Author Topic: VBS:malware-gen  (Read 18774 times)

keithhmh

  • Guest
VBS:malware-gen
« on: August 14, 2008, 06:12:27 PM »
I have just installed Avast for Mac and it immediately threw up VBS:Malware-gen on the very first scan. If it is a generator, what else might it have done that has not been seen by Avast? In the Avast literature it says that no one product will find all the problems. Do you recommend a particular partner product?

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: VBS:malware-gen
« Reply #1 on: August 14, 2008, 06:16:53 PM »
What file did it report as infected?
"People who are really serious about software should make their own hardware." - Alan Kay

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #2 on: August 14, 2008, 08:10:40 PM »
I wrote down the file name (3BDAE9BBd01) but I am afraid I destroyed the path when I unintentionally cleared it from the virus chest - sorry.

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #3 on: August 14, 2008, 10:33:57 PM »
The other problem is that whenever I run a scan, when I come back to the Mac I get two message windows, one saying deamon has died scanning / and the other saying that com.avast.macavast.MAD has unexpectedly quit, do I want to relaunch. I have run 3 scans since downloading my license and I get this every time. I don't particularly sit in front of my iMac for an hour or so to catch it at the point it gives up. Any thoughts on what I should try next?

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #4 on: August 14, 2008, 10:43:14 PM »
I found the following in the log,


14.08.08 05:35:19.811 Got expiration "13.10.2009"
14.08.08 05:35:19.813 Licence OK
14.08.08 05:39:15.111 Checking for update (manually: 0)
14.08.08 05:39:15.415 Update failed (507), falling back...
14.08.08 05:42:57.336 File operation: Move to Chest, 1 objects
14.08.08 05:42:57.825    real operation: Move to Chest on "/Users/Keith/Library/Caches/Firefox/Profiles/27v46w6i.default/Cache/3BDAE9BBd01" (chested (null)) success 1
14.08.08 05:44:15.688 Got expiration "13.10.2009"
14.08.08 05:44:15.689 Licence OK
14.08.08 05:44:30.334 Scanning 1 paths (auto 0):
14.08.08 05:44:30.335   /
14.08.08 07:25:47.786 Daemon launched
14.08.08 07:25:52.265 Scanned: aborted 0, items: 975224, files: 776731, viruses: 0, warnings: 427
14.08.08 07:25:54.199 Daemon pid 2969 priority 0 reports trial 0 (0.000000 days)
14.08.08 07:25:54.270 Got expiration "13.10.2009"
14.08.08 07:25:54.272 Licence OK


Hope it helps

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: VBS:malware-gen
« Reply #5 on: August 17, 2008, 04:18:28 PM »
Try applying the patch that's detailed in the following thread:
http://forum.avast.com/index.php?topic=36197.msg303743#msg303743
"People who are really serious about software should make their own hardware." - Alan Kay

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: VBS:malware-gen
« Reply #6 on: August 20, 2008, 03:03:42 PM »
Quote from: .: Mac :. on August 17, 2008, 04:18:28 PM
Try applying the patch that's detailed in the following thread:
http://forum.avast.com/index.php?topic=36197.msg303743#msg303743

Yes, it might be this long-path problem - apply the fix, and tell us whether the bug disappeared.
VBS:malware-gen is a generic detection for VB scripts.

pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #7 on: August 22, 2008, 03:31:01 PM »
I applied the patch and ran again. The "Deamon died" problem went away but now the scan didn't stop. I left it going and when I got back 3.5 hours later it was showing 2680793 items in 2179100 files and still going. (It showed repeats of files with err 13.)

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: VBS:malware-gen
« Reply #8 on: August 25, 2008, 12:29:26 PM »
Quote from: keithhmh on August 22, 2008, 03:31:01 PM
I applied the patch and ran again. The "Deamon died" problem went away but now the scan didn't stop. I left it going and when I got back 3.5 hours later it was showing 2680793 items in 2179100 files and still going. (It showed repeats of files with err 13.)

Hallo,

As long as hard links are not allowed for directories (and softlinks aren't followed), the "loop in recursion" shouldn't occur. But there might be some archives, CD images and other things that can make the count of items higher - maybe 3.5 hr for the whole disk wasn't enough in your case.

Please, check this:
- is the daemon that's in use really 0.0.69 (hover the mouse cursor over the VPS xxxx-xx-xx in the upper left corner to see this)?
- is it really cycling over and over - which files is it processing in a loop?

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #9 on: August 26, 2008, 11:17:33 AM »
It is definitely 0.0.69.

I set it scanning last night and it was still going this morning.

By copying the list to Excel I saw that the scan had gone into the Time Machine volume even though I had selected 'scan volume' and specified 'Macintosh HD'. That is why I was seeing some duplicate file names. Interestingly enough, it found the trojan WIN32:small-HUF on the 2008-07-13 backup but it hasn't found it in the main volume and I don't remember ever seeing it found before.

It was in my virtual windows hard drive under Parallels

/Volumes/Time Machine Backups/Backups.backupdb/khimac/2008-07-13-055956/Macintosh HD/Users/Keith/Documents/Parallels/Microsoft Windows 2000/win2000.hdd
/Volumes/Time Machine Backups/Backups.backupdb/khimac/2008-07-13-055956/Macintosh HD/Users/Keith/Documents/Parallels/Microsoft Windows 2000/win2000.hdd/win2000.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds

I re-ran 'scan folder' and that stopped O.K.
 

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: VBS:malware-gen
« Reply #10 on: August 26, 2008, 06:59:45 PM »
I can see why it would scan the Time Machine backup, as it's mounted in the /Volumes folder on the hard disk. You would need to exclude /Volumes/Time Machine Backups from the scanner to stop this.
"People who are really serious about software should make their own hardware." - Alan Kay
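
The traversal rules raised in replies #8 and #10 (symlinks not followed, no directory entered twice, other volumes and an excluded folder pruned), as an added Python example that is not part of the original posts and not Avast's code. The function name and the `exclude` and `same_device` parameters are hypothetical.

```python
import os
import stat
import sys

def walk_for_scan(root, exclude=(), same_device=True):
    """Return (files, skipped) for a scan of root.

    exclude     -- directory paths to prune (hypothetical option)
    same_device -- prune directories that sit on a different volume than root
    """
    root = os.path.abspath(root)
    exclude = {os.path.abspath(p) for p in exclude}
    root_st = os.lstat(root)
    seen = {(root_st.st_dev, root_st.st_ino)}  # directories already entered
    files, skipped, stack = [], [], [root]
    while stack:
        current = stack.pop()
        try:
            entries = sorted(os.scandir(current), key=lambda e: e.name)
        except OSError as err:  # unreadable directory, e.g. EACCES (errno 13)
            skipped.append((current, "errno %d" % err.errno))
            continue
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            key = (st.st_dev, st.st_ino)
            if stat.S_ISLNK(st.st_mode):
                skipped.append((entry.path, "symlink"))  # never followed
            elif stat.S_ISREG(st.st_mode):
                files.append(entry.path)
            elif not stat.S_ISDIR(st.st_mode):
                continue  # sockets, devices, FIFOs: nothing to scan
            elif entry.path in exclude:
                skipped.append((entry.path, "excluded"))
            elif same_device and st.st_dev != root_st.st_dev:
                skipped.append((entry.path, "other volume"))
            elif key in seen:
                skipped.append((entry.path, "already visited"))
            else:
                seen.add(key)
                stack.append(entry.path)
    return sorted(files), skipped

if __name__ == "__main__":
    # Usage: script.py [ROOT [EXCLUDED_DIR ...]]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found, pruned = walk_for_scan(target, sys.argv[2:])
    print(len(found), "files to scan")
    for path, reason in pruned:
        print("skipped", path, "(%s)" % reason)
```

Run against `/` with `same_device=True`, a walker like this stops at anything mounted under `/Volumes`; the `exclude` list covers the case where the backup folder sits on the same volume.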

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #11 on: August 27, 2008, 10:05:42 PM »
I am sorry to have to ask for your patience again but how do I exclude /Volumes/Time Machine Backups from the scan?

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: VBS:malware-gen
« Reply #12 on: August 28, 2008, 03:10:01 AM »
Quote from: keithhmh on August 27, 2008, 10:05:42 PM
I am sorry to have to ask for your patience again but how do I exclude /Volumes/Time Machine Backups from the scan?

You know what, that's a good question. I don't see a way to  :-\
"People who are really serious about software should make their own hardware." - Alan Kay

keithhmh

  • Guest
Re: VBS:malware-gen
« Reply #13 on: August 28, 2008, 09:58:33 AM »
I am going to start another topic specific to this because I can't let it just run as long as it is - perhaps someone out there has solved it somehow.