Avast WEBforum

Other => Viruses and worms => Topic started by: 23cricket on December 10, 2011, 05:11:36 PM

Title: Flash_Disinfector.exe - False positive?
Post by: 23cricket on December 10, 2011, 05:11:36 PM
Hi,(this is my first post here)

This morning Avast reported that my 3 computers were infected by Win32:Trojan-gen in Flash_Disinfector.exe. I have used this file for over a year to "inoculate" my USB drives against malware, etc. on the recommendation of moderators at the help sites: forums.techguy.org and www.geekstogo.com. I notice that it is also recommended in places here in this forum. The file has not been modified or updated since downloading it. It is now sitting in the avast "chest" whilst I try to figure out if it is indeed (after all this time) a threat.

False positive? Any advice would be sincerely appreciated!

Thanks!
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 10, 2011, 06:10:05 PM
What scan was it that you did ?

Whilst it is highly unlikely to be infected, first always confirm (one way or another) and report to avast (if a false positive). The win32:Trojan-gen is a generic signature (the -gen bit) and more prone to FP.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here; post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest: you need to Open the chest, right click on the file and select 'Extract', extracting it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

####

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.

Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 10, 2011, 06:19:03 PM
Update:
I have had this for some considerable time and have had no alert; I just scanned it and ran it, with no alerts.

Flash_Disinfector.exe - 129KB (132,597 bytes)
MD5: A37C8C8523B2027897BE24C9DEC7CF35
Title: Re: Flash_Disinfector.exe - False positive?
Post by: 23cricket on December 10, 2011, 06:29:05 PM
Thanks!

Will get to it and report back.
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 10, 2011, 07:42:44 PM
No problem, welcome to the forums.
Title: Re: Flash_Disinfector.exe - False positive?
Post by: 23cricket on December 10, 2011, 07:44:49 PM
Thank you @DavidR!

The results from VirusTotal are 10/43. See the report at: http://www.virustotal.com/file-scan/report.html?id=1357175d260de3ca70b7f824667eda5e381906a25d7bf1277e8622641225ae77-1323538341 . I have submitted a report to the lab including links to this thread and the VirusTotal report. It looks very likely that it is a FP. I will follow your suggestions and await a fix.

Appreciate it!
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 10, 2011, 07:58:23 PM
Where did you get your copy of Flash_Disinfector.exe, as it is a relatively old piece of software which hasn't changed as far as I'm aware?

I got mine via here, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/ , so that is coming from the source/maker and the Bleeping Computer site download, and that matches my copy's MD5.

The MD5 of the file you uploaded to VT (MD5: a37c8c8523b2027897be24c9dec7cf35) matches that which I posted, and I still don't get any alert on this with the latest VPS 111210-1. So I can't see why avast would alert on it in VT, possibly as the last update on VT for avast! is showing as 2011.12.09 (yesterday).

Is avast still alerting on your system ?

EDIT: Scans by avast, MBAM and SAS on it find nothing.
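The check DavidR and 23cricket did by hand above (same size, same MD5 across the chest copy, the fresh download and the VT upload) can be scripted. This is an added example, not code from the thread or from the Flash_Disinfector author; the reference size and MD5 are the ones posted in the thread, the sample file it writes is constructed and deliberately does not match, and the VirusTotal URL form is an assumption about the current site layout. A SHA-256 is computed alongside the MD5 because MD5 alone is no longer collision resistant.

```python
"""Verify a local file against a posted reference size and hash.

Added example for this thread; not part of the original posts.
"""
import hashlib
import hmac
import os
import tempfile

# Reference values for Flash_Disinfector.exe as posted in the thread above.
REFERENCE = {"size": 132597, "md5": "a37c8c8523b2027897be24c9dec7cf35"}


def file_digests(path, chunk_size=1 << 16):
    """Return size plus MD5 and SHA-256 hex digests, streaming the file."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_against_reference(path, reference):
    """Compare a file with a reference record.

    Returns (ok, reasons, digests). Size is checked first because it is
    cheap and a mismatch already settles the question; the MD5 compare is
    constant time and case-insensitive, since the thread quotes the same
    hash in both upper and lower case.
    """
    actual = file_digests(path)
    reasons = []
    if actual["size"] != reference["size"]:
        reasons.append(f"size {actual['size']} != {reference['size']}")
    if not hmac.compare_digest(actual["md5"].lower(), reference["md5"].lower()):
        reasons.append(f"md5 {actual['md5']} != {reference['md5'].lower()}")
    return (not reasons), reasons, actual


def same_content(path_a, path_b):
    """True if two copies (e.g. chest extract vs. fresh download) are identical."""
    return file_digests(path_a)["sha256"] == file_digests(path_b)["sha256"]


def vt_lookup_url(hex_digest):
    """URL of an existing VirusTotal report for a hash, so a file can be
    looked up without uploading it. Assumed current path; verify before use."""
    return f"https://www.virustotal.com/gui/file/{hex_digest.lower()}"


def write_sample(data=b"abc"):
    """Write a constructed sample file and return its path (for demonstration)."""
    fd, path = tempfile.mkstemp(prefix="suspect_", suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_sample()
    ok, reasons, digests = verify_against_reference(sample, REFERENCE)
    print(digests)
    print("match" if ok else "MISMATCH: " + "; ".join(reasons))
    print("Existing report (if any):", vt_lookup_url(digests["md5"]))
```

Run it against the extracted copy (`file_digests(r"C:\Suspect\Flash_Disinfector.exe")`) and the fresh download; a size or hash mismatch against the posted reference means you are not looking at the same file the others scanned, and the FP question should be re-opened from scratch.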
Title: Re: Flash_Disinfector.exe - False positive?
Post by: polonus on December 10, 2011, 09:12:04 PM
Hi DavidR,

Abuse reported here: http://amada.abuse.ch/?search=a37c8c8523b2027897be24c9dec7cf35
&
http://www.threatexpert.com/report.aspx?md5=a37c8c8523b2027897be24c9dec7cf35

polonus
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 10, 2011, 10:07:31 PM
The problem is anal(ysis) reports like this are lacking in something, isolated from what the purpose of the file is for.

Whilst this kind of behaviour might be considered suspect, they are unable to put it into context.

You only have to look at the VT results to see many simply haven't a clue what it is or how to categorise it. PUP would be one area as it is essentially a tool, but one that would have to be re-engineered to make it malicious and then it wouldn't have the same MD5.

This is also why I asked the OP what scan this was, as if it included PUPs in the scan it may have been win32:trojan-gen [PUP], but I didn't get an answer to that question.
Title: Re: Flash_Disinfector.exe - False positive?
Post by: polonus on December 10, 2011, 10:58:22 PM
Hi DavidR,

So the first thing to do is send it to virus AT avast dot com to add to detection if found to be real malware. This is our forum responsibility to our fellow avast users and to help towards better avast detection.
The second important thing is to know from where the suspicious file was downloaded. I always like to have my VT results come in pairs: 1. VT URL scan and 2. the subsequent file scan. This could narrow down the malware a bit more. Notice also that some malware is changing overnight and migrating quickly once found up/reported. Also malware can act differently when running in scanners or analysis tools than when trying to infect a victim.
Well, alerting to it can be a good thing after all, because there is the possibility the malware will be dead (not responsive) soon or not up any longer from where it resided or infected from. I follow the VirusWatch listing daily to see what the migration patterns are and what malware has gone to be "daily dirt". The malcreant is a "colossal" opponent, and he is looking right over our shoulders, so stay secure you all,

polonus
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 11, 2011, 01:10:04 AM
It isn't that straight forward, if you look at the VT results you will see that avast has alerted on it, yet not on my system.

Not to mention that the Flash_Disinfector.exe is a legit tool which we have recommended many times on these forums and essentially it remains unchanged.
Title: Re: Flash_Disinfector.exe - False positive?
Post by: polonus on December 11, 2011, 01:16:27 AM
Hi DavidR,

I am with you on every word you write there, but isn't it good to advise the users only to download from a reliable source online? In that case they do not even run the minimal risk of getting additional crap or worse,

polonus
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 11, 2011, 01:18:27 AM
I really don't understand what it is that you are getting at here.

The MD5s match the one I have and the one he uploaded to VT.
Title: Re: Flash_Disinfector.exe - False positive?
Post by: polonus on December 11, 2011, 01:32:17 AM
Well then everything is OK,

pol
Title: Re: Flash_Disinfector.exe - False positive?
Post by: 23cricket on December 11, 2011, 01:57:15 AM
Hi Folks,

Sorry for the slow reply - just got back from a xmas shopping melee with my sweetheart <yikes!>

At this time (19:20 EST) avast is no longer alerting on the file. I tested against the one that I extracted from the virus chest and from a fresh copy obtained from <download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe> . The last alert I received was at 13:58 EST today. MBAM and SAS have never reacted to it (nor avast until today) for the entire time that I have had it. I originally downloaded the file on 11-03-2010 from bleepingcomputer.com via a recommended link from forums.techguy.org . It has not been modified or changed since that time as far as I can tell.

The scan that picked it up was a regularly scheduled full system scan which I run every 3rd day on my 3 computers. I did not set up the scans to detect PUPs. The alert showed on all 3 computers this morning, which is interesting as they do not communicate with each other or share any resources other than the router for internet access.

@DavidR and @polonus, I appreciate all your help and attention!

Many thanks!
Title: Re: Flash_Disinfector.exe - False positive?
Post by: DavidR on December 11, 2011, 02:23:28 AM
You're welcome.