Sending virus info to virus chest.

There is an option to send files considered a virus by Avast from the virus chest to Alwil by clicking on FILE and selecting SEND TO ALWIL.

My problem is that it needs SMTP settings apparently because I get the message (paraphrase): Message could not be sent… make sure SMTP settings are correct in program settings.

What I have done is set the following:
SERVER ADDRESS - to what my server address setting is in my email program.
PORT - to my port address in my email program.

I have also set my user name and password to the related settings for the CURRENT EMAIL IDENTITY that I am using in OUTLOOK EXPRESS. Does it matter which email IDENTITY I use? I would think that it wouldn’t matter except that it should be the one that I would want Alwil to reply to.

There is just one setting that I have no idea what it should be ???

FROM ADDRESS: What is this supposed to be set at ???

I was not able to find anything on this in the forum, but I’m sure there is so can someone please direct me to the right place for this.

As far as the virus that was found it happens to be a “worm” virus that Avast has found which I think is probably a FALSE POSITIVE because it was in the following path:

Program files\CLAMWIN\LIB\Balloontip.pyd

Since it is in the library folder for ClamWin Antivirus scanner program file I am suspicious that it is a false positive just as I had another false positive last time a virus was found in the Cleansweep program file folders.

If anyone knows anything about this virus that Avast found that would be great as well. I know there are some on this forum that do use ClamWin as an auxiliary virus scanner.

Thanks for the help in advance. ???

avast should use your default email account in OE, when you selected the Send to Alwil software, on the pop-up dialogue window, leave the settings alone, don’t change the MAPI ‘Protocol to use’ to SMTP (just enter some additional information in the box and click Send mail), if I change it to SMTP it also fails.

The email is compiled and will be in your outbox awaiting being sent.

lakrsrool,
You are probably correct in your assumption of a false positive. Balloontip.pyd is the popup event notification for ClamWin. If you still have any problems sending the file from within avast! alternately you can mail the file directly from your email client. Create a password protected zip file with password like “virus” and send to virus@avast.com. Be sure the password is in the email body and a short description of the issue. In the meantime just exclude the ClamWin folder in C:\Program Files\ClamWin\ and the quarantine folder in C:\Windows\Profiles\All Users\.clamwin\quarantine until the issue is resolved with a virus base update. Good luck!

Win98 Millennium Edition 4.10.222a/4.90.3000
No IE, no Outlook, no WSH, and no infections ;D

rayi7332 wrote:

lakrsrool, You are probably correct in your assumption of a false positive. Balloontip.pyd is the popup event notification for ClamWin. If you still have any problems sending the file from within avast! alternately you can mail the file directly from your email client. Create a password protected zip file with password like "virus" and send to virus@avast.com. Be sure the password is in the email body and a short description of the issue. In the meantime just exclude the ClamWin folder in C:\Program Files\ClamWin\ and the quarantine folder in C:\Windows\Profiles\All Users\.clamwin\quarantine until the issue is resolved with a virus base update. Good luck!

I have emailed to virus@avast.com in the past, I would zip the file but I never figured out how to password protect the zip file. Regardless, I guess Alwil got the email message okay that time as the false positive was fixed.

I think maybe I’ll just restore the file from the virus chest for now and wait on a virus signature data base update. I could exclude the path but I really don’t see the point based on what you have reported here on that file.

Btw, what is the need to exclude “C:\Windows\Profiles\All Users\.clamwin\quarantine”? Wouldn’t that be ClamWin’s quarantine folder?

For future reference, how DO you PASSWORD protect the zipped file (I am using WIN98SE)?

Thanks for the help. :slight_smile:

DavidR wrote:

avast should use your default email account in OE, when you selected the Send to Alwil software, on the pop-up dialogue window, leave the settings alone, don’t change the MAPI ‘Protocol to use’ to SMTP (just enter some additional information in the box and click Send mail), if I change it to SMTP it also fails.

