AVS 605-0/False Positives

[John_E]

I do lurk here sometimes but this is my first post. I'm not great with this stuff but try to see what's going on if it concerns my system. Been running Avast Home for about 1 year and really like it. Currently on version 4.6.744 (know there's a new one out just haven't yet). Also have VPS 605-0 installed.
No computer changes recently and everything is working OK except following behavior.

I have Panda ActiveScan installed and when running Avast on demand scan I get the false positive on pskavs.dll as usual (described in this forum) as being Win32:CTX. So, I made it an exception in the on demand scanner. No problem for months.

Sometime on Saturday (US), and I almost sure after installing VBS 605-0 that morning, I suddenly get Resident Scan Virus Warnings on a System Restore .ddl containing the Win32:CTX virus. The computer was sitting idle. This happened again Sunday and this morning shortly after booting up. Computer idle in both cases. I'm thinking it has to do with Panda's file but am getting concerned cause I don't know what's going on here and Avast has never done this before. Could this be happening when System Restore automatically creates a restore point after booting and it sees the Panda file or what?

Running:
XP Home SP2 (fully patched)
Avast
NAT Firewall (yeah I know I should have sw wall-someday)
AdAware SE

Very carefull where we go on net and with e-mails. Knock on wood, never had malware I've known about except tracking cookies since mid 1980's. First time for everything!

Since computer is otherwise behaving perfect and I see reference in other threads about false positives I'm tempted to sit tight for now. All thoughts/suggestions from those here that really know about these things are appreciated.

Thanks...

[Vlk]

Try updating to 0605-1 (released an hour ago). Does that solve the problem?

BTW this goes to everyone who had a FP with the latest VPS (not necessarily the same one as John_E).


Thanks,
Vlk

[igor]

I think the warning was simply the system backing up the Panda Active Scan files into System Recovery. I.e. it's nothing to worry about (and nothing that the new VPS file would fix).
To avoid the warning, I'm afraid you'd have to get rid of Panda and empty the system recovery. Or, you may put the file to Resident Shield exclusions, if necessary - but I'm not sure if it'll stay under one filename.

[John_E]

Thanks guys. I was hoping the problem was along those lines. I will do the new updates shortly. Can I exclude the entire System Restore directory and if so how (exact syntax)?

I really don't want to delete my restore points just in case...and is that a dangerous thing to do unless you have to use a restore point?

Thanks again for your quick response.

[fatboy_jt]

Right click on the avast on access scanner icon and go to program settings, then select exclusions. on this screen, browse for the restore folder (may be hidden) and select. Avast will then ignore this folder.  Hope that helps (had same problem with Ad-Aware and this was the only way i could make it run.)

[John_E]

OK, updated VBS to 605-1 resulting in same behavior. Followed fatboy_jt's advice and excluded entire C:\System Volume Information folder. So far no Avast alerts this a.m.

I neglected to mention the first time I did receive a virus alert I elected to move the indicated restore file "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP345\A0023083.dll" to the chest. Should I restore it, thinking it may mess up System Restore if it can't find what it thinks is there or just leave it in the chest?

Never the less, something has changed resulting in Standard Shield Avast alerts pointing to that Panda file where before only an on demand scan would do so. I would dump Panda ActiveScan except I use it as a back-up on-line scanner. The new Trend on-line scanner (6.5 ActiveX version) does not run properly on my system and I can't find a way to uninstall it either. By the way ActiveScan shows my system clean.

Thanks for all your help...

(Can't believe I misspelled "Positives" in original post - sorry)

[DavidR]

Personally I would disable system restore, reboot, do a scan and if everything is clean, enable system restore. A new restore point will be created when you enable system restore again, so it should be a problem.

If you leave something in system restore that is infected (and you wouldn't know if you exclude this location), when you have to use system restore in the future you could well be restoring a virus infection that could bite you in the a*s some time in the future.

Many viruses locate themselves in the system folders, because they are protected by windows and system restore, so when you delete it a copy is saved in system restore, that is why many AVs tell you to disable system restore if the infection is in a system folder. So for me excluding the System Volume Information folder could leave you vulnerable in the future.

P.S. the forum has a Spell Checker and you can Modify a post in the future if required.

[John_E]

DavidR, I think I understand what you mean, however, that puts me back to square one if I don't uninstall Panda ActiveScan first. Otherwise it will falsely "infect" the system restore again due to that unencrypted .dll Panda uses. Although I trust Avast, a back-up on line scanner once in a while seems to be recommended by most security people. Used Trend House Call for years but the new version does not behave well for me.

Whether I go that route or not what about the restore .dll I've already put in the Avast chest? Could that corrupt system restore? I guess this may be more of a XP question but this stuff is over my head. My system is running fine right now and hate to mess it up with the wrong decision. Think I'm getting too old for this stuff!

John

[DavidR]

DavidR, I think I understand what you mean, however, that puts me back to square one if I don't uninstall Panda ActiveScan first. Otherwise it will falsely "infect" the system restore again due to that unencrypted .dll Panda uses.

Yes it would put you back to square one if you leave Panda's ActiveScan in place. I was also talking generally about the issue of viruses (FPs or otherwise) being in the system folders, if you don't disable SR then you will end up with a virus in a restore point.

However, now you know the problem with Panda and you know its location anything that crops up in the active scan folder you can probably assume is a false positive because of the unencrypted sugnatures. So you don't have to delete or move them, therby initiating a restore point because it is deleted/moved so no false detection in system volume information.

Personally I wouldn't use Panda's on-line scanner there are many others out there, I believe you could try housecall using a non IE browser, firefox, etc. and use the Java method rather than activeX method employed by housecall & IE.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt