Author Topic: Big Fat Trouble  (Read 8583 times)

Roccobot

  • Guest
Big Fat Trouble
« on: June 23, 2005, 01:05:46 AM »
I'm using Avast! Home 4.6. Today it found a trojan on my HD and the program asked me what to do. The fact is that I AM 100% SURE that it's a "false positive". But the alert window didn't have the "Do Nothing" action. I pressed the OK button, and as a result, the file is "locked" (it's an executable; if I try to execute it, Windows says something like: "You haven't the required privileges to open file"). And now? Is my precious file lost??! I want it back!!! Is there a way to unlock it, I hope...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86942
  • No support PMs thanks
Re: Big Fat Trouble
« Reply #1 on: June 23, 2005, 01:29:00 AM »
- What OS are you using?
- What was the virus name, what was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?
- What makes you 100% sure it is a false positive?

If you are unsure, the best action is first do no harm (e.g. don't delete): move it to the chest and investigate, as you are doing now. Check out this thread - http://forum.avast.com/index.php?topic=14473.msg122170#msg122170 - it may help clear the confusion about the OK button (your file hasn't been deleted, just avast stopping the file being activated (locked, I believe temporarily) to prevent a virus being run). You may even want to comment on the thread as a user, perhaps a little confused by the OK button!

The Do Nothing action is virtually hitting the OK button, but I would say if you hit the cross 'X' at the top right of the alert window, it too would do nothing, but you may get the alert again.

If you are getting a virus warning that you believe is a false positive, then if you can, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner; if any other scanners here detect it, it is less likely to be a false positive. Note: The file will have to be outside the chest to be uploaded and scanned by Jotti.
« Last Edit: June 23, 2005, 01:30:35 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Roccobot

  • Guest
Re: Big Fat Trouble
« Reply #2 on: June 23, 2005, 03:09:32 AM »
I'm using WinXP Home SP2 (updated); and the virus (actually, it's a trojan) is "Win32:Trojano-1205 [Trj]". The "infected" file is named WXPro.exe and has been compiled by me. It's not a virus, it's not a trojan. 100%. For my privacy, I'd prefer not to send it to anyone. But, at the end, the question is very simple: Can I do absolutely nothing when I find a Virus/Trojan? And... if I've already pressed the ill-famed OK button, what can I do to "restore" my file? Help, please!

cvsa

  • Guest
Re: Big Fat Trouble
« Reply #3 on: June 23, 2005, 11:31:42 AM »
put it in the ignored files (standard shield/personalized/advanced settings) ;)

Spyros

  • Guest
Re: Big Fat Trouble
« Reply #4 on: June 23, 2005, 12:06:32 PM »
Quote
The "infected" file is named WXPro.exe and has been compiled by me.

Did you use any "exotic" packers? That could trigger an alarm.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86942
  • No support PMs thanks
Re: Big Fat Trouble
« Reply #5 on: June 23, 2005, 01:09:43 PM »
Quote
I'm using WinXP Home SP2 (updated); and the virus (actually, it's a trojan) is "Win32:Trojano-1205 [Trj]". The "infected" file is named WXPro.exe and has been compiled by me. It's not a virus, it's not a trojan. 100%. For my privacy, I'd prefer not to send it to anyone. But, at the end, the question is very simple: Can I do absolutely nothing when I find a Virus/Trojan? And... if I've already pressed the ill-famed OK button, what can I do to "restore" my file? Help, please!

I'm not sure what you mean by restore, get the file to work as before or restore it back to its original folder? - but I would assume permissions based on your original post.

By pressing the OK button the file should be in the folder it last was. I'm not sure exactly what avast does with the file to stop the virus (suspected or otherwise) from running, but perhaps it is 'Hiding' it and/or changing the 'Permissions', which you should be able to restore/change as the 'administrator'?

You could check in the Chest also to see if it may have been moved? but I wouldn't have thought it would be there unless you chose that action.

Before you attempt any of the above you should add the file to the standard shield exclusions list otherwise when you try to do anything with the file the alert will pop-up again.

Roccobot

  • Guest
No More Trouble
« Reply #6 on: June 23, 2005, 02:44:50 PM »
Thanks, CVSA! That's exactly what I was looking for! Now it's OK!!!