The email is compiled and will be in your outbox awaiting being sent.

Yea I know I sent both attempts from my email when I went in to OE.

As far as Avast using my default, I had left it alone and used the MAPI settings as it was but I was getting a username and password prompt that wouldn’t seem to work since it would just keep popping up.

So I tried using SMTP, at least I wasn’t getting the continual username/password email prompt.

As far as the “default” email account, I use the Identity option in OE to separate my email accounts, so I presume Alwil would use whatever I have set for default in OE for whatever Identity I am currently using.

So since SMTP fails as you say and I can’t get MAPI to avoid the username/password prompt that won’t allow me to send email I guess emailing virus info from the virus chest just doesn’t work. ???

I had just assumed SMTP wasn’t working for me because I have no idea what to set the “FROM ADDRESS” value to. I had all the other settings correct as far as Port & Server address.

Thanks for the help. :slight_smile:

lakrsrool,
When you’re creating a zip archive there should be an advanced options area. Look for the set password option. Also look for it in the preferences. I use IceOWs so I don’t know where exactly this option is in other zip utilities but it’s there. This option will encrypt the zip file so virus scanners at the email gateway won’t capture it. As far as excluding the ClamWin quarantine goes, most AV vendors encrypt and rename the files in the quarantine, virus chest, and also give the folder attributes as “read only” and “hidden” to keep them benign and to keep other AV’s from detecting them. ClamWin just prepends “infected” to the virus name, that’s it, so any other AV will detect and alert to it. Hope this helped :slight_smile:

In winzip it’s under the options heading at the top of the screen. Or when creating a new archive, it’s at the bottom right of the page. Leave the mask password box unchecked.

Thanks for the info on Winzip oldman :slight_smile:

I have emailed this virus from my virus chest one week ago today from my outbox.

DavidR wrote:

The email is compiled and will be in your outbox awaiting being sent.

There have been several Virus Signature data base updates since then so I was really surprised to find that it still remains in the Virus Signature data base as a result of my scan today.

rayi7332 wrote:

Balloontip.pyd is the popup event notification for ClamWin.

Does anyone know how long it will be before it is removed from the data base as it appears to be a false positive based on the post above?

If it really is a virus that will be a surprise to me since I had already restored it a week ago and have not had any problems that I know of.

I have now moved it to the Virus chest again for precautionary measures since it is still considered a virus a week later.

I have emailed it from my sent folder again today. Maybe I should email it again directly from my email client as was suggested but I am seeing all of these emails in my sent folder so I would assume that Alwil is receiving them.

Since it has still not been removed from the data base I am not sure what to think at this point so under the circumstances, will I be notified from Alwil if this really is a virus?

Thanks for the help.

One way to confirm one way or another if it is a false positive is to check against a multi-engined scanner (if you haven’t already done so), if only avast detected it then it is a fairly safe bet it is an FP.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.

Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

Thanks DavidR, Avast was the only Scanner that found it to be a Virus using both of the links you supplied. That first link had 30 other scanning engines so between these 2 links I feel confident that it is a false positive. I’ll try and keep these two links in mind if this happens again.

I just thought that Alwil would have updated their data base after a week following my email to them so I became concerned.

One thing is for sure it is certainly much better to get an occasional false positive than for just one real virus to get through. ;D

Thanks again DavidR, better to be safe than sorry so I’m feelin cool. 8)

avast are usually very quick in correcting any FP.

If you still have the sample I would send it again with false positive in CAPS in the subject title and include that avast was the only AV to detect it in VirusTotal, etc. I would also include a link to this Topic.

I assume you managed to get the path working in the exclusions (sorry I missed that in your previous post)?

I would have thought you needn’t exclude clamwin’s quarantine if it is encrypted (and I would like to hope so), avast shouldn’t be able to scan it.

If this is the correct location of the quarantine (I don’t use clamwin) then adding an * wildcard would exclude it and all files, C:\Windows\Profiles\All Users\.clamwin\quarantine*