Author Topic: Trojans in PageFile  (Read 3449 times)


MauriceW

  • Guest
Trojans in PageFile
« on: June 12, 2008, 10:19:11 AM »
My setup is multibooting to alternate installations of XP Pro SP3 on different partitions, used for different purposes.

I have discovered that if one tries to scan Pagefile.sys with Avast! in the current active OS, access is denied (not surprisingly).

However on my setup, I can scan the PageFile.sys on partitions other than the currently active one, and I found that some of them gave alerts for Trojans (Win32:Delf-FZG & Win32:Femd-R) neither of which were known on the CA nor the Symantec sites.

Due to the size of the Pagefile.sys files, the only option was to delete them, which I did, knowing that they would be re-created next boot of that OS.
(I could also defragment the partition before restarting it, so that the new Pagefile.sys would not be fragmented).

Whilst my setup is indeed far from usual, this experience raises the question of whether malware could get into the paging file and be undetectable by most malware checking applications.

I'd be interested to have comments from the experts.

Maurice


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojans in PageFile
« Reply #1 on: June 12, 2008, 10:50:45 AM »
Please search the forum for "pagefile.sys false positive".
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojans in PageFile
« Reply #2 on: June 12, 2008, 09:10:48 PM »
Pagefile.sys won't hurt your system. It will be renewed at next boot and avast will detect the infection (if any). So, I'm not sure this is true:

malware could get into the paging file and be undetectable by most malware checking applications.

The pagefile.sys won't be 'used' by other applications.
The best things in life are free.

MauriceW

  • Guest
Re: Trojans in PageFile
« Reply #3 on: June 13, 2008, 01:17:17 AM »
FreewheelinFrank,
As expected, this is not a new phenomenon.
The hits produced by the search didn't produce any clear advice as to what to do.
It seems simplistic to assume all warnings are "False Positive".

Contrary to one claim, unless you deliberately change a setting in the registry, the paging file is not cleaned at each shutdown, so any malware in there would persist. (There is a penalty in shutdown speed if you activate this.)


Tech,
Surely the whole point of the paging file is that items therein may be reused later, including any that are contaminated.

Thank you both for your comments.

I note that ?:\Pagefile.sys is added by default to the Standard Shield exclusions. (Is this just to reduce "False Positives"?)

I intend following this up and will post back if I can find any sound guidance.

Maurice

P.S. Perhaps I should add that I am not noticing any unusual / abnormal behaviour in my systems that would indicate infection.
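As an added example (not posted by anyone in this thread), the PowerShell below inspects the two settings the discussion turns on: which pagefiles Windows is configured to use, and whether the ClearPageFileAtShutdown value that Maurice mentions is set. The registry path and value names are the documented ones under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management; the function names and the pagefile-discovery logic are mine, and enabling the setting needs an elevated session.

```powershell
# Added example, not from the forum thread. Reads the paging-file configuration
# and, optionally, turns on zeroing of the pagefile at shutdown.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PageFileConfig {
    $props = Get-ItemProperty -Path $MemMgmt
    [pscustomobject]@{
        # PagingFiles is a MULTI_SZ with one entry per configured pagefile,
        # e.g. 'C:\pagefile.sys 1536 3072' (path, initial MB, maximum MB).
        # On newer Windows a system-managed entry may read '?:\pagefile.sys'.
        PagingFiles             = @($props.PagingFiles)
        # 1 = overwrite the pagefile with zeros at shutdown (slower shutdown);
        # 0 or absent = leave its contents on disk, which is the default.
        ClearPageFileAtShutdown = [int]($props.ClearPageFileAtShutdown)
    }
}

function Set-ClearPageFileAtShutdown {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Requires an elevated session; takes effect at the next shutdown.
    Set-ItemProperty -Path $MemMgmt -Name 'ClearPageFileAtShutdown' `
        -Type DWord -Value ([int]$Enabled)
}

function Get-InactivePageFiles {
    # Lists pagefile.sys files on volumes that the running OS is NOT configured
    # to use, i.e. the ones belonging to other installations in a multi-boot
    # setup. The active pagefile is held open by the kernel and cannot be read.
    $active = (Get-PageFileConfig).PagingFiles | ForEach-Object { ($_ -split ' ')[0] }
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $candidate = Join-Path $_.Root 'pagefile.sys'
        if ((Test-Path -LiteralPath $candidate) -and ($active -notcontains $candidate)) {
            # -Force is needed because pagefile.sys is hidden and system.
            Get-Item -LiteralPath $candidate -Force
        }
    }
}

Get-PageFileConfig | Format-List
Get-InactivePageFiles | Select-Object FullName, Length, LastWriteTime
```

To clear the file at every shutdown, call `Set-ClearPageFileAtShutdown -Enabled $true` from an administrator prompt; a file listed by `Get-InactivePageFiles` is just a stale dump of another installation's memory, so an AV hit on it says nothing about whether that installation is currently infected.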

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojans in PageFile
« Reply #4 on: June 13, 2008, 01:22:48 AM »
Quote
The hits produced by the search didn't produce any clear advice as to what to do.
It seems simplistic to assume all warnings are "False Positive".

Here's some pretty clear advice from one of the avast! team:

Quote
it gives no sense to scan pagefile.sys file... it could contain a lot of garbage and match the detection

http://forum.avast.com/index.php?topic=36028.msg302254#msg302254

MauriceW

  • Guest
Re: Trojans in PageFile
« Reply #5 on: June 13, 2008, 03:49:12 AM »
Thanks Frank,

I'm not really worried - just interested to know what's going on.

I can appreciate that lots of FPs would be a nuisance.

You can close this thread if you want.

Maurice