Author Topic: Available options in "Suspicious File Found" window  (Read 6457 times)


Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5490
  • Whatever will be, will be.
Available options in "Suspicious File Found" window
« on: November 08, 2010, 04:53:52 PM »
Hello,

Recently I got a question about repeated "Suspicious Files Found" messages.
I was very surprised that there are only "Ignore" and "Delete" options, not "Move to Chest".
And to make matters worse, that file is on a special partition (maybe a recovery partition) and we can't extract that file from there (there is no drive letter) :(

How to submit files to the avast virus lab without using the Virus Chest? There seems to be no option like "Send this file to virus lab" (at least OP says so). :P


The topic in international forum is nearly ended (OP didn't come recently), so this is just for future reference...
« Last Edit: November 08, 2010, 04:59:59 PM by NON »
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

I explain Avast's settings here. Please take a look if you like.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #1 on: November 08, 2010, 06:16:04 PM »
Because these aren't detected by the file system shield but the anti-rootkit module (see image example) and are suspicious rather than a confirmed detection.

So was your detection in this format ?
What was the file name and location mentioned ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5490
  • Whatever will be, will be.
Re: Available options in "Suspicious File Found" window
« Reply #2 on: November 09, 2010, 12:50:33 AM »
Thanks for the reply.

Quote
Because these aren't detected by the file system shield but the anti-rootkit module (see image example) and are suspicious rather than a confirmed detection.
Then there is no doubt that boot-time scan detects nothing... I took it for granted that "Suspicious" is the same as in File System Shield Settings. :-X

Quote
So was your detection in this format ?
What was the file name and location mentioned ?
OP didn't attach screenshots, but probably it is.

File location is
\??\C\Program Files\Fujitsu\NetworkPlayer\Kernel\DMP\nt3 sys

... OP must have missed ":", I thought "??\" as the drive letters and "C" as a directory name ::)
So, it seems I made a huge misunderstanding... what the heck...


Anyway, is this information (detected file name, etc.) auto-uploaded to the avast virus lab?
« Last Edit: November 09, 2010, 01:00:05 AM by NON »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #3 on: November 09, 2010, 01:39:18 AM »
Well I don't know what the special characters in the path might be, but assuming the file name is nt3.sys, I can find zero hits for it in a google search (other than the topic in the Japanese forum), which is strange for a sys file.

« Last Edit: November 09, 2010, 01:41:53 AM by DavidR »

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5490
  • Whatever will be, will be.
Re: Available options in "Suspicious File Found" window
« Reply #4 on: November 09, 2010, 06:56:13 AM »
Quote
Well I don't know what the special characters in the path might be, but assuming the file name is nt3.sys, I can find zero hits for it in a google search (other than the topic in the Japanese forum), which is strange for a sys file.

Yeah I also doubted this zero hits, but just now I searched for the path "Kernel\DMP" and found many articles related to this. File path does the trick :-[

It seems the correct filename is "ntk3.sys" (OP must have missed again ::)), which is related to CyberLink Software. Maybe innocent files.


BTW can't avast add "Submit this file to virus lab" option on the dialog? Since dialog requests to do so, there should be some easy way to submit...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #5 on: November 09, 2010, 03:22:43 PM »
Well, I would have gone a bit further in searching for \NetworkPlayer\Kernel\DMP\ or even Fujitsu\NetworkPlayer\Kernel\DMP\ to make sure it was relevant for this particular use.

That aside, I believe there is a means of submitting the file, as there is an Advanced section in the image I posted. By opening that there is an option to submit, see attached image.

Now I don't know if this option is current as a) I have never experienced this anti-rootkit detection problem and b) the image examples I'm using for this example have previously been posted on the forums by other avast users.

So the Op will have to click the inverted triangle to expand the Advanced details.

Nesivos

  • Guest
Re: Available options in "Suspicious File Found" window
« Reply #6 on: November 09, 2010, 04:24:55 PM »
Quote
Well I don't know what the special characters in the path might be, but assuming the file name is nt3.sys, I can find zero hits for it in a google search (other than the topic in the Japanese forum), which is strange for a sys file.



I believe Windows NT3 is an operating system for Fujitsu computers, which is indicated above in the path name

Quote
How to Enable Automatic Logon in Windows NT 3.x.....

http://support.microsoft.com/kb/97597

Windows NT 3 search in Google generated these results

http://www.google.com/search?q=windows+nt+3&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #7 on: November 09, 2010, 05:06:17 PM »
Unfortunately if you do a specific search for the file name "nt3.sys" (the quotes are essential if searching for that file name/string), you will as I said find only those relating to the topic in the avast Japanese sub-forum. So putting a space in there is going to throw up a totally different subset of hits.

This however, is a bit of a moot point, if as said the OP may well have meant ntk3.sys as NON mentioned in his last post.

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5490
  • Whatever will be, will be.
Re: Available options in "Suspicious File Found" window
« Reply #8 on: November 09, 2010, 06:23:50 PM »
Thanks for the reply.

Quote
That aside, I believe there is a means of submitting the file, as there is an Advanced section in the image I posted. By opening that there is an option to submit, see attached image.
Yes "Rootkit Found" window has submit option, but "Suspicious Files Found" window does not, like your first image.
I already asked OP to check advanced settings things, but OP says there is no such option. :(


Quote
Now I don't know if this option is current as a) I have never experienced this anti-rootkit detection problem and b) the image examples I'm using for this example have previously been posted on the forums by other avast users.
Yeah I saw a rootkit alert once nearly a year ago but I forgot to take a screen-shot, so I can't remember it correctly.
I have never experienced suspicious files alert.

I found "ntk3.sys" on my computer and sent it to VirusTotal. No detection.
Already sent via Virus Chest.
http://www.virustotal.com/file-scan/report.html?id=8405e0e3e83cdcbf7302f489e5ca41b7bc6993015ed42df3110b0172438451c4-1289315748


@Nesivos
Thanks for the info, but OP says he/she uses Vista, not old NT 3.x ;)

Nesivos

  • Guest
Re: Available options in "Suspicious File Found" window
« Reply #9 on: November 09, 2010, 06:36:53 PM »
Quote
ntk3;ntk3;c:\program files\Fujitsu\NetworkPlayer\Kernel\DMP\ntk3.sys [2009/02/13 14:05 120048]

http://bit.ly/c5CkZw


Quote
Ntk3.sys with description NTIPPKernel Driver is a driver file from company Cyberlink Corp. belonging to product CyberLink NTIPPKernel Driver.
In total there are 1 launchpoints for this file.
There are 3 different variations of the file in our database and the file is digitally signed from CyberLink - VeriSign Time Stamping Services Signer - G2
We do not recommend removing digitally signed files from CyberLink

http://www.runscanner.net/lib/ntk3.sys.html


The Cyberlink Media Player may be pre-loaded on some of the Fujitsu computers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #10 on: November 09, 2010, 07:16:42 PM »
<snip>
I found "ntk3.sys" on my computer and sent it to VirusTotal. No detection.
Already sent via Virus Chest.
http://www.virustotal.com/file-scan/report.html?id=8405e0e3e83cdcbf7302f489e5ca41b7bc6993015ed42df3110b0172438451c4-1289315748
<snip>

Unfortunately that is likely to find nothing as a) the file on his system may not be identical to yours b) it isn't running on a live system and c) it isn't being scanned by an anti-rootkit scan, which is different to the standard on-demand or resident on-access scans.

If there is no advanced option to submit the suspect file, the OP could submit the file as a possible "false positive - anti-rootkit" for further analysis, giving as much info as possible and best to give the link to this topic.
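Point a) in the reply above can be checked directly by hashing the local file and comparing it with the digest in the VirusTotal link. The following is an added example, not code from the thread or from avast; the function names are hypothetical, and it assumes the report id in that link has the form `<sha256>-<unix time>`.

```python
import hashlib
import re
from datetime import datetime, timezone

# Report id copied from the VirusTotal link in the thread.
REPORT_ID = "8405e0e3e83cdcbf7302f489e5ca41b7bc6993015ed42df3110b0172438451c4-1289315748"

def nt_to_win32(path):
    r"""Turn an NT-style path (\??\C:\dir\f.sys) into a Win32 path (C:\dir\f.sys)."""
    for prefix in ("\\??\\", "\\\\?\\", "\\DosDevices\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    # A usable result must start with "<letter>:\"; the path as first reported
    # in the thread lacks the colon and is rejected here rather than guessed at.
    if not re.match(r"[A-Za-z]:\\", path):
        raise ValueError("no drive letter after prefix: %r" % path)
    return path

def parse_report_id(report_id):
    """Split '<sha256>-<unix time>' (assumed format) into (hex digest, UTC scan time)."""
    m = re.fullmatch(r"([0-9a-fA-F]{64})-(\d+)", report_id)
    if m is None:
        raise ValueError("expected <sha256>-<unix time>")
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), when

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large drivers need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def same_file_as_report(local_path, report_id):
    """True only if the local file is byte-identical to the scanned sample."""
    digest, _ = parse_report_id(report_id)
    return sha256_of(local_path) == digest
```

A match settles only point a); it says nothing about points b) and c), since the sample is still not running on a live system or being examined by the anti-rootkit scan.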

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5490
  • Whatever will be, will be.
Re: Available options in "Suspicious File Found" window
« Reply #11 on: November 10, 2010, 05:22:29 AM »
@Nesivos
Quote
The Cyberlink Media Player may be pre-loaded on some of the Fujitsu computers.
Yeah that software seems pre-installed on Fujitsu computers.

@DavidR
Quote
Unfortunately that is likely to find nothing as a) the file on his system may not be identical to yours b) it isn't running on a live system and c) it isn't being scanned by an anti-rootkit scan, which is different to the standard on-demand or resident on-access scans.
Oops, I forgot about that. :-X

Quote
If there is no advanced option to submit the suspect file, the OP could submit the file as a possible "false positive - anti-rootkit" for further analysis, giving as much info as possible and best to give the link to this topic.
I'll write an e-mail and reply for OP to submit the certain file to avast lab via Virus Chest.
Now I can specify where the file is, it's not on recovery partition but on drive C.


I'll update this topic when I get new information. Thanks for all your support. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Available options in "Suspicious File Found" window
« Reply #12 on: November 10, 2010, 05:28:53 AM »
You're welcome.