Author Topic: Win32:Kryptik-PFA [Trj] - False Positive ?  (Read 44659 times)


Offline schester

  • Newbie
  • *
  • Posts: 7
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #75 on: May 07, 2015, 02:25:09 AM »
Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database".

This didn't appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?

Offline nh

  • Newbie
  • *
  • Posts: 3
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #76 on: May 07, 2015, 02:41:55 AM »
Here are some quick instructions on how to resolve it.

1. Run a VPS update to the clients from the AEA console. The patch has an update release of 150506-3 which is supposed to be the fix to the false positives.
2. Do a quick check to see if the clients have updated to this VPS release.
3. Once the clients have been updated to this VPS release, you can use the AEA to run an Auxiliary task to restore the false positives from the virus chest back to the clients.

Here is a link to the AEA User guide which may help with the above.
http://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf

Cheers
Nick



Offline schester

  • Newbie
  • *
  • Posts: 7
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #77 on: May 07, 2015, 02:42:42 AM »
Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database".

This didn't appear to be working at first, but looks like it may be now.

Do I want to have the task remove the files from the virus chest after restoring them?

Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

Offline kinger

  • Newbie
  • *
  • Posts: 2
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #78 on: May 07, 2015, 03:08:46 AM »
Unfortunately I can't seem to find the option to restore files from the virus chest by using the Small Business Administration Console. Does anyone know how to do this? Or do I have to upgrade/migrate to the EAC to be able to do this?

We had major issues with this as it affected custom software on one of our servers and would love to be able to reverse this the quickest way possible vs. visiting every machine manually.

Thanks

Offline Michael504

  • Newbie
  • *
  • Posts: 5
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #79 on: May 07, 2015, 03:12:03 AM »
Yup, just swapped the entire company to Bitdefender.  This was out of control bad and Avast will never see another dollar of our money.

I have had bitdefender before, slows the machine down too much and it missed stuff.

Offline copperkat

  • Newbie
  • *
  • Posts: 1
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #80 on: May 07, 2015, 05:38:33 AM »
Can a system restore bring back files removed during an Avast boot scan?

Before I knew about this false positive I thought my whole computer had somehow been infected. Now I'm worried I deleted essential files. I didn't send them to the chest like I should have.  :-[

Offline kaidomac

  • Newbie
  • *
  • Posts: 12
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #81 on: May 07, 2015, 02:35:07 PM »
Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I've been doing it manually as well.  What a nightmare.  I just had 200 computers blow up yesterday.  It cost my client a LOT of money to have everyone go down like that.  It ate everything from email to database software.  Really really really bad.  I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly.  I can't believe how bad this is.  I haven't even gotten a generic emergency support email or a "sorry" email or anything either, disappointed that there's basically been radio silence from Avast.  I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future?  Not sure.  Mistakes happen.  The software has been very good up until this point, and they did roll out the fix-it patch same-day.  I've had this happen with Windows Updates as well, so no company is immune to problems of this magnitude.  The Avast fix hasn't been 100% effective for every machine, but as of this morning I have 95% of my users back up & running.  I understand that mistakes happen.  Just a bit upset that they didn't even send out an email notice or anything for a status update.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32758
  • malware fighter
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #82 on: May 07, 2015, 02:50:32 PM »
Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong on a big scale.
All vendors suffer from these mishaps some day or another, "someone pushing a wrong handle there".
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mmanous

  • Newbie
  • *
  • Posts: 2
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #83 on: May 07, 2015, 03:07:03 PM »
Well this seemed to only work on one computer. I ran the task on the group and checked another computer that said done and the files weren't there. I then tried running the task on that single computer and waited for it and the task still reported done, but the files were not restored. From the local machine I was able to restore them and it instantly worked.

What gives?

I've been doing it manually as well.  What a nightmare.  I just had 200 computers blow up yesterday.  It cost my client a LOT of money to have everyone go down like that.  It ate everything from email to database software.  Really really really bad.  I was able to get the update pushed out to the bulk of them last night, but there were still a handful that required manually restoring files from the vault on the local machine to work properly.  I can't believe how bad this is.  I haven't even gotten a generic emergency support email or a "sorry" email or anything either, disappointed that there's basically been radio silence from Avast.  I had to go online & dig to find this thread to figure out what was going on.

Will I change antivirus vendors for the future?  Not sure.  Mistakes happen.  The software has been very good up until this point, and they did roll out the fix-it patch same-day.  I've had this happen with Windows Updates as well, so no company is immune to problems of this magnitude.  The Avast fix hasn't been 100% effective for every machine, but as of this morning I have 95% of my users back up & running.  I understand that mistakes happen.  Just a bit upset that they didn't even send out an email notice or anything for a status update.

I've had zero luck running the restore task as well.  I temporarily disabled Windows Firewall on both my AEA server and the client I was trying to run the restore task to. It still didn't work with both firewalls turned off.

I also discovered that I was unable to use the Remote Virus Chest feature (I've never had a need before now). For those that don't know, you need to open port 135 and 16108 for the Remote Virus Chest to work. This can be configured in Group Policy. Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> Windows Firewall: Define inbound port exceptions. At least now I don't have to go office to office or use VNC to manually restore.
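As an added example, not taken from mmanous's post or from Avast's documentation, the same two inbound exceptions expressed as a local Windows Firewall rule in PowerShell instead of the Group Policy path above; it scopes the rule to the administration server's address (a placeholder here) rather than accepting the ports from any host, and then reads back what the rule actually allows.

```powershell
# Added example (not from the thread): open the Remote Virus Chest ports
# (TCP 135 and 16108, as stated in the post) on the Domain profile only,
# and only from the AEA console host, rather than from any remote address.
# Assumed placeholder: replace with the real console server address.
$ConsoleServer = '10.0.0.10'

# Weak variant, kept commented out for contrast: the same ports accepted
# from every remote host. Do not apply both variants.
# New-NetFirewallRule -DisplayName 'Avast Remote Virus Chest (any host)' `
#   -Direction Inbound -Protocol TCP -LocalPort 135,16108 `
#   -Profile Domain -Action Allow

# Preferred variant: same ports, but only from the console server.
New-NetFirewallRule -DisplayName 'Avast Remote Virus Chest (console only)' `
  -Direction Inbound -Protocol TCP -LocalPort 135,16108 `
  -RemoteAddress $ConsoleServer -Profile Domain -Action Allow | Out-Null

# Check: show the ports and the remote scope the rule really carries,
# so a rule accidentally left open to 'Any' is visible at a glance.
Get-NetFirewallRule -DisplayName 'Avast Remote Virus Chest (console only)' |
  ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
      Rule          = $_.DisplayName
      Enabled       = $_.Enabled
      Profile       = $_.Profile
      LocalPort     = ($port.LocalPort -join ',')
      RemoteAddress = ($addr.RemoteAddress -join ',')
    }
  }
```

A locally created rule covers only the machine it is run on; the Group Policy port exception described in the post is the way to push the same setting to every domain member.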


Offline amit12

  • Newbie
  • *
  • Posts: 3
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #84 on: May 07, 2015, 03:12:34 PM »
This is just great. I called support and they are saying I need to submit a support ticket, which I did yesterday. I have over 100 PCs down and they don't even want to talk to you. What a POS customer service.

Offline kaidomac

  • Newbie
  • *
  • Posts: 12
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #85 on: May 07, 2015, 03:44:22 PM »
Hi kaidomac,

Lucky for those that skipped that update. When some things go wrong, they often go wrong on a big scale.
All vendors suffer from these mishaps some day or another, "someone pushing a wrong handle there".
Prepare for it in the future with a pre-update emergency back-up scheme, but that is wisdom in hindsight.

polonus

The difficulty is two-fold:

1. Receiving email viruses that come out same-day
2. Quantity of users

As much as I hate not having time to test A/V updates on a test group beforehand, it's important to have the updates come in as fast as possible because I've run into issues not doing that - as soon as a virus fix is identified by Avast, added to the database, and rolled out to users, they are protected.  So to me, it's worth the risk for the occasional hiccup like this to have the most up-to-date protection possible, because it has bitten me before in bad ways with zero-day exploits.  Plus, I support several companies & several branches as well, so it's not really feasible to babysit everything 24/7 due to workforce budgets being what they are.

The second issue is quantity of users.  Even with backups, reverting 200 users who have physical machines & are not on a Terminal Server is a logistics nightmare.  I spent all last night trying to fix things remotely & have had to go on-site to patch up all the little bits & pieces remaining.  Reverting to a prior backup is possible, but then the users lose all of their work for the day (times however many users you have), versus just restoring from the vault.  Although restoring from the vault hasn't fixed 100% of the issues I've run into, so I've had to do some further work, like re-installations of certain software.

Very frustrating all around.

Offline kaidomac

  • Newbie
  • *
  • Posts: 12
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #86 on: May 07, 2015, 03:50:03 PM »
This is just great. I called support and they are saying I need to submit a support ticket, which I did yesterday. I have over 100 PCs down and they don't even want to talk to you. What a POS customer service.

I have not had great CS from Avast in general, which is probably my only real complaint.  The pricing & feature set is great, it does a great job of detections (other than this snafu), and it doesn't slog down your PC.  I use different A/V packages depending on the client, but aside from the mediocre customer service, I've grown to really like the product & service because it runs well & runs reliably.  So again, not sure if I will dump them after this, but their response to this issue has been rather dismal, which is very annoying when I'm stuck explaining to a paying customer why all of their computers are down & why their $100-an-hour engineers can't work.  I think they have a great product & I understand that occasionally things go wrong, but Avast needs to step it up with their customer service responses.  What I'm hearing today is "Why didn't we just stick with Norton?"  :P

Offline jbarth

  • Newbie
  • *
  • Posts: 4
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #87 on: May 07, 2015, 03:53:23 PM »
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36760
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #88 on: May 07, 2015, 04:08:19 PM »
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??
See post #67, and also here: https://forum.avast.com/index.php?topic=170730.0

Offline kaidomac

  • Newbie
  • *
  • Posts: 12
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #89 on: May 07, 2015, 04:16:39 PM »
Has this junk been resolved yet? I have not seen a thread indicating that it has. Quite frankly I am quite astounded that the product in itself with that update acted as a Trojan by definition.
So what is the final statement? Is this problem fixed yet??

This is what has worked for me:

1. Make sure your server & clients have the latest Avast updates
2. Reboot the clients twice (from what I can tell: it grabs the update, then applies the update with the vault issues etc.)
2a. Restore anything from the vault that is still not working (I've had a dozen computers or so that didn't play nice)
2b. Reinstall anything that won't restore (maybe half a dozen computers that needed apps reinstalled)

As of 10am this morning, I am back to 100%.  That was a long night  :(