MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit

During the MS update process (Vista 64bit) avast! accused the “Trustedinstaller.exe” (located in "C:\windows\servicing") as a rootkit.
I think this is a false positive since this file is AFAIK an essential part of Windows (Update).
Can you confirm this false positive?

Unfortunately after several clicks in the notification window (I tried to choose “Ignore”, there were not many options) it was not possible to close the notification window with a regular button (it was somehow blocked), so I closed it using the “x”, which obviously caused this file to be deleted :frowning:

The major effect of this is that Windows Update will not work anymore (since the Trusted Installer service is broken, because it is based on this .exe)… About an hour to repair this :frowning:

Sorry, not many of us use Vista 64bit. :wink:
But if you want to make sure, send the file to virustotal.com
Please post your results. Thanks…!
asyn

Unfortunately the file has been deleted by avast! (so it is not even in the virus chest), so I cannot provide or check this file.

In order to “repair” Windows (Update) and the Trusted Installer Service, I restored the file (probably an older version) from the Vista component store (WinSxS folder) … which is only a suboptimal - but working - solution … The restored file was not accused as rootkit by avast! …
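A check for the situation described in this thread, added here and not written by any poster: it computes the SHA-256 of the flagged file (for a VirusTotal hash lookup), verifies its Authenticode signature, and lists the signed copies kept in WinSxS so a known-good one can be picked for a restore. It assumes PowerShell 2.0 or later and an elevated prompt; the only paths used are the ones named in the thread (C:\Windows\servicing and C:\Windows\WinSxS).

```powershell
# Added example (not from the forum thread): verify a flagged Windows file
# before trusting an AV detection. Assumes PowerShell 2.0+ and an elevated
# prompt, since C:\Windows\servicing is ACL-protected.
$target = 'C:\Windows\servicing\TrustedInstaller.exe'   # path named in the thread

function Get-Sha256Hex {
    param([string]$Path)
    # Computed via .NET so it also works on PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-WindowsBinary {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "$Path is missing (already deleted?)" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item $Path).VersionInfo
    New-Object PSObject -Property @{
        Path    = $Path
        Version = $ver.FileVersion
        Signer  = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        Status  = $sig.Status                      # expect 'Valid' for a genuine file
        Sha256  = Get-Sha256Hex $Path              # paste into VirusTotal's hash search
    }
}

# 1. Inspect the file avast flagged (signature status, signer, version, hash).
Test-WindowsBinary $target | Format-List

# 2. List the copies in the component store, newest version first, so a
#    Microsoft-signed one can be chosen if the original was deleted.
#    (Version is compared as text here; check the full string before restoring.)
Get-ChildItem 'C:\Windows\WinSxS' -Recurse -Filter 'TrustedInstaller.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WindowsBinary $_.FullName } |
    Sort-Object Version -Descending |
    Format-Table Version, Status, Sha256, Path -AutoSize
```

A copy whose Status is anything other than Valid, or whose signer is not Microsoft, should not be restored.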

If the file got deleted, there’s nothing much we can check or do anymore, I guess…
asyn

(Btw, do you already know about the new German section…? http://forum.avast.com/index.php?board=24.0)

And what if you try to update again now, to see if the updated file is flagged again? Just make sure to set the file system shield to “ask”, so that you’re 100% sure to get the opportunity to send it to the Chest… then restore it to any location (maybe temporarily deactivate the FS shield), and submit it to VirusTotal as suggested by Asyn…

@asyn: thanks for the info about the German section … nice to know :slight_smile:

@logos: thanks for your suggestions
First of all … it was not my own machine, so I will “see” it in a few days at the earliest. On the machine, I performed several checks for updates (Windows Update) after the “repairing”, but there were no new updates available (but the update check worked again, since some optional updates were listed). So no new version of the file has been installed, as far as I have noticed. But I will keep an eye on it.
To come back to the “detection” (which ended in the deletion of the file), the notification window with the options to choose (in the drop-down) looked quite different from the normal “file shield” … if I remember correctly, there were only two options (“delete” and “ignore”) … I had also already configured all shields to “ask” as the first option … maybe the rootkit detection/warning/heuristic has other settings …

You can maybe get the file back from here:
http://catalog.update.microsoft.com/v7/site/Home.aspx

(works only in Internet Explorer)

Edit: can you post a screenshot of the alert next time?

I had no problems with my Vista 64bit and avast! 5. Unless this problem arose today. I haven’t started my system yet today…

Found another post in the “avast! Free/Pro/Suite”-Section of the forum from yesterday with the same “effect”:

http://forum.avast.com/index.php?topic=60635.0

http://i808.photobucket.com/albums/zz7/Zaph0day/Capture.png

confirmed on Windows 7 Version 6.1 Build 7600
http://www.virustotal.com/analisis/a59c40a090e03c0136a865fc54508ba938e7b467c8198bc009fe263e6c275781-1277945618

Did this happen with the latest avast build…?? (5.0.594)
asyn

Again, with the “Recommended” Delete now default… That is a Windows file… I thought there would have been measures to avoid this… :slight_smile:

It was on a fresh install yesterday, popped up after all available updates had been installed. i.e. I installed all available system updates prior to installing Avast.

Program Version: 5.0.594
Virus Defs: 100705-0

No issue here with “trustedinstaller” up and running… maybe the issue came on 32-bit Seven? … anyway there’s just been an update to 100705-1. My screenshot comes from a time when 705 was still there.

If delete is the default, can it be changed to ignore? I have done some searching and I have not found that to be possible. Can somebody tell me if it is indeed possible to change the default action of the auto anti-rootkit scan, and how. The delete default action scares the hell out of me.
Bo

Yes it should be able to be changed as in my reply in another topic, http://forum.avast.com/index.php?topic=61636.msg521086#msg521086.

There is a drop-down list in which you can choose Ignore or Delete; whilst avast displays what it considers the best option based on its detection, you don’t have to choose that option.

By clicking the inverted triangle, see image, it should also show Ignore as an option.

Thanks for your replies Dave. I know the action can be changed if we don’t experience the problem that Sgt.Schumann had when he tried to choose ignore. Scares me what he describes here:

“Unfortunately after several clicks in the notification window (I tried to choose “Ignore”, there were not many options) it was not possible to close the notification window with a regular button (it was somehow blocked), so I closed it using the “x”, which obviously caused this file to be deleted”

Before yesterday I did not know about this automatic “auto anti-rootkit scan”, and after finding out about it, I did some reading and I think we should be able to have “ignore” on default and, if something is detected, then do some search to make sure the detection is a good one. I have not had an infection for a long time so I prefer to leave files where they are when they get detected.
Bo

I somehow doubt avast would allow setting of default actions; the last thing you want is to have all set to Ignore in the event of a genuine rootkit, that could be very dangerous.

I would imagine it would be the same as their policy on allowing a user the option to exclude/ignore and run a file which they consider to be OK, as any such single-click option could leave a user’s system in tatters.

+1
asyn

I agree with you that for most users it would be dangerous, but users like you or me should be allowed (I think) to have ignore as the first action if something gets detected. I prefer to choose what action to take if a file gets detected as malware, but at the same time I can tell you that 2 years ago, when I was clueless on what actions to take, I would have preferred that Avast pick the action for me. Today I am not the same clueless user I was 2 years ago; I have learned how to prevent infections and I know that my chances of ever again being infected are minuscule. So, if something gets detected on my PC, most likely it will be a FP. A rootkit infection 2 years ago is what got me interested in security, and I was able to fight it and beat it. It took me a couple of weeks, and after a few days of fighting it, it became a game that was fun, especially after I beat the infection by myself.
Today I use programs like DefenseWall and Sandboxie together with Avast, and it is almost impossible to have a rootkit infection if you learn and use them the proper way.
Bo