Possible F/P? -- operating memory of Windows Defender infected

I only just made the cool discovery of the screen-saver scanner, after reading the Avast! blog.
I am loving this feature, but now I see something strange happening with it.

When the screen-saver scan checks the operating memory, it detects the virus “JS:Agent-AU [Expl]” in the running process memory of Windows Defender (MsMpEng.exe). However, when I do the scan of operating memory by launching Avast! Antivirus manually, there is no report of an infection in operating memory (i.e. no pop-up dialog of any infection). Does this occur on anyone else’s (Win-XP) machine? Could it be an F/P?

The screen-saver scan is stopped when it finds this infection signature, so none of the rest of my computer gets scanned – this detection occurs very soon after the start of the scan. So, for now, I must turn off the “operating memory” scan-area choice - in order to get useful screen-saver scans.

I am running Avast 4.8 Pro.

Yep, an FP. It should already have been corrected by now.

I have the exact same problem! It’s been an issue since about the same time as this post. Unfortunately, it’s still an issue. If this is a False Positive, why hasn’t it been fixed yet?

Mike

Hi, my first post here. I also have the same problem. I have run MalwareBytes Anti-Malware, SUPERAntiSpyware, most of the online scanners such as Trend Micro Housecall, and they all come up clean. HijackThis log is clean. I even uninstalled Windows Defender, ran CCleaner, and performed a boot-time Avast scan. Everything comes up clean, except for the screensaver scan.

Running 4.8 Home.

Can someone confirm that this is indeed an FP? I read on another forum that it might be, or might not be. Thanks.

Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?

not a FP imho… just some unencrypted signatures in memory…

Doesn’t give a filename, screensaver scan is interrupted with a Process number, and a memory address that are used by MsMpEng.exe. Says infection JS:AGENT-AU[Expl] has been found in process #### at memory address. Process number and memory address vary.

Thanks for the fast response.

Here are the details of the last interruption of the screensaver scan:

                                 avast! Screen Saver

File: Process 636, memory address 0x040A0000, block size 262144

Number of files: 1620

                   Found virus JS:Agent-AU[Expl], testing is interrupted

The Process ### and memory address vary at every boot; the block size is always the same. The Process is always Windows Defender.
I don’t believe that I’m infected, as 12 other scans, e.g., Housecall, MBAM, SUPERAntiSpyware, all come up clean. I’m stumped.

No, it doesn’t look like you are infected, not because other scans don’t say so, but just because of bad practice by Windows Defender loading unencrypted virus signatures into memory, as Maxx_original (one of the avast virus labs team) said.

avast will check and monitor processes loaded into memory as a part of the resident scanning by the Standard Shield, so I don’t really know why the screen saver scan would detect this but not the Standard Shield, perhaps the settings that you have chosen for the scan.

I have had avast for over 5 years and other than testing have never used the screen saver scan, perhaps because I can’t be bothered with a screen saver, can’t see the point when I’m not there to watch. I would rather my monitor (and system) went into standby after a short time and save power.

I just do a manual Standard on-demand scan without archives as a part of my weekly system maintenance.

So outside of the screen saver, does avast find this on any other scans?

Hello Mate,

Thanks for the reply. avast! doesn’t find anything in a boot-time scan, nor a manual scan. I’ll look at my settings, perhaps the screen-saver scanner was the only one I have set up for a memory scan. Not surprised that the problem probably lies with Microsoft.

Thanks again for your help.

Jerry Davis

You’re welcome.

The on-demand scan if started from the avast ‘a’ icon (right click the avast ‘a’ icon, select Start avast! Antivirus) does a memory scan before it opens the Simple User Interface. This is why I thought it strange that it wouldn’t be found on that, but on the screen saver scan.