VME FP fix?

Hi. I’m a newbie to the forum. I’m using Avast 4 on my home laptop and over the last few days it’s been popping up a warning about “VME Family detected”. I’ve tried variously: deleting it, moving it and doing nothing with it, but it reappears when Skype boots up every morning!

The supposedly infected file is just a Skype chat log, and looks quite unexceptional. I’ve tried deleting it manually but it keeps reappearing. I can’t find any useful info on VME on any database. So I searched this forum - and found a thread in April in which it was agreed this was a False Positive, and a fix was said to be coming. Has it been done yet? If not, is there any way to disable the warning I’m getting? It makes me jump every morning! :-\

greenbrain

What is the infected/suspect file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Thanks for the comprehensive reply.

The infected file is: C:\Documents and Settings\Barry Croft\Application Data\Skype\greenbeard955\chatsync\d9\d9baf4e01c09e52d.dat. See the attached screenshot. I’m on a Dell Inspiron 6400 running XP Pro, Avast 4.7 Home, and Skype 3.1.

The log says ‘Sign of “VME family” has been found’ (VPS 000752-0, 25/06/2007). This actually started on 20th June after a Skype text chat with a client. I can recreate the Avast alarm at will by re-opening Skype.

Even though I’ve manually deleted the file from the above location it reappears when I access Skype afresh.

It wasn’t caught in Standard Shield, it was in Instant Messaging. I don’t want to switch off Skype scanning though.

Now the file has reappeared I’ll try an online scanner as you suggest, and will report what it finds…

Well I’m still waiting in the queue at VirusTotal!

McAfee’s on-line scanner didn’t detect it - but did find 2 other files in my Application Data folder infected with Downloader-BCS. ???

Hmmm…

The VirusTotal results are in:

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.6.21.1 | 06.26.2007 | no virus found |
| AntiVir | 7.4.0.34 | 06.26.2007 | no virus found |
| Authentium | 4.93.8 | 06.25.2007 | no virus found |
| Avast | 4.7.997.0 | 06.26.2007 | VME family |
| AVG | 7.5.0.476 | 06.26.2007 | no virus found |
| BitDefender | 7.2 | 06.26.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 06.26.2007 | no virus found |
| ClamAV | devel-20070416 | 06.26.2007 | no virus found |
| DrWeb | 4.33 | 06.26.2007 | no virus found |
| eSafe | 7.0.15.0 | 06.26.2007 | no virus found |
| eTrust-Vet | 30.8.3743 | 06.26.2007 | no virus found |
| Ewido | 4.0 | 06.26.2007 | no virus found |
| FileAdvisor | 1 | 06.26.2007 | no virus found |
| Fortinet | 2.91.0.0 | 06.26.2007 | no virus found |
| F-Prot | 4.3.2.48 | 06.25.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 06.26.2007 | no virus found |
| Ikarus | T3.1.1.8 | 06.26.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 06.26.2007 | no virus found |
| McAfee | 5060 | 06.25.2007 | no virus found |
| Microsoft | 1.2701 | 06.26.2007 | no virus found |
| NOD32v2 | 2355 | 06.26.2007 | no virus found |
| Norman | 5.80.02 | 06.26.2007 | no virus found |
| Panda | 9.0.0.4 | 06.26.2007 | no virus found |
| Sophos | 4.19.0 | 06.24.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 06.26.2007 | no virus found |
| Symantec | 10 | 06.26.2007 | no virus found |
| TheHacker | 6.1.6.137 | 06.26.2007 | no virus found |
| VBA32 | 3.12.0.2 | 06.25.2007 | no virus found |

So only Avast thinks it’s anything, i.e. it’s a False Pos.

I tried to report it via email but when I tried to attach/send the file via Outlook (a) Avast reported it as a virus and (b) Outlook wouldn’t accept it.

Rather than take any chances though I’ve now disabled Restore and deleted this (False Pos) file, and also deleted the two infected files McAfee found that Avast missed.

I know Avast is free so I can live with the odd false pos, but it’s the false negatives that worry me!

I suspected it might be a false positive because of it being detected in a chat log as you mentioned.

You need to zip and password protect the sample otherwise it will be detected.

You didn’t mention the file names or location of the 2 you say McAfee detected?
Downloaders are trojans and I would say you also want to add an anti-spyware tool to your system. No one program is likely to give 100% protection.

If you haven’t already got this software (freeware), download, install, update and run it periodically.

  1. If using winXP AVG anti-spyware (formerly Ewido). Or SUPERantispyware Or Spyware Terminator. Or a-Squared free if using win98/ME.

Did you apply the same test (VirusTotal, etc.) for the 2 detected by McAfee?

