Looks like an FP to me. I found it on one PC while doing a custom scan and on the other while doing a boot scan. A regular Avast full scan did not detect the “infection”.
Any issues with this being reported from the latest Avast update?
A regular scan won’t open archive files, which a .cab is, so no, it wouldn’t find anything in the pre-defined Quick or Full scans.
Archive (zip, rar, cab, etc.) files are by their nature inert; you need to extract the files and then run them for them to be a threat. Long before that happens avast’s Standard Shield should have scanned them, and before an executable is run it is scanned.
How big is the .cab file?
You could also check the offending/suspect file (if it doesn’t exceed the 15MB maximum, see ~~~) at: VirusTotal - Multi engine on-line virus scanner, and report the findings here: the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
If it is over 15MB (or the current maximum size), I don’t know if you would be able to extract the FINDER.EXE file from the L2561403.CAB cabinet file. You could then upload that.
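As an added example (not part of this thread, and not avast’s or VirusTotal’s own tooling), the extract-and-hash step above can be scripted so that only the single member file is pulled out of the cabinet and lands straight in the excluded C:\Suspect folder. It assumes a Windows machine with the built-in expand.exe, that C:\Suspect already exists and is excluded from the File System Shield as described above, and that the location of L2561403.CAB is supplied by you; the path used below is a placeholder, not a path from the thread. Hashing the extracted file also lets you look up an existing VirusTotal report by SHA-256 without uploading anything, which sidesteps the size limit entirely when the file has already been seen.

```powershell
# Added example: extract one member from a .cab into the excluded folder,
# then hash it for a VirusTotal lookup or upload.
# Assumptions: Windows with expand.exe (built in), C:\Suspect already excluded.
# $CabPath is a PLACEHOLDER; point it at the cabinet the detection named.
param(
    [string]$CabPath   = 'C:\PathToOffice\L2561403.CAB',  # placeholder, adjust
    [string]$InnerFile = 'FINDER.EXE',                    # member named in the detection
    [string]$Suspect   = 'C:\Suspect'                     # folder excluded from the shield
)

$ErrorActionPreference = 'Stop'
$VtLimitBytes = 15MB   # the limit quoted in this thread; check VT for the current value

if (-not (Test-Path -LiteralPath $CabPath)) {
    throw "Cabinet not found: $CabPath"
}
if (-not (Test-Path -LiteralPath $Suspect)) {
    # Create the folder if it is missing; remember it must ALSO be excluded
    # in the File System Shield, or the shield will act on the extracted file.
    New-Item -ItemType Directory -Path $Suspect | Out-Null
}

# Show the cabinet's contents so the member name can be confirmed exactly.
expand.exe -D $CabPath

# Extract only the named member. -F: filters on the file name inside the cabinet.
expand.exe $CabPath "-F:$InnerFile" $Suspect
if ($LASTEXITCODE -ne 0) {
    throw "expand.exe failed with exit code $LASTEXITCODE"
}

$extracted = Join-Path $Suspect $InnerFile
$size = (Get-Item -LiteralPath $extracted).Length
$hash = (Get-FileHash -LiteralPath $extracted -Algorithm SHA256).Hash.ToLower()

# Report size against the upload limit and give the hash-lookup URL.
[pscustomobject]@{
    File        = $extracted
    SizeBytes   = $size
    FitsVtLimit = ($size -le $VtLimitBytes)
    SHA256      = $hash
    VtLookupUrl = "https://www.virustotal.com/gui/file/$hash"
}
```

Open VtLookupUrl first: if the hash is already known to VirusTotal you get the multi-engine verdict without uploading, and you can paste that URL into the thread as asked above. Only if the hash is unknown does the extracted file (which, being a single member, is far smaller than the whole cabinet) need to be uploaded. Because the file sits in the excluded folder, the File System Shield will not move it to the chest while you do this.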
So, do you think it’s a threat or an FP…if you had to guess?
I have deleted the files & my entire MSO suite! Why?
Well, prior to Avast detecting the supposed bug, the folder L2561403.CAB had a bunch of files in it including FINDER.EXE…at least this was the case on the machine that I ran a boot scan on after I found the bug on machine 1.
After Avast moved the FINDER.EXE infection into the chest, the folder L2561403.CAB seemed empty…at least I could no longer open it! Upon doing a repair, MSO detected that there were missing files in said folder, so I just wiped out the whole program & will do a fresh install. It’s easier & safer than trying to remedy the missing files.
So, I reinstalled MSO on both PCs from my disk that I have been using safely for years. Prior to installing, I ran multiple scans from Avast, MBAM & SAS…all clean! Like I said, I also deleted the initial threat from the chest & removed MSO.
After reinstalling Office, I ran (am running) another boot scan on one of the PCs & the same threat is appearing in the same folder! This must be an issue w/ Avast & a FP…no?
Also, when trying to unzip files from the disk to reinstall MSO, Avast.Svc was running like mad in the background. I am guessing that is why I was having trouble reinstalling MSO… The WinZip program & the MSO install tool were freezing. Finally, it managed to unzip all of the files, but Avast was consuming at least 50% of my CPU while unzipping!
I don’t know how long after having sent it to the chest that you scanned it from within the chest, but if there was a virus definitions update in the interim period, then it was most likely an FP which was corrected.
The boot-time scan depends on whether you left it on the default settings; if so, it would unpack all archive files, and this would make it a very long scan.
When you use WinZip, opening/extracting files (depending on your File System Shield settings) would result in a lot of scanning by any resident antivirus; that is its job, to prevent files running before being scanned.
Well, I scanned it from the chest immediately after my “Custom Scan” was complete. No updates were performed. A few hours after all of this began, after cleaning, deleting, etc & reinstalling Office, I ran another custom scan & the same threat appeared in the same folder. This time I ignored it as moving it to the chest somehow wiped out all of the contents in the CAB folder. Actually, this time there were 2 threats detected…1 from the original CAB folder & 1 from the installation Temp folder containing the same CAB folder.
So, how does Avast think there is a threat when scanning that file, yet while in the chest it scans as clean…I don’t know. Also, how did the entire contents of the CAB file get deleted, not just the FINDER.EXE file…I don’t know ???
I will run another scan now that Avast has updated & try to upload the folder to VirusTotal. Any other thoughts are welcome! Thanks!
Well, from the VT results it looks like an FP. If only GData and avast detect it: GData uses avast as one of its two scanners, so that counts as 1 detection, and it is almost certainly an FP if only those two detect it.
As an avast user like yourself I can’t explain why it would be detected on a scan and not within the chest, if there was no virus definitions update in the interim period.
I don’t know what your avast settings are as there are options if a file can’t be extracted from an archive to deal with the archive and not simply the file within it.
Ahh…I know what you mean…I will check those settings. That’s probably why the whole folder was wiped!!
Will Avast know to fix this as it is a new detection?
I am getting the same detection across the PCs on my network; the file is within a compressed .CAB file and hasn’t been modified in years. Files moved to chest anyway, but if it gets confirmed as FP I can always restore them.
Fix the detection of a legitimate file. I have had MSO installed on my system for years & never a detection. I realize that once detected, what Avast does w/ the file may be dependent on my settings but the fact that it is detected at all as a “severe” threat that stops a boot scan seems to be an Avast issue, no?
UPDATE: I checked my settings & my “Custom Scan” is set to “do nothing” when a file can’t be unpacked, yet the entire contents of the aforementioned folder were deleted. Also, there does not seem to be any such setting for a boot scan, unless I missed it! So if detected by a boot scan & I choose to add to chest, it would seem that the entire contents of the file are deleted…at least that’s what happened here…
Hello, I have also had this found TODAY in an Avast boot scan. The exact same file, FINDER.exe, a Win32:malware-gen virus.
It is in the chest. The whole file or folder was NOT put in the chest or deleted, just this one FINDER.exe was. I have clicked to submit it to Avast
My boot scan settings are All harddisks - System Drive - Auto start programs (all users) - set to HIGH Heuristics - UNPACK Archive files - Scan for PUPs
I have right clicked it in the chest and set it to submit to Lab at next update for BOTH possible malware and false positive. So it should be submitted twice, one for each.
Does anyone have any further info on this yet?
P.S. when I scanned it in the chest it came up clean.
Send the sample finder.exe to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
In the meantime (if you accept the risk), add the full path to the file (or just the .cab file L2561403.CAB, if the name remains the same) to the exclusions lists: File System Shield, Expert Settings, Exclusions, Add; and avast Settings, Exclusions.
Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the File System Shield and avast Settings exclusions lists.
The boot-time scan is interactive input, so it would be a detection-by-detection decision. I don’t know if it would be able to extract from within the .cab file or not. If trying to send the whole cab file to the chest, it could exceed the maximum file size to be sent (I don’t know what the cab file size is or what the maximum file size setting for the chest is in your setup).
Hi…Perhaps you wouldn’t mind following DavidR’s suggestion to send the file to Avast, as I no longer have the file in the chest, & considering that I somehow lost the entire contents of the CAB, rendering MSO inoperative, I don’t want to take the chance that it will happen again when moving the file to the chest.
And, I am still trying to figure out why I lost the entire contents of the folder considering that others have not! ???
Hello Bub12, I have already sent the file to Avast before DavidR posted his reply. I indicated so in my original post.
I am curious though, will I hear back from the Lab as to the result of their testing?
I don’t know why your whole folder contents were deleted; it has to be the way you have your settings. Perhaps you have something selected that indicates if a virus is found DELETE CONTENTS OF FOLDER instead of delete file? I would think this would be in the primary Avast! settings. You may want to review all your settings.