I just did my first thorough scan in ages (usually do a standard), but with archives omitted, and got an interesting and surprising result. This was with both the program and VPS right up to date, 4.8.1335 and 090904-0 respectively.
I was alerted that it had found Win32:Dialer-gen13[trj] in, of all places, the VRDB file, …\integ\avast.int. It did not find any problems elsewhere on the disk. So that file got successfully moved to the chest.
I’m guessing that since nothing else was found, the infected whatever was present on my system when I last generated the VRDB (March 24th) and slipped past avast during generation, but is no longer around except for the “recovery” data for it. So I’ve got three questions:
Sound like a reasonable and likely inference I’m making?
If so, am I probably safe to just delete the file and generate a fresh VRDB? Or possibly it’s a false positive in the current defs which others have already reported, so I don’t even need to delete but can simply restore it?
Some time, way back when, I’d asked whether avast scanned files for which it put data into the VRDB, to ensure that the resulting VRDB was clean, and was told yes it did. If the current alert is in fact legit, does that mean we can’t take for granted that the VRDB is clean?
Oh, should also mention that I haven’t yet run SAS or MBAM scans, to see if maybe one or both of those turns up something elsewhere on the disk that the avast scan missed. I’ll post a follow-up shortly once those are done.
The detection seems to be a false positive. If you delete the VRDB file, just start (generate now) another.
avast scans the files before adding them to the VRDB, and the .int file shouldn’t be detected as infected.
Thanks, Tech. Haven’t done anything with it yet, but might as well just delete it and re-generate, although it sounds like that’s unnecessary (in this case) for security purposes.
If nothing else, it should trim the file size way down since I’ll now have only the data for the most recent version of updates of what’s protected rather than 3 versions. Plus, if I understand correctly, a fresh VRDB over an earlier existing one does not delete data relating to stuff that’s been uninstalled, so wiping the file and starting afresh should make the file smaller still.
Given the size and nature of the .int, I’d be curious what in it triggered the alert, and if the FP has since been confirmed and corrected.
The other aspect of the VRDB integ.int is that it doesn’t contain complete files as in a back-up copy. It only contains some information on the file to try and restore the original file to an uninfected state.
So I believe this just happens to be a random match of a virus signature, strange as this may be.
The only way for it to be corrected is for a) you to report it as a possible false positive and send the sample, which could be big as you mention, b) Alwil to analyse the file and try to identify why the detection occurred, c) them to correct it and issue a VPS update.
I’m just scanning my son’s machine, which he has neglected - I’ve renewed the licence, updated everything and am now doing a full scan. I have had this same Trojan, Win32:Dialer-gen13[trj] reported in …\integ\avast.int.
This particular avast.int is 7455 kB and has not been modified since January 2006.
I haven’t deleted it yet - is it worth me sending it in for checking as a false positive?
If you could, it would be good. What is the file size?
You can report the false positive: you can send it to virus@avast.com or, if it is too big, you can upload it to the ftp site.
Might be a good idea to send it in, Chris, since you got the same thing I did – I’ve now gone the delete-regenerate route so no longer have it and can’t do that myself.
You normally don’t get a reply unless they need more information. If you have retained a copy in the chest, etc., you can periodically scan it within the chest; when it is no longer detected, the VPS has been corrected.