How Do You Read *PROCESS in the Client Side Scan Summary?

Hi all!

I didn’t see anything like this posted after a cursory glance (I couldn’t think of a good way to search for it), so I hope that I’m not asking a question that’s been answered already.

After ADNM runs the client side task that scans for viruses, the tasks are listed under Sessions>Client-side tasks>Nightly Scan>Computer Name. I understand the basic layout, but every once in a while we get a positive not on a file, but on something listed like ComputerName*PROCESS\etc. We often need to investigate what viruses are turning up on our systems here, but the information listed as *PROCESS doesn’t help. Can anyone explain how to read that information?

Thanks for your help in this.

This comes up during operating memory scanning. In Windows, memory is divided into running processes. When avast scans operating memory, it doesn’t scan physical memory (that doesn’t make much sense) but instead scans virtual memory mapped to each and every process running on the system.

If avast finds something during a memory scan it can mean active malware running on the target. Of course, it can also be a false positive.

Are the findings reproducible?

Yes, actually, we’re having a recurring problem with processes Avast is detecting as infected with HLLP-vova 10.1-b. For more details, check out this post: http://forum.avast.com/index.php?topic=28094.msg229273#msg229273. We’d like to be able to look into it further, but we don’t have any ideas as to how to check the processes. The ID that Avast gives isn’t very helpful toward that end; or maybe it is and we just don’t know where to look in Windows XP. Any tips you can give would be helpful; for instance, determining what program started one of the *PROCESSes Avast mentions.

Thanks much!

The number that follows the *PROCESS prefix is the PID (process ID).
I.e. unless the machine has already been rebooted, you can check which process it is e.g. by using the Task Manager (enable the PID column by choosing View → Select Columns…).

Thanks
Vlk

hmmm. We can’t find the PID in task manager that the ADNM tells us, and the computer hasn’t been rebooted. Not sure what we can do at this point except wait to see if Avast catches it again tomorrow. It detected the same virus the past three days, but we can’t find the PID… I think this is why we were confused about how to read the *PROCESS in the first place.

Thanks for the reply though! I’ll keep this thread updated as we try to hunt down the culprit.

P.S. could the process just be run at designated times, and Avast can’t detect the file responsible? If that’s the case what can be done?

It is possible that the number avast tells you is in fact in hexadecimal format while the one shown in the Task Manager is decimal.

To convert between the two, you can use e.g. the Windows Calculator application (calc.exe), in the “Scientific” mode. See the “Hex” and “Dec” radio buttons in the upper-left corner of the calc’s “keyboard”.

Thanks
Vlk
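An added example (not from the thread or from avast) that does this lookup mechanically: it pulls the ID out of *PROCESS entries, tries both the hexadecimal and the decimal reading, and checks each against a `tasklist /fo csv` snapshot taken on the same host, so an entry whose process has already exited shows up as unresolved instead of as a mystery. The summary layout, the host name and the tasklist contents are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample lines in the shape of an ADNM client-side scan summary
# (hypothetical layout; only the *PROCESS\<id> token comes from the thread).
SCAN_SUMMARY = """\
WS-ACCT01\\C:\\Temp\\setup.exe    Infection: EICAR Test-NOT virus!!
WS-ACCT01*PROCESS\\5B8    Infection: HLLP-Vova 10.1-B
WS-ACCT01*PROCESS\\1F4    Infection: HLLP-Vova 10.1-B
"""

# Constructed snapshot of `tasklist /fo csv` taken on the same host before any reboot.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"AvAgent.exe","1464","Console","0","3,212 K"
"explorer.exe","1720","Console","0","18,940 K"
"""

PROCESS_RE = re.compile(r"^(?P<host>[^\\*]+)\*PROCESS\\(?P<pid>[0-9A-Fa-f]+)\s+(?P<detail>.+)$")


def load_tasklist(csv_text):
    """Map decimal PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def resolve_process_hits(summary, pid_map):
    """For every *PROCESS hit, try both the hex and the decimal reading of the ID.

    Returns one dict per hit: host, raw ID, detection text, and for each reading the
    (pid, image name) pair; image name is None when no running process has that PID.
    """
    results = []
    for line in summary.splitlines():
        m = PROCESS_RE.match(line.strip())
        if not m:
            continue  # plain file hits carry a path, not a *PROCESS token
        raw = m.group("pid")
        as_hex = int(raw, 16)
        as_dec = int(raw) if raw.isdigit() else None
        results.append({
            "host": m.group("host"),
            "raw": raw,
            "detail": m.group("detail").strip(),
            "hex": (as_hex, pid_map.get(as_hex)),
            "dec": (as_dec, pid_map.get(as_dec)) if as_dec is not None else None,
        })
    return results
```

A hit that resolves under neither reading most likely belongs to a process that exited between the scan and the snapshot, which is why taking the tasklist snapshot right after the nightly scan matters.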

I tried converting from hexadecimal to decimal, and the PID returned was assigned to the process called AvAgent.exe, which I thought was the Avast agent. Is avast infected? What options do we have?

BTW, we are paying corporate customers with 30+ seats; are there any other avenues of support available to us besides posting on this forum?

Thanks!

I tried converting from hexadecimal to decimal, and the PID returned was assigned to the process called AvAgent.exe, which I thought was the Avast agent. Is avast infected? What options do we have?

Sounds like a false positive :-[
Is it always the same virus name that’s reported - or different ones?

BTW, we are paying corporate customers with 30+ seats; are there any other avenues of support available to us besides posting on this forum?

There are multiple options. You can write to support@avast.com, or (better) create a ticket here: http://support.avast.com.
But the forum works, too - and it would be preferable to finish solving this issue here (I mean, it’s inconvenient to have the issue opened in multiple locations).

Thanks
Vlk

Sorry for taking so long to reply; it’s been a busy day!

Sounds like a false positive :-[ Is it always the same virus name that's reported - or different ones?
It's always the same one, alas. Of course what you identified as the PID changes upon each reboot. I just mean that the name Avast gives to the virus is always the same.
it would be preferable to finish solving this issue here
Don't worry; I intend to finish this post! I don't like incomplete posts either. I just wanted to find out what options we had if we encounter more serious problems than some weird feedback from ADNM ;)
It's always the same one, alas.

So, which one is it, exactly? :-)

So, which one is it, exactly? :-)

You need to work on your telepathy! Geesh. It’s “Infection: HLLP-Vova 10.1-B”, of course! ( :-[)