Windows 7 Professional - WinDefend

Hello,

I’m testing Windows 7 Professional at work - general deployment planned for next year.
I have Avast! Pro 4.8 running on this machine, managed from an ADNM.

At each weekly scan, about 6 detections appear:

avast! [LPT00057]: File “Process 3200, memory block 0x045B0000, block size 262144” is infected by “Win32:Zbot-AVH [Trj]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

avast! [LPT00057]: File “Process 3200, memory block 0x04450000, block size 262144” is infected by “Win32:Small-gen2 [Trj]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

avast! [LPT00057]: File “Process 3200, memory block 0x043D0000, block size 434176” is infected by “Win32:Small-HUF [Trj]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

avast! [LPT00057]: File “Process 3200, memory block 0x042E0000, block size 262144” is infected by “JS:Pdfka-SP [Expl]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

avast! [LPT00057]: File “Process 3200, memory block 0x04230000, block size 262144” is infected by “Win32:FakeAlert-GY [Trj]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

avast! [LPT00057]: File “Process 3200, memory block 0x04190000, block size 262144” is infected by “BV:AutoRun-E [Wrm]” virus.
“Mario’s Scan” task used
Version of current VPS file is 100408-1, 08/04/2010

When I look up the process with PID 3200, I find Windows Defender (WinDefend) under Services, while under Processes I see svchost.exe listed with PID 3200.
I have already done a scheduled boot scan, but I still see these detections this morning after the boot scan finished.

Should I consider this a false positive? Does Avast! find viruses in the Windows Defender library (similar to Avast finding viruses in the ClamWin libs)?
If I should register Windows Defender as an exception (so it is not scanned), what exactly should I register?

Thanks,
Mario

Yeah, these are FPs resulting from the scanning of Windows Defender signatures. It happened in V5 a while ago and got solved. I think you should upgrade to V5 :wink: … unless not possible from ADNM, I have no idea…
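A triage sketch for the detection lines quoted in the first post, as an added example that is not part of the thread and not Avast tooling: it groups in-memory hits by process and flags a process whose hits span several unrelated platform prefixes. The regex is derived only from the lines shown above, the `min_platforms` threshold is an assumed heuristic, and the PID 4012 and file lines are constructed.

```python
import re
from collections import defaultdict

# Sample log: six PID 3200 lines as quoted in the thread, plus two constructed
# lines (PID 4012 and a file detection) to exercise the other code paths.
SAMPLE_LOG = r'''
avast! [LPT00057]: File "Process 3200, memory block 0x045B0000, block size 262144" is infected by "Win32:Zbot-AVH [Trj]" virus.
avast! [LPT00057]: File "Process 3200, memory block 0x04450000, block size 262144" is infected by "Win32:Small-gen2 [Trj]" virus.
avast! [LPT00057]: File "Process 3200, memory block 0x043D0000, block size 434176" is infected by "Win32:Small-HUF [Trj]" virus.
avast! [LPT00057]: File "Process 3200, memory block 0x042E0000, block size 262144" is infected by "JS:Pdfka-SP [Expl]" virus.
avast! [LPT00057]: File "Process 3200, memory block 0x04230000, block size 262144" is infected by "Win32:FakeAlert-GY [Trj]" virus.
avast! [LPT00057]: File "Process 3200, memory block 0x04190000, block size 262144" is infected by "BV:AutoRun-E [Wrm]" virus.
avast! [LPT00057]: File "Process 4012, memory block 0x00A10000, block size 65536" is infected by "Win32:Small-gen2 [Trj]" virus.
avast! [LPT00057]: File "C:\Temp\sample.bin" is infected by "Win32:Small-gen2 [Trj]" virus.
'''

# Accepts straight or typographic quotes, since forum software often converts them.
HIT = re.compile(
    r'\[(?P<host>[^\]]+)\]: File [“"]Process (?P<pid>\d+), memory block '
    r'(?P<addr>0x[0-9A-Fa-f]+), block size (?P<size>\d+)[”"] is infected by '
    r'[“"](?P<name>[^”"]+?) \[(?P<kind>\w+)\][”"]')

def parse_memory_hits(text):
    """Return one dict per in-memory detection; file detections are skipped."""
    return [m.groupdict() for m in HIT.finditer(text)]

def triage(hits, min_platforms=3):
    """Group hits by (host, pid) and flag processes spanning many platforms.

    Assumption, not an Avast rule: hits for several unrelated platforms in one
    process point to another scanner's loaded signatures, as in this thread.
    """
    groups = defaultdict(list)
    for h in hits:
        groups[(h["host"], int(h["pid"]))].append(h)
    report = {}
    for key, rows in groups.items():
        platforms = sorted({r["name"].split(":", 1)[0] for r in rows})
        report[key] = {"blocks": len(rows), "platforms": platforms,
                       "names": sorted(r["name"] for r in rows),
                       "likely_signature_db": len(platforms) >= min_platforms}
    return report

if __name__ == "__main__":
    for (host, pid), info in triage(parse_memory_hits(SAMPLE_LOG)).items():
        note = "map PID to its service" if info["likely_signature_db"] else "normal detection"
        print(host, pid, info["blocks"], info["platforms"], note)
```

A flagged PID still has to be mapped to its owning service, as the original poster did for PID 3200, before the hits are written off as false positives.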

I think I remember a post here saying that version 5 and ADNM were not supported (yet), but I’m not sure…
In the meantime, can I avoid these detections? I don’t like to show up in the statistics ;o)

Cheers,
Mario

There’s not much you can do… it’s just a memory scan, so nothing gets blocked. But Avast should solve this with a new update. Funny that these FPs don’t come up anymore with a memory scan in V5 though, as the VPS is shared with 4.8… maybe engine related. I don’t belong to the Avast team, so you should wait until a dev notices this thread and brings some feedback. In the meantime you can always submit a ticket on the Avast main website.

Thanks,

I will do that.

Cheers,
Mario