Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: Pierolle on September 30, 2008, 01:17:50 PM

Title: How to deal (..) [CHECK DAVID LAST QUESTION]
Post by: Pierolle on September 30, 2008, 01:17:50 PM
Hello,

well avast! just detected a virus/trojan. But after I've moved the virus to the chest, what should I
do next? Sure I could let it be there to make sure windows/my programs are still working as they
should. But then what? Should I keep it in the chest or delete it?
Thanks.
Title: Re: How to deal with a virus?
Post by: DavidR on September 30, 2008, 03:11:43 PM
We thrive on information and with the lack of it we are guessing.
I take it that you aren't using the server version of avast ?

What Operating System are you using ?

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Title: Re: How to deal with a virus?
Post by: Pierolle on October 01, 2008, 10:28:18 PM
Hi,

the name is Ravenhearst.exe. It can be found in a map which I got with my new computer (Acer GameZone).
And that's a bit strange, I mean, why would Acer put a virus in their own program? Anyway,
It says that it's a Win32: Trojan. Anyway, if the file isn't in the system files, I can just have it in the chest for
some time and then scan again - delete?

(Whole address; C:\Program Files\Acer GameZone\MCF Rave...) <- and that's the whole address I can find, and yes, avast! also shows three dots at the end.
Thanks!

BTW, how do I rescan in the chest? Just press the scan button when you open the virus chest?
Title: Re: How to deal with a virus?
Post by: DavidR on October 01, 2008, 11:30:15 PM
That is the reason why we ask about the file, location and malware name as I think that it is win32:Trojan-gen.

The three ... dots signify that there is more info (concatenated), you can expand the column width by left click and hold whilst dragging the mouse pointer to the right (this works in most windows applications with columns).

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So you should confirm the detection, see below.

When you open the chest, Infected Files section, highlight the file, right click on it and select scan.

- The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).


####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 (http://forum.avast.com/index.php?topic=34950.msg293451#msg293451), how to report it to avast! and what to do to exclude them until the problem is corrected.
####
Title: Re: How to deal with a virus?
Post by: Pierolle on October 06, 2008, 05:49:36 PM
O.O

Heh, alright. But anyway, I don't really care so much about that file since I don't play it. So to make
it simple, if I rescan it and it's still a Virus (And as I said, if I don't care about the file), I can delete it?
Title: Re: How to deal with a virus?
Post by: DavidR on October 06, 2008, 06:26:40 PM
It isn't so much if you care as you don't use it, but submitting it to virustotal to confirm or deny the validity of the detection. Sending it to avast to correct the detection for all other users of avast who might just have this file as well if it is a false positive.
Title: Re: How to deal with a virus?
Post by: Pierolle on October 06, 2008, 07:16:16 PM
Can't I just in someway send it to Avast! and let them check it? xD
Title: Re: How to deal with a virus?
Post by: DavidR on October 06, 2008, 07:48:16 PM
The point is if it isn't a false positive there is no point in sending it.
Title: Re: How to deal with a virus?
Post by: Lisandro on October 06, 2008, 10:14:45 PM
Quote
Can't I just in someway send it to Avast! and let them check it? xD
Yes you can... but like David said if it is not a false, i.e., if it is really infected, well, sending will not help you, you need to get rid of the file. As we don't know (you need to submit the file to virustotal and give us more info), the safer now will be moving the file to Chest and test it within there (right clicking it).
Title: Re: How to deal with a virus?
Post by: Pierolle on October 06, 2008, 11:10:04 PM
Okay.

So first, I have tested the file once again in the chest and still avast! says it's a virus. So here is what I should do;

Go to Virus Total and check the file, if it's a virus, delete. If it's not, send it to avast(!)?

To David, but if I move/copy the file to another map to check it on VirusTotal, then I'm "releasing it"? And the pic you had in your second post I believe, was that from VirusTotal or what?
And can't I just create the folder on the desktop?
Title: Re: How to deal with a virus?
Post by: DavidR on October 07, 2008, 12:17:43 AM
You would be taking a copy, Extract (as opposed to Restore, which sends it to the original location) to a temporary location (the c:\suspect folder I suggested creating and excluding) where it can be uploaded to virustotal without avast alerting again.

Whilst outside the chest in a different location to the original location presents virtually no risk as nothing knows it is there and there is no command to run it from that location, it is effectively inert.

The image isn't of virustotal but showing how to expand the column width so you can see the full text.

Using windows explorer it is easier to create a folder in the C:\ folder than to create one on the desktop. It also makes it easier to upload the file to virus total as when you click browse (in VT) to indicate where the file is located on your HDD it will be much easier to find the c:\suspect folder where the file is than to find the desktop and any folder on that, it is buried. Just try and find your desktop folder in windows explorer.

Believe me when I give you a suggestion I'm trying to give the easiest option. You can also believe me that I'm not going to suggest doing something that is harmful to your system (certainly not without full notification), like Extracting a file from the chest, that is absolutely necessary as you can't upload the file in the chest it is a protected area.
Title: Re: How to deal with a virus?
Post by: Lisandro on October 07, 2008, 03:31:37 AM
Quote
Go to Virus Total and check the file, if it's a virus, delete. If it's not, send it to avast(!)?
You can send the file to virus@avast.com in any case...
You can zip and password the files... Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

Maybe it will be good to add in the email body a link to this thread.
Title: Re: How to deal with a virus?
Post by: Pierolle on October 07, 2008, 04:52:00 PM
David,

sure I believe you. But I rather ask some stupid questions than doing something wrong. I'm not that of a pro. :p
Anyway. So I'll do exactly as you've posted. I'll let you know how it went! (It'll take some minutes I believe!)
Title: Re: How to deal with a virus?
Post by: Pierolle on October 07, 2008, 05:01:30 PM
By the way, I can delete the extracted file yes? <- Nevermind, I had avast! take the file in again by detecting it

[Edit:]

It's done. It got 5/36, so some programs took it as a virus. Delete? :)
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 07, 2008, 07:06:21 PM
Personally I would leave the extracted files alone until we have completed the whole process.

If you can either copy and paste the results or copy and paste the URL in the address bar of the VT results page.

This information, e.g. what other scanners detected it and what they called the detections, helps us greatly.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 07, 2008, 10:46:57 PM
Oh darn.. Now make it all over again! >.>

Anyway, big thanks for the help. So, I'll upload the URL tomorrow I believe, after that, please tell me
I'm ready to delete the file? I'm so tired of it! :p

[And I have the extracted file in the Virus chest now, but I'll just do the same thing over again,
right?]
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 10, 2008, 08:35:31 PM
..David....? :'(
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Lisandro on October 10, 2008, 09:20:17 PM
Quote
I'm ready to delete the file? I'm so tired of it! :p
There is no rush to delete files that are into Chest... but if it passes some days and it's still being detected as infected, and your computer is working, well, you can delete the file into Chest.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 10, 2008, 09:36:25 PM
Quote
<snip>
Anyway, big thanks for the help. So, I'll upload the URL tomorrow I believe, after that, please tell me
I'm ready to delete the file? I'm so tired of it! :p

[And I have the extracted file in the Virus chest now, but I'll just do the same thing over again,
right?]

You're welcome, just repeat the exercise extract the file to the suspect folder and upload to VT again. This is why I suggested leaving it there until the process is complete and we aren't there yet.

The more info we have on the VT detections the easier it is to say for sure or with any degree of confidence if it is an FP and if so then we send the file to avast for further analysis to correct the virus signatures.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 18, 2008, 02:43:20 AM
Sorry David that I haven't posted in a while. But I've been kinda busy in real life, working. Anyway,
here's the link. Finally! :)

http://www.virustotal.com/sv/analisis/b730eed1339c0e89377dbd815eb298c6

Now what? ^^
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Lisandro on October 18, 2008, 02:48:04 AM
G-Data detection is the same as avast (as it uses avast engine).
Seems a false positive... but it will be good if the avast team takes a look and corrects the detection. Until there, it will be safe to keep it into Chest.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 18, 2008, 02:01:04 PM
Quote
Sorry David that I haven't posted in a while. But I've been kinda busy in real life, working. Anyway,
here's the link. Finally! :)
<snip>
Now what? ^^

Well I too would say there is a strong possibility of it being an FP. With 4 results (3 counting gdata and avast as 1) either generic or suspicious (heuristic) which are more prone to FP.

The only exception being (see below) and that too appears not to be a specific signature detection, so I would say submit the file to avast for further analysis.

Quote
ClamAV    -    -    PUA.Packed.Armadillo

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
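The way DavidR reads the VirusTotal results above can be written down as a small triage routine: scanners that share an engine count once, and generic ("-gen"), heuristic ("Suspicious") and packer/PUA names are weaker evidence than a specific family name. The Python below is an added example, not code from this thread or from Avast or VirusTotal. The scanner lists, detection names and thresholds are constructed for illustration; the only fact taken from the thread is that G Data uses the avast engine.

```python
"""Triage antivirus verdicts for false-positive likelihood.

Added example (not Avast/VirusTotal code). Encodes the reasoning used in the
thread: collapse scanners that share an engine, then weigh how specific each
detection name is before deciding whether to submit the sample as a possible FP.
"""
import re
from collections import Counter

# Scanners that share an underlying engine map to one key. Only the G Data ->
# avast relationship comes from the thread; any further entries are assumptions.
SHARED_ENGINE = {
    "avast": "avast",
    "gdata": "avast",
}

# "gen"/"generic" as a whole token (so "Agent" does not count as generic).
_GENERIC = re.compile(r"(?<![a-z])gen(?:eric)?(?![a-z])")
_HEURISTIC = re.compile(r"suspic|heur")
_PUA = re.compile(r"\bpua\b|packed|packer|riskware|not-a-virus")


def classify_name(name: str) -> str:
    """Bucket a detection name by how specific the evidence is."""
    low = name.lower()
    if _GENERIC.search(low):
        return "generic"
    if _HEURISTIC.search(low):
        return "heuristic"
    if _PUA.search(low):
        return "packer_pua"
    return "specific"


def independent_hits(verdicts):
    """Return {engine: detection_name}, counting shared engines once.

    verdicts: iterable of (scanner, detection_name); None or "" means clean.
    The first verdict seen for an engine is kept.
    """
    hits = {}
    for scanner, name in verdicts:
        if not name:
            continue
        key = SHARED_ENGINE.get(scanner.lower(), scanner.lower())
        hits.setdefault(key, name)
    return hits


def assess(verdicts, total_scanners):
    """Summarise the verdicts and suggest what to do with the quarantined file."""
    hits = independent_hits(verdicts)
    classes = Counter(classify_name(n) for n in hits.values())
    specific = classes["specific"]
    raw = sum(1 for _, n in verdicts if n)
    # Thresholds are assumptions: two independent specific names is strong
    # evidence; otherwise the sample goes to the vendor for a decision.
    if specific >= 2:
        verdict = "likely malicious: keep in quarantine, do not restore"
    elif specific == 1 or len(hits) > 3:
        verdict = "inconclusive: keep in quarantine, submit sample for analysis"
    else:
        verdict = "possible false positive: keep in quarantine, submit sample for analysis"
    return {
        "ratio": f"{raw}/{total_scanners}",
        "independent_hits": len(hits),
        "specific_hits": specific,
        "classes": dict(classes),
        "verdict": verdict,
    }


# Constructed sample resembling the pattern discussed in the thread: a generic
# name shared by two scanners on one engine, a packer/PUA name, one heuristic.
SAMPLE_POSSIBLE_FP = [
    ("Avast", "Win32:Trojan-gen"),
    ("GData", "Win32:Trojan-gen"),
    ("ClamAV", "PUA.Packed.Armadillo"),
    ("Ikarus", "Suspicious File"),
    ("Kaspersky", None),
    ("Microsoft", None),
]

# Constructed contrast: several independent scanners agree on a family name.
SAMPLE_LIKELY_MALWARE = [
    ("Avast", "Win32:Trojan-gen"),
    ("GData", "Win32:Trojan-gen"),
    ("ClamAV", "PUA.Packed.Armadillo"),
    ("Kaspersky", "Trojan-Downloader.Win32.Zlob.abc"),
    ("Microsoft", "TrojanDownloader:Win32/Zlob"),
    ("Sophos", "Troj/Zlob-AB"),
]

if __name__ == "__main__":
    for label, sample in (("possible FP", SAMPLE_POSSIBLE_FP),
                          ("likely malware", SAMPLE_LIKELY_MALWARE)):
        print(label, assess(sample, total_scanners=36))
```

Whatever the routine says, the file stays in the chest until the vendor has answered; the output only decides whether a submission is worth making and what to say in it.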
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 18, 2008, 09:07:24 PM
It says I cannot send it since it's too big. :(
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 18, 2008, 09:23:19 PM
Increase the size, avast Program Settings, Chest, Max size file to send, etc. so that it is large enough to cope with the actual file size.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 19, 2008, 05:51:37 PM
OMFG! I'M ******* GETTING MAD HERE AT THIS DAMN OUTLOOK! -.-'
Please, I can't get it to work. Give me another way to get this file sent. And what about the text, is this good enough;

Hello.

DavidR on Avast! Support Forums told me to send you this file since it could be a false positive. I'd be glad if you could check it. [Forum Thread Name; How to deal with a virus? [CHECK DAVID]].
Thanks.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 19, 2008, 06:36:40 PM
Well you could try zipping and password protecting the sample and sending it from outlook conventionally e.g. attach the zip to the email, as in my post, Reply #21 above.

As for the text, the more important things are the password in email body, a link (from the address window of the topic, the same way you captured the URL for the VT results) to this topic and the link to the VirusTotal results might help. Place possible false positive in the email subject.

You don't need to go into much detail as the link to this topic would provide the detail.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 20, 2008, 01:26:15 PM
But it's outlook who isn't working. I don't know why, I've tried and tried but isn't it possible sending it by Hotmail or something else?
And how do I ZIP & Pass protect the file? :)
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 20, 2008, 04:01:55 PM
I don't know why outlook isn't working but the chest may add an extra complication, which is why I suggested trying outside.

You don't say 'why' it isn't working ?

Since you mention Hotmail, I can only assume that you send and download email to your Hotmail account using Outlook ?

Hotmail isn't a normal SMTP or POP3 account but web mail, which is normally accessed by your browser, although MS allows Outlook (and OE) to be able to send and receive Hotmail, but it doesn't use SMTP or POP3 protocols, but uses WebDAV or something like that to convert hotmail. Because it doesn't use the SMTP/POP3 protocols avast can't access this account.

You need to have a zip program, 7zip, winzip or RAR, I would say 7zip is the easiest to work with when it comes to setting a password as it is clear on the screen.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 20, 2008, 07:16:49 PM
Outlooks says I need to choose some kind of server (?) and choose name, register here and there, connect here, oh, couldn't connect outlook need to be running. I don't know, I'm just getting mad with it. Anyway, maybe you got some experience from starting outlook for the first time?

Maybe you want a screenshot?
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 20, 2008, 08:09:26 PM
I don't use Outlook so can't really be any practical help.

How do you normally receive and send email ?
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 21, 2008, 09:00:31 PM
Hotmail, and I don't use mail that often.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on October 21, 2008, 09:43:09 PM
That is the problem, because Hotmail is web based email that doesn't use the standard SMTP protocol but a proprietary MS protocol so Outlook can send to it, but avast can't handle that protocol.

So you would have to start by creating an email using Outlook to virus@avast.com, zip and password protect the sample, then send it to avast.

Another problem that I foresee is that although zipped and password protected Hotmail may block the sending of the email because the Ravenhearst.exe is an executable file and whilst it can scan the file it blocks by type a really crude and pathetic strategy. So before zipping the sample you may need to rename it Ravenhearst_exe.txt as that file type shouldn't be blocked.

Whilst this is a lot of hassle it might be the only way of getting past Outlook and Hotmail to submit a sample. There is no such problem if you had a conventional POP3/SMTP email account (like one provided by your ISP, etc.) then it could have been sent from the avast chest, no zip/password hassles.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 22, 2008, 10:44:53 PM
"Connection to Microsoft Exchange Server is not available. Outlook needs to be online
or connected for this to be finished."

Any idea whats wrong? :(
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on October 22, 2008, 11:04:10 PM
By the way, I'm going to try calling Microsoft tomorrow when I'm free. And let's
see what they say. I'll let you know. :)
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on November 13, 2008, 09:19:30 PM
Sorry I just ran off like that. Just been a lot. Anyway, I believe this office program is only working with the comp we bought it with (?). So, do you want me to send it some other way or just delete it? I just really dont got the time to fight with Microsoft atm.  :P

[I have WinRAR, haven't paid for it tho, but it's still working unzipping files]
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on November 13, 2008, 10:08:59 PM
Hey, great news!

I was scanning my computer while I was watching a movie, and when I got back - no viruses found! What?!
But I have the file in my Suspect map! So I rescanned the file in the chest, and avast! did not find any virus.
So, I guess this is the end! :)

Anyway, I really would like to thank you for the time you've spent on helping me! :]
If I delete the file by pressing the button up in the corner, will avast! delete the whole file from my comp, and not just from the chest, yes?
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on November 13, 2008, 11:09:18 PM
You're welcome.

In the interim someone else may have had this problem and been able to send the sample to avast and the detection was corrected.

Right click on the file in the chest and select restore, that will place it back in the original location (after all it is no longer considered infected), confirm that a copy has been placed in the original location and then delete the file in the chest (this only deletes the file in the chest nothing else).
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on November 15, 2008, 11:13:03 PM
But I don't want the file, I mean, it's a game I got with my computer. But if I delete it, by just clicking the delete button in the corner, will there be any kind of copy somewhere?

But I've uninstalled the game months ago, but I still have the file, so it wouldn't make any difference if I restored it.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: DavidR on November 15, 2008, 11:27:58 PM
I wasn't aware that you had uninstalled the game (or didn't remember if you mentioned it, it has been a long topic) when I said you could restore the file to its original location. If the game isn't there, neither would the original location be, so it would fail on the restore; you can obviously delete it from the chest.
Title: Re: How to deal with a virus? [CHECK DAVID]
Post by: Pierolle on November 16, 2008, 02:48:38 PM
Okay, they're deleted. But the file is totally gone from the comp now also?
Title: Re:
Post by: Pierolle on November 17, 2008, 09:05:28 PM
?
Title: Re: How to deal (..) [CHECK DAVID LAST QUESTION]
Post by: Lisandro on November 17, 2008, 09:15:21 PM
Quote
Okay, they're deleted. But the file is totally gone from the comp now also?
Yes, if you sent a file to Chest, it's not on your computer anymore. Only on Chest.
If you delete the file from Chest, it's gone forever.
Title: Re: How to deal (..) [CHECK DAVID LAST QUESTION]
Post by: DavidR on November 17, 2008, 11:53:52 PM
If you have done as Tech outlines, then yes the file is completely gone.
Title: Re: How to deal (..) [CHECK DAVID LAST QUESTION]
Post by: Pierolle on November 18, 2008, 05:06:27 PM
Thank you.
Title: Re: How to deal (..) [CHECK DAVID LAST QUESTION]
Post by: DavidR on November 18, 2008, 05:15:38 PM
You're welcome.