Author Topic: Win32:Radmin-B [Tool] ???  (Read 18042 times)

dbhankins

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #15 on: May 22, 2006, 08:27:04 PM »
Hmm, I had the same problem and thought I tried the X but remember it kept alerting anyway.

The second, third etc. dialog pops up because Avast found a different component of VNC, or because some portion of VNC was swapped out and then re-read to be swapped in.

In other words, close three or four of these alerts, and you won't get any more for a few minutes.

But of course the medium-term solution is to put your VNC folder in the exclusions list for the on-access scanner.


Dan

cautiousoldguy

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #16 on: May 23, 2006, 03:36:16 AM »
I found this discussion very helpful.  Until this morning I have had a very few Avast Malware warnings.  Immediately after the regular Avast virus database update, I got a Malware warning for tightvnc.  Then I got a warning about Malware in memory and the desirability of shutting down and doing a scan pre-WinXP startup.  This showed up 3 more viruses: Win32:Adware-gen, Win32:Radmin and Win32:Kuang2 infecting very old and little used files.

I am suspicious that maybe there's something wrong with the current Avast virus definition database.  :-\

pcgod

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #17 on: May 23, 2006, 06:04:32 AM »
Hmm, I had the same problem and thought I tried the X but remember it kept alerting anyway.  I suppose closing on the X will not help since vnc is always loaded in memory. I ended up excluding the VNC directory and vnc is working fine now.

edit: U2KZoo51 post is a perfect example of what I was saying a few posts back.  Very bad policy to list legitimate applications as malware.


I have to agree. I've been using TightVNC to admin every desktop on my network for a number of years now. This shouldn't be a virus warning. At worst, it should be a warning that an application you may not want installed is there. Having to click the X to disable the warning seems rather cryptic when there are so many other options in the dialog (I hadn't even considered that a possibility until someone mentioned it).

I had to disable Avast! for the time being because putting the VNC directory into the Exceptions didn't help the running process. Hopefully the next VPS update removes this restriction. If not, I'll have to start looking into another solution.

dbhankins

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #18 on: May 23, 2006, 06:12:38 AM »
You need to put the VNC path in two places, possibly with * or *.* on the end:

Right-click on the Avast sphere.  Then, On-Access Protection Control -> Standard Shield -> Customize -> Advanced -> Add.  Once you've put in the path, Enter and OK your way out.

Right-click on the Avast sphere.  Then, Start Avast! Antivirus -> up-arrow in upper left corner -> Settings -> Exclusions -> Browse.  Then browse to the path for your VNC app, and Enter/OK your way out


Dan

pcgod

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #19 on: May 23, 2006, 06:22:17 AM »
Right-click on the Avast sphere.  Then, On-Access Protection Control -> Standard Shield -> Customize -> Advanced -> Add.  Once you've put in the path, Enter and OK your way out.

Aah, that's the part I was missing. Hidden a bit. Looks like it's happy now. Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89391
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #20 on: May 23, 2006, 03:58:21 PM »
I found this discussion very helpful.  Until this morning I have had a very few Avast Malware warnings.  Immediately after the regular Avast virus database update, I got a Malware warning for tightvnc.  Then I got a warning about Malware in memory and the desirability of shutting down and doing a scan pre-WinXP startup.  This showed up 3 more viruses: Win32:Adware-gen, Win32:Radmin and Win32:Kuang2 infecting very old and little used files.

I am suspicious that maybe there's something wrong with the current Avast virus definition database.  :-\

What was the file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
What actions have you taken from the options given delete, move, ignore, etc. ?

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner; if any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

pcgod

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #21 on: May 23, 2006, 09:48:55 PM »
What was the file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
What actions have you taken from the options given delete, move, ignore, etc. ?

It was finding both WinVNC.exe and VNCHooks.dll in C:\Program Files\TightVNC\. Both are valid files installed by the TightVNC installer. Avast popped up the same warning when reinstalling from protected backup and from the latest version from the website. When I get home, I'll verify the checksums of the files.

There is no "ignore" option listed explicitly. Only clicking the X will allow the program to continue. I tried "delete", "Move to chest", and "No action"... all three actions cause the application to stop functioning.

If other programs are seeing this as malware, it's a disturbing trend. Is it only TightVNC users that are seeing this, or do users of other flavors of VNC (RealVNC, etc.) see this as well?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89391
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #22 on: May 24, 2006, 12:09:32 AM »
Then that follows the detections in the Original Post of this topic.

Delete is never a good first action, move to chest is best as you can restore/recover files if required. The ignore I mentioned should read 'No action'; that won't move, delete, etc., but it won't allow the program to execute/run.

I think it was 5 other AVs also detect this, I don't know what other VNC programs might also be detected. Adding the detected files to the exclusions lists as previously mentioned should allow you to use it without the detections.

cautiousoldguy

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #23 on: May 24, 2006, 03:24:34 AM »

What was the file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
What actions have you taken from the options given delete, move, ignore, etc. ?

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner; if any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner


Thanks for this.  The file was the same as that in the original post.  I put everything in the Chest until I could get more info, including this thread.  What intrigues me is that after getting the latest virus database update the tightvnc warning has disappeared.

I'm also intrigued as to why the Kuang2 warning only just showed up - it must be a year since I last used Panda Activescan so there's been plenty of time for it to be detected.  Anyway this known problem with avast! is documented at http://www.avast.com/eng/virus_detection_and.html so that's good to know.

I've dealt with the other alerts by judicious use of the del key.

pcgod

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #24 on: May 24, 2006, 03:56:08 AM »
When I get home, I'll verify the checksums of the files.

For those that are curious, below are the md5 checksums of both files in question (TightVNC Version 1.2.9 iirc)

Code:
12320b551bf9555c02cc114aceabde96  pcgod/VNCHooks.dll
f58f2f89a111b08a26ead3a8fd56b65c  pcgod/WinVNC.exe
12320b551bf9555c02cc114aceabde96  megan/VNCHooks.dll
f58f2f89a111b08a26ead3a8fd56b65c  megan/WinVNC.exe

The first is from my laptop, which never accesses anything other than the VNC server on my linux desktop, no sharing, and is basically locked down tighter than a drum. Second is my wife's machine which was reporting the problem.

fwiw, from another thread, it seems they are going to pull the virus definition that identifies TightVNC as possible malware.
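
The cross-machine checksum comparison in the post above, as an added example that is not part of the original thread: it parses the md5sum-format listing exactly as posted, groups the digests by file name, and reports whether every host holds the same copy. The function names are chosen for this illustration; `file_digests` additionally computes SHA-256 for files on disk.

```python
import hashlib
from collections import defaultdict
from pathlib import PurePosixPath

# The md5sum-format listing from the post (first path component = host).
LISTING = """\
12320b551bf9555c02cc114aceabde96  pcgod/VNCHooks.dll
f58f2f89a111b08a26ead3a8fd56b65c  pcgod/WinVNC.exe
12320b551bf9555c02cc114aceabde96  megan/VNCHooks.dll
f58f2f89a111b08a26ead3a8fd56b65c  megan/WinVNC.exe
"""

def parse_md5sum(text):
    """Parse md5sum output into {file name: {host: digest}}."""
    table = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        digest = digest.lower()
        path = path.lstrip("*")  # md5sum prefixes binary-mode names with '*'
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not an MD5 digest: {digest!r}")
        p = PurePosixPath(path)
        table[p.name][p.parts[0]] = digest
    return dict(table)

def compare_hosts(table):
    """Return {file name: True if every host reports the same digest}."""
    return {name: len(set(by_host.values())) == 1
            for name, by_host in table.items()}

def file_digests(path, chunk=1 << 16):
    """Hash a file on disk with MD5 (to match the listing) and SHA-256."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

if __name__ == "__main__":
    for name, same in compare_hosts(parse_md5sum(LISTING)).items():
        print(f"{name}: {'identical on all hosts' if same else 'MISMATCH'}")
```

Matching digests across two machines show the copies are the same file, not that the file is genuine; comparing against a digest taken from a freshly downloaded installer is the stronger check when judging a suspected false positive.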

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89391
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #25 on: May 24, 2006, 03:32:39 PM »
What intrigues me is that after getting the latest virus database update the tightvnc warning has disappeared.
Nothing intriguing there: when people send samples to avast indicating they believe they are false positive detections, avast will analyse the file/s plus the signature to try and improve the signature's detections.

I'm also intrigued as to why the Kuang2 warning only just showed up - it must be a year since I last used Panda Activescan so there's been plenty of time for it to be detected.  Anyway this known problem with avast! is documented at http://www.avast.com/eng/virus_detection_and.html so that's good to know.

I've dealt with the other alerts by judicious use of the del key.

Unless this detection for Kuang2 is for a specific file and location (which you didn't state) then it may have nothing to do with Panda so to determine that we need to know the file name and location, that is why I asked for them for all detections not just the Radmin virus detection.

Deletion isn't a good first option as this instance of Radmin shows, send it to the chest where it can do no harm and can be restored if required and investigate.

cautiousoldguy

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #26 on: May 26, 2006, 03:54:22 AM »
Nothing intriguing there: when people send samples to avast indicating they believe they are false positive detections, avast will analyse the file/s plus the signature to try and improve the signature's detections.
Oops.  Not used to that level or speed of customer service.  :D

Unless this detection for Kuang2 is for a specific file and location (which you didn't state) then it may have nothing to do with Panda so to determine that we need to know the file name and location, that is why I asked for them for all detections not just the Radmin virus detection.
I admit to being sloppy, but I had established what was going on and didn't send the file names because I was using an independent unaffected machine for this thread.

Deletion isn't a good first option as this instance of Radmin shows, send it to the chest where it can do no harm and can be restored if required and investigate.
Agreed, that's what I meant by judicious.

Thanks for the feedback.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89391
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #27 on: May 26, 2006, 03:35:32 PM »
No problem, welcome to the forums.