Avast WEBforum

Topic started by: fragman on November 09, 2009, 01:52:37 AM

Title: Virus detected
Post by: fragman on November 09, 2009, 01:52:37 AM
I'm a new user of this great program. Today I ran a thorough complete scan with archive included. It detected one virus: Steinberg\Vstplugins\Jamstix\mappings\Brushpak - Stick Kit (DrumPak #1).rdm [L] Win32:VB-RU [Wrm] (0). After moving it to the virus chest, I deleted it. After searching the internet, the author of the program said that this could not be a virus because it was a data file. It was suggested that a small string of code could be matching that of the virus. So now I'm wondering if this was a false alarm. I do have this file backed up so it would be easy to replace it. Can anyone help?
Title: Re: Virus detected
Post by: DavidR on November 09, 2009, 02:11:19 AM
Deletion isn't really a good early option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate.

That bit out of the way, the author sounds quite knowledgeable, as it is entirely possible that a string within the file matched a signature. As to how to check if it was a false positive, this is only possible since you backed up the file; otherwise that isn't possible.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

So, having created the suspect folder and excluded it, restore your back-up copy to that folder; avast may alert when you try to do this, so it might be best to pause the standard shield to do this.
Title: Re: Virus detected
Post by: fragman on November 09, 2009, 02:50:15 AM
I guess I was a little hasty in deleting this file. Since this was my first virus detection, I was worried. But my computer was backed up in an Acronis image which I mounted and then copied the offending file back to my computer without problem. Right-clicking and scanning with Avast reproduced the virus alert and I then deleted the file. I'll check out the VirusTotal tip. Thanks...
Title: Re: Virus detected
Post by: DavidR on November 09, 2009, 03:15:10 AM
No problem, glad I could help.

Post the link to the VT results and we can advise further.

Welcome to the forums.
Title: Re: Virus detected
Post by: fragman on November 09, 2009, 03:18:28 AM
Virus Total results: 2/40 with Avast and GData detecting as Win32:VB-RU. So I'm not really sure what this all means. http://www.virustotal.com/analisis/e3882855a99002e41cbc582e015b6b62bb0f11c2cfa3578af0c211a5a7d06b25-1257732173

Here's a link to another person with the same problem and discussion by the author on the next page: http://www.kvraudio.com/forum/viewtopic.php?t=218301&highlight=avast
Title: Re: Virus detected
Post by: DavidR on November 09, 2009, 03:30:08 AM
GData uses avast as one of its two scanners, so we are effectively down to 1 detection, so there is a high probability that it is an FP.

Send the sample to virus@avast.com, zipped and password-protected, with the password in the email body (a link to this topic might help) and 'false positive' in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Periodically check it (scan it in the chest); there should still be a copy in the chest. When it is no longer detected, you can Restore it from the chest; also remove it from the Standard Shield and Program Settings exclusions.
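
The reasoning in the reply above (two products reporting, one shared engine, so effectively one detection), as an added Python example; it is not part of the original thread or of any Avast or VirusTotal tool. The sample results are constructed, and treating a matching label as a repeat of the upstream engine is an assumption of this example.

```python
# Added example: collapse multi-scanner hits that come from one shared engine.
# Assumption: only the GData -> Avast pairing is taken from the thread; extend
# the map from vendor documentation, not from guesses.
SHARED_ENGINES = {"GData": "Avast"}


def independent_detections(results, shared=SHARED_ENGINES):
    """Group detecting products by the engine that actually produced the hit.

    results maps product name -> detection label, or None when clean.
    A licensed product counts as a repeat of its upstream engine only when
    both report the same label; a different label (or a clean upstream)
    means its other engine fired, so it stays an independent hit.
    """
    groups = {}
    for product, label in results.items():
        if label is None:
            continue
        upstream = shared.get(product)
        if upstream is not None and results.get(upstream) == label:
            source = upstream
        else:
            source = product
        groups.setdefault(source, []).append(product)
    return groups


def summarize(results, shared=SHARED_ENGINES):
    """Return (raw hits, independent hits, products scanned)."""
    raw = sum(1 for label in results.values() if label is not None)
    return raw, len(independent_detections(results, shared)), len(results)


def build_sample():
    # Constructed sample shaped like the thread's 2/40 result; the 38 clean
    # product names are placeholders, not real scanner names.
    results = {f"CleanProduct{i:02d}": None for i in range(1, 39)}
    results["Avast"] = "Win32:VB-RU"
    results["GData"] = "Win32:VB-RU"
    return results


if __name__ == "__main__":
    raw, independent, total = summarize(build_sample())
    print(f"{raw}/{total} products flagged the file, {independent} independent engine(s)")
```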
Title: Re: Virus detected
Post by: fragman on November 09, 2009, 03:58:37 AM
DavidR
I'm sending the file from the virus chest as a false positive. I guess I'll delete it temporarily after the next update. Will someone at Avast analyze the file to determine if it really is a false positive? Thanks again for the help.
Title: Re: Virus detected
Post by: DavidR on November 09, 2009, 03:06:46 PM
You're welcome.