Help on File automatically put in Sandbox

Hello, I’m curious about a file that has been put in the sandbox in Avast… I’m running Avast Pro Antivirus and the file is c:\Windows\System32\ctfmon.exe

I’ve done some reading on this file and there are plenty of reports that this file may be a problem…my question is should I Terminate or just leave as is? :-\

Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.

Alternative: jotti.org or metascan-online.com

You may post the link to the scan result here for us to see…

Seems the file is goodware, with a 0/45 detection ratio…

SHA256: 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397
SHA1: 6c04499f7406e270b590374ef813c4012530273e
MD5: 4a3cdcef8ed41b221f3dbef5792fb52d
File size: 8.5 KB ( 8704 bytes )
File name: ctfmon.exe
File type: Win32 EXE
Detection ratio: 0 / 45
Analysis date: 2012-12-16 22:52:31 UTC ( 1 minute ago ) :wink:

Better to post the link :wink:

https://www.virustotal.com/file/6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397/analysis/

First seen by VirusTotal
2009-08-12 21:33:14 UTC ( 3 years, 4 months ago )

OK…sorry, I’ve added the file to exclusions in the sandbox, rebooted and all’s well…

Thanks for the help! ;D

What were you actually doing when the autosandbox did this, as the user doesn’t run this file?
So something doesn’t sit right with this interception.

What reason was given when intercepted by the autosandbox ?

The reason I ask for this information is that ctfmon.exe in c:\Windows\System32 is a system file, and if it were being detected the forums would be flooded with like topics, and this isn’t the case.

Can you right click on this file and post its Properties, file version, creation, modification dates, etc.

I was just surfing the web earlier today…nothing serious, had started a quick scan and left the computer unattended and when I returned the scan had registered No Viruses…it was just by chance I had opened the sandbox and seen the file in the sandbox…there was no notification whatsoever. I’ve included the file’s info you asked for…

That is strange as from that the file is old, hasn’t been modified and something that isn’t run by the user but by the system so I can’t understand why it would have been intercepted.

Mine certainly hasn’t.

Which is why nothing was found on the virustotal scan.

What OS and SP version are you using given that our file properties differ in date and file size ?

I’m running Windows 7 Ultimate Service Pack 1
Not sure how long the file was in the sandbox for, nor can I come close to remembering what I may have been doing at the time it was sandboxed.

I installed 2 updates last night, they were…

Security Update for Report Viewer Redistributable 2005 Service Pack 1 (KB971117)

Installation date: 12/15/2012 11:23 PM

Installation status: Successful

and

Security Update for Report Viewer Redistributable 2005 Service Pack 1 (KB2579115)

Installation date: 12/16/2012 1:19 AM

Installation status: Successful

Don’t know if this did it or not, they were critical updates and were successfully installed.

Well that pretty much matches the one on my win7 SP1 netbook, it looks legit so I’m at a loss as to why it was ever intercepted by the autosandbox.

Personally I would remove the entry for it from the autosandbox settings, exclusions and see if it gets pinged again, it really shouldn’t. You might also try setting the autosandbox to Ask and see when/if it gets intercepted again, this may pin down why.

I don’t believe the updates would have triggered this as ctfmon.exe isn’t really involved in windows updates, see http://support.microsoft.com/kb/282599. If you look in task manager you will probably only see one entry for ctfmon.exe and that would be a User entry.

OK David, will do… Thanks for the advice. :wink:

You’re welcome.
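
Added example, not part of the original thread: a PowerShell script that collects the details the replies above ask for (size, dates, file version, hashes) in one report, so copies of a system file on two machines can be compared field by field. The default path, the reference SHA256 and the VirusTotal link form are taken from the posts above; the function name `Get-HexDigest` is hypothetical.

```powershell
# Added example: gather the file properties discussed in this thread.
param(
    [string]$Path = "$env:windir\System32\ctfmon.exe",
    # SHA256 posted earlier in this thread; substitute your own reference value.
    [string]$ReferenceSha256 = '6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397'
)

# Hypothetical helper. Uses .NET hashing directly so it also runs on the
# PowerShell 2.0 that ships with Windows 7 (Get-FileHash needs 4.0 or later).
function Get-HexDigest([string]$Algorithm, [string]$File) {
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($File)
    try {
        $bytes = $hasher.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally {
        $stream.Dispose()
    }
}

# Caveat: a 32-bit PowerShell on 64-bit Windows is silently redirected from
# System32 to SysWOW64, so it reports on a different copy of the file.
# Run this from a 64-bit console when comparing against another machine.
$item   = Get-Item -LiteralPath $Path -Force
$sha256 = Get-HexDigest 'SHA256' $item.FullName

$report = New-Object PSObject -Property @{
    Path             = $item.FullName
    SizeBytes        = $item.Length
    CreatedUtc       = $item.CreationTimeUtc
    ModifiedUtc      = $item.LastWriteTimeUtc
    FileVersion      = $item.VersionInfo.FileVersion
    Company          = $item.VersionInfo.CompanyName
    OriginalName     = $item.VersionInfo.OriginalFilename
    MD5              = Get-HexDigest 'MD5'  $item.FullName
    SHA1             = Get-HexDigest 'SHA1' $item.FullName
    SHA256           = $sha256
    # String -eq is case-insensitive in PowerShell, so hex case does not matter.
    MatchesReference = ($sha256 -eq $ReferenceSha256)
    # Link form copied from the VirusTotal URL posted in this thread.
    VirusTotalUrl    = "https://www.virustotal.com/file/$sha256/analysis/"
}

$report | Format-List
```

A `MatchesReference` of False only means the copy differs from the one hashed in this thread, which is expected across different Windows versions and service packs.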