Author Topic: Win32:Kryptik-PFA [Trj] - False Positive ?  (Read 58953 times)

Offline BudG

  • Newbie
  • *
  • Posts: 13
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #15 on: May 06, 2015, 09:45:59 PM »
 :( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :(

Getting tons of these on ALL of our Avast protected systems and started with Def Upd 150506-3 and is causing a nightmare and mass panic all across our University.  Even showing up on PCs that were imaged clean just now.  As soon as Avast is installed on a new clean image it starts alerting that it is infected by "Win32:Kryptik-PFA [Trj]" virus.


Hurry up Avast.  Need a fix.  Our PCs are unresponsive during this.  So, we are out of business until it is fixed!!!

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #16 on: May 06, 2015, 09:47:26 PM »
We are getting this false positive as well. Anybody know how to roll back today's update?

Hurry up Avast!

Offline BudG

  • Newbie
  • *
  • Posts: 13
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #17 on: May 06, 2015, 09:49:16 PM »
We sure could use a way to roll back too, since Avast isn't putting out a timely fix.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #18 on: May 06, 2015, 09:51:57 PM »
Also seeing this behavior with Avast! Endpoint Protection and definition update 150506-3. Several Windows 7/8 laptops so far.

MANY system files, application files, dlls, executables are being detected as Kryptik-PFA [Trj].

I uploaded many of these files to VirusTotal and none of them have been detected as a virus by any vendor.

I contacted support but they said it was necessary to open a ticket.  Please do the same if you are impacted.
https://support.avast.com/Tickets/Submit

« Last Edit: May 06, 2015, 10:02:12 PM by john-genus »

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #19 on: May 06, 2015, 09:59:25 PM »
Same thing here at my company...  Three computers started showing they were infected with this same bug a little over an hour ago...  After seeing these posts about it being an FP, I forced another computer to download the definition update and sure enough, it started having the same issues as the other computers...

Offline rmarfil

  • Newbie
  • *
  • Posts: 4
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #20 on: May 06, 2015, 10:00:12 PM »
Had to disable File System Shield, not cool

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #21 on: May 06, 2015, 10:00:28 PM »
Seeing this at my University as well. Here are some examples:

File "C:\ProgramData\Package Cache\OfficeAddInPackageId868.2.927\OfficeAddIn(x86).msi" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\inf\SEU\3020\video\P5FCH_A00-00\win7x64\production\Windows7-x64\Display\B161848\amd_opencl32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\inf\SEU\9020\Video\Win78_64_15.31.14_3220_DELL_setup_ZPE\Graphics\Intel_OpenCL_ICD32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\SysWOW64\atiumdva.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.
File "C:\Windows\System32\DriverStore\FileRepository\nvdm.inf_amd64_neutral_1fffd3be59f5125f\nvwgf2um.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.

Since there are so many different files, whitelisting isn't a great option. I went ahead and turned off "File System Shield" as a temporary fix. Hoping to hear back from Avast Support soon.

Please send a ticket to AVAST Support. Hard to tell if they're monitoring this
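For triage of alert lines like the ones quoted in the post above, here is an added example (not part of the original thread, and not Avast code) that parses that line format and summarizes each detection name by reporting hosts, unique files and top-level directories. The host names, the non-alert sample line and the thresholds in `looks_like_signature_fp` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Matches the alert text quoted in the post above.
ALERT_RE = re.compile(r'^File "(?P<path>.+)" is infected by "(?P<name>[^"]+)" virus\.$')

# Constructed sample: (host, alert line). Host names are hypothetical;
# the paths and the detection name are taken from the post.
SAMPLE = [
    ("LAB-PC-01", r'File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.'),
    ("LAB-PC-01", r'File "C:\Windows\SysWOW64\aticfx32.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.'),
    ("LAB-PC-02", r'File "C:\Windows\SysWOW64\atiumdva.dll" is infected by "Win32:Kryptik-PFA [Trj]" virus.'),
    ("LAB-PC-03", r'File "C:\ProgramData\Package Cache\OfficeAddInPackageId868.2.927\OfficeAddIn(x86).msi" is infected by "Win32:Kryptik-PFA [Trj]" virus.'),
    ("LAB-PC-03", "Scan finished, no action taken."),  # constructed non-alert line
]

def parse_alert(line):
    """Return (path, detection_name) for an alert line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return PureWindowsPath(m.group("path")), m.group("name")

def summarize(records):
    """Group alerts by detection name: reporting hosts, unique files, top-level dirs."""
    out = defaultdict(lambda: {"hosts": set(), "files": set(), "roots": set()})
    for host, line in records:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        path, name = parsed
        entry = out[name]
        entry["hosts"].add(host)
        entry["files"].add(str(path).lower())  # Windows paths are case-insensitive
        entry["roots"].add(str(PureWindowsPath(*path.parts[:2])).lower())
    return dict(out)

def looks_like_signature_fp(entry, min_hosts=3, min_files=3):
    """Heuristic (assumed thresholds): one detection name appearing on many hosts
    and many different files at once points at the definition update rather
    than at the files; it is a prompt for review, not proof."""
    return len(entry["hosts"]) >= min_hosts and len(entry["files"]) >= min_files

if __name__ == "__main__":
    for name, entry in summarize(SAMPLE).items():
        print(name, len(entry["hosts"]), "hosts,", len(entry["files"]), "files,",
              sorted(entry["roots"]), "FP-suspect:", looks_like_signature_fp(entry))
```

The deduplicated `files` set doubles as the review list for anything later restored from quarantine.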



REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #22 on: May 06, 2015, 10:02:01 PM »
Looks like we will be doing a lot of this once the new update is pushed out. Just be careful what you restore.

1. Open the avast! program
2. Select “Maintenance”
3. Select “Virus Chest”
4. Sort by time moved to Chest
5. Select files you wish to restore
6. Right-click and select “Restore”

After the file restoral, copies of the files will remain in the Virus Chest.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #23 on: May 06, 2015, 10:03:58 PM »
Hello, I come from France, I am not sure I understand all of this topic.

Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update Avast detects a lot of files infected by "Win:32Kryptik-PFA"; is it true?
But it is a false trojan?
And at this moment there is no issue?

Because I can't do anything, all my applications don't work; java, games, etc...

Please, Avast, do something, help us!  :(

Offline kevrianate

  • Jr. Member
  • **
  • Posts: 25
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #24 on: May 06, 2015, 10:05:35 PM »
> Hello, I come from France, I am not sure I understand all of this topic.
>
> Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update Avast detects a lot of files infected by "Win:32Kryptik-PFA"; is it true?
> But it is a false trojan?
> And at this moment there is no issue?
>
> Because I can't do anything, all my applications don't work; java, games, etc...
>
> Please, Avast, do something, help us!  :(

It seems to be a bad update which is causing false positives.  The only real remedy for right now is to disable Active File Scanning and restore the files from the Virus Chest.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #25 on: May 06, 2015, 10:07:51 PM »
> Hello, I come from France, I am not sure I understand all of this topic.
>
> Can you tell me if I am wrong: the Avast program downloaded an update today, 150506-3, and since this update Avast detects a lot of files infected by "Win:32Kryptik-PFA"; is it true?
> But it is a false trojan?
> And at this moment there is no issue?
>
> Because I can't do anything, all my applications don't work; java, games, etc...
>
> Please, Avast, do something, help us!  :(

That's correct. Avast sent out an update that is flagging many files as being infected with: Win.32.Kryptik-PFA (Trojan).

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #26 on: May 06, 2015, 10:10:11 PM »
Ok thanks CK - KHQ & kevrianate.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #27 on: May 06, 2015, 10:10:40 PM »
If you are running Avast Enterprise Admin Console, it won't be so bad after they release an updated definition file.  In the console, you can create a new client-side update task that restores all files from the chest that do not fail the current definition set.  This will restore all the false positives flagged today on all your machines.  I hope a new set comes out soon.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #28 on: May 06, 2015, 10:11:28 PM »
I'm also getting several computers reporting Win32:Kryptik-PFA [Trj] on the Avast for Education edition.

Offline MegaRich

  • Newbie
  • *
  • Posts: 8
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #29 on: May 06, 2015, 10:12:22 PM »
I'm seeing this message on all the servers and workstations I administer so I'm sure it's a false positive.

I've already had a few users reboot their workstations before letting me know, and the boot time scan is completely mangling the OS, so enjoy that.

I've submitted the false positive as of about an hour ago. Hoping something comes quickly.