Author Topic: Win32:Kryptik-PFA [Trj] - False Positive ?  (Read 58969 times)


REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #60 on: May 06, 2015, 11:32:51 PM »
We have seen this on ONE system so far. I have asked the users to ignore messages about Kryptik until a new Def. file is released.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #61 on: May 06, 2015, 11:35:02 PM »
Can I ask why they can't post the last good updates, and why we have to wait?

Many people cannot boot their systems up right now. The next few days will be very busy for me :(


REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #62 on: May 06, 2015, 11:36:57 PM »
I was supposed to be affected by a virus and I started the scan at startup. 125 files were deleted and I can't recover them.
You wasted my time and my business.
Compliments, avast, you lost a loyal customer.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #63 on: May 06, 2015, 11:37:56 PM »
Can I ask why they can't post the last good updates, and why we have to wait?

Many people cannot boot their systems up right now. The next few days will be very busy for me :(

From another thread, look for HonzaZ's post.

https://forum.avast.com/index.php?topic=170705.45

//
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!
//

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not an avast user

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #65 on: May 06, 2015, 11:44:20 PM »
So for us who rebooted and deleted files, what can we do?

Offline rmarfil

  • Newbie
  • *
  • Posts: 4
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #66 on: May 06, 2015, 11:46:00 PM »
System restore if you deleted files and now cannot get into the OS.


So for us who rebooted and deleted files, what can we do?
« Last Edit: May 06, 2015, 11:51:03 PM by rmarfil »

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #67 on: May 06, 2015, 11:56:22 PM »
System restore if you deleted files and now cannot get into the OS.


So for us who rebooted and deleted files, what can we do?

I am using my laptop where the issues happened. I know that in the scan a lot of my driver files got deleted, some Opera browser stuff and Skype stuff. I stopped the scan when it asked me if I was sure I wanted to delete stuff in the Windows system folder. I know I'm dumb and I need help, so should I just do the system restore?

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #68 on: May 07, 2015, 12:15:41 AM »
Never mind, I don't have a restore point so I think I am doomed, thanks though.

Offline Michael504

  • Newbie
  • *
  • Posts: 6
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #69 on: May 07, 2015, 12:17:15 AM »
Never mind, I don't have a restore point so I think I am doomed, thanks though.

Always Quarantine first, never delete on first detect. This way you can see how the files affect the system.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #70 on: May 07, 2015, 12:51:02 AM »
Yup, just swapped the entire company to Bitdefender. This was out-of-control bad and Avast will never see another dollar of our money.

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #71 on: May 07, 2015, 12:56:37 AM »
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, queries the original file name and file location, and restores users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for the attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete" the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.
« Last Edit: May 07, 2015, 12:59:50 AM by CK - KHQ »
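A sketch of what the requested restore script could look like, written in PowerShell rather than batch because batch has no XML parser. This is an added example, not code from the thread or from Avast. The chest path and the detection name come from the post above; the XML element and attribute names (Entry, ChestName, OrigName, Virus) are a constructed stand-in for the real index.xml schema, which the thread does not show, and must be checked against a real index.xml before use. The script does nothing to disk unless -Commit is given, copies instead of moving so the chest copy is untouched, and never overwrites a file that is already back in place.

```powershell
# Added example (not from the thread or from Avast): restore files that the chest
# catalog attributes to one specific detection name, after that detection has been
# confirmed to be a false positive.
#
# ASSUMPTION: <Entry ChestName="..." OrigName="..." Virus="..."/> is a constructed
# stand-in for the real index.xml layout. Open the real file and adjust the XPath
# and attribute names in Get-FalsePositiveEntries before running with -Commit.

function Get-FalsePositiveEntries {
    param(
        [Parameter(Mandatory)][xml]$Index,
        [Parameter(Mandatory)][string]$Detection
    )
    # Inside an XPath string literal the brackets in "[Trj]" are ordinary characters,
    # not a predicate, so the detection name can be matched verbatim.
    $Index.SelectNodes("//Entry[@Virus='$Detection']")
}

function Restore-ChestEntries {
    param(
        [Parameter(Mandatory)]$Entries,
        [Parameter(Mandatory)][string]$ChestDir,
        [switch]$Commit                      # default is a dry run that only reports
    )
    $restored = 0
    foreach ($e in $Entries) {
        $src = Join-Path $ChestDir $e.ChestName   # renamed copy inside the chest
        $dst = $e.OrigName                        # full original path recorded in the catalog

        if (-not (Test-Path -LiteralPath $src)) {
            Write-Warning "missing in chest, skipping: $src"
            continue
        }
        if (Test-Path -LiteralPath $dst) {
            Write-Host "already present, not overwriting: $dst"
            continue
        }
        if ($Commit) {
            # Recreate the original directory if needed, then copy (not move) so the
            # quarantined copy stays available if the restore turns out to be wrong.
            New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dst) | Out-Null
            Copy-Item -LiteralPath $src -Destination $dst
            Write-Host "restored: $dst"
            $restored++
        } else {
            Write-Host "would restore: $src -> $dst"
        }
    }
    return $restored
}

# --- Offline demonstration on a constructed catalog (not a real Avast index.xml) ---
[xml]$sampleIndex = @"
<Chest>
  <Entry ChestName="00000001.dat" OrigName="C:\Windows\System32\drivers\example.sys" Virus="Win32:Kryptik-PFA [Trj]" />
  <Entry ChestName="00000002.dat" OrigName="C:\Users\alice\AppData\Roaming\Skype\example.exe" Virus="Win32:Kryptik-PFA [Trj]" />
  <Entry ChestName="00000003.dat" OrigName="C:\Temp\unrelated.exe" Virus="Other:Detection-Name [Placeholder]" />
</Chest>
"@

$hits = Get-FalsePositiveEntries -Index $sampleIndex -Detection 'Win32:Kryptik-PFA [Trj]'
Write-Host ("matched {0} of {1} catalog entries" -f $hits.Count, $sampleIndex.Chest.Entry.Count)

# Dry run against a chest directory that does not hold the sample files, so every
# entry is reported as "missing in chest" and nothing is written.
Restore-ChestEntries -Entries $hits -ChestDir $env:TEMP | Out-Null

# --- Real use, once the real schema has been confirmed and the corrected VPS is installed ---
# $chestDir = 'C:\ProgramData\AVAST Software\Avast\chest'
# $index = New-Object System.Xml.XmlDocument        # XmlDocument.Load works on the
# $index.Load((Join-Path $chestDir 'index.xml'))    # PowerShell 2.0 shipped with Windows 7
# $hits = Get-FalsePositiveEntries -Index $index -Detection 'Win32:Kryptik-PFA [Trj]'
# Restore-ChestEntries -Entries $hits -ChestDir $chestDir            # dry run first
# Restore-ChestEntries -Entries $hits -ChestDir $chestDir -Commit    # then for real
```

Run the dry run first and read the list of paths it would write; only then add -Commit. The restore should happen after the corrected definitions are in place, otherwise the resident shield will move the same files straight back to the chest. For machines that can no longer boot, this has to run from a recovery environment with the system drive mounted, and the OrigName paths then need the drive letter adjusted to match how the offline disk is mounted.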

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #72 on: May 07, 2015, 01:03:43 AM »
Have approximately 100 PCs out of 300+ reporting false positives. Avast will not let us install anything with an exe extension on the affected PCs. >:(

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #73 on: May 07, 2015, 01:08:43 AM »
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, queries the original file name and file location, and restores users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for the attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete" the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database".

REDACTED

  • Guest
Re: Win32:Kryptik-PFA [Trj] - False Positive ?
« Reply #74 on: May 07, 2015, 01:34:37 AM »
I wanted to share some research and findings I have dug up. It appears that Avast quarantines its files in a folder under C:\ProgramData\AVAST Software\Avast\chest on Windows 7/8 machines. Inside that folder is a list of files that have been renamed from their original names. There's also an index.xml file located in there with a catalog of moved files and rename information.

What I'm getting at is, can someone write a .bat file that scans the XML file, filtering everything except the Win32:Kryptik-PFA [Trj] tag, queries the original file name and file location, and restores users' files? Users would have to be able to get to a Command Prompt and have the .bat file on a USB thumb drive.

This could save a lot of headache for people affected. See below for the attached screenshot of my example. The files are the same exact size.

Keep in mind this would only work for those that chose to "move to chest" rather than "delete" the files.

I have some bat file skills, but no knowledge of being able to query an .xml file.

Assuming you use the Enterprise Administration Console and have already deployed the latest definitions that correct the false positives: create a "Manipulate Virus chest" client-side task and check the box to "Restore all files from the Infected folder of the Virus Chest in which no infection is detected using the current virus database".

This is a great suggestion for those with EAC who can boot into Windows. I am going to do this once I get the next update. But my suggestion was more for those people that had their system files and video driver files flagged and moved. Those guys can't even boot into Windows.