I’ve added just that one log file to my Exceptions, but still when Skype starts the Avast alarm goes off. That’s after disabling Restore, deleting the file manually and rebooting! So perhaps Skype writes that file afresh on startup? NOW what do I do? I’m sure it’s not a virus, so the question is how to disable Avast. ???

The files detected by McAfee were:

java.class-1fbec264-2c4065f5.class
and
312bcf5-38ee583f

I forget exactly but both were somewhere deep in my Application Data subdirectories, in the Java folders I think. Both were about 26k in size and I’m afraid that rather than wait another hour for the VirusTotal queue to check, I deleted them right away.

…which begs a question: if Skype always writes that file (and BTW it’s only 1k), why did the alarm suddenly start on 20th June? Could it be that that day’s Avast update (and subsequent) are misidentifying it, when previous ones ignored it? That should help you pin the false pos down I hope.

  1. The file will always be created if it is a chat log; you have to exclude it from scans as I said in my first reply. There are two locations to exclude. You have probably failed to add it to the standard shield exclusions or the path you have given is incorrect. What is the exact path you entered?

  2. They are possibly Java exploits.
    Ensure you have the latest version of JRE (Java Runtime Environment) because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
    Then get the latest update from here: http://www.java.com/en/download/index.jsp

  3. Things change: signatures are added to the VPS, or the compilation of the log might change and a data string then matches a signature. The only way to resolve that is by submitting the sample as a false positive detection as I indicated in my first reply.

I’ve excluded the path I gave you in my second post (in Standard Shield) - but what’s the other location you refer to?

The only option I seem to have in the Instant Messaging section of Avast - which is where the ‘virus’ was reported - is to turn off Skype scanning entirely, which I’d rather not!

I’ve just zipped, protected and emailed the offending file to virus(at)avast.com, copying them our conversation too, so we’ll see what they have to say.

Thanks again for the great support. ;D

The other location relates to on-demand scan and is in Program Settings, Exclusions, Add (also in the first reply). However if this is being detected in the Instant Messaging provider then I’m not sure that the standard shield exclusion would work. I don’t use IM applications so I don’t talk from personal experience.

I don’t know if using the short folder name might work, C:\Docume~1\Barry ~1\Applic~1\Skype\greenb~1\chatsync\d9\d9baf4e01c09e52d.dat

Or using the * wildcard C:\Documents and Settings\Barry Croft*\d9\d9baf4e01c09e52d.dat

I have to admit that I try to avoid folder names with spaces if possible, so you could also try enclosing the path in quotes “C:\Documents and Settings\Barry Croft\Application Data\Skype\greenbeard955\chatsync\d9\d9baf4e01c09e52d.dat”

I’ve now put ALL the above permutations into Avast’s Standard Shield exclusions, but the alarm still goes off every time I start Skype. Possibly the problem is that protection won’t stay on ‘custom’ - I select it, but next time I open it it’s defaulted to ‘high’. Sigh.

What’s needed is a fix for that false pos. Needless to say I’ve had no reply yet.

As I said if the alert is coming from the Instant Messaging provider, then the exclusions will probably have no effect as it isn’t the standard shield or on-demand scan detecting it.

The slider has no effect in the IM provider as there are no customising actions that can be performed other than disabling the IM Program/s in the list. This may be what you have to do in the meantime or terminate the IM provider.

Did you resubmit the file after the problem you had trying to send it?

You need to zip and password protect the sample otherwise it will be detected.

If the submission is marked as a False Positive in the email subject

Send the sample to virus@avast.com zipped and password protected with password (‘virus’, will do) in email body and false positive in the subject. Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

You will not normally receive a reply unless they need more information. Any reported false positive is usually corrected quickly, but you have to have followed the submission as above to ensure that it doesn’t get intercepted and avast not receive it.

I did all that exactly as per on Tuesday, and have had no indication either way whether it was received or bounced.

I’d rather live with the alarm going off once a day than disable Skype protection, thanks!

I thought I’d come up with a Cunning Plan today when I switched off scanning of created/modified files, but no, the alarm is still there!

Can I safely switch off ‘scan files on open’?

Well there may be other things that enter the mix, if this was for instance an exe file avast would stop it being loaded. So I don’t know how avast would totally stop it from executing even if you select No Action, it won’t allow files it detects as infected to run.

How this would work with a .dat file which isn’t executable I don’t know if it would block access to it, but that would show up if there was no chat log I guess and theoretically every time something accessed it the standard shield would alert depending on settings (High sensitivity, scan created/modified files, all files or scan only files with a selected extension).

So I’m a little baffled as to why it only alerts once a day, because surely it is accessed and modified many times a day, which is why I suggested disabling.

You could uncheck scan files on open, but since this is a standard shield setting it would have no effect on the issue you are reporting. So personally I would leave it alone unless there is another reason why you want to do this?