Virus Found - scan no virus - it's in the virus vault - confused about restoring

Hi,

I got a message that Avast file system shield found a virus (/win32: malware gen Program Files\HP Digital Imaging\bin\document manager\hpqDM.exe). I scanned the bin file and avast said no virus found. I did not have the choice to ignore - I only had move to chest, delete and block. So I okayed move to chest. I also went into the chest and scanned it there - it says no virus. When I try to restore the file, it tells me that the file already exists and do I want to overwrite the file. I don’t see the file in the location Avast said it was in and I don’t know what to do.

Also, when I first told it to restore the file, I had to give the admin password to continue (Vista pc) and the screen went black but the file remained in the chest and I got no message the file was restored. Here are a few screenshots.

Thank you for your help.

Sincerely, Libra

I’m attaching the first screenshot which is the Virus Found notice. I am not seeing the file in the location Avast says it is and I don’t know if I should tell Avast to overwrite the file (from the Virus Chest). This appears to be an HP file for my printer and Avast shows no virus when I scan it - I’ll take a screenshot of that scan from the Virus Chest too.

I’d appreciate any advice about this. Thank you.

Sincerely, Libra

From your image it looks like your File System Shield is set to Ask (which I have mine at also).

If you set it to Auto, the alert window allows you to select the option to Report as a False Positive. This may be something worth trying, as it should also transmit general information on the detection.

I think part of the issue is that it is svchost.exe launching this file and there are many instances of malware using svchost.exe (a legit windows file, services host) to launch other malware. So I think that this generic signature (the -gen in the name) is too aggressive in this case.

That is probably why when scanned in isolation (not launched by the svchost.exe) nothing is found.

Hi David,

Thank you for your reply. I do have the File System shield set to ask. (Chances are I wouldn’t know if something was infected or not until I scanned it with Avast, or at jotti - which seems difficult to do when the virus alert shows up.) I just went into the settings and don’t have an auto to select. I have Repair, Move to Chest, Ask, Delete and No Action.

I agree, I don’t really think this file is infected since it’s a printer file. But at the present time that file does not show up in the path Avast listed (even though it says it already exists).

I think when I went into the chest there was an option to send the detection to Avast. If so, that would have to be done through the program because I have webmail.

I haven’t used the printer since that detection to see if it is affected.

Sincerely, Libra

  1. The Auto relates to the file system shield, expert setting, Actions. There you can choose what action to take automatically rather than Ask. By default that should have been move to chest, so someone must have changed that.

By selecting Move to Chest, this will then give the kind of alert image that I posted, which gives you the option of reporting the detection as a false positive.

  2. Open the chest (avastUI, Maintenance, Virus Chest) and check if the file is there. If so, right click on it and select 'Submit to virus lab'.

  3. I would certainly check if the printer is working without that printer and let us know.

Hi David,

I changed the action setting back to send to chest. I went into the Admin account and sent the file to Avast as a probable false positive. And, this computer being Vista, I was able to see the restored file where it belongs (but cannot see it in a standard account). I tried to use my printer last night and it went through the motions of printing, but no ink was on the page. This happened about 2 months ago, so I don’t think it had anything to do with the file being moved. I checked out the HP support area and was able to get the printer to print.

I imagine I can delete the file from the chest at some point?


I was going to make a new thread, but if you don't mind I'll mention it here. I checked our Windows 7 computer and that shows 8 files relating to Acer Games as Win32:BogEnt [Susp].  I scanned each one in the chest and Avast said "no virus".  I then put them in a Suspect folder and scanned with jotti.  All showed no virus with the exception of two that AVG saw Win32/Heur but the other 19 found nothing.

These files are JQSolitaire3-WT.exe, TPIR[Windows]-WT.exe, Virtual Villagers-WT.exe, BlackHawk2-WT.exe, Escape Rosecliff Island-WT.exe, Golf-WT.exe, Polar-WT.exe and Scrabble Plus-WT.exe.  All are located in C:\Program Files\Acer Games ...

The chest now shows "no virus" following each entry.  Can I restore those files - I don't know if Avast knows about them or not?  Should I be submitting them as a false positive?  

Thanks for your help.

Sincerely, Libra

If the file is back in the original location, then it should be OK to remove the copy in the chest.

This is why it is important to move files to the chest rather than delete, as detections can change; if it is a false positive the detection will be corrected. So if you subsequently scan a file from within the chest and it is no longer detected, you can use the Restore option from the chest. Avast would know about them as first they were considered infected, but not now, so the detection signature has been changed (an indication of an FP).

####
For the future - You could also check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to Open the chest and right click on the file and select ‘Extract’ it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

Hi David,

You are very helpful and I want to let you know that I appreciate it very much. I feel all is well now with both computers and I bookmarked the Virus Total site for future reference. Thank you for explaining that after the file was restored if Avast didn’t target it again, it knew it was a false positive.

Thank you again for all your help. :)

Sincerely, Libra

No problem, glad I could help.