This has been a pretty recent event. Every time I launch this certain program, Avast detects something in the temporary folder of the program. It is a known program and I have uninstalled it and reinstalled it and received the same response.
1. How was it detected? What was scanning, you yourself or the background scanner? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?
opening Livid’s Union-resident protection picked it up
2. What was the source of the file, where did the file come from? E.g. address, URL, source.
C:\Documents and Settings\CeeKay\Local Settings\Temp
3. When was it downloaded or received?
It is created on program launch
4. What is the exact file name with extension?
Name changes. The last two were
mxe31D.tmp
mxe26F.tmp
What was the exact wording of the message that the AV program came up with? This is important for later.
“file name.tmp” contains a sample of Win32:Malware-gen
With 8 detections on Jotti I would tend to side on the avast detection being good.
However I would suggest uploading to VirusTotal, which has 41 scanners (VirusTotal - Multi engine on-line virus scanner), and reporting the findings here: the URL in the address bar of the VT results page.
So what is this certain program that you are launching which generates the detected files?
I don’t really understand this “opening Livid’s Union-resident protection picked it up.” So is this the certain program I’m asking about?
More importantly, by ‘resident protection’ are you talking about another antivirus/security application?
If so then, a) having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable or, b) avast could be detecting its unencrypted signatures or, c) files that it opens for scanning.
This is a different file to the one you uploaded to Jotti and isn’t in the same file name format that you have reported before, e.g. mxe26F.tmp.
So it would have been better for comparison if that file were uploaded to VT.
Interesting that not even avast reports that file as infected on virustotal (so did your installed avast alert?)
I think it is the same file: same sha, same md5, same size, definitely same file. The date on VT is 31/10/09; send again, you will probably get ‘already analyzed’, choose re-analyze.
Many of the detections are generic (including avast); this makes an FP a possibility, certainly more doubt.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Once submitted, periodically scan the sample in the chest (every few days) and if it is no longer detected then it looks like it was an FP and has been corrected. That should hopefully resolve the detections on the temp .tmp files, normally I would suggest excluding the file/s from scans, but this is going to be difficult given the random naming issue.
Are there any settings in the program that can change the location for temp files? If so, you could exclude that folder and .tmp files from being scanned, e.g. ‘c:\Union_Temp\*.tmp’ without the quotes, assuming you can change the default temp location for the program to Union_Temp, etc. The *.tmp bit would exclude all .tmp files using the * wildcard; care has to be taken to ensure you don’t leave a big gap in security, hence the creation of a unique folder for union temp files and only excluding the .tmp file type…