Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: REDACTED on August 07, 2012, 07:04:06 AM

Title: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: REDACTED on August 07, 2012, 07:04:06 AM
I ran into an interesting issue today. We have a Mac Pro running Mac OS X 10.7.4, Parallels 7.0.15104 and Avast 7.0 (37264). We use this station to run six virtual copies of Windows so the web department can test out sites using various versions of Internet Explorer, Firefox, etc. under Windows XP, Vista and 7. Aside from this, the Mac isn't used for anything else -- but since it's got a public-facing Internet connection, I'm running antivirus software on the Mac host system just to be safe. The Windows environments are all running Microsoft Security Essentials -- we want them to be as close to "standard" Microsoft systems as possible, so running an Avast product isn't really an option.

Today, I notice the screen had some Avast "infection detected" warnings on-screen. I reprinted two of them below -- as you can see in the file path, one refers to the W7-IE9 environment and the other to W7-IE8 environment, so these are in two separate virtual systems. There was a third warning for the XP-IE8 environment as well but I didn't copy it down and it seems there's no log of it anywhere I can find anymore.

I verified that Security Essentials in all these environments were up-to-date, then ran full scans. None of them had any log of a past malware detection, nor did they turn up anything during the full scan.

I'm not sure if we had a malware incident or not. For one, the two reports listed below refer to two different pieces of malware. I googled for info on the malware listed, and the Bleah-D appears to be a decade-old boot sector infector. Although it's certainly possible one of my web developers was proofing a site that is infected, I don't think a website would be infected with a boot-sector virus. And if they were proofing an infected site under multiple environments, I'd think the warnings would show the same infection, not different ones. So I'm wondering if these were some kind of false positives.

Anyone got any ideas? Thanks in advance.


avast! Filesystem shield has detected a threat.
Infection: Marburg/Segi
File: /Users/spectrum/Documents/Parallels/W7-IE9.pvm/{6a770076-d08e-4bb6-b52c-8ed58f91aba7}.mem
Process: /Library/Parallels/Parallels Service.app/Contents/PlugIns/Parallels VM.app/Contents/MacOS/prl_vm_app
UID: 501

avast! Filesystem shield has detected a threat.
Infection: Bleah-D
File: /Users/spectrum/Documents/Parallels/W7-IE8.pvm/{15de1555-2102-4e81-bf3a-9e99e956af04}.mem
Process: /Library/Parallels/Parallels Service.app/Contents/PlugIns/Parallels VM.app/Contents/MacOS/prl_vm_app
UID: 501
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: Jan Gahura on August 07, 2012, 08:31:14 AM
Hi,

I'll ask guys from our viruslab, but I personally think this is most likely a false positive.

Scanning virtual machines from outside doesn't make much sense as you typically can't really say which file contains the infection. It's almost impossible to clean a malware in a virtual machine from outside. I'd advice to put your parallels to exclusions.

Regards,
Jan
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: psfblair on October 31, 2012, 08:12:48 PM
Any final word on this? I have a similar problem with VMWare Fusion. I'll post details in a different thread so that people searching on it can find it.
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: Alemaker on February 23, 2013, 04:52:23 AM
I just installed Avast Free for Mac and got the same "infected" file on my Parallels 8 Windows 7 (with MSFT Security Essentials on it also) pvm. Any clarification appreciated.
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: jamesglewisf on February 26, 2013, 01:12:43 PM
I have the same problem every time I suspend parallels instead of shutting down windows and exiting parallels.
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: Milos on February 27, 2013, 09:13:46 AM
Can you upload the detected file to our ftp://ftp.avast.com/incoming/ ? Pack the file to decrease the size and post the uploaded filename.

Thank you,
Milos
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: BrianMc on February 28, 2013, 01:47:29 AM
New MacBook Pro, Snow Leopard (10.8.2) with Avast Free V7 (38403) (5 days with mail update today) virus definitions 13022701. Loaded Parallels 8, then Windows 8.
Got virus note that file is in virus chest.  Sorry I did not grab and paste the note so others would recognize it.

Virus chest line (with myname substituted to protect my identity):

 {b8206da5-5287-4578-a233-b92c139fb234}.mem original loc: /users/myname/Documents/Parallels/Windows 8.pvm

Maybe pvm = parallels virtual machine? 

FWIW: An Explorer address line input does not find the /Parallels folder in /Documents and it is not hidden.

It appears to be the same issue as above. Not sure what happens with file isolated in the virus chest I have yet to load apps.

Thought you'd be interested.

BrianMc
Title: Re: Avast for Mac detects malware in Parallels Windows environments (maybe)
Post by: specimen9999 on February 28, 2013, 02:02:04 AM
Since I'm a Parallels Product Expert I might as well explain what .mem files are.

The .mem files inside the .pvm (yes, Parallels Virtual Machine) packages are the RAM contents dumped to a file when suspending the virtual machine. So avast is detecting a virus pattern in the memory contents of a Virtual Machine. This could be a false positive, or an actual virus was loaded into memory, but if it isn't found anywhere else on the Virtual Disk, it's most likely a false positive, anyway, .pvms should probably be excluded from scanning, no point on having avast! for mac scanning the Windows environment.

Pedantic note: "Snow Leopard (10.8.2)", 10.8.2 is Mountain Lion not Snow Leopard (10.6.x).