Quickbooks detected as root kit !!?? QBCFMonitorService.exe

We are a Small Office Admin installation with 17 computers. 5 of them run multi-user Quickbooks.

This morning, Avast began flagging one of the multi-user services (QBCFMonitorService.exe) as a root kit on each machine.

I’m about 90% certain this is a false positive.

A) If it is, how do I add this file to an exception list?

B) Can Avast please update the virus definitions to eliminate this false positive?

  • Rob Shearer
    Alco Products

Have you uploaded and tested the file at www.virustotal.com? If it was tested before, click new scan.
Post a link to the scan result here.

You can report it using one of these options… You may add a link to this topic in case they reply here.

You can upload files and report issues to Avast here: http://www.avast.com/contact-form.php (select the subject according to your case)

You can use mail:
send to virus@avast.com in a password-protected zip file
mail subject: False Positive / undetected sample (select the subject according to your case)
zip password: infected

Or you can send files from the Avast chest.
How to use the chest: http://www.avast.com/faq.php?article=AVKB21

Just ran it through VirusTotal.

Curiously, they report that NONE of the virus def files flag it.

QB released it on Feb-25-2014 and it was scanned same day by VirusTotal.

I asked for a reanalysis and it passed with flying colors.

Here’s the link to the reanalysis on VirusTotal:
https://www.virustotal.com/en/file/fc096329405669b06239fed869cdd585566a19f54f5484987ef4fe1c51921080/analysis/1403877400/

I will also submit to Avast.

But I am puzzled.

If VirusTotal tested the current Virus def from Avast and it cleared, why was it flagged with the same virus def on my local machines as a root kit?

  • Rob

There are some differences between the home scanner and the VT scanner… you may see about VT.

Also, what exact detection name was given when it was detected on your machine?

ELF:Malware-gen        3    ALPHA    6/27/2014 8:56:46 AM
Win32:Evo-gen [Susp]   1    ALPHA    6/27/2014 8:13:14 AM

I just wanted to add that I received an Avast generated email from my computer (SERVER) at my remote office location. The email reads:

avast! [SERVER]: File “SVC: QBCFMonitorService > C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe” is infected by “Win32:Evo-gen [Susp]” virus.
“Full system scan” task used
Version of current VPS file is 140626-1, 06/26/2014

I have not physically been to that location to evaluate the issue further. However, that particular computer is hosting our company’s Quickbooks file and is currently being used in multi-user mode. Reports from users at that location are that Quickbooks seems to be behaving normally over the network.

@rgshearer, have you added this to the exceptions list in Avast? If so, will you post your findings once you’ve determined whether this is a false positive or not?
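
Added example (not part of any post in this thread, and not Avast or Intuit code): before excluding the file, one useful check is whether the binary flagged on a given machine is byte-for-byte the file VirusTotal analysed, by comparing its SHA-256 with the hash in the VirusTotal URL posted above. The function names are hypothetical, and the alert layout is assumed from the single e-mail quoted in the thread.

```python
import hashlib
import re

# SHA-256 appears in the VirusTotal analysis URL posted in the thread.
VT_URL = ("https://www.virustotal.com/en/file/"
          "fc096329405669b06239fed869cdd585566a19f54f5484987ef4fe1c51921080"
          "/analysis/1403877400/")

# Alert line as quoted in the thread. The "SVC: <name> > " prefix and the curly
# quotes are assumed from that one sample; other alert layouts are not handled.
ALERT = (
    r"avast! [SERVER]: File “SVC: QBCFMonitorService > C:\Program Files (x86)"
    r"\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe” is infected by "
    r"“Win32:Evo-gen [Susp]” virus."
)

ALERT_RE = re.compile(
    r"avast! \[(?P<host>[^\]]+)\]: File “(?:SVC: [^>]+> )?(?P<path>[^”]+)”"
    r" is infected by “(?P<detection>[^”]+)”"
)


def parse_alert(text):
    """Return host, file path and detection name from an alert line, or None."""
    m = ALERT_RE.search(text)
    return m.groupdict() if m else None


def sha256_from_vt_url(url):
    """Extract the 64-hex-digit file hash from a VirusTotal /file/<hash>/ URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", url)
    return m.group(1).lower() if m else None


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def same_sample(local_path, vt_url):
    """True only if the local file is byte-for-byte the file VirusTotal analysed."""
    expected = sha256_from_vt_url(vt_url)
    return expected is not None and sha256_of_file(local_path) == expected
```

A match means the VirusTotal report covers the same bytes that were flagged locally; a mismatch means that report describes a different build or a modified file.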

http://www.getavast.net/support/virus-chest

…then find the text, “Restore and add to exclusions” under step 2).

I’m running Endpoint Protection (with Small Ofc Admin).

Virus Chest is an option under the maintenance tab.

But when I right-click on a file, there is no option to “Restore and add to exception list”.

  • Rob
    (QBCFMonitorService.exe reported as rootkit this morning. VirusTotal reports it as clean. Have submitted false positive report to Avast)

I found this on one of my computers with TDSSKiller, but then I ran it again, and it didn’t come up in the scan, so it must have just been a false positive.