Author Topic: pav.sig  (Read 6839 times)

0 Members and 1 Guest are viewing this topic.

beck

  • Guest
pav.sig
« on: November 24, 2003, 02:55:54 PM »
I scheduled a complete scan of all files on the system I installed Avast on. So now I have yet more questions.

In the Chest, I have kernel32.dll, winsock.dll, wsock32.dll. They don't show a virus on their line. Why are they in there?

Avast also reported the Win95:Matyas virus on pav.sig file and moved it to the Chest. I read the Matyas infects .exe files. I have no idea what this pav.sig file is. It was in windows\system32 and windows\system32\activescan. Since it's in the Chest, I can't look at the file to try to figure out what it belonged to. Anyone know how I should proceed now?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:pav.sig
« Reply #1 on: November 24, 2003, 03:02:07 PM »
The three system files (kernel32.dll and winsock libraries) are put to the Chest during the installation of avast. It is just a security measure - these files are often the target of viruses; if you happen to be infected in the future, you may restore the original files from Chest.

The pav.sig file is a file used (of left) by Panda antivirus (or their cleaning tool). They store the virus signatures in an unencrypted form inside - therefore other antivirus programs report is as infected. You may consider it a false alarm, i.e. there's no reason to worry about it.

Waldo

  • Guest
Re:pav.sig
« Reply #2 on: November 24, 2003, 03:13:31 PM »

The pav.sig file is a file used  by Panda antivirus. They store the virus signatures in an unencrypted form inside -

Isn't there a great risk involved storing unencrypted (plain) signatures in the database ?

I mean > couldn't scriptkiddies or virus creators use the plain signatures to make malware that can easely bypass detection from the Panda scanner  ?

If you know the source code of the signatures, you don't need to be Einstein to make a trojan or virii or worm that goes undetected.

Panda is a good product (high detection rate) and offers many nice functions, but they need to work on there database !

Kind regards,

Waldo


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:pav.sig
« Reply #3 on: November 24, 2003, 03:27:06 PM »
Well, I don't think it's risky... just indecent.

First, you don't know where the signature is inside the file, in fact. Suppose that avast announces a virus there... but how would you find out where did avast spot the signature?
Second, no matter if the signature is encrypted or not, it's not that hard to find out what given antivirus is looking for. Modifying the malware is just a creation of new variant... similar to packing by some strange packer etc. - i.e. nothing new, in fact.

beck

  • Guest
Re:pav.sig
« Reply #4 on: November 24, 2003, 03:27:14 PM »
Thank you for your help!

As you can tell, I'm testing anti-virus software to find my new one of choice. Yes, I had tried Panda, so that is explained.

I must have setup Avast properly since everything seems to work. :)  And what a good idea to keep protected copies of those .dll files.

stevejrc

  • Guest
Re:pav.sig
« Reply #5 on: November 24, 2003, 07:07:45 PM »
I found same thing with Panda Platinum (install file). Also I uninstalled Panda coz since I installed service pack 4 it wouldnt remember my settings and firewall allowed programs. I tryed re-installing it but no help. Anyway Sygate and Avast work fine and are recommended in most serious forums and review sites.