Other > Viruses and worms

Win32:Agent-LGN [Trj]

Jan Draijer:
Win32:Agent-LGN [trj]

The PHP script compiler Bambalam generates a false report when in compress mode. I checked this by compiling in a protected environment, with the same result. How can I bypass the protection? The name and path of the executable are not always the same.

Regards Jan

DavidR:
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add
and Program Settings, Exclusions.
Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the Standard Shield and Program Settings exclusions.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Jan Draijer:
Thank you DavidR,

Did the online scan at http://virusscan.jotti.org/ with the following detections; all the others were negative. A sample has been mailed to the virus doctors at Avast. I am quite sure I did not infect the executable, so it must be a part of the original code that is detected. The scanners that detected it each found a different virus ???

Results:
Avast: Found Win32:Agent-LGN
Panda Antivirus: Found Trj/Agent.FNM
VBA32: Found MalwareScope.Trojan-Spy.BZub.2

Thank you for your help,
Jan

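The two checks DavidR recommends above (look the file up on a multi-engine scanner, then judge whether the scattered hits point to a real infection or a false positive) can be scripted. The following is an added example and not code from the thread or from avast, Jotti or VirusTotal: it fingerprints the suspect file by hash so it can be looked up on such a service, and it weighs a set of per-engine verdicts. The engine list is constructed for illustration (the three positive hits mirror what Jan reported, the clean engines are assumed), and the thresholds and the list of "generic" name tokens are the author's own heuristics, not any vendor's rules.

```python
"""Triage a suspected antivirus false positive from multi-engine results.

Added example, not from the forum thread. Engine names, detection strings
and decision thresholds below are constructed/assumed for illustration.
"""
import hashlib
import re
import sys
from collections import Counter
from typing import Dict, Optional

# Constructed sample: engine -> detection name (None = no detection).
# The three hits are the ones reported in the thread; the rest are assumed.
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "Avast": "Win32:Agent-LGN",
    "Panda Antivirus": "Trj/Agent.FNM",
    "VBA32": "MalwareScope.Trojan-Spy.BZub.2",
    "AntiVir": None,
    "BitDefender": None,
    "ClamAV": None,
    "DrWeb": None,
    "F-Prot": None,
    "Kaspersky": None,
    "NOD32": None,
    "Norman": None,
    "Sophos": None,
}

# Tokens that carry no family information: platform, type and vendor
# prefixes, plus catch-all families such as "Agent" that vendors use for
# anything they cannot place (DavidR's point about Win32:Agent). Assumed list.
GENERIC_TOKENS = {
    "win32", "w32", "trj", "trojan", "spy", "generic", "heur", "malware",
    "malwarescope", "agent", "downloader", "variant", "suspicious",
}


def _new_digests() -> Dict[str, "hashlib._Hash"]:
    return {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    """md5/sha1/sha256 of an in-memory buffer (used by tests and small files)."""
    digests = _new_digests()
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def file_hashes(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """md5/sha1/sha256 of a file, read in chunks so large EXEs are fine.

    The sha256 is what you would paste into a multi-engine scanner's hash
    search to see existing verdicts without uploading the file.
    """
    digests = _new_digests()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def family_of(detection: str) -> Optional[str]:
    """Reduce a vendor detection name to a family token, or None if generic.

    Heuristic: split on punctuation, drop generic/vendor tokens, digits and
    short variant suffixes (LGN, FNM, gen), keep the first token left.
    'Win32:Agent-LGN' -> None; 'MalwareScope.Trojan-Spy.BZub.2' -> 'bzub'.
    """
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", detection.lower()) if t]
    for tok in tokens:
        if tok in GENERIC_TOKENS or tok.isdigit() or len(tok) <= 3:
            continue
        return tok
    return None


def assess(results: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Weigh per-engine verdicts and classify the sample (assumed thresholds).

    Many engines agreeing, or several naming the same non-generic family,
    points to real malware; a few scattered hits with unrelated or catch-all
    names points to a false positive worth submitting to the vendor.
    """
    hits = {eng: name for eng, name in results.items() if name}
    families = Counter(f for f in map(family_of, hits.values()) if f)
    total = len(results)
    ratio = len(hits) / total if total else 0.0
    agreeing = max(families.values(), default=0)
    if not hits:
        verdict = "not detected"
    elif ratio >= 0.5 or agreeing >= 3:
        verdict = "likely malicious"
    else:
        verdict = "likely false positive: submit sample to vendor"
    return {
        "detections": len(hits),
        "engines": total,
        "ratio": round(ratio, 3),
        "families": dict(families),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Usage: python triage.py [path-to-suspect-exe]
    if len(sys.argv) > 1:
        for algo, hexdigest in file_hashes(sys.argv[1]).items():
            print(f"{algo}: {hexdigest}")
    for key, value in assess(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

Run against the constructed results the script reports 3 detections out of 12 engines and no family named by more than one of them, so the verdict is the same as DavidR's: a probable false positive that should go to the vendor as a sample. Hashing the file first matters for the workflow in the thread: a hash search on a multi-engine service shows whether that exact build has already been analysed, and because Bambalam output differs per build the hash, not the executable's name or path, is the stable identifier to track across the re-scans DavidR suggests.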

DavidR:
Win32:Agent is a bit of a strange bird really, as it has a great number of variants, usually a trojan downloader though. What is strange about it is that it has been detected by signature rather than by a generic (family-style) signature or heuristics by those that did detect it.

I still think there is a likelihood it is a false detection, so you were correct in sending a sample for analysis. I trust you gave as much info as possible and put False Positive in the subject and body of the email; hopefully that will be filtered and dealt with quickly.
