Author Topic: False Positive VBS Malware Gen - Deleted Valuable Files  (Read 6723 times)

REDACTED

  • Guest
False Positive VBS Malware Gen - Deleted Valuable Files
« on: February 23, 2017, 02:00:42 AM »
Avast detected about 500 false positives today, listing them all as VBS-Malware-Gen. These files included Minecraft save games, JPEG images (that I took), documents from Word, Text, and Open Office, as well as hundreds of other valuable and much-needed files, docs, images, and save files. I called "Premium Support" and they want to bill me to resolve the issue. BILL ME!

Avast Pro -  Licensed
Program Version - 17.1.1.2286  (Build 17.1.3394.42)  CURRENT as of February 22nd, cannot be updated.
Virus Definitions Version - 170222-3  CURRENT as of February 22nd, cannot be updated.

I would submit the entire list, of which 99% are false positives, but do not know how to submit the entire report, en masse, to the correct department. Additionally, I can no longer trust AVAST with my security needs because of this incredible breach of trust. Calling tech support is a horrific waste of time. The connection is poor, the tech support people don't understand the issue and just want billing information. That makes the entire tech support of AVAST useless beyond a brick at resolving this issue.

I must go through the list and individually report each false positive, and restore the file.  Who has the time for this?  500 plus false positives!  I am extremely concerned that this issue has happened, and am unsure of how to keep it from happening again. Ergo, I cannot trust Avast and will have no choice but to remove it and discontinue my subscription if not resolved.

How can I report the entire list at one time to the correct department?
How can I prevent this from happening again? (Adding them individually to the exclusion list is insane, these files number in the hundreds!)
« Last Edit: February 23, 2017, 02:36:43 AM by Raymond84 »

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #1 on: February 23, 2017, 02:19:22 AM »
That happened due to a broken definitions update: https://forum.avast.com/index.php?topic=197572.0
It is fixed now. Look in your chest for the files; if they are not there, I think no one can help you. If they are, you can safely restore all items called VBS Malware Gen. And be sure to run a full scan again.
« Last Edit: February 23, 2017, 02:27:03 AM by TheOwner »

REDACTED

  • Guest
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #2 on: February 23, 2017, 02:32:58 AM »
Thank you. It should be noted that my virus definitions and program are CURRENT and cannot be updated. I just tried, again, and it says I am current.  I am, however, working on restoring the wrongfully removed files now.
« Last Edit: February 23, 2017, 02:34:52 AM by Raymond84 »

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #3 on: February 23, 2017, 02:37:35 AM »
You have the latest version, which is fixed. The broken update was 170221-1.

REDACTED

  • Guest
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #4 on: February 23, 2017, 03:19:06 AM »
Thank you again, but I updated to this version, then ran my scan, and it was that scan that detected all those VBS files.  Of which, none are actual VBS malware.  :(

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48550
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #5 on: February 23, 2017, 10:40:56 AM »
Thank you again, but I updated to this version, then ran my scan, and it was that scan that detected all those VBS files.  Of which, none are actual VBS malware.  :(
I've just reported this to Avast, which should get their attention and hopefully a reply.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #6 on: February 23, 2017, 10:55:56 AM »
Could you post a printscreen of a detection?
Could you attach some of the detected files?

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
  • Developer/Malware Analyst, former VPS maintainer
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #7 on: February 23, 2017, 11:19:37 AM »
You can also check your definitions folder at %programfiles%\AVAST Software\Avast\defs\. If folder 17022101 is present (that's the faulty VPS), try restarting Avast Service by running
Code:
    net stop "avast! Antivirus" && net start "avast! Antivirus"
in cmd.exe (as Administrator, also self-defense has to be turned off). Or you can just reboot your computer. This will ensure Avast loads only the latest VPS.

Edit: In case of a reboot, please make sure you have the latest VPS to prevent any damage caused by the faulty VPS during boot-time scan (if scheduled).
« Last Edit: February 23, 2017, 11:24:50 AM by Jiří Šembera »
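
A read-only check for the situation described in the reply above, as an added example that is not part of the original post and is not Avast tooling: it lists the VPS folders under the definitions path and reports whether the faulty folder 17022101 is present and whether a newer one exists. The 8-digit folder-name pattern, the parameter names and the exit codes are assumptions made for this example.

```powershell
# Added example, not Avast tooling. Read-only: lists VPS folders, changes nothing.
param(
    # Definitions path as given in the reply above.
    [string]$DefsPath = (Join-Path $env:ProgramFiles 'AVAST Software\Avast\defs'),
    # Folder the reply identifies as the faulty VPS.
    [string]$FaultyVps = '17022101'
)

if (-not (Test-Path -LiteralPath $DefsPath -PathType Container)) {
    Write-Error "Definitions folder not found: $DefsPath"
    exit 2
}

# Assumption: every VPS folder has an 8-digit name like 17022101,
# so sorting by name puts the newest last.
$vps = @(Get-ChildItem -LiteralPath $DefsPath -Directory |
    Where-Object { $_.Name -match '^\d{8}$' } |
    Sort-Object -Property Name)

if ($vps.Count -eq 0) {
    Write-Warning "No 8-digit VPS folders under $DefsPath"
    exit 2
}

$vps | Select-Object Name, LastWriteTime | Format-Table -AutoSize | Out-Host
$newest = $vps[-1].Name
$faultyPresent = @($vps | ForEach-Object { $_.Name }) -contains $FaultyVps

if (-not $faultyPresent) {
    Write-Output "OK: folder $FaultyVps is not present. Newest VPS: $newest"
    exit 0
}
if ($newest -eq $FaultyVps) {
    # Matches the reply's edit: get the latest VPS before a reboot or boot-time scan.
    Write-Warning "Faulty VPS $FaultyVps is the newest folder. Update definitions before any reboot."
    exit 1
}
Write-Warning "Faulty VPS $FaultyVps is still on disk next to newer VPS $newest."
Write-Output 'Restart the service from an elevated cmd.exe (self-defense off), or reboot:'
Write-Output '  net stop "avast! Antivirus" && net start "avast! Antivirus"'
exit 1
```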

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #8 on: February 23, 2017, 11:21:22 AM »
<snip>
Could you attach some of the detected files?

The forum software only allows certain file types: Allowed file types: jpg, png, txt, log, gif.

Changing a file type to attach could well corrupt the file anyway.

Not to mention if they were allowed the last thing we would want is an alert within the forums by Avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

REDACTED

  • Guest
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #9 on: February 23, 2017, 11:30:58 AM »
I had EXACTLY the same experience as Raymond84.  For starters, I see that the New Avast (I am using 17.1.2286 build 17.1.3394.46) automatically updates the virus definitions.  It occurs to me that I wouldn't have had this happen to me if my computer had not downloaded the new corrupt virus definition database, so I would like to know how to disable it so that I can wait 2 weeks before downloading any new definitions so that Avast has time to work out the kinks :/

Additionally, I am trying to figure out how to restore all these files without going 1 at a time.  Among the several choices when I right click on a line in the chest, I get "delete" "restore" "extract" "refresh all files"... now going 1 at a time, I figured out that "restore" puts the file back, but is "refresh all files" the same as "restore"?  Or does that refresh the list?  I wish that Avast would post more help on how to fix this problem that THEY created, since SOOOOOO many people were instantly affected due to their auto-update of corrupt virus definitions.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #10 on: February 23, 2017, 12:11:29 PM »
@ phredri
The default action for the VPS updates has for some considerable time always been set to Automatic. There are also the Streaming signature updates coming out every few minutes; these rely on VPS updates being set to automatic. It may also disable some of the protection modules, CyberCapture and Hardened Mode (aggressive) I believe.

You can set the Virus Definitions to manual, in the avastUI > Settings > Update. That, however, also disables the streaming updates. Lastly, the volume of new malware samples in a two week period is absolutely massive and would reduce your protection greatly. One area of greater risk would be web browsing, as the Web Shield would be benefiting from the new signature information.

So this isn't a decision to be taken in haste.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #11 on: February 23, 2017, 12:44:18 PM »
<snip>
Could you attach some of the detected files?
The forum software only allows certain file types: Allowed file types: jpg, png, txt, log, gif.
Sorry, what I actually meant was linking the VT analysis, or linking a file sharing service with the files... I should be more precise next time :)

REDACTED

  • Guest
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #12 on: February 23, 2017, 02:30:58 PM »
I appreciate that info, but you didn't shed any light on the functions that I asked about, i.e. "restore" vs "refresh"


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #13 on: February 23, 2017, 03:44:06 PM »
I didn't address it because I'm not clear what the hell Refresh is/means/does.

I can't recall having seen it in earlier avast versions. To me refresh in other contexts could mean reload, but clicking on Refresh doesn't seem to do anything. It doesn't rescan them, as if I specifically select the scan option I get a confirmation of the scan and its result.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48550
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: False Positive VBS Malware Gen - Deleted Valuable Files
« Reply #14 on: February 23, 2017, 03:47:44 PM »
Reported to Avast. Let's wait for them to answer this. It's a new option.