Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: zygomatic on April 17, 2012, 09:34:28 AM
-
This is the second time for this to happen.
Windows 7 Ultimate 64bit notifies me that there's an update for Defender. I download it and the installation starts. All of a sudden there's a red alert from Avast 7 (7.0.1426) saying that a virus has been moved to the chest. I take a look at the installation of the definitions (Windows Defender) and it failed. The virus type is Win32:Gremo. Then, I run the update manually and the installation finishes without a problem. And it all happened on two separate occasions.
Help! :(
Oh, by the way, what should I do with the viruses once they're inside the chest?
-
Preferably, imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.
-
The problem is that the virus signatures the WD update is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.
-
I use avast! Free 7.0.1426 (virus definition: 120417-0) on Windows 7 64bit Professional and I'm experiencing almost the same issue as the thread starter, just a different virus.
Avast reports a Win32:Bolzano-W virus residing in a randomly named folder within C:\
It is accessed by the process C:\windows\system32\mpsigstub.exe.
Here is the log (C:\windows\temp\mpsigstub.log) of the failed automatic Windows Defender signature update. It failed because avast! interfered and I chose to put the file into quarantine:
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program c:\46a30492c161b189d597ef56838f1a\MpMiniSigStub.exe WD /q
Start time: 17.04.2012 10:36 (version 11.1.3927.0)
=================================== ProductSearch ==================================
Microsoft Windows Defender (Windows 7):
Status: Active
Product: 6.1.7600.16385
Engine: 1.1.8202.0
Signatures: 1.123.1683.0
================================ PackageDiscovery ================================
Package files discovered:
c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p (?.?.?.?)
AS BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.123.1936.0
AV delta VDM: Not included
================================ PatchApplication ================================
Using directory c:\46a30492c161b189d597ef56838f1a for temporary storage,
ERROR 0xffffffef : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C82271-A582-4C10-A343-809FF71783D9}\mpasdlta.vdm, c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p, c:\46a30492c161b189d597ef56838f1a\F4FFFCE3-ABB1-44C4-9D6E-CDDDF0D9B623mpasdlta.vdm)
Watson Report: Position:
HRESULT: 0xffffffef P1
FailedFunction: PatchApplication P2
Operation: AS BDD P3
SourceComponentVersion: 11.1.3927.0 P4
SourceComponentName: mpsigstub.exe P5
ProductVersion: 6.1.7600.16385 P6
ProductName: Microsoft Windows Defender (Windows 7) P7
Set BddUpdateFailure to 1
ERROR 0xffffffef : One or more of the packages found failed to update for Microsoft Windows Defender (Windows 7).
ERROR 0xffffffef : One or more of the products found failed to update; returning this error
Deleted c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p
ERROR 0xffffffef : MpSigStubMain
End time: 17.04.2012 10:39
----------------------------------------------------------------------------------
And here is the successful update, after looking for Windows updates manually and installing the Defender update. avast! did not interfere here at all.
----------------------------------------------------------------------------------
Command: c:\b938e948a89fd0342ec5\MPSigStub.exe WD /q
Start time: 17.04.2012 10:43 (version 11.1.3927.0)
================================= CacheMpSigStub =================================
Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe
=================================== ProductSearch ==================================
Microsoft Windows Defender (Windows 7):
Status: Active
Product: 6.1.7600.16385
Engine: 1.1.8202.0
Signatures: 1.123.1683.0
================================ PackageDiscovery ================================
Package files discovered:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)
AS Delta:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.123.1936.0
AV delta VDM: Not included
================================= MpUpdateEngine =================================
Package files for the engine update:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)
Updated from c:\b938e948a89fd0342ec5 (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.
Original: Updated to:
AS delta VDM: 1.123.1683.0 1.123.1936.0
Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted c:\b938e948a89fd0342ec5\mpasdlta.vdm
End time: 17.04.2012 10:43
----------------------------------------------------------------------------------
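Added example (not the poster's code and not part of Microsoft's tooling): a small Python parser that reduces an mpsigstub.log like the two above to the signature version before and after, the error codes, and the stage that failed, so a failed definition update can be told apart from a successful one without reading the whole file. The sample excerpts are constructed from the logs quoted in this thread, and the line patterns are assumed from what those logs show.

```python
import re
# Constructed, shortened mpsigstub.log excerpts modelled on the two logs
# quoted in this thread (not the poster's complete files).
FAILED_LOG = """Signatures: 1.123.1683.0
ERROR 0xffffffef : ApplyVdmPatch(...)
FailedFunction: PatchApplication P2
Operation: AS BDD P3
Set BddUpdateFailure to 1
ERROR 0xffffffef : MpSigStubMain
"""
SUCCESS_LOG = """Signatures: 1.123.1683.0
MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.
AS delta VDM: 1.123.1683.0 1.123.1936.0
Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
"""
ERROR_RE = re.compile(r"^ERROR (0x[0-9a-fA-F]+) : (.+)$")
SIG_RE = re.compile(r"^Signatures: ([\d.]+)$")               # version at start
UPDATED_RE = re.compile(r"^AS delta VDM: ([\d.]+) ([\d.]+)$")  # old new
FLAG_RE = re.compile(r"^Set (\w+UpdateFailure) to ([01])$")
STAGE_RE = re.compile(r"^FailedFunction: (\w+)")
OPER_RE = re.compile(r"^Operation: (.+?) P\d$")

def parse_mpsigstub_log(text):
    # Reduce the log to version before/after, error codes, failed stage/operation, flags.
    info = {"before": None, "after": None, "errors": [], "stage": None,
            "operation": None, "flags": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SIG_RE.match(line)) and info["before"] is None:
            info["before"] = m.group(1)
        elif m := UPDATED_RE.match(line):
            info["before"], info["after"] = m.groups()
        elif m := ERROR_RE.match(line):
            info["errors"].append((m.group(1).lower(), m.group(2)))
        elif m := STAGE_RE.match(line):
            info["stage"] = m.group(1)
        elif m := OPER_RE.match(line):
            info["operation"] = m.group(1)
        elif m := FLAG_RE.match(line):
            info["flags"][m.group(1)] = m.group(2) == "1"
    return info

def verdict(info):
    # One-line classification an inventory or helpdesk script can act on.
    if info["after"] and not info["errors"] and not any(info["flags"].values()):
        return f"updated {info['before']} -> {info['after']}"
    codes = ", ".join(sorted({c for c, _ in info["errors"]})) or "no error code"
    return (f"FAILED at {info['stage']} ({info['operation']}) with {codes}; "
            f"signatures still {info['before']}")
```

A failed run on this thread's log yields a verdict naming the PatchApplication stage and HRESULT 0xffffffef, while the manual rerun reports the 1.123.1683.0 to 1.123.1936.0 update.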
-
The problem is that the virus signatures the WD update is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.
Well, I'm glad that we've settled this one. The fact that I'm not the only one having this issue puts me at ease also.
Could any of you guys be kind enough to tell me what to do with these viruses residing in the chest? There are the two that came from Defender and another one called SWF:Dropper {Heur} caught on the internet in a separate incident...
-
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?
For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable Windows Defender.
-
I'm also running W7 64-bit but can't reproduce this problem. Is WD useless? IMO no, as it covers stuff most AVs miss, though if I start having problems I will disable it.
Bill
-
Have not seen WD do anything avast/MBAM is not already doing.
-
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?
For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable Windows Defender.
A screenshot of the virus chest is attached and I hope that it answers your question...
-
I have just experienced Win32:Gremo landing in the chest on my Windows Vista 32-bit laptop during an automatic Defender scan.
After reading some of the above comments I decided to stop Defender's real-time scanning as useless, but to leave it a daily scheduled definitions update and quick scan.
If the problem continues I will stop Defender entirely.
The chest is already free of Gremo... manually!
-
Preferably, imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.
I agree with disabling Windows Defender
As far as its detection rate goes, I don't know which version of WD is being used with W7, but with W8, which has the full-blown anti-malware program, the WD detection rate is excellent. The reason I disabled WD in W8-CP and switched back to avast! AIS after avast! 7 came out was not because of a better detection rate but because WD was significantly slowing down web page loading and file transfers. avast! 7 is a lot lighter than WD.
After I disabled WD, installed avast! 7 and scanned, avast! found only a couple of corrupted files which I deleted. It found nothing else, and this was after using WD on W8-DP and W8-CP on my main computer for about six months. Note: I also ran Malwarebytes scans weekly during that six-month period and it didn't find anything at all during that time. Of course it never finds anything with avast! running either ;D
Just my experience
cheers :)
-
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?
For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable Windows Defender.
A screenshot of the virus chest is attached and I hope that it answers your question...
Yes, the first two appear to be temporary files in what is an installation folder, and they look like virus definition updates. I would expect the folder and files to have been cleared after the update, but the interception by avast may have stopped the clearing of those folders.
The third one, an old detection in the chrome browser cache can safely be removed from the chest.
Generally there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
-
Thank you very much guys! You've been most helpful! :) :) :)
-
You're welcome.
-
If you have Avast:
1.) Turn off Windows Defender in Windows Vista, 7, or 8. You don't need it, and it is likely to create conflicts like the OP suggested.
2.) If you have Windows XP, uninstall Windows Defender. (You can't remove it from the other systems in #1, just disable it.)
Jack