Rootkit or false positive?

Ran a couple of rootkit scans and got some warnings in:
C:##aswSnx private storage\webstorage\Image\Program Files(x86)\Google Earth\pligin\geplugin.exe

There are four warnings found by avast related to Google Earth (one from Chrome), from the same path.

When I attempt to move to chest, I get this message: Error: The request is not supported (50)

I ran the Sophos rootkit scanner and it found these and a few more in this same location path (C:##aswSnx private storage\webstorage\Image…).

Sophos recommended not removing these files. Not sure why if they are detected.

Any suggestions as to what this might be or what to do?

Thanks

I found this, yet it was to be fixed. Apparently not.

Any further info on this kind of thing?


http://forum.avast.com/index.php?topic=64698.0

avast! team
avast! Evangelist

Re: Sandbox: C:## aswSnx private storage\webstorage\etc. detected as ROOTKITS by
« Reply #1 on: October 04, 2010, 03:02:47 PM »

Please ignore these warnings.

The rootkit scan doesn’t fully cooperate with the avast sandbox; that’s why it doesn’t know these files were created by avast and ignore them.
This will be fixed in the next build.

Indeed, the C:##aswSnx private storage\ folder is the Avast! Sandbox folder, a hidden folder, so it is not strange that other rootkit scanners detect it or its (legit) contents. But as you pointed out, this shouldn’t be the case with Avast!’s own rootkit scanner. No idea why it happens again now. I have sent Petr (pk) an email with a link to this topic so that he is aware of it :slight_smile:

Greetz, Red.

Thanks!

It ought to be written in the info about sandbox that the C:## aws… is an avast created area so there is no panic when even other scanners detect it.

A sticky might help awareness.

Documentation perhaps, but not another sticky; there are too many as it is.

+1 for help file info (and, maybe, FAQs).

Just want to add that Petr is traveling at the moment, so we have to be patient :wink:

Greetz, Red.

I’m glad it’s not an issue and appreciate the info. pk said in the quoted thread that this was to be fixed in the next build. This was in Oct, so I wonder what happened?

Basically the same thing happens to me when I run FF in the sandbox! :slight_smile:

It doesn’t really matter what is in the sandbox; the problem is triggered by the fact that the folder is not visible by normal means (typical for rootkits), thus any content thereof is suspicious for rootkit scanners.
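The cross-view heuristic the last post describes, as an added example in Python (not code from the thread, Avast or Sophos): entries that a raw on-disk listing shows but a normal directory listing hides are flagged, and hits beneath a known sandbox root such as the aswSnx folder are marked as likely false positives instead of being silently dropped. The path spellings, both listings and the allowlist are constructed for the demo.

```python
"""Cross-view triage of rootkit-scanner hits on hidden folders (added example,
not Avast's, Sophos' or the thread's own code). A rootkit scanner flags what a
low-level view sees but a normal directory listing does not; a sandbox root
such as the Avast aswSnx folder is hidden by design, so everything beneath it
is flagged unless a triage step knows that root. All paths are constructed."""
from dataclasses import dataclass
import ntpath

# Hidden storage roots that are benign by design (constructed allowlist; the
# Avast sandbox root is the one the thread discusses).
KNOWN_HIDDEN_ROOTS = (r"C:\aswSnx private storage",)

def normalize(path: str) -> str:
    # Some tools print the root as "C:##aswSnx ..." rather than "C:\aswSnx ...";
    # fold that spelling, unify separators and case so comparisons are stable.
    path = path.replace("##", "\\").replace("/", "\\")
    return ntpath.normpath(path).lower()

def is_under_known_root(path: str) -> bool:
    norm = normalize(path)
    return any(norm == normalize(r) or norm.startswith(normalize(r) + "\\")
               for r in KNOWN_HIDDEN_ROOTS)

@dataclass
class Hit:
    path: str
    verdict: str  # "likely_false_positive" or "investigate"

def cross_view_triage(api_view, raw_view):
    """Anything in raw_view that is missing from api_view is hidden from normal
    enumeration. Return one Hit per hidden entry with a triage verdict."""
    visible = {normalize(p) for p in api_view}
    hits = []
    for p in raw_view:
        if normalize(p) in visible:
            continue  # seen both ways: not hidden, nothing to flag
        verdict = "likely_false_positive" if is_under_known_root(p) else "investigate"
        hits.append(Hit(path=p, verdict=verdict))
    return hits

# Constructed listings: the normal API view versus a raw on-disk view.
API_VIEW = [
    r"C:\Program Files (x86)\Google Earth\plugin\geplugin.exe",
    r"C:\Windows\explorer.exe",
]
RAW_VIEW = API_VIEW + [
    r"C:##aswSnx private storage\webstorage\Image\Program Files (x86)\Google Earth\plugin\geplugin.exe",
    r"C:\Windows\System32\drivers\unlisted.sys",  # constructed: hidden, no known root
]
def demo():
    return cross_view_triage(API_VIEW, RAW_VIEW)
```

A hit under a known hidden root is still reported, only down-ranked, so a scanner bug like the one in the thread is visible rather than masked.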