Win32:Radmin-B [Tool] ???

Was using vnc to connect to my home pc (through my BSD-server) from work.
After an hour or so the connection just died, couldn’t log in on my server or ping or anything.
After a while it was back up again. I guess my ISP had some problems…sometimes the net goes down for a little while.

Anyway, when I get back from work I see this Malware-warning from Avast…in WinVNC.exe, and after I moved that to the chest I get another one for some VNC dll-file.

http://seb74.no-ip.com/malware.jpg

How the hell could a virus come in and all of a sudden infect my vncserver and nothing else???
Don't know what this Radmin-B is, and as seems to be usual with Avast I don't get any info about it either.
Should I worry, or is it just some mistake by Avast, claiming my tightvnc-server to be/have a virus/malware?

Many thanks if someone can help :slight_smile:
As it is now, with two of the files in the chest, I can't run the vncserver and can't log in to my windows-machine remotely.

First confirm that they are correct detections.

Is this a program you have been using for some time, and does the path to it …\tightvnc.… correspond to its location?

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan). When it is no longer detected, remove it from the exclusions.

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

It is a program I’ve used for half a year or so (same version, backed up on the server and last time reinstalled after format of XP-machine like a month ago).
Have made full system scans, last one about a week ago, and nothing found.
Now all of a sudden, in that particular file, it warns for this malware (that I don't have a clue what it could be).

I’ll do as you said, take it out of the chest, and try one of those online-scanning sites you linked to.

The path sure is right, since I can't restart the service (winvnc is installed as a service in XP) anymore.

Oh crap, I try to upload, but when I do, Avast screams at me and the only thing I can choose (except put in chest or delete or move) is “No Action”, which seems to disable the file some way, because when I upload, it scans and says “no virus found” but on filesize it says 0 bytes, so Avast probably ruins my upload of the file.

I’ll try to disable Avast…not very good maybe, but what else to do :S

http://seb74.no-ip.com/malware2.jpg

For some strange reason I can't open a gif or png from firefox if I put it on my webserver…very strange. Oh well…I guess the feedback from this online scanner can be interpreted as WinVNC not being a virus, but Avast and some others treat it as a dangerous program that you shouldn’t have installed if you don't know what it is.

Right???

And one explanation it showed up all of a sudden is that Avast just recently made the decision to put a “warning” on this application…right again???

I have had Tightvnc installed for years with Avast. All of a sudden today it is reporting that C:\Program Files\TightVNC\WinVNC.exe is malware.

Malware Name: WIN32:Radmin-B
VPS version 5-22-06

I suspect that this is bogus and someone screwed up with the latest definition but came here to find out and this is the first thread I found on it. Can anyone confirm that this is a bogus alert?

edit: bah, I now have to disable avast because after clicking no-action it keeps complaining about vnchooks being a virus.

That's great :slight_smile:
I now feel 99.9% confident there is no virus, it's just Avast that is extremely overprotective and unclear :wink:

Great to have this forum though. As soon as there is a problem, log in and ask, wait a maximum of 5 minutes, and you have an expert opinion/explanation on it :slight_smile:

I think that it is more likely to be the fact it could possibly be used for alternate purposes rather than bogus/false detection. The same sort of thing happens with key loggers; it is difficult to identify the purpose. So these things happen. 5 AVs alerted on it; since Kaspersky, McAfee, Microsoft and another AV also detect this in one form or another, I wouldn’t directly call it a bogus/false detection outright.

If you are happy with it, do as I suggested: add it to the exclusions and send samples to avast so that they can improve the VPS signatures, but it may be that it won’t change because of the potential for misuse.

Saying “this might be an unwanted program” is a bit better than saying “You have malware Radmin-B, no more information available”.
That could scare the shit out of anyone :smiley:

Thanks a lot for the help :slight_smile:

EDIT: Great, now I can't start the service again because Avast fucked it up. I’ll have to reinstall VNC :frowning:

You are like me and use it to access your home PC. However, this could be very bad for IT admins that use Tightvnc for PC support on their supported desktops along with Avast. Can you imagine, particularly if there are a lot of PCs with both products.

That is unless the Pro edition does not include tightvnc in the definition. But even forgetting that, what about all the people like you that are away on travel or business that use Tightvnc to access their home PC.

I suppose a lot of people are out of luck right now, until they get back to their desktop. Do not get me wrong, I think Avast is a great product, but I question the reasons for having Tightvnc suddenly added as a virus or malware when it is not.

You’re sure right about that.
And the hassle to get it working again afterwards :frowning:
Firstly it somehow ruined the installation, so I had to reinstall.
Then, even though I put the whole folder in “excluded”, that didn’t help, because that was just for manual scanning. To exclude the files from resident protection I had to go in under several options and manually type in the path…I’m not even sure I did it right (how to use wildcards and such) but I put in “C:\Program\TightVNC*.*” and it seems to work now…who knows though…

I’m still trying to find out if this is a bug or feature… :slight_smile:

Actually, there is one more action you can perform when Avast! puts up a malware warning. It’s easy to miss because it doesn’t have a big button to click on like the others.

Click the “X” in the upper right hand corner of the dialog in order to close it. Avast! will then allow whatever program it blocked to continue executing.

You are then responsible for any infection you get as a result.

Dan

I have the same problem. Can Avast be intentionally affecting tightvnc for monetary reasons?
I have problems with all computers in my office LAN.

Hmm, I had the same problem and thought I tried the X but remember it kept alerting anyway. I suppose closing on the X will not help since vnc is always loaded in memory. I ended up excluding the VNC directory and vnc is working fine now.

edit: U2KZoo51's post is a perfect example of what I was saying a few posts back. Very bad policy to list legitimate applications as malware.

The second, third etc. dialog pops up because Avast found a different component of VNC, or because some portion of VNC was swapped out and then re-read to be swapped in.

In other words, close three or four of these alerts, and you won’t get any more for a few minutes.

But of course the medium-term solution is to put your VNC folder in the exclusions list for the on-access scanner.

Dan

I found this discussion very helpful. Until this morning I have had very few Avast Malware warnings. Immediately after the regular Avast virus database update, I got a Malware warning for tightvnc. Then I got a warning about Malware in memory and the desirability of shutting down and doing a scan pre-WinXP startup. This showed up 3 more viruses: Win32:Adware-gen, Win32:Radmin and Win32:Kuang2 infecting very old and little used files.

I am suspicious that maybe there’s something wrong with the current Avast virus definition database. :-\

I have to agree. I’ve been using TightVNC to admin every desktop on my network for a number of years now. This shouldn’t be a virus warning. At worst, it should be a warning that an application you may not want installed is there. Having to click the X to disable the warning seems rather cryptic when there are so many other options in the dialog (I hadn’t even considered that a possibility until someone mentioned it).

I had to disable Avast! for the time being because putting the VNC directory into the Exceptions didn’t help the running process. Hopefully the next VPS update removes this restriction. If not, I’ll have to start looking into another solution.

You need to put the VNC path in two places, possibly with * or . on the end:

Right-click on the Avast sphere. Then, On-Access Protection Control → Standard Shield → Customize → Advanced → Add. Once you’ve put in the path, Enter and OK your way out.

Right-click on the Avast sphere. Then, Start Avast! Antivirus → up-arrow in upper left corner → Settings → Exclusions → Browse. Then browse to the path for your VNC app, and Enter/OK your way out.

Dan

Aah, that’s the part I was missing. Hidden a bit. Looks like it’s happy now. Thanks