Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: mariosalice on May 19, 2008, 04:02:10 PM

Title: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: mariosalice on May 19, 2008, 04:02:10 PM
I am not sure what happened here, but I got major problems that ended in a full clean install of my Windows Vista 64 SP1 Ultimate.
During a recent Vista update, I got an Avast message saying that it found a rootkit using heuristic methods and it recommended not to delete this file.
The rootkit was "trustedinstaller.exe". I did know that this file is a Vista system file, and since I was updating from Microsoft I thought this was a false message.
Everything went OK, but afterward I thought I might check my system files with cmd and the command sfc /verifyonly.
I got a message about problems with system files.
This time I tried sfc /scannow. The checking stopped early (5%), saying it could not repair the system files. I restored my system to previous dates but it didn't help.
Even though my system didn't have any other problems I decided to make a backup of my files and clean install Windows Vista 64 SP1 Ultimate.

This time I installed all Microsoft updates first and then I installed Avast Pro. So I am not sure what happened the last time. Now I have disabled auto Vista updates and I also disable Avast every time I perform a manual Vista update.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Lisandro on May 19, 2008, 04:12:13 PM
This time I installed all Microsoft updates first and then I installed Avast Pro. So I am not sure what happened the last time. Now I have disabled auto Vista updates and I also disable Avast every time I perform a manual Vista update.
It should be fixed soon if it is a false positive.
To know if a file is a false positive, please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is JOTTI (http://virusscan.jotti.org/). VirusTotal and Jotti both have a file size limit of 10 MB.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the blue 'a' icon, click on the provider icon at the left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that you leave your system in danger.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: mariosalice on May 19, 2008, 05:12:17 PM
Thank you.
After some system restore actions and a clean install I have no infected files to submit and I doubt the trustedinstaller.exe file was an infected file.
I got the rootkit warning message during a Microsoft update. I never had any viruses or rootkits. I think Avast Pro performs auto scans for rootkits at startup.
I have used Avast for the last 5 years and I never got infected.
So I am not sure what really happened during this Microsoft update installation.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: hassad on July 09, 2008, 01:30:56 PM

I got the same message when updating Vista.
C:\Windows\servicing\TrustedInstaller.exe found as rootkit.

I've run it through Jotti but none of the engines found anything.
Rescanning the file with Avast doesn't find anything either so I guess this is something only during the update process.

Btw, a small issue: clicking the privacy statement in Avast Home on the warning page, where it suggests that I send the file to the ALWIL Software lab, leads me to a 404 webpage.
http://www.avast.com/eng/privacy_statement.html
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Lisandro on July 09, 2008, 03:45:27 PM
I think Avast Pro performs auto scans for rootkits at startup.
And Home version too...

Indeed, seems a strange file. Glad you're clean now.

Hassad, welcome to the forums. Do you still have this file on your computer? Can you send it to virus (at) avast (dot) com for analysis? Can you also submit it to www.virustotal.com for analysis?
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: hassad on July 09, 2008, 10:29:38 PM
Thanks,

I'm sure "it" was triggered due to the upgrade.
I've sent the file and the Virustotal information to the address.

Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: voodoodrul on July 20, 2008, 09:35:38 PM
FYI - as of today on version 1227 this is still occurring. I did the following twice and reproduced the issue both times.

1) Clean install of Vista Ultimate Retail
2) Driver installs
3) SP1 standalone update
4) Avast install
5) Update avast to latest release
6) Run Windows update

A heuristic scan finds windows\services\trustedinstaller.exe as a suspicious file.

It's hard for me to ignore a possible rootkit warning on a fresh install.

*note* scanning the file itself comes up clean. I am guessing that whatever trustedinstaller.exe is trying to do to the OS during installation of updates is what triggers the heuristic scanner to alert the user.

Is it safe to ignore this issue for now?
Title: Re: trustedinstaller.exe
Post by: briton on August 08, 2008, 12:29:44 PM
OK, this is still happening with avast! version 4.8 Home Edition Build Jul2008 (4.8.1229) VPS 080807-0 (all updated before allowing a new Vista install on the web).

This is on a Windows Vista Ultimate 64bit Edition SP1 immediately after installing/upgrading and adding SP1 when letting Windows Update do an automatic update of optional updates.

File is located at %WINDOWS%\servicing\TrustedInstaller.exe

VirusTotal produces a nil result on all engines (and this file has been submitted to VirusTotal before).

Have submitted a copy of the file. Alwil Software is normally pretty darned quick about these false positives. It is rather strange that this one is slipping through the net so long - is it because it is a 64bit system?
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: igor on August 08, 2008, 12:37:29 PM
It's not really a false positive in the usual sense - there's no virus reported here (I mean, no virus name is given, right?)
What exactly does the window say?
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 08, 2008, 01:09:38 PM
Hard to tell now that I have hit Ignore and told Windows Update to repeat, lol (I can't find out how to "un-ignore" the file so that I can get it scanned - right now if I instruct Avast! to scan that file it doesn't produce any advisory, presumably because the on-access scanner has set it to ignore).

No, there was no name of known malware. This was a heuristic find. It appears to happen after the optional Vista Ultimate 64bit updates have been downloaded and DURING the installation process. The only optional update affected is "Windows Sound Schemes", which suggests that this is an odd result of the heuristics. But I had them set on the default preferences.

The ODD thing is that there was NO advisory on this file when I did the same installation a week or so ago. Anyway, the answer is to note the file name, hit Ignore and repeat the update if a user wants it.

The point for the Avast! team is that if numerous Vista Ultimate 64bit users hit this advisory every time they do an update after installation of the OS, it is not encouraging them to trust Avast! which is a shame.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: igor on August 08, 2008, 09:28:37 PM
Well, I'd still like to know what exactly the dialog says. There's a "Type" field there, for example (like, "hidden process", "hidden service", ...)
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 09, 2008, 11:35:28 AM
Once I had done a web search for what Avast! means by "Ignore", I felt safe to click it without ending up having the file ignored by my OS and therefore crashing my OS.

If you can tell me how, after clicking ignore, I can stop Avast! ignoring the file so that I can scan it and tell you what the heuristic advisory was, I would be pleased to post the message here. Otherwise, I don't see how I can repeat the message even though I still have the file.

Thanks.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: DavidR on August 12, 2008, 08:28:06 PM
Did you allow it to be submitted for analysis ?

Quote
Windows errors related to trustedinstaller.exe?
trustedinstaller.exe is a Windows Modules Installer from Microsoft Corporation belonging to Microsoft® Windows® Operating System. This enables management of Windows updates

It seems a very poor choice of name to me, as why would a trusted installer need to be a hidden service? If it is only used for Windows updates, you would think it could be started when an update is available and has to be installed.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: DavidR on August 12, 2008, 08:49:03 PM
I don't know if it is an FP or not; there simply isn't enough information, and since I don't use Vista I can't check the file location.

It just looks suspicious and assuming there was the checking of digital signatures on suspect/infected files (something we discussed in another topic), that should show if it is a valid signature making the likelihood of infection less.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: igor on August 13, 2008, 10:44:18 AM
Anybody having this problem - can you please download the following file:
http://public.avast.com/~glucksmann/CheckInst.exe
Start it from the command-line and post the output here.
Thanks.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 14, 2008, 03:28:27 AM
As I stated before, this is NOT a false positive. I submitted the file to VirusTotal and got the all-clear response from all programs.

However, I submitted the file to the avast! team so that they could discover why the heuristic analysis was producing an advisory on a file which is part of the Windows Vista updates.

I still hope that Avast! will change something in that advisory message. First of all, this particular file has the kind of name which looks suspicious - how could Microsoft come up with a more stupid name for a system file - TrustedInstaller - isn't that just the kind of name a virus writer would come up with? lol

More importantly, many users (the vast majority?) will not have seen this advisory before. To be offered a choice where the "recommended" action is "Ignore" is not conducive to following the recommendation. Surely many will have the unanswered question in their minds: "Does ignore mean ignore the file or ignore this message?" A slightly more useful recommendation would include wording such as "Recommended Action: Ignore (which will allow the operating system to continue without action by avast!, but the user should take note of the filename in case it is reported again)".

Again, this was NOT a report that there was a virus.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: DavidR on August 14, 2008, 02:32:49 PM
Have you tried downloading and using the file Igor gave the link for ?
If so can you post the output.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 18, 2008, 08:54:27 PM
Have you tried downloading and using the file Igor gave the link for ?
If so can you post the output.
Signature of "C:\Windows\servicing\TrustedInstaller.exe" verified.
Details:

Signature type:     Catalog
Program name:       Microsoft Windows
Program URL:        http://www.microsoft.com/windows
Issuer :            Microsoft Windows Verification PCA
Subject :           Microsoft Windows
Signing Timestamp : 01/20/2008 00:49


(Note that I also sent the TrustedInstaller.exe file to the Alwil team as requested.)
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Faizfast6 on August 20, 2008, 02:51:25 AM
 :o
http://search.microsoft.com/results.aspx?form=MSHOME&setlang=en-us&q=trustedinstaller.exe+virus&mkt=en-us
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Lisandro on August 20, 2008, 03:52:45 AM
Signature of "C:\Windows\servicing\TrustedInstaller.exe" verified.

As I stated before, this is NOT a false positive.

Isn't this contradictory? A signed file should be a clean file (if the source is secure).
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 20, 2008, 03:43:13 PM
Signature of "C:\Windows\servicing\TrustedInstaller.exe" verified.

As I stated before, this is NOT a false positive.

Isn't this contradictory? A signed file should be a clean file (if the source is secure).
If you are asking me, my response is that my statement that "this is not a false positive" merely means that avast! did not report the file as containing malware. My understanding is that a "positive" is defined as avast! finding a file which is KNOWN to contain malware whereas this was just an advisory based on heuristic analysis which, I believe, is not considered a "positive".

Although there was an advisory report from avast! about the file, that does not mean that it is not a "clean file" does it? avast! is certainly not reporting that it is not clean.

Having said that, I still believe that Alwil would do well to increase the information given on the dialog box so that users would have no doubt that "Ignore" is a good idea!

If you are asking the avast! team, sorry that I responded!
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Lisandro on August 21, 2008, 08:10:50 PM
False positive is a clean file that the security program detects as being infected.
It's clean but wrongly detected, so, false positive.
Signed files (from safe sources like Microsoft) are clean.

Maybe we're saying the same thing in different words.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on August 22, 2008, 09:50:16 AM
I would call it a false positive. Avast! say that it isn't - it was merely heuristic. I think that is technically correct, but very misleading, hence my suggestion that they change the wording of the advisory dialog box that is used when heuristic analysis "suggests" that there may be a problem.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: mbrown on February 11, 2009, 03:06:39 PM
I have had the same issue this morning when doing Windows Updates. I ran the little program and it said the file was okay. I also uploaded it to VirusTotal for them to run a scan on it. Nothing turned up. I did submit it but clicked on Ignore.

I agree that the file name should be changed by Microsoft.

thanks

mbrown
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: psaxelby on August 15, 2009, 06:12:26 PM
Hi,
Just happened to be doing an update, got the Avast message about trusted installer.

It's still doing the update, I ran the checkinst program & got:

Signature of "C:\Windows\Servicing\TrustedInstaller.exe" NOT verified [800B0100]

Is that good or bad?

File was allowed to be submitted.

Regards,
Paul.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on September 02, 2009, 12:11:07 AM
Hi,
Just happened to be doing an update, got the Avast message about trusted installer.

It's still doing the update, I ran the checkinst program & got:

Signature of "C:\Windows\Servicing\TrustedInstaller.exe" NOT verified [800B0100]

Is that good or bad?

File was allowed to be submitted.

Regards,
Paul.

Well the short answer is good news - it isn't bad. If you want to be absolutely sure, use the free online virus checkers to check that one file (see elsewhere on this site for a list of the ones you might try.)

If you want to understand why avast! will report it and CONTINUE to report it, here is the long answer...

Basically, all worthwhile antivirus programs have files full of known viruses which you update regularly. This allows them to quickly and easily identify the presence or otherwise of any of those viruses somewhere in your system and, because they are known, avast! can recommend specific action and usually offer a means of cleaning files. Otherwise it offers you the chance simply to delete them or, if you need to be able to study the problem and maybe check whether the problem is real or not, they offer the chance to isolate the file into the chest which means no program can access the file.

IF you get a file which is reported by the method explained, i.e. avast! is identifying that there is a virus on the basis of the up-to-date virus definitions, and you then check that file (using free online AV checkers a list of which you can find suggested elsewhere in these forums) and discover that ONLY avast! is reporting it, you use the report system to send it to the avast! team and they make sure that (a) it is NOT a virus and (b) they adjust their later virus definition files to ensure that it isn't reported again (another reason for keeping your definitions regularly updated). That would be termed A FALSE POSITIVE. That means that a virus is being reported based on an up-to-date virus definitions file when in fact there is no virus.

The difference with the TrustedInstaller.exe file (apart from the fact that it just SCREAMS of being the type of name a Virus creator would choose  ;D ) is that it is not being identified and reported based on the virus definitions file. It has to do with your own settings of avast! and I strongly recommend you NOT to change them now that you, hopefully, understand them. Your avast! settings are enabling what is called heuristic analysis. This is a GOOD thing and is NOT available in every antivirus program. So what is it and why should you allow avast! to use it? Well, the answer lies in the way in which those virus definition files get updated by avast! so that you can update them on your system. Imagine a brand new virus - one that is not simply a rehashed existing known-about virus which is already in the definitions files of all the major antivirus programs including avast! So it infects some systems. People have problems and the clever guys at the various antivirus program centres work out what it is, how to identify it and immediately every AV program company updates their virus definitions to include it. You update your files and, assuming your system hasn't yet been infected (which it shouldn't have if you didn't disable heuristic analysis), you can't get that virus because avast! with updated definitions will find it before it can do damage.

However, imagine the worst case scenario - a file containing that brand new not-yet-in-the-definitions virus arrives on your system. If you don't have heuristic analysis enabled, avast! will almost certainly not identify it as being harmful (although it is possible that it will, the important thing is that you shouldn't rely on it). So your system gets infected. This is bad. And because it is a new virus, the clever teams may not have come up yet with a simple way to clean your system. Not just bad - nasty! BUT if you had heuristic analysis enabled, avast! would say "Hey! This file contains something which, while not being listed in my definitions, has all the attributes of malware - even a virus - so I had better let my owner know that there MAY be a problem so that he has the choice to (a) make sure my definitions are up to date and (b) check this file out using something else or (c) go and read if someone else on the forums has had the same problem."

The problem is that heuristic analysis MUST identify a small number of system files which don't include any malware but do things which look like what a new virus might do. The most likely candidates are always going to be files which install system things and change system files in order to do it, and there are a bunch of these in Windows systems for the obvious reason that Microsoft try to make Windows systems idiot-proof yet able to be used by idiots like you and me   ::) Some of these, avast! developers can stop avast! identifying within the heuristic part of the engine, but sometimes, to do so, they would effectively be disabling the heuristic analysis system, making it pointless. Hence TrustedInstaller.exe shows up as potentially having a problem, thereby allowing you to do what you have done and maybe to check it out with other AV systems before you proceed.

If you read this far, thanks for your patience - I figured that if you wanted to understand it, it would be worth setting it out in non-technical detail. Hope that explains it so that you understand your avast! and its settings a bit better.

If any avast! experts want to add anything correcting any mistakes I may have made, please please add them below! Thanks!
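The signature check that CheckInst.exe performed earlier in this thread (the "verified ... Signature type: Catalog" output, and Paul's "NOT verified [800B0100]" result) can be reproduced with tooling that ships in Windows. The script below is an added example, not the CheckInst tool, not Avast code, and not from any poster; it assumes Windows PowerShell 5.1 or later and uses the file path quoted in the thread as its default.

```powershell
<#
  Added example (not CheckInst.exe and not Avast code): verify the
  Authenticode/catalog signature of a Windows binary with built-in cmdlets,
  explain the result, including the NotSigned case that corresponds to the
  WinTrust HRESULT 0x800B0100 (TRUST_E_NOSIGNATURE) seen in this thread,
  and print a SHA-256 for an independent multi-engine scanner lookup.
  Assumes Windows PowerShell 5.1+. Default path is the one quoted above.
#>
param(
    [string]$Path = (Join-Path $env:SystemRoot 'servicing\TrustedInstaller.exe')
)

# Investigator-facing meaning of each SignatureStatus value.
$meaning = @{
    Valid        = 'Trusted signature chain and the file hash matches the signed digest.'
    NotSigned    = 'No embedded signature and no installed catalog (.cat) covers this file. ' +
                   'This is TRUST_E_NOSIGNATURE (0x800B0100). For an OS binary it can occur ' +
                   'while servicing is part-way through replacing the file or its catalog; ' +
                   're-check after the update finishes before drawing conclusions.'
    HashMismatch = 'Signed, but the file no longer matches the signed digest. Treat as modified.'
    NotTrusted   = 'Signed, but the certificate chain does not end at a trusted root.'
    UnknownError = 'Verification failed for another reason; see StatusMessage.'
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

$sig = Get-AuthenticodeSignature -LiteralPath $Path
$statusKey = [string]$sig.Status
$explanation = if ($meaning.ContainsKey($statusKey)) { $meaning[$statusKey] } else { $sig.StatusMessage }

# Hash the exact bytes just verified so the same file can be looked up on an
# independent scanner (the thread used VirusTotal and Jotti for this).
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

[pscustomobject]@{
    Path          = $Path
    Status        = $sig.Status
    Explanation   = $explanation
    SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
    IsOSBinary    = $sig.IsOSBinary      # $true when Windows recognises it as its own binary
    Subject       = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    SHA256        = $sha256
} | Format-List

# The binary backs the "Windows Modules Installer" service mentioned in this
# thread. Confirm the registered service points at the file just verified and
# not at a same-named file somewhere else.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TrustedInstaller'" -ErrorAction SilentlyContinue
if ($svc) {
    "Service '$($svc.DisplayName)' (state: $($svc.State), start mode: $($svc.StartMode)) runs: $($svc.PathName)"
}
```

Run it from an elevated PowerShell prompt on the affected machine; a Status of Valid with SignatureType Catalog and a Microsoft Windows subject matches the output briton posted, while NotSigned during an in-progress update is the case Paul hit.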
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: Vladimyr on September 02, 2009, 05:46:58 AM
As I have often said, heuristics is guessing.
Very useful, but never "beyond reasonable doubt".
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on September 02, 2009, 09:48:23 PM
As I have often said, heuristics is guessing.
Very useful, but never "beyond reasonable doubt".
That's one way of looking at it. But if more users understood how avast! attempts to protect their systems, they would also know something of the limitations of AV protection generally.

I like to think of the inclusion of heuristic analysis as providing users with information to allow them to make a reasoned decision about protecting their own systems. If you look at operating systems and software today, the approach is more and more to protect the system from the user. Some of us like to think we are smart enough to make a few decisions ourselves  ::)
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: DavidR on September 02, 2009, 10:15:08 PM
Yes there is guessing, S.W.A.G. (Scientific Wild Assed Guess) and educated/informed guess based on a set of circumstances/parameters. This should take much of the guess out of guesswork ;D
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on September 03, 2009, 08:48:51 PM
Yes there is guessing, S.W.A.G. (Scientific Wild Assed Guess) and educated/informed guess based on a set of circumstances/parameters. This should take much of the guess out of guesswork ;D

Nice! And you are right, but it depends from which direction you are looking. From the standpoint of the system, heuristics APPEAR to be guessing. But look from the viewpoint of the potential virus creator:

"Without heuristics to get past, all I have to do is to create a virus which does what I want it to do and which does not demonstrate any significant qualities of any previous virus."

"With heuristics to get past, I have to create a virus which does not demonstrate any of the core qualities which a virus must possess."

Given the choice between enabling heuristics and getting the odd report like TrustedInstaller.exe and disabling heuristics (or using an AV program without them), I think I will go with the occasional bit of research! lol
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: ArmyAunt on September 12, 2009, 10:08:40 PM
I just wanted to pop in and say that I'm glad you guys are here. I agree that "trustedinstaller.exe" is an obviously dumb name for a truly trusted file -- too much like something a hacker would come up with to fool the gullible. I've had Vista for a bit over a year and this is the first time Avast has popped up on me during a Windows update. It was nice to be able to confirm that my first instinct was right, and let the update continue.

BTW, Briton, I love your avatar -- I need a female version of it. ;D
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: DavidR on September 12, 2009, 10:41:43 PM
Welcome to the forums ArmyAunt.
Title: Re: Avast detected Vista's trustedinstaller.exe as a Rootkit?
Post by: briton on September 15, 2009, 08:06:41 PM
I just wanted to pop in and say that I'm glad you guys are here.
<snip>
BTW, Briton, I love your avatar -- I need a female version of it. ;D
Thanks for the comments. I am sure you can make an avatar somewhere out there ;)