I decided a couple days ago to sync my entire OneDrive cloud account locally so I could run an app to remove duplicates. Since then, Avast has been pinging me every 10 minutes about the same 3 files that have been moved to the virus chest. That’s great, but since it’s syncing with a cloud service, OneDrive keeps replacing them.
So I try to figure out which files are the infected ones, but OneDrive seems to sync to a temp directory with a file ID instead of the actual name of the file, before actually going to its destination (though I could be wrong). It’s similar to what was posted here a while back: https://forum.avast.com/index.php?topic=177690.0 Attached is a screenshot.
What I’ve tried so far:
Deleting the files from the Virus Chest (they just reappear at the next attempted sync)
Looking at the green checkmarks on the local files to see if any folders are not completely sync’d yet (all are green/complete)
Looking at all the files that are NOT in folders and comparing the local list to the remote list (they match, except the OneDrive site does not display Mac files despite the fact they are there)
Are those detections false positives? If you think they are, please provide us with some examples (attach them here, or send them to my email address) so we can analyze the files and alternatively provide a fix in the next VPS update.
In the meantime (or if the files are not false positives), you can add the “~/Library/Application Support/OneDrive/tmp” directory to the fileshield exclude paths in the fileshield preferences.
I’m not sure if they are false positives – how can I tell?
I’ll be happy to provide whatever you need – do you want me to upload the detected files in question, knowing there’s a possibility they might be truly infected files?
Yes, we need some samples to see if it is a false positive or not. Even infected files are harmless if they are not activated (executed, displayed by the browser, …), so simply copying them is no problem.
Thanks. Because of the nature of the files and the apps, they either disappear into the chest or they go into the OneDrive directories before I can grab them. Can I just click the check boxes on the 3 relevant files and submit them to the virus lab? Seems like the easiest way to get them to you. I can include a link to this thread in the comments if it helps.
Yes, submitting the files to viruslab using the corresponding dialogue in Avast is fully sufficient. The benefit of notifying me about the submission (e.g. by sending the e-mail used in the submission) is that I can make the submission more urgent or make sure that it does not get lost somewhere in the “process”.