Possible FP? Sf.bin

Just started a full system scan with the latest updates and had C:\Program Files\Avast Software\Avast\Defs\12020300\SF.bin flagged as Win32:Trojan-gen

I scanned my avast folder, nothing found here :slight_smile:

That's weird!

Reboot your machine and scan again… still detected?

Yes and no, as odd as it sounds: the scan and real time shield say it’s a threat, but going to the virus vault and clicking to scan it comes up with no virus.

C:\Program Files\Avast Software\Avast\Defs\12020300\SF.bin
part of avast VPS....

Yea, I know it’s part of Avast, but that’s not really explaining why it’s being flagged by Avast’s scans and real time shield, but says it’s clean when I scan it in the virus chest.

hmmmm… computers… and avast works in mysterious ways :slight_smile:

Same here:

http://img862.imageshack.us/img862/7281/avast601367freeavvps120.png

[Move to Chest] and [Delete] don’t work as the file is protected by Avast against tampering.
The popup won’t go away until you make it [Block] the file.
Excluding [R][W] [C:\Program Files\Alwil Software\Avast5\defs*] from the File System Shield scanning coverage shuts it up, but ignoring it doesn’t seem to be the best idea.

Manual scan of [C:\Program Files\COMODO] turns out clean.
Manual scan of [C:\Program Files\Alwil Software\Avast5\defs] finds the “infection”.

It’s as if the VPS 120203-0 update contains a malware signature/sample which in itself is regarded a threat by Avast.
I hope VPS 120203-1/120204-0 will address this and be released soon.

Just now, while it wasn’t excluded from File System Shield scanning, I couldn’t open Firefox. Only the [firefox.exe] processes would start without showing the program window. I could open Firefox once I selected and applied [Block] in the popup.

At least I’m not the only one, should say that this is still an issue for me in the latest defs that have just come out 120203-1

I don’t know what scan it was that you were doing, but a context menu (right click), ashQuick.exe scan on the sf.bin file you mention and the whole defs folder (and sub-folders) comes up clean - VPS version 120203-1. The ashQuick.exe is effectively the most thorough of the scans.

I know, I’ve got no suspicions about it being infected or anything, I mean when it gets moved to the virus chest and I scan it there it comes up clean, but a full scan, or just scanning the file itself or containing folder flags it, and so does the real time shield.

I hate mysteries too.

Hello,

Thank you for noticing that. It’s a false positive and it should be fixed in the next virus definition update.

Thank you and best regards,

Filip Chytry
Virus Analyst

I shut down my PC yesterday around 20:00 GMT+1, not wanting to mess with it - the VPS ver. at the time was 120203-0.

Booted today at 9:30 GMT+1 and got the popup - selected block. Then I checked the VPS ver. and it was 120204-0, so I hit manual engine/defs update to make sure I had the latest VPS - ver. 120204-0 was already up to date.
I did a manual (Explorer context menu) scan of [C:\Program Files\Alwil Software\Avast5\defs] and it turned out clean. I logged off and on again and the popup didn’t show as it used to do. I guess the popup in the morning showed up just before Avast auto-updated to VPS 120204-0.

VPS 120204-0 appears to have fixed it.

As a side note:
[\12020300] (containing [Sf.bin]) is still in the [C:\Program Files\Alwil Software\Avast5\defs] folder along with the new [\12020400]. Should I do anything to remove [\12020300] (like LiveCD boot and manual delete), or just leave it there as it doesn’t cause problems anymore?

No, leave the defs sub-folders alone; you will normally have the current one plus the last one and on occasion (before avast’s own housekeeping removes it) the one before that.