(Avast! 4.8 home, Win XP SP3 (32 bit) using uTorrent 1.8.1)
I am getting a false positive report from Avast (I believe it is the P2P shield provider). I repeatedly receive the following warning:
File name: J:\video\Heroes.S03E08.LOL.HDTV.XviD [TheTorrentSource org].rar.!ut\Heroes.S03E08.LOL.HDTV.XviD\Heroes.S03E08.LOL.HDTV.XviD.exe\IRSARU~1.EXE
Malware name: Win32Fabot [trj]
Malware type: Trojan Horse
VPS version: 081103-0, 2008-11-03
The problem is that the actual file path ends with the “.rar.!ut”. Avast! is trying to analyze the archive (the .rar), but it is incomplete (as indicated by the .!ut [like .bc! in BitComet]). Either the uTorrent specific part of the provider should know about !ut or the p2p provider should obey a set of exclusion rules (such as that in the standard shield provider). The contents of the archive are supposed to be a single AVI file, but I have no proof of that.
I tried setting the exclusions in the on-demand scanner and the standard shield provider, but neither helps here. I tried excluding the directory, a partial directory, and the file name it thinks it found.
The file that avast! thinks is a Trojan Horse does not exist (it is an artifact of an incomplete archive). The Move/Rename, Delete, and Move to chest buttons do not help, because there is no file to move, rename, or delete. If I click No action, avast! does not learn that this file should be left alone (a bug) and finds the false file again the next time uTorrent accesses the file. My only available action appears to be to move the warning box to the edge of the screen and ignore it.
So, there are at least three bugs:
- Misinterpretation of an archive that is incomplete
- Ignoring the !ut in uTorrent and not providing a manual way to fix this
- Not remembering that a “No action” answer was given for a file, and repeatedly prompting for it.
- (possibly) Misreporting the Trojan Horse (the signature could exist)
- (possibly) Treating data outside the file as if it is inside the file.
I am not a newbie. I have used four other computer security systems in the past two months and I have specified security policy for more than one company. I would be interested in any suggestions you might have.
Martin Katz, Ph.D.
P.S.: Before I sent this message I received another Trojan Horse warning about BEncode Editor.exe. This is NOT a trojan horse and has been scanned by three other antivirus programs (NAV, ESET, and COMODO). It is a utility for low-level editing of the equivalent of compressed XML files (used for BitTorrent p2p). I do not know which part of avast! found this file (the on-demand scan hasn’t gotten to that partition yet).
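An added illustration, not part of the post above or of avast!, of the two fixes the post asks for: splitting a reported composite path into the on-disk file and the chain of members the scanner unpacked from it, deferring unpack-scans of a container that still carries an in-progress download suffix, and remembering a “No action” answer for the full composite path. The container extension list, the ScanTarget and P2PShieldPolicy names and the decision strings are assumptions; the sample path is the one quoted in the warning above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Suffixes BitTorrent clients append to files still being downloaded:
# ".!ut" (uTorrent) and ".bc!" (BitComet), as named in the post above.
PARTIAL_SUFFIXES = (".!ut", ".bc!")
# Container formats a scanner unpacks (assumed list); path components after
# one of these are members *inside* the container, not files that exist on disk.
CONTAINER_EXTS = (".rar", ".zip", ".7z", ".exe")
# The composite path from the warning quoted in the post.
REPORTED_PATH = (r"J:\video\Heroes.S03E08.LOL.HDTV.XviD [TheTorrentSource org].rar.!ut"
                 r"\Heroes.S03E08.LOL.HDTV.XviD\Heroes.S03E08.LOL.HDTV.XviD.exe\IRSARU~1.EXE")

@dataclass(frozen=True)
class ScanTarget:
    on_disk: str            # path the filesystem actually has
    member: Optional[str]   # member path inside the container, if any
    partial: bool           # True when on_disk is an in-progress download

def split_reported_path(reported: str) -> ScanTarget:
    """Separate the on-disk file from the archive-member chain in a report."""
    parts = re.split(r"[\\/]+", reported)
    for i, part in enumerate(parts):
        name = part.lower()
        partial = name.endswith(PARTIAL_SUFFIXES)
        if partial:
            name = name.rsplit(".", 1)[0]       # "x.rar.!ut" -> "x.rar"
        if name.endswith(CONTAINER_EXTS) and i < len(parts) - 1:
            return ScanTarget("\\".join(parts[:i + 1]), "\\".join(parts[i + 1:]), partial)
    return ScanTarget(reported, None, parts[-1].lower().endswith(PARTIAL_SUFFIXES))

class P2PShieldPolicy:
    """Decides whether to unpack-and-scan a reported path right now."""
    def __init__(self) -> None:
        self._no_action: set = set()   # targets the user answered "No action" for

    def remember_no_action(self, reported: str) -> None:
        self._no_action.add(split_reported_path(reported))

    def decide(self, reported: str) -> str:
        target = split_reported_path(reported)
        if target in self._no_action:
            return "skip"    # same composite path: do not prompt again
        if target.partial and target.member is not None:
            # Members unpacked from a half-written container are unreliable: defer and
            # rescan once the client renames the finished file (plain partial files are still scanned).
            return "defer"
        return "scan"
```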