Topic: Heuristic scanner detects TrustedInstaller.exe as suspicious

jskrivseth

  • Guest
Heuristic scanner detects TrustedInstaller.exe as suspicious
« on: October 14, 2008, 04:18:04 AM »
This was discussed briefly in another thread. It is still a problem as of today. Avast 4.8.1229 detects TrustedInstaller.exe as suspicious. I have tested this with 3 clean installs and the process is as follows:

0) Disconnect ethernet cable (paranoid much?)
1) Install Vista x64 from Retail media
2) Install SP1 standalone update from known virus-free source
3) Install drivers from known virus-free source
4) Install Avast 4.8.1229 from known virus-free source
5) Connect ethernet cable and let avast auto update
6) Check for Windows Updates
7) Download only the important/critical updates
8) Avast detects TrustedInstaller.exe as suspicious during the download process

I have followed this process 3 times. 2 of the 3 times Avast detected TrustedInstaller.exe as suspicious. I have a very hard time ignoring the warning and walking away. TrustedInstaller.exe is one of very few processes to have full admin rights under Windows Vista.

Please let me know if this warning can be safely ignored and please fix the heuristic scanner. Thanks.

I should note that subsequent scans of the file c:\windows\servicing\trustedinstaller.exe don't result in a warning.
« Last Edit: October 14, 2008, 04:29:33 AM by jskrivseth »

jskrivseth

  • Guest
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #1 on: October 14, 2008, 07:11:49 PM »
Can anyone confirm or deny this?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #2 on: October 14, 2008, 07:22:50 PM »
What version of the avast VPS are you using?

I ask this because this has previously been reported and as far as I know resolved. Try a forum search for TrustedInstaller.exe and see what that reveals.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jskrivseth

  • Guest
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #3 on: October 14, 2008, 07:26:18 PM »
I let Avast automatically update the VPS before running Windows updates. The VPS version yesterday before Windows update was 081013-0. Should I reboot by chance after letting Avast update the VPS?

Offline DavidR

Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #4 on: October 14, 2008, 08:47:21 PM »
I doubt that a reboot would change anything.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

jskrivseth

  • Guest
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #5 on: October 14, 2008, 11:49:33 PM »
Quote from: DavidR
> I doubt that a reboot would change anything.
>
> Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
>
> Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
>
> If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Thanks for the response. However, I don't think these suggestions fit the problem. First, the file is not in the virus chest and wouldn't be. This was a "suspicious file" alert triggered by a heuristic scanning method. By definition the file is not infected with any explicitly known virus. The recommended action is to ignore the warning and submit the file to alwil for screening, which I did. The file c:\windows\servicing\trustedinstaller.exe comes up clean from every scan I have tried. The file itself is clean before and after Windows update, so the on-access scanner triggers the alert *only* during the download of the file from Windows Update and the alert is non-deterministic. It is completely random whether or not the alert will pop.

Offline DavidR

Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #6 on: October 15, 2008, 12:23:48 AM »
I thought that it was detecting the file on your system and not the one being downloaded...

I assume that the windows update process is downloading a new version of that file to be used with the remainder of the update, etc. and it is that new version that is being detected. The avast virus log viewer should confirm the location of the suspect file, check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. Report the findings.

Normally I would say you could pause the web shield, which would allow the file to be downloaded (then the standard shield would object but the file is on your system), but because this is a windows update and it is an installation process I wouldn't advise it.

How to get round that would be the problem and I can't really offer a suggestion. I don't use Vista nor 64bit OS, so I can only hope one of the Alwil team can pick up on this topic and see if they can get a copy from another (MS) source.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
The best things in life are free.

jskrivseth

  • Guest
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #8 on: October 15, 2008, 06:21:36 PM »
Thanks for the help guys!

The alert is not logged since it is detected by a heuristic method and hence no known virus warning is generated. So the Avast log viewer shows nothing other than my VPS updates under any of the categories.

On a side note, I reinstalled again doing down-to-the-letter exactly the same steps as before, except for one thing. I rebooted after doing the VPS update. This should have no impact, but every time I have rebooted after VPS updates, the warning is not triggered. This time, no warning was triggered. Though to be fair I have only done this exact procedure (including rebooting after VPS updates) twice.

I suppose it is possible that Windows Update repositories may contain different revisions of TrustedInstaller.exe and perhaps sometimes Windows Update decides differently as to which patches will be applied in a given order. Perhaps the afflicted TrustedInstaller.exe is in a patch that is not needed after installing a superseding patch. Perhaps there is no direct dependency and this is just luck-of-the-draw.

In any case, I have imaged my OS install so I hopefully won't have to deal with this oddity ever again. I wanted one perfectly clean install to make an image from and now I have it.

Thanks again!

I hate computers. Maybe I should have avoided Computer Science in school.

jskrivseth

  • Guest
Re: Heuristic scanner detects TrustedInstaller.exe as suspicious
« Reply #9 on: October 20, 2009, 07:58:46 PM »
Just so you know, this continues to happen pretty consistently on more than a dozen machines. I just have to ask: Why does Avast even pop the alert for heuristic detections by default? Why not submit the file for screening and avoid bothering the user? It puts the user one click away from deleting trustedinstaller.exe and that is not good.
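
Added example (not part of the original thread, and not Avast or Microsoft code): a PowerShell check a user could run before acting on a heuristic alert for a system binary, covering the signature, hash and sample-copy steps discussed above. It assumes PowerShell 4.0 or later (for Get-FileHash); the function name Get-BinaryTriage and the Microsoft-signer test are illustrative assumptions, and the two paths are the ones named in the posts.

```powershell
# Added example, not from the thread. Paths come from the posts above;
# the function name and the Microsoft-signer check are assumptions.
param(
    [string]$Path    = 'C:\Windows\servicing\TrustedInstaller.exe',
    [string]$WorkDir = 'C:\Suspect'   # scan-excluded folder from Reply #4
)

function Get-BinaryTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path
    # Status is Valid only if the signature verifies and chains to a trusted root.
    # Windows components are often catalog-signed; older PowerShell versions
    # may report those as NotSigned, so treat NotSigned as "check further".
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path        = $item.FullName
        FileVersion = $item.VersionInfo.FileVersion
        Sha256      = $hash.Hash      # look this up on VirusTotal instead of guessing
        SigStatus   = [string]$sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report = Get-BinaryTriage -Path $Path
$report | Format-List

$trusted = ($report.SigStatus -eq 'Valid') -and ($report.Signer -match 'O=Microsoft Corporation')
if ($trusted) {
    Write-Output 'Validly signed by Microsoft: report the alert as a false positive; do not delete.'
} else {
    Write-Warning 'Signature not confirmed: keep the file in place and submit a copy for analysis.'
}

# Copy (never move) the sample for upload, then confirm the copy is byte-identical.
if (Test-Path -LiteralPath $WorkDir -PathType Container) {
    $copy = Join-Path $WorkDir (Split-Path -Leaf $Path)
    Copy-Item -LiteralPath $Path -Destination $copy -Force
    $same = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash -eq $report.Sha256
    Write-Output "Sample copied to $copy (hash matches original: $same)"
}
```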