Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Snagglegrain on July 25, 2009, 12:05:00 AM

Title: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 12:05:00 AM
Hello

Has anyone recently had avast! flag a Windows Installer file named c415ae.msp as infected with Win32:Bifrose-EGW[Trj]?

I zipped and password-protected the file and sent it to support a few hours ago, but have not heard back.

As an aside, I also noticed that when I tried to email the file to avast from the Chest (by clicking the email icon on the toolbar), nothing happened... that is, the Submit file dialog did not appear.  :(  It does appear for other files in the Chest.  Any ideas?

I eventually added the file to the exclusions lists, in order to email it and also upload it to VirusTotal.  VT, by the way, only had avast! and one other vendor flagging this file.

Any info and help would be appreciated.  :)
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: polonus on July 25, 2009, 12:26:22 AM
Hi Snagglegrain,

Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,

polonus
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 25, 2009, 12:29:28 AM
Yes, lots of them, in the viruses and worms forum. http://forum.avast.com/index.php?topic=47063.0 as polonus mentioned.

No idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 12:36:24 AM
Quote from: DavidR
> No idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.

I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   :-\
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 12:42:53 AM
Quote from: polonus
> Hi Snagglegrain,
>
> Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
> Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,
>
> polonus

Sorry, looks like I posted this in the wrong forum.  :-[  I'll know better next time.   :)
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 12:49:51 AM
Quote from: polonus
> Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update

Yes, a malware analyst from support just emailed me back...

"File is falsely detected. The detection
will be corrected in next VPS update 090725-0."


Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 25, 2009, 01:25:29 AM
Quote from: Snagglegrain
> Quote from: DavidR
> > No idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.
>
> I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   :-\

It can't be virus-like behaviour inside the chest, a protected area; even if it was possible, it doesn't make sense that it would affect one file type and not another.

The other problem is that there have been others who have been able to submit the file.
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 10:43:23 PM
Quote from: DavidR
> The other problem is that there have been others who have been able to submit the file.

David, did you notice that Fallen-Parts encountered the same behavior (http://forum.avast.com/index.php?topic=47063.msg396673#msg396673) as I did when trying to email one of these fp's from the Chest?
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 25, 2009, 10:45:20 PM
Quote from: Snagglegrain
> Yes, a malware analyst from support just emailed me back...
>
> "File is falsely detected. The detection
> will be corrected in next VPS update 090725-0."

It's all good now!   :P
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 25, 2009, 11:47:22 PM
Quote from: Snagglegrain
> Quote from: DavidR
> > The other problem is that there have been others who have been able to submit the file.
>
> David, did you notice that Fallen-Parts encountered the same behavior (http://forum.avast.com/index.php?topic=47063.msg396673#msg396673) as I did when trying to email one of these fp's from the Chest?

Yes I did, weird. Not something I could check out as I have had no detections.
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 26, 2009, 12:31:30 AM
If you really want to check it out, I could email you a zipped copy of the fp file I had, and if it's possible to roll back detections to yesterday, you might be able to see the behavior for yourself??
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 26, 2009, 01:09:33 AM
I don't go that far to check things out on my own system thanks.
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 26, 2009, 01:10:46 AM
I don't blame you!
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 26, 2009, 02:24:23 AM
Well I have found out what your problem is ;D

I found a .msp file and added it to the chest and that failed to bring up the form. However, I thought it might be because of its size getting in the way.

So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.

Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: Snagglegrain on July 26, 2009, 06:28:00 AM
Quote from: DavidR
> Well I have found out what your problem is ;D
>
> I found a .msp file and added it to the chest and that failed to bring up the form. However, I thought it might be because of its size getting in the way.
>
> So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.
>
> Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.

You are 100% absolutely correct!  Good thinking, David.  I tested it on my settings as well, and have made the (10mb) change... that's a nice round number. ;)  I'm glad you figured that out.  Thank you.   :)
Title: Re: Win32:Bifrose-EGW[Trj]
Post by: DavidR on July 26, 2009, 02:36:11 PM
Quote from: Snagglegrain
> <snip>
> You are 100% absolutely correct!  Good thinking, David.  I tested it on my settings as well, and have made the (10mb) change... that's a nice round number. ;)  I'm glad you figured that out.  Thank you.   :)

You're welcome.