Roccobot

  • Guest
Big Fat Trouble Reprise
« Reply #7 on: June 23, 2005, 09:43:10 PM »
Another problem: Avast! has found another virus/trojan that is 100% false positive (the file has been compiled by me). After pressing OK at the virus alert dialog, Avast! "locks" the file, as I said (simply, makes it inaccessible). But this time, even if I put it (or the entire folder) in the exclusions list, Avast! keeps finding and locking it. Is there a way to continue my work without stopping the Avast! protection provider for my HD, and having the possibility to open my file?
Thanks...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86942
  • No support PMs thanks
Re: Big Fat Trouble
« Reply #8 on: June 23, 2005, 11:41:32 PM »
Instead of clicking OK try simply closing the alert window as I mentioned in my first post. Hopefully that won't trigger the locking and allow you to add it to the exclusions.
I assume that you are using NTFS; perhaps the file is locked using the security in NTFS (I don't know, I don't have my HDDs on NTFS), so as the administrator you should be able to unlock it.

How did you get around the lock on the first file? Surely that should work for the second.

I know you are reluctant to send the files to avast but there must be something in the way you are compiling them or the program used to compile them to make avast detect something. You still haven't said what virus avast thinks it is?

This really needs some input from the Alwil team but I would suggest you compile another program (simple not confidential) and see if that too is detected and if so send that to avast as mentioned in my first post.

Roccobot

  • Guest
Precisation
« Reply #9 on: June 24, 2005, 01:27:37 AM »
The trojan found in the second file is the same: "Win32:Trojano-1205 [Trj]" (the file is an executable). But after I put the first file in the Exclusions list, Avast! stopped bugging me... For the second one, this procedure doesn't work (incredible...). I am not a virus creator, so these files that I compiled can't be viruses/trojans. They are simple programs I am writing for my university courses (and, yes: I use NTFS). Maybe the heuristic scan thinks that my two files are viruses? Anyway, I don't want Avast! to continue locking them. Is it possible that the best antivirus program doesn't have the fabulous feature "Do ABSOLUTELY nothing when you find a virus"? I only want this! It's the simplest thing in the world! What can I do?

Roccobot

  • Guest
One more thing
« Reply #10 on: June 24, 2005, 01:34:59 AM »
If I close the window clicking on the classic "x" on the top right corner, the result is the same. Like when I choose OK, the file is "locked". The only way I've found to get around this is to stop the local scan provider...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11818
    • AVAST Software
Re: Big Fat Trouble
« Reply #11 on: June 24, 2005, 12:26:09 PM »
What is the full path of the "infected" file, and what exactly did you put into the list of Standard Shield exclusions?
Could/did you send us the file for analysis, please? (so that we could fix the false alarm)
Thanks.

Roccobot

  • Guest
Re: Big Fat Trouble
« Reply #12 on: June 24, 2005, 02:07:12 PM »
I think you don't need to fix the false positive, 'cause I'm the only guy in the world that has this EXACT file. It's a little application written and compiled by me... and, as I said, I'd prefer not to send it to anyone. But the matter is another: why does Avast!, even if it doesn't delete or move the "suspect" file, absolutely want to prevent access to it? Why can't I say to the antivirus: "Don't touch that file!!!"?
The full path is D:\Archivio\Compiled\RSH.exe (drive D:\ has NTFS file system, and isn't the system drive).
I've tried to put in the exclusion list the file alone, and the entire folder (string "D:\Archivio\Compiled\*").
But, in any case, when I open the folder from the Windows Explorer, the alert window appears and (doesn't matter if I press OK or I simply close the window) the file is locked by Avast!, I suppose to "prevent access to dangerous file" or something like it.
The only thing I want to do is to configure Avast! to ignore that file.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11818
    • AVAST Software
Re: Big Fat Trouble
« Reply #13 on: June 24, 2005, 02:33:08 PM »
Sorry, avast! will not let an infected file be started (unless you stop the Standard Shield provider, of course). That would be too dangerous an option. If a false alarm appears, we will fix it (if we have the file).

When you set the exclusion and avast! detects the file anyway - what is the exact path displayed in the Virus dialog?

If it's really impossible for you to send us the file, can you at least give us some more info about it? In particular,
- what virus is detected in the file?
- did you use any executable packers to pack the file?
- what compiler did you use to build it?

Roccobot

  • Guest
Re: Big Fat Trouble
« Reply #14 on: June 24, 2005, 06:00:19 PM »
Quote
Sorry, avast! will not let an infected file be started (unless you stop the Standard Shield provider, of course).

You are right, Igor, but my file is NOT infected, and this is exactly the problem... My little app is a simple command-line program to resolve a mathematical problem (it was created by the standard compiler of Visual Studio 6, and without using other packers). I'm not a virus creator, and the file doesn't contain viruses/trojans/worms/other dangerous stuff. That's all. I don't want to know why Avast! thinks that there is a trojan. I only want it to stop bugging me without a valid reason.