Win32:Kryptik-PFA [Trj] - False Positive ? 

system · 2015-05-06T22:56:37.000Z

I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from there original names. There’s also an index.xml file located in there with a catalog of moved files and rename information.

What I’m getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users files? Users would have to be able to get to a Command Prompt and have the .bat file on a usb thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to “move to chest” rather than “delete” the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

system · 2015-05-06T23:03:43.000Z

have aproximately 100 PCs out of 300+ reporting false positives. Avast will not let us install anything with an exe extension on the affected PCs. >:(

system · 2015-05-06T23:08:43.000Z

CK - KHQ post:72:

I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from there original names. There’s also an index.xml file located in there with a catalog of moved files and rename information.

What I’m getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users files? Users would have to be able to get to a Command Prompt and have the .bat file on a usb thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to “move to chest” rather than “delete” the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a “Manipulate Virus chest” client-side task and check the box to “Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database”

system · 2015-05-06T23:34:37.000Z

HAAAAALP post:74:

CK - KHQ post:72:

I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from there original names. There’s also an index.xml file located in there with a catalog of moved files and rename information.

What I’m getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users files? Users would have to be able to get to a Command Prompt and have the .bat file on a usb thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to “move to chest” rather than “delete” the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a “Manipulate Virus chest” client-side task and check the box to “Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database”

This is a great suggestion for those with EAC and can boot into Windows. I am going to do this once I get the next update. But my suggestion was more for those people that had there system files and video driver files flagged and moved. Those guys can’t even boot into Windows.

schester · 2015-05-07T00:25:09.000Z

HAAAAALP post:74:

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a “Manipulate Virus chest” client-side task and check the box to “Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database”

This didn’t appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?

system · 2015-05-07T00:41:55.000Z

Here are some quick instructions on how to resolve it.

Run a VPS update to the clients from the AEA console. The patch has an update release of 150506-3 which is supposed to be the fix to the false positives.
Do a quick check to see if the clients have updated to this VPS release.
Once the clients have been updated to this VPS release then you can use the AEA to run an Auxiliary task to restore the false positives from the virus chest back to the clients.

Here is a link to the AEA User guide which may help with the above.
http://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf

Cheers
Nick

schester · 2015-05-07T00:42:42.000Z

schester post:76:

HAAAAALP post:74:

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a “Manipulate Virus chest” client-side task and check the box to “Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database”

This didn’t appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?

Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren’t there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

system · 2015-05-07T01:08:46.000Z

Unfortunately I can’t seem to find the option to restore files from the virus chest by using the Small Business Administration Console. Does anyone know how to do this? Or do I have to upgrade/migrate to the EAC to be able to do this?

We had major issues with this as it affected custom software on one of our servers and would love to be able to reverse this the quickest way possible vs. visiting every machine manually.

Thanks

Michael504 · 2015-05-07T01:12:03.000Z

danf post:71:

Yup, just swapped the entire company to Bitdefender. This was out of control bad and Avast will never see another dollar of our money.

I have had bitdefender before, slows the machine down too much and it missed stuff.

system · 2015-05-07T03:38:33.000Z

Can a system restore bring back files removed during an Avast boot scan?

Before I knew about this false positive I thought my whole computer had somehow been infected. Now I’m worried I deleted essential files. I didn’t send them to the chest like I should have. :-[

system · 2015-05-07T12:35:07.000Z

schester post:78:

Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren’t there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I’ve been doing it manually as well. What a nightmare. I just had 200 computers blow up yesterday. It cost my client a LOT of money to have everyone go down like that. It ate everything from email to database software. Really really really bad. I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly. I can’t believe how bad this is. I haven’t even gotten a generic emergency support email or a “sorry” email or anything either, disappointed that there’s basically been radio silence from Avast. I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future? Not sure. Mistakes happen. The software has been very good up until this point, and they did roll out the fix-it patch same-day. I’ve had this happen with Windows Updates as well, so no company is immune to problems of this magnitude. The Avast fix hasn’t been 100% effective for every machine, but as of this morning I have 95% of my users back up & running. I understand that mistakes happen. Just a bit upset that they didn’t even send out an email notice or anything for a status update.

polonus · 2015-05-07T12:50:32.000Z

Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong big scale.
All vendors suffer from these mishaps some day or other, “someone pushing a wrong handle there”.
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus

mmanous · 2015-05-07T13:07:03.000Z

kaidomac post:82:

schester post:78:

Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren’t there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I’ve been doing it manually as well. What a nightmare. I just had 200 computers blow up yesterday. It cost my client a LOT of money to have everyone go down like that. It ate everything from email to database software. Really really really bad. I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly. I can’t believe how bad this is. I haven’t even gotten a generic emergency support email or a “sorry” email or anything either, disappointed that there’s basically been radio silence from Avast. I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future? Not sure. Mistakes happen. The software has been very good up until this point, and they did roll out the fix-it patch same-day. I’ve had this happen with Windows Updates as well, so no company is immune to problems of this magnitude. The Avast fix hasn’t been 100% effective for every machine, but as of this morning I have 95% of my users back up & running. I understand that mistakes happen. Just a bit upset that they didn’t even send out an email notice or anything for a status update.

I’ve had zero luck running the restore task as well. I temporarily disabled Windows Firewall on both my AEA server and the client I was trying to run the restore task to. It still didn’t work with both firewalls turned off.

I also discovered that I was unable to use the Remote Virus Chest feature (I’ve never had a need before now). For those that don’t know, you need to open port 135 and 16108 for the Remote Virus Chest to work. This can be configured in Group Policy. Computer Configuration → Policies → Administrative Templates → Network → Network Connections → Windows Firewall → Domain Profile → Windows Firewall: Define inbound port exceptions. At least now I don’t have to go office to office or use VNC to manually restore.

system · 2015-05-07T13:12:34.000Z

This is just great. i called support and they are saying i need to submit a support ticket. which i did yesterday I have over 100 pc down and they don’t even want to talk to you. what a POS customer service.

system · 2015-05-07T13:44:22.000Z

polonus post:83:

Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong big scale.
All vendors suffer from these mishaps some day or other, “someone pushing a wrong handle there”.
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus

The difficulty is two-fold:

Receiving email viruses that come out same-day
Quantity of users

As much as I hate not having time to test A/V updates on a test group beforehand, it’s important to have the updates come in as fast as possible because I’ve run into issues not doing that - as soon as a virus fix is identified by Avast, added to the database, and rolled out to users, they are protected. So to me, it’s worth the risk for the occasional hiccup like this to have the most up-to-date protection possible, because it has bitten me before in bad ways with zero-day exploits. Plus, I support several companies & several branches as well, so it’s not really feasible to babysit everything 24/7 due to workforce budgets being what they are.

The second issue is quantity of users. Even with backups, reverting 200 users who have physical machines & are not on a Terminal Server is a logistics nightmare. I spent all last night trying to fix things remotely & have had to go on-site to patch up all the little bits & pieces remaining. Reverting to a prior backup is possible, but then the users lose all of their work for the day (times however many users you have), versus just restoring from the vault. Although restoring from the vault hasn’t fixed 100% of the issues I’ve run into, so I’ve had to do some further work, like re-installations of certain software.

Very frustrating all around.

system · 2015-05-07T13:50:03.000Z

amit12 post:85:

This is just great. i called support and they are saying i need to submit a support ticket. which i did yesterday I have over 100 pc down and they don’t even want to talk to you. what a POS customer service.

I have not had great CS from Avast in general, which is probably my only real complaint. The pricing & feature set is great, it does a great job of detections (other than this snafu), and it doesn’t slog down your PC. I use different A/V packages depending on the client, but aside from the mediocre customer service, I’ve grown to really like the product & service because it runs well & runs reliably. So again, not sure if I will dump them after this, but their response to this issue has been rather dismal, which is very annoying when I’m stuck explaining to a paying customer why all of their computers are down & why their $100-an-hour engineers can’t work. I think they have a great product & I understand that occasionally things go wrong, but Avast needs to step it up with their customer service responses. What I’m hearing today is "Why didn’t we just stick with Norton?

system · 2015-05-07T13:53:23.000Z

has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

Pondus · 2015-05-07T14:08:19.000Z

jbarth post:88:

has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

see post #67 also here https://forum.avast.com/index.php?topic=170730.0

system · 2015-05-07T14:16:39.000Z

jbarth post:88:

has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

This is what has worked for me:

Make sure your server & clients have the latest Avast updates
Reboot the clients twice (from what I can tell: it grabs then update, then applies the update with the vault issues etc.)
2a. Restore anything from the vault that is still not working (I’ve had a dozen computers or so that didn’t play nice)
2b. Reinstall anything that won’t restore (maybe half a dozen computers that needed apps reinstalled)

As of 10am this morning, I am back to 100%. That was a long night

system · 2015-05-07T14:38:13.000Z

I agree that “mistakes happen” , especially with this type of software.

However, Avast owes it to their users to explain why this happened, and what they are doing to prevent it in the future. This was not some minor problem… but was a very serious issue that had a large impact for many paying customers. If Avast expects us to STAY as their customers, they need to respond and help us understand what they are doing internally to prevent this from happening again.

Further, considering how obviously broken that definition update was, it is clear that Avast does not do any testing of their updates prior to pushing them to production release. That’s not great.

Announcements