Author Topic: False positive? (mscorlib.ni.dll) (Read 11462 times)

dcross · « **on:** March 02, 2011, 12:25:27 AM »

Avast is currently flagging a file called mscorlib.ni.dll as Win32:Spyeye-BG (exact location: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll) on two of my computers (both running Windows 7). As one of these computers was clean last night (ran quick scan and full scan and both were clear) and the other has not been used for several days I suspect that this is an FP. The fact that the 'last modified' timestamp on the files in question corresponds in both cases with the installation of last week's Windows updates on the computers would also seem to support this.

Am I right to think that this is a false positive?

Pondus · « **Reply #1 on:** March 02, 2011, 12:29:09 AM »

upload the file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the URL in the address bar and post it here

alternative
VirScan http://virscan.org/
Jotti http://virusscan.jotti.org/en

alun_sundry · « **Reply #2 on:** March 02, 2011, 12:39:29 AM »

This is the same thing I've just referred to in my very recent post so I'd be interested to see how this goes.

dcross · « **Reply #3 on:** March 02, 2011, 12:42:25 AM »

I can't access the folder C:\Windows\assembly\NativeImages_v2.0.50727_32. When I type the address in I get a message saying that Windows can't find it. I suspect that it may be because it's in the Assembly folder.

nine9s · « **Reply #4 on:** March 02, 2011, 12:46:10 AM »

I can only find the file in a Command prompt and it is 11 megabytes big. I can not find it through explorer or other normal means.

Can you update a file that large to that test site? And how do you access it to upload?

Hermite15 · « **Reply #5 on:** March 02, 2011, 12:48:51 AM »

guys there's already a thread http://forum.avast.com/index.php?topic=72687.0

a mod can merge the posts here with the other thread and close the one here?

DavidR · « **Reply #6 on:** March 02, 2011, 02:14:11 AM »

Quote from: dcross on March 02, 2011, 12:42:25 AM

I can't access the folder C:\Windows\assembly\NativeImages_v2.0.50727_32. When I type the address in I get a message saying that Windows can't find it. I suspect that it may be because it's in the Assembly folder.

It is created on the fly from mscorlib.dll, so it is only there for a short time, if you don't send it to the chest and just block, the file would disappear anyway.

There has just been another VPS update 110302-0, so I don't know if that resolves this problem.

EDIT:

Quote from: jsejtko on March 02, 2011, 02:23:03 AM

Hi all,

This issue is fixed in the current vps update. I'm sorry for any inconvenience.

J.

aqk · « **Reply #7 on:** March 02, 2011, 02:16:27 AM »

Yeah, I was also just notified of this mscorlib.ni.dll when my Avast was updated today.
The file was moved to the Avast virus chest.

Avast told me it had originated in "Bitmeter" a network traffic monitor system from http://codebox.org.uk which I had installed a few days ago.

AFAIK, the Bitmeter still runs satisfactorily on my system...

-Tony King aqk.ca

jsejtko · « **Reply #8 on:** March 02, 2011, 02:23:03 AM »

Hi all,

This issue is fixed in the current vps update. I'm sorry for any inconvenience.

J.

Author Topic: False positive? (mscorlib.ni.dll) (Read 11462 times)

dcross

False positive? (mscorlib.ni.dll)

Pondus

Re: False positive? (mscorlib.ni.dll)

alun_sundry

Re: False positive? (mscorlib.ni.dll)

dcross

Re: False positive? (mscorlib.ni.dll)

nine9s

Re: False positive? (mscorlib.ni.dll)

Hermite15

Re: False positive? (mscorlib.ni.dll)

DavidR

Re: False positive? (mscorlib.ni.dll)

aqk

Re: False positive? (mscorlib.ni.dll)

jsejtko

Re: False positive? (mscorlib.ni.dll)