Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on May 06, 2015, 08:56:43 PM

Title: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 08:56:43 PM
Hi,

My File System Shield has started moving files to my chest this afternoon.
Most notably my Lightshot.exe program that allows me to do screenshots.

When I scan with Avast I get 256 infected files.
MBAM does not find anything.
SAS does not find anything.

They cannot be repaired.

When trying to reinstall Lightshot, it blocks it.
Here are the screenshots:

http://prntscr.com/72a5q1 - Popup
http://prntscr.com/72a5yp - Virus Chest


Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Michael504 on May 06, 2015, 09:09:20 PM
Quote
Hi,

My File System Shield has started moving files to my chest this afternoon.
Most notably my Lightshot.exe program that allows me to do screenshots.

When I scan with Avast I get 256 infected files.
MBAM does not find anything.
SAS does not find anything.

They cannot be repaired.

When trying to reinstall Lightshot, it blocks it.
Here are the screenshots:

http://prntscr.com/72a5q1 - Popup
http://prntscr.com/72a5yp - Virus Chest

I am having this same issue as of 1330 CST. Brand new computer reporting this Trojan in the Gobi wireless software on a Lenovo X1 Carbon. Definitely a false positive, need it fixed too.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 06, 2015, 09:13:18 PM
Quote
I am having this same issue as of 1330 CST. Brand new computer reporting this trojan in the Gobi wireless software on a Lenovo X1 Carbon. Definitely a false positive, need it fixed too.
If you think so, right-click the file(s) in the chest and report them to the avast lab as an FP.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: kevrianate on May 06, 2015, 09:14:23 PM
I have two computers that just started showing this same issue with the business edition.  I have submitted a file from TortoiseGit that was showing as being infected.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:19:37 PM
I also have several stations reporting the same, running the business edition also.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:20:12 PM
Tons of false positive at the college I work for.  I mean hundreds.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:24:36 PM
We also are having a wide spread report of this happening on our college campus. It seems like it started at the same time the latest definition came out. Thinking a bad set of updates are the cause.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:29:15 PM
Same is happening to us. First report was at 11:49am PDT. I'm getting multiple notifications reporting various files as infected by Kryptik-PFA. Most of the reports are saying that it's our KACE KDeploy.exe agent that is infected.

Definitely looks like a bad definition update.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: mmanous on May 06, 2015, 09:32:09 PM
Same here. First started around 2:43 EST when people started getting VPS file 150506-3
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:36:19 PM
We even called Avast and we were told they can't help us and we need to submit a ticket. We said we think it is due to the update and it's a false positive, and they said then you can write an exclude statement for it. Since it is flagging tons of files, that would be an endless battle. If you guys have not created a ticket yet, I would suggest putting one in so we can have extra pressure for them to fix the latest batch of updates.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: kevrianate on May 06, 2015, 09:37:09 PM
Quote
Same here. First started around 2:43 EST when people started getting VPS file 150506-3

That is the same version as I have.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:39:55 PM
Same version here also: 150506-3. Anyone come up with anything besides adding exclusions, which as was posted is an endless battle because it's different files on each machine?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Michael504 on May 06, 2015, 09:40:19 PM
Same Version Here
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:40:51 PM
Oh good, it's not just us :P

We're getting it on dozens of machines and hundreds of files as well, so excluding or reporting the files will do no good. I have a feeling that cleaning up after this false positive will be more work than cleaning up an actual trojan...
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:42:30 PM
Having the same issue here.   Dozens of files are flagged.  Happened soon after today's update.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: BudG on May 06, 2015, 09:45:59 PM
 :( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :(

Getting tons of these on ALL of our Avast protected systems and started with Def Upd 150506-3 and is causing a nightmare and mass panic all across our University.  Even showing up on PCs that were imaged clean just now.  As soon as Avast is installed on a new clean image it starts alerting that it is infected by "Win32:Kryptik-PFA [Trj]" virus.


Hurry up Avast.  Need a fix.  Our PCs are unresponsive during this.  So, we are out of business until it is fixed!!!
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:47:26 PM
We are getting this false positive as well. Anybody know how to roll back today's update?

Hurry up Avast!
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: BudG on May 06, 2015, 09:49:16 PM
We sure could use a way to roll back too, since avast isn't putting out a timely fix.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:51:57 PM
Also seeing this behavior with Avast! Endpoint Protection and definition update 150506-3.   Several Windows 7/8 laptops so far.

MANY system files, application files, dlls, executables are being detected as Kryptik-PFA [Trj]. 

I uploaded many of these files to VirusTotal and none  of them have been detected as a virus by any vendor.

I contacted support but they said it was necessary to open a ticket.  Please do the same if you are impacted.
https://support.avast.com/Tickets/Submit

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 09:59:25 PM
Same thing here at my company...  Three computers started showing they were infected with this same bug a little over an hour ago...  After seeing these posts about it being an FP, I forced another computer to download the definition update and sure enough, it started having the same issues as the other computers...
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: rmarfil on May 06, 2015, 10:00:12 PM
Had to disable File System Shield, not cool
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:00:28 PM
Seeing this at my University as well. Here are some examples:

File "C:\ProgramData\Package Cache\OfficeAddInPackageId868.2.927\OfficeAddIn(x86).msi" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\inf\SEU\3020\video\P5FCH_A00-00\win7x64\production\Windows7-x64\Display\B161848\amd_opencl32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\inf\SEU\9020\Video\Win78_64_15.31.14_3220_DELL_setup_ZPE\Graphics\Intel_OpenCL_ICD32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\atiumdva.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\System32\DriverStore\FileRepository\nvdm.inf_amd64_neutral_1fffd3be59f5125f\nvwgf2um.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.

Since there are so many different files, whitelisting isn't a great option. I went ahead and turned off "File System Shield" as a temporary fix. Hoping to hear back from Avast Support soon.

Please send a ticket to AVAST Support. Hard to tell if they're monitoring this
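Several posts in this thread report that the real damage came when a boot-time scan was allowed to delete driver and system DLLs, leaving machines at a blank screen. As an added example (not part of the thread and not an Avast tool), the Python script below parses alert lines in the format quoted above, drops the repeated alerts the shield emits for the same file, and sorts the hits by where they sit on disk, so an admin can tell at a glance which hosts must not be allowed to run the boot-time clean. The sample lines, the Lightshot path, the non-alert log line and the three risk classes are constructed assumptions; the alert wording and the paths from the post are the ones quoted.

```python
"""Triage File System Shield alert lines during a suspected false-positive wave.

Added example, not from the thread or from Avast.  The alert text format
follows the lines quoted in the post above; the sample lines and the risk
classes are this script's own (constructed / assumption).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

ALERT_RE = re.compile(r'File "(?P<path>[^"]+)" is infected by "(?P<detection>[^"]+)" virus\.')
TARGET_DETECTION = "Win32:Kryptik-PFA [Trj]"

# Paths a boot-time scan must not be allowed to delete: losing display drivers or
# System32 DLLs is what left machines unbootable in the thread (assumed prefixes).
BOOT_CRITICAL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\inf\\")

# Constructed sample modelled on the alert lines quoted in the thread
# (the duplicate line and the non-alert line are intentional).
SAMPLE_ALERTS = """\
File "C:\\Windows\\SysWOW64\\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\\Windows\\SysWOW64\\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\\Windows\\System32\\DriverStore\\FileRepository\\nvdm.inf_amd64_neutral_1fffd3be59f5125f\\nvwgf2um.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\\ProgramData\\Package Cache\\OfficeAddInPackageId868.2.927\\OfficeAddIn(x86).msi" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\\Program Files\\Lightshot\\Lightshot.exe" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\\Users\\user\\Downloads\\unrelated.exe" is infected by "Example:Other-Detection [Trj]" virus.
VPS 150506-3 loaded (constructed non-alert line, must be ignored)
"""


def parse_alerts(text: str) -> List[Tuple[str, str]]:
    """Return unique (path, detection) pairs; the shield repeats alerts for one file."""
    seen, out = set(), []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and (m["path"], m["detection"]) not in seen:
            seen.add((m["path"], m["detection"]))
            out.append((m["path"], m["detection"]))
    return out


def classify(path: str) -> str:
    """Bucket a flagged path by how much damage its removal would do."""
    p = path.lower()
    if p.startswith(BOOT_CRITICAL_PREFIXES):
        return "boot-critical"
    if "\\package cache\\" in p:
        return "installer-cache"  # cached MSI: reinstall material, not a running binary
    return "application"


def triage(text: str, detection: str = TARGET_DETECTION) -> Dict[str, object]:
    """Summarise one host's alerts: how many unique hits carry the suspect detection,
    where they sit, and whether letting a boot-time clean run would be destructive."""
    alerts = parse_alerts(text)
    hits = [p for p, d in alerts if d == detection]
    by_class = Counter(classify(p) for p in hits)
    return {
        "unique_alerts": len(alerts),
        "target_hits": len(hits),
        "by_class": dict(by_class),
        "boot_risk": by_class["boot-critical"] > 0,
        "other_detections": sorted({d for _, d in alerts if d != detection}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Feed it the alert text collected per host (the thread's admins were having the console e-mail the notifications); a host whose summary shows `boot_risk` true is one where users must answer "No" to the boot-time scan prompt until a corrected definition set arrives. Detections other than the suspect one are listed separately rather than dismissed, since a false-positive wave is no reason to ignore a genuine hit.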


Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:02:01 PM
Looks like we will be doing a lot of this once the new update is pushed out. Just be careful what you restore.

1. Open the avast! program
2. Select “Maintenance”
3. Select “Virus Chest”
4. Sort by time moved to Chest
5. Select files you wish to restore
6. Right-click and select “Restore”

After the file restoral, copies of the files will remain in the Virus Chest.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:03:58 PM
Hello, I come from France, I am not sure I understand all of this topic.

Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update avast detects a lot of files infected by "Win:32Kryptik-PFA"; is that true?
But it is a false trojan?
And at this moment there is no issue?

Because I can't do anything, all my applications don't work: java, games, etc...

Please, Avast, make something, help us!  :(
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: kevrianate on May 06, 2015, 10:05:35 PM
Quote
Hello, I come from France, I am not sure I understand all of this topic.

Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update avast detects a lot of files infected by "Win:32Kryptik-PFA"; is that true?
But it is a false trojan?
And at this moment there is no issue?

Because I can't do anything, all my applications don't work: java, games, etc...

Please, Avast, make something, help us!  :(

It seems to be a bad update which is causing false positives.  The only real remedy for right now is to disable Active File Scanning and restore the files from the Virus Chest.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:07:51 PM
Quote
Hello, I come from France, I am not sure I understand all of this topic.

Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update avast detects a lot of files infected by "Win:32Kryptik-PFA"; is that true?
But it is a false trojan?
And at this moment there is no issue?

Because I can't do anything, all my applications don't work: java, games, etc...

Please, Avast, make something, help us!  :(

That's correct. Avast sent out an update that is flagging many files as being infected with: Win.32.Kryptik-PFA (Trojan).
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:10:11 PM
Ok thanks CK - KHQ & kevrianate.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:10:40 PM
If you are running the Avast Enterprise Admin Console, it won't be so bad after they release an updated definition file.  In the console, you can create a new client-side update task that restores all files from the chest that do not fail the current definition set.  This will restore all the false positives flagged today on all your machines.  I hope a new set comes out soon.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:11:28 PM
I'm also getting several computers reporting Win32:Kryptik-PFA [Trj] on the Avast for Education edition.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: MegaRich on May 06, 2015, 10:12:22 PM
I'm seeing this message on all the servers and workstations I administer so I'm sure it's a false positive.

I've already had a few users reboot their workstations before letting me know, and the boot time scan is completely mangling the OS, so enjoy that.

I've submitted the false positive as of about an hour ago. Hoping something comes quickly.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:14:30 PM
Be sure to open a support ticket so that they know this is a serious, wide-spread issue!
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: MegaRich on May 06, 2015, 10:16:17 PM
You think that having iTunes and Firefox wiped out is bad? It's removed all the NVidia drivers from a sizeable chunk of the computers I have deployed.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 06, 2015, 10:23:13 PM

Quote
Please send a ticket to AVAST Support. Hard to tell if they're monitoring this

They are; several from the avast team have been online and read it... so you can be sure they are busy at the virus lab now.

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:24:47 PM
Like others have said in this forum, go into Avast settings and turn off 'File System Shield.' When Avast pushes a good update, turn it back on.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:25:43 PM
I am so thankful to find this thread. fortunately it didn't start showing up until after school got out, so hopefully there will be an update and it will be ready to go in the morning.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Halifax Library on May 06, 2015, 10:30:45 PM
It quarantined nvapi.dll on one machine and nvd3dum.dll on my own workstation an hour ago.  Fortunately just the two so far, but I had to do a system restore to get my monitor to work again--to say nothing of the near heart attack I almost had when I saw it "spreading" through the network and ran to air gap our servers.  :)
Good to see I'm not alone; thanks for setting my mind at ease.

PS: Just took one of my servers out while I was typing this.  Going to be a long day, methinks.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: rmarfil on May 06, 2015, 10:35:47 PM
And as dsstdf mentioned, after an update comes out you can restore false positives from chest using admin console.

Under Client-side task create new Updating task and for Task Type select Manipulate Virus Chest and under Virus Chest check the first box.

Should say "Restore all files from Infected folder of the Virus Chest in which no infection is detected using current virus database (useful after false positive incident)".
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:36:52 PM
Does anyone know a way to turn off the File System Shield globally through the AEA? Being at a campus with lots of PCs that get managed from there, I was hoping we could do this in one spot and then turn it back on globally as well.

If anyone knows where this is found, that would be great.
thanks
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:37:31 PM
Fortunately, we're still in pilot phase with the AEA product.  Our clients have version 150506-3, my regular (IT technician's) PC showed this alert too.  Ran a boot time scan which deleted a bunch of files -- it's amazing how many executables can be deleted and you still have a functioning PC!  :P It appears to have mostly attacked my ATI video card driver files, Chrome files, and Adobe Flash files.

MBAM scan came back clean.  Pretty sure this is just a bad vdb update -- false positive.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: rmarfil on May 06, 2015, 10:38:54 PM
Right-click Computer Catalog or a specific group and then Properties.  Click on File System Shield and uncheck the box for Enable File System Shield.

Quote
Does anyone know a way to turn off the File System Shield globally through the EAS? Being at a campus with lots of PCs that get managed from there, I was hoping we could do this in one spot and then turn it back on globally as well.

If anyone knows where this is found, that would be great.
thanks
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: BudG on May 06, 2015, 10:39:25 PM
Just received this from Avast Support Ticket I had created:

06 May 2015 22:35

Hello,

We are currently aware of a problem that's causing false positives to all our clients.
We're working on a fix, and will push it out ASAP.

Thank you for your patience,
Avast Corporate
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:41:53 PM
Me too. Same message.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:42:31 PM
Robert West,
Right click on Computer Catalog
Click on properties.
Click on File System Shield
Uncheck Enable File System Shield
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:49:16 PM
This is simply unacceptable and AVAST needs to fix this immediately, I am glad that so far we have not rolled out to the entire campus. This is the type of thing that causes people to find a new product as the warm and fuzzy feeling is definitely not there at this time.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 10:51:18 PM
Thanks for the tip dsstdf.  Will do.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 06, 2015, 10:56:01 PM
See the post from HonzaZ: https://forum.avast.com/index.php?topic=170705.msg1211958#msg1211958

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Michael504 on May 06, 2015, 10:57:21 PM
Go to your virus chest and restore those files AFTER turning off the file shield; there is nothing wrong with them.

Quote
Fortunately, we're still in pilot phase with the AEA product.  Our clients have version 150506-3, my regular (IT technician's) PC showed this alert too.  Ran a boot time scan which deleted a bunch of files -- it's amazing how many executables can be deleted and you still have a functioning PC!  :P It appears to have mostly attacked my ATI video card driver files, Chrome files, and Adobe Flash files.

MBAM scan came back clean.  Pretty sure this is just a bad vdb update -- false positive.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:05:41 PM
Is there anything I can do? I restarted my PC and ran avast and deleted a ton of files, then at some point it asked me if I wanted to delete stuff in the Windows system, which I declined, and stopped the scan. It deleted a ton of stuff from my drivers; I saw something about Chrome, Opera and Skype too.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:06:03 PM
I hope they fix it soon.  I partially destroyed one computer because I let it delete everything during a boot scan.  Then I started to realize, hey, something was up, when all of a sudden my whole network started to get the same virus hit.

My remote users using LogMeIn were all locked out.  And on those systems they barely do anything except word processing remotely.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:07:11 PM
Hello from Russia with the same problem. Thanks to this forum for the description of the problem.  :(
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:07:50 PM
This bad definition file has wreaked more havoc than any other virus/trojan I've dealt with.

Users, through no fault of their own, try to do the right thing and quarantine/move to chest/delete the "infected" files and essentially make their PCs unusable.

It will be a long day/night for many of us.

Even if they release an updated definition, we will still all be dealing with the fallout for hours if not days.

Here is a reply from a ticket I submitted earlier.

//
Hello,

We are currently aware of a problem that's causing false positives to all our clients.
We're working on a fix, and will push it out ASAP.

Thank you for your patience,

Max Marak
Avast Corporate
//
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: BudG on May 06, 2015, 11:08:48 PM
Also check out this forum thread...

https://forum.avast.com/index.php?topic=170705.45

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: schester on May 06, 2015, 11:10:58 PM
Having problems here with a number of computers. Those that aren't restarted seem to be OK, but if they run a boot time scan that seems to be the start of the real problems.

Anyone have a good fix for what was destroyed during the boot time scan? I don't know yet what the user may have specified to do with the files, but it sounds like at least one computer isn't booting now.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Lisandro on May 06, 2015, 11:12:23 PM
@Avast Lab: any news about this?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:14:45 PM
So far it's only hit two of the machines I have here, but in both cases it's flagged ATI driver dll files causing the ATI display manager to throw a fit.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:17:30 PM
This is a mess, really bad we need this fixed NOW.....
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:22:43 PM
Calling an all-hands-on deck here at my department.

This is REALLY bad - second-guessing our decision to go Avast at this point.

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:28:14 PM
Is there a resolution to this? I have over 30 computers on the network that all went down after they got this message. Avast says you have to clean the machine; we click yes, it restarts the machine, and all I get is a blank screen on all of them.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Halifax Library on May 06, 2015, 11:29:20 PM
I'm not going to criticize too much; every AV vendor has had major false positive incidents.  This one has been the most disruptive I've personally had to deal with, though.

If you've decided not to turn off file system shield, make sure you tell your end users to click "No" if Avast asks to schedule a boot time scan and restart.  Otherwise, you'll probably end up having to do a System Restore (or worse) to get your machine back to a usable state.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:32:38 PM
I took the action of notifying them not to have it do the reboot/scan and then went into the AEA and set it so that the Shield took no action on anything related to file scans.  I have it emailing me the notifications so I have a list of computers I may need to visit.  Just waiting on the updated definition now.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:32:51 PM
We have seen this on ONE system so far. I have asked the users to ignore messages about Kryptik until a new Def. file is released.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:35:02 PM
Can I ask why they can't post the last good update, and we have to wait?

Many people cannot boot their system up right now. The next few days will be very busy for me :(

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:36:57 PM
I was supposed to be affected by a virus and I started the scan at startup. 125 files were deleted and I can't recover them.
You wasted my time and my business.
Compliments avast, you lost a loyal customer.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:37:56 PM
Quote
Can I ask why they can't post the last good update, and we have to wait?

Many people cannot boot their system up right now. The next few days will be very busy for me :(

From another thread look for HonzaZ's post.

https://forum.avast.com/index.php?topic=170705.45

//
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!
//
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 06, 2015, 11:40:21 PM
Fix on the way: https://forum.avast.com/index.php?topic=170705.msg1212026#msg1212026
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:44:20 PM
So for us who rebooted and deleted files, what can we do?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: rmarfil on May 06, 2015, 11:46:00 PM
System restore if you deleted files and now cannot get into the OS.

Quote
So for us who rebooted and deleted files, what can we do?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 06, 2015, 11:56:22 PM
Quote
System restore if you deleted files and now cannot get into the OS.

Quote
So for us who rebooted and deleted files, what can we do?

I am using my laptop where the issues happened. I know in the scan a lot of my driver files got deleted, some Opera browser stuff and Skype stuff; I stopped the scan when it asked me if I was sure to delete stuff in the Windows system folder. I know I'm dumb and I need help, so should I just do the system restore?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 12:15:41 AM
Never mind, I don't have a restore point so I think I am doomed, thanks though.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Michael504 on May 07, 2015, 12:17:15 AM
Quote
Never mind, I don't have a restore point so I think I am doomed, thanks though.

Always quarantine first, never delete on first detect. This way you can see how the files affect the system.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 12:51:02 AM
Yup, just swapped the entire company to Bitdefender.  This was out of control bad and Avast will never see another dollar of our money.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 12:56:37 AM
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete"  the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.
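The post above asks for a script that reads the chest's index.xml and puts the files flagged with one detection name back where they came from. As an added example (not the poster's .bat and not Avast's own tooling), here is a Python version of that idea. The real index.xml schema is not shown anywhere in the thread, so the `<entry>` layout, the sample paths, the stored file names and the sizes are constructed assumptions; the chest folder location and the detection name are the ones quoted in the post. The script plans a dry run first, restores only entries carrying the one suspect detection, refuses any chest copy whose size differs from the recorded size (the post notes the sizes are identical), never overwrites an existing file, and can target an offline Windows volume mounted under another drive letter from a rescue environment, which is the non-booting case the poster is worried about.

```python
"""Plan, and optionally perform, restoring files that a bad definition set
moved into the Virus Chest.  Added example; not Avast's own code.  The
<entry> layout below is an assumed stand-in for the real index.xml, whose
schema is not shown in the thread; sample paths and sizes are constructed.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

TARGET_DETECTION = "Win32:Kryptik-PFA [Trj]"  # detection name from the thread
# Chest location from the post: C:\ProgramData\AVAST Software\Avast\chest

SAMPLE_INDEX_XML = """<?xml version="1.0"?>
<chest>
  <entry id="1" detection="Win32:Kryptik-PFA [Trj]" size="4096"><original>C:\\Windows\\SysWOW64\\aticfx32.dll</original><stored>00000001.dat</stored></entry>
  <entry id="2" detection="Win32:Kryptik-PFA [Trj]" size="2048"><original>C:\\Program Files\\Lightshot\\Lightshot.exe</original><stored>00000002.dat</stored></entry>
  <entry id="3" detection="Win32:Kryptik-PFA [Trj]" size="1024"><original>C:\\Windows\\SysWOW64\\atiumdva.dll</original><stored>00000003.dat</stored></entry>
  <entry id="4" detection="Example:Other-Detection [Trj]" size="512"><original>C:\\Users\\user\\Downloads\\unrelated.exe</original><stored>00000004.dat</stored></entry>
</chest>
"""


@dataclass
class ChestEntry:
    entry_id: str
    detection: str
    original_path: str  # Windows path recorded when the file was quarantined
    stored_name: str    # renamed copy inside the chest folder
    size: int           # original size in bytes


def parse_index(xml_text: str) -> List[ChestEntry]:
    """Read every <entry> of the assumed index layout."""
    return [
        ChestEntry(n.get("id", ""), n.get("detection", ""),
                   n.findtext("original", "").strip(),
                   n.findtext("stored", "").strip(), int(n.get("size", "0")))
        for n in ET.fromstring(xml_text).findall("entry")
    ]


def reroot(win_path: str, dest_root: str) -> str:
    """Map 'C:\\Windows\\x.dll' to '<dest_root>/Windows/x.dll': lets the plan run
    against a scratch folder, or an offline system drive mounted elsewhere."""
    rest = win_path[3:] if win_path[1:3] == ":\\" else win_path
    return os.path.join(dest_root, *rest.split("\\"))


def plan_restore(entries, chest_dir, dest_root, detection=TARGET_DETECTION):
    """Split one detection's entries into restorable ones and skipped ones (with a
    reason).  Restorable: chest copy present, size equal to the recorded size, and
    destination not already occupied.  Other detections are left alone."""
    restorable: List[Tuple[ChestEntry, str]] = []
    skipped: Dict[str, str] = {}
    for e in entries:
        if e.detection != detection:
            continue
        stored = os.path.join(chest_dir, e.stored_name)
        target = reroot(e.original_path, dest_root)
        if not os.path.isfile(stored):
            skipped[e.entry_id] = "chest copy missing"
        elif os.path.getsize(stored) != e.size:
            skipped[e.entry_id] = "size mismatch"
        elif os.path.exists(target):
            skipped[e.entry_id] = "destination already exists"
        else:
            restorable.append((e, target))
    return restorable, skipped


def restore(restorable, chest_dir, dry_run=True) -> List[str]:
    """Copy chest files back to their targets; the chest copy is kept, as the GUI does."""
    done = []
    for e, target in restorable:
        if not dry_run:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(chest_dir, e.stored_name), target)
        done.append(target)
    return done


def demo(dry_run=True) -> Dict[str, object]:
    """Rehearse the plan in a scratch chest and a scratch destination tree."""
    entries = parse_index(SAMPLE_INDEX_XML)
    with tempfile.TemporaryDirectory() as chest, tempfile.TemporaryDirectory() as dest:
        for e in entries:  # fake chest copies; entry 2 is deliberately one byte short
            with open(os.path.join(chest, e.stored_name), "wb") as fh:
                fh.write(b"\0" * (e.size - 1 if e.entry_id == "2" else e.size))
        occupied = reroot(entries[2].original_path, dest)  # entry 3's target already exists
        os.makedirs(os.path.dirname(occupied), exist_ok=True)
        open(occupied, "wb").close()
        restorable, skipped = plan_restore(entries, chest, dest)
        written = [p for p in restore(restorable, chest, dry_run) if os.path.isfile(p)]
    return {"candidates": sum(e.detection == TARGET_DETECTION for e in entries),
            "restorable": [e.entry_id for e, _ in restorable],
            "skipped": skipped, "written": len(written)}


if __name__ == "__main__":
    print(demo(dry_run=True))
```

Running the file prints the dry-run plan for the sample: one restorable entry, one skipped for a size mismatch, one skipped because the destination is occupied, and the unrelated detection untouched. Against a real machine you would point `parse_index` at the actual index file, `chest_dir` at the chest folder and `dest_root` at the mounted volume, inspect the plan, and only then call `restore` with `dry_run=False`; a corrected definition set should still be scanned over the restored files afterwards.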
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 01:03:43 AM
I have approximately 100 PCs out of 300+ reporting false positives.  Avast will not let us install anything with an exe extension on the affected PCs. >:(
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 01:08:43 AM
Quote
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete"  the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database"
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 01:34:37 AM
Quote
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under: C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, query the original file name and file location and restore users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete"  the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Quote
Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database"

This is a great suggestion for those with EAC and can boot into Windows. I am going to do this once I get the next update. But my suggestion was more for those people that had their system files and video driver files flagged and moved. Those guys can't even boot into Windows.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: schester on May 07, 2015, 02:25:09 AM
Quote
Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database"

This didn't appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 02:41:55 AM
Here are some quick instructions on how to resolve it.

1. Run a VPS update to the clients from the AEA console. The patch has an update release of 150506-3 which is supposed to be the fix to the false positives.
2. Do a quick check to see if the clients have updated to this VPS release.
3. Once the clients have been updated to this VPS release, you can use the AEA to run an Auxiliary task to restore the false positives from the virus chest back to the clients.

Here is a link to the AEA User guide which may help with the above.
http://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf

Cheers
Nick


Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: schester on May 07, 2015, 02:42:42 AM
Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database"

This didn't appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?

Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 03:08:46 AM
Unfortunately I can't seem to find the option to restore files from the virus chest by using the Small Business Administration Console. Does anyone know how to do this? Or do I have to upgrade/migrate to the EAC to be able to do this?

We had major issues with this as it affected custom software on one of our servers and would love to be able to reverse this the quickest way possible vs. visiting every machine manually.

Thanks
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Michael504 on May 07, 2015, 03:12:03 AM
Yup, just swapped the entire company to Bitdefender.  This was out of control bad and Avast will never see another dollar of our money.

I have had Bitdefender before, slows the machine down too much and it missed stuff.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 05:38:33 AM
Can a system restore bring back files removed during an Avast boot scan?

Before I knew about this false positive I thought my whole computer had somehow been infected. Now I'm worried I deleted essential files. I didn't send them to the chest like I should have.  :-[
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 02:35:07 PM
Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I've been doing it manually as well.  What a nightmare.  I just had 200 computers blow up yesterday.  It cost my client a LOT of money to have everyone go down like that.  It ate everything from email to database software.  Really really really bad.  I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly.  I can't believe how bad this is.  I haven't even gotten a generic emergency support email or a "sorry" email or anything either, disappointed that there's basically been radio silence from Avast.  I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future?  Not sure.  Mistakes happen.  The software has been very good up until this point, and they did roll out the fix-it patch same-day.  I've had this happen with Windows Updates as well, so no company is immune to problems of this magnitude.  The Avast fix hasn't been 100% effective for every machine, but as of this morning I have 95% of my users back up & running.  I understand that mistakes happen.  Just a bit upset that they didn't even send out an email notice or anything for a status update.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: polonus on May 07, 2015, 02:50:32 PM
Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong big scale.
All vendors suffer from these mishaps some day or other, "someone pushing a wrong handle there".
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: mmanous on May 07, 2015, 03:07:03 PM
Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I've been doing it manually as well.  What a nightmare.  I just had 200 computers blow up yesterday.  It cost my client a LOT of money to have everyone go down like that.  It ate everything from email to database software.  Really really really bad.  I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly.  I can't believe how bad this is.  I haven't even gotten a generic emergency support email or a "sorry" email or anything either, disappointed that there's basically been radio silence from Avast.  I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future?  Not sure.  Mistakes happen.  The software has been very good up until this point, and they did roll out the fix-it patch same-day.  I've had this happen with Windows Updates as well, so no company is immune to problems of this magnitude.  The Avast fix hasn't been 100% effective for every machine, but as of this morning I have 95% of my users back up & running.  I understand that mistakes happen.  Just a bit upset that they didn't even send out an email notice or anything for a status update.

I've had zero luck running the restore task as well.  I temporarily disabled Windows Firewall on both my AEA server and the client I was trying to run the restore task to. It still didn't work with both firewalls turned off.

I also discovered that I was unable to use the Remote Virus Chest feature (I've never had a need before now). For those that don't know, you need to open port 135 and 16108 for the Remote Virus Chest to work. This can be configured in Group Policy. Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> Windows Firewall: Define inbound port exceptions. At least now I don't have to go office to office or use VNC to manually restore.
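For admins who would rather script the client-side firewall exception than turn the firewall off (as tried two paragraphs up) or wait for Group Policy to apply, here is an added PowerShell example, not from the post or from Avast, that opens the two ports named above on a client and restricts them to the AEA server's address. The server IP is a placeholder assumption; TCP 135 being the RPC endpoint mapper is general Windows knowledge, not something the post states.

```powershell
# Added example (not from the forum post or from Avast): create the two inbound
# firewall rules the post says the Remote Virus Chest needs (TCP 135 and 16108),
# scoped to the Domain profile and limited to the AEA server instead of any host.
# ASSUMPTION: the management server's address is a placeholder; replace it.
$AeaServer = '192.0.2.10'   # placeholder (RFC 5737 documentation range)

$rules = @(
    # TCP 135 is the Windows RPC endpoint mapper, so keep its source restricted.
    @{ Name = 'Avast Remote Virus Chest - RPC endpoint mapper (135)'; Port = 135   },
    @{ Name = 'Avast Remote Virus Chest - 16108';                     Port = 16108 }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule if one with this display name is absent.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -RemoteAddress $AeaServer -Profile Domain -Action Allow | Out-Null
    }
}

# Verify what was opened, and to whom, so the change can be audited afterwards.
Get-NetFirewallRule -DisplayName 'Avast Remote Virus Chest*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Port    = $port.LocalPort
            Remote  = $addr.RemoteAddress
            Profile = $_.Profile
        }
    } | Format-Table -AutoSize
```

Once the restores are done, the same display names make it easy to remove the rules again with Remove-NetFirewallRule.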

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 03:12:34 PM
This is just great. I called support and they are saying I need to submit a support ticket, which I did yesterday. I have over 100 PCs down and they don't even want to talk to you. What a POS customer service.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 03:44:22 PM
Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong big scale.
All vendors suffer from these mishaps some day or other, "someone pushing a wrong handle there".
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus

The difficulty is two-fold:

1. Receiving email viruses that come out same-day
2. Quantity of users

As much as I hate not having time to test A/V updates on a test group beforehand, it's important to have the updates come in as fast as possible because I've run into issues not doing that - as soon as a virus fix is identified by Avast, added to the database, and rolled out to users, they are protected.  So to me, it's worth the risk for the occasional hiccup like this to have the most up-to-date protection possible, because it has bitten me before in bad ways with zero-day exploits.  Plus, I support several companies & several branches as well, so it's not really feasible to babysit everything 24/7 due to workforce budgets being what they are.

The second issue is quantity of users.  Even with backups, reverting 200 users who have physical machines & are not on a Terminal Server is a logistics nightmare.  I spent all last night trying to fix things remotely & have had to go on-site to patch up all the little bits & pieces remaining.  Reverting to a prior backup is possible, but then the users lose all of their work for the day (times however many users you have), versus just restoring from the vault.  Although restoring from the vault hasn't fixed 100% of the issues I've run into, so I've had to do some further work, like re-installations of certain software.

Very frustrating all around.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 03:50:03 PM
This is just great. I called support and they are saying I need to submit a support ticket, which I did yesterday. I have over 100 PCs down and they don't even want to talk to you. What a POS customer service.

I have not had great CS from Avast in general, which is probably my only real complaint.  The pricing & feature set is great, it does a great job of detections (other than this snafu), and it doesn't slog down your PC.  I use different A/V packages depending on the client, but aside from the mediocre customer service, I've grown to really like the product & service because it runs well & runs reliably.  So again, not sure if I will dump them after this, but their response to this issue has been rather dismal, which is very annoying when I'm stuck explaining to a paying customer why all of their computers are down & why their $100-an-hour engineers can't work.  I think they have a great product & I understand that occasionally things go wrong, but Avast needs to step it up with their customer service responses.  What I'm hearing today is "Why didn't we just stick with Norton?"  :P
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 03:53:23 PM
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 07, 2015, 04:08:19 PM
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??
see post #67, also here https://forum.avast.com/index.php?topic=170730.0



Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 04:16:39 PM
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

This is what has worked for me:

1. Make sure your server & clients have the latest Avast updates
2. Reboot the clients twice (from what I can tell: it grabs the update, then applies the update with the vault issues etc.)
2a. Restore anything from the vault that is still not working (I've had a dozen computers or so that didn't play nice)
2b. Reinstall anything that won't restore (maybe half a dozen computers that needed apps reinstalled)

As of 10am this morning, I am back to 100%.  That was a long night  :(
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 04:38:13 PM
I agree that "mistakes happen" , especially with this type of software.

However, Avast owes it to their users to explain why this happened, and what they are doing to prevent it in the future.   This was not some minor problem... but was a very serious issue that had a large impact for many paying customers.   If Avast expects us to STAY as their customers, they need to respond and help us understand what they are doing internally to prevent this from happening again.

Further, considering how obviously broken that definition update was, it is clear that Avast does not do any testing of their updates prior to pushing them to production release.   That's not great.

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 07:34:30 PM
Well, my laptop is "working fine", running like nothing happened, but still my intel/nvidia drivers aren't running, or at least when I try to open them it gives me an error, like there are missing files and stuff. My cousin, who happens to be a tech with this stuff, is going to help me, but for sure I'm changing my AV. Avast worked well for me, but this is just a no; even though my laptop is "fine", it isn't. I'm one of the people that had to reboot and had files deleted thinking it would help.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 07:54:57 PM
BTW - this happened before.  December 2009:

"On Thursday 12.3.2009 avast! had a bad false positive issue. At around 12:15 AM GMT (4:15 PM PST) we released VPS update 091203-0 which started flagging hundreds of innocent files as a 'Win32:Delf-MZG' Trojan (or, in less common cases, as 'Win32:Zbot-MKK'). Among the files affected were high-profile programs produced by Adobe, Realtek, sound card drivers, various media players etc." - A VPS update 5 hours later solved it.

In April 2011, a VPS update was causing WebShield to report widespread viruses on random websites.  Was fixed 5 hours later with a new VPS update.

Again in March 2013 - Avast accidentally flagged Adobe Acrobat as a virus and killed the software for many users - fortunately a repair of the Acrobat software resolved it after a VPS update (3 hour response time).
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 07, 2015, 10:05:32 PM
This is a disgrace and not something I expect from my anti virus software. This has created me untold work because I trusted Avast and means I have totally wasted my week trying to fix this rubbish. I truly find it unbelievable and it beggars belief how it got through your release management processes. Yours, a very disgruntled customer. If you put as much effort into ensuring this sort of thing doesn't happen as you have into scrambling the verification this would not happen, I am sure.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: bob3160 on May 07, 2015, 10:53:20 PM
This is a disgrace and not something I expect from my anti virus software. This has created me untold work because I trusted Avast and means I have totally wasted my week trying to fix this rubbish. I truly find it unbelievable and it beggars belief how it got through your release management processes. Yours, a very disgruntled customer. If you put as much effort into ensuring this sort of thing doesn't happen as you have into scrambling the verification this would not happen, I am sure.
This doesn't happen often but unfortunately I don't know an AV that it hasn't happened to.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Pondus on May 07, 2015, 11:08:34 PM
Panda had a big one some weeks ago

www.404techsupport.com/2015/03/panda-cloud-and-antivirus-false-positive-hits-hard/

www.theregister.co.uk/2015/03/11/panda_antivirus_update_self_pwn/

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: bob3160 on May 07, 2015, 11:19:40 PM
Panda had a big one some weeks ago

www.404techsupport.com/2015/03/panda-cloud-and-antivirus-false-positive-hits-hard/

www.theregister.co.uk/2015/03/11/panda_antivirus_update_self_pwn/
I don't think we need to rehash the occurrences.
It's bad enough when it happens and, as I said it's happened to all of them.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: kevrianate on May 08, 2015, 04:03:56 PM
Has ANYBODY received a reply on any of their support tickets on this issue?  That is not settling well with me.

Edit: My bad, I did receive a "we are working on it" response but not a "we have fixed our screwup" response.
Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: REDACTED on May 11, 2015, 02:00:47 AM
It's not just one "bad" update. The last version of Avast 8.x family was stable, fast, had a good UI, wasn't filled with upsells and ads.

That's the version I used on mine, my father's and mother's computers.

Several weeks ago it flagged WS_FTP's DRM module on father's computer as a virus.

Then, more recently, it quarantined Opera browser and some other executables on mother's computer.

At about the same time, it flagged random NVidia driver DLLs on my computer as well.

I restored all files from quarantine and immediately got rid of Avast on all machines. This is planned obsolescence, a move to force us to upgrade to 9.x.

At first, I gave it a shot. Then I loaded the latest 9.x version and saw that it not only kept the messy and yet somehow function-reduced UI from earlier 9.x releases, but it's full of upsells and then an ad pulled out of system tray asking me to buy Avast...

And of course, on my sister's PC, which had "automatic program update" enabled, despite having an initially minimalistic install of 8.x, 9.x came along and installed "grime fighter" and all the other garbage.

That's not how upgrades are supposed to work.

Goodbye Avast, you were good while you were good. Now you joined the ranks of pretty much every other "free" antivirus which are, at best, "potentially unwanted programs" themselves.

Title: Re: Win32:Kryptik-PFA [Trj] - False Positive ?
Post by: Chad-bisd on May 11, 2015, 08:49:24 PM
So far I've lost my lightspeed mobile filter and user agent as well as chrome.dll now.  It's taking out computers 1 by 1 now.  Originally thought this was the 150506-3 update, but now even 150511-0 update is killing stuff.