Author Topic: On Access FP  (Read 5640 times)


Th3Eagle

  • Guest
On Access FP
« on: January 02, 2009, 05:16:03 PM »
I have had a game installed on my game system for almost a year (Jewel Quest III).

A couple of days ago, Avast all of a sudden (while I was playing the game) said that it had a trojan
and deleted the executable for the game.

I reinstalled the game (from a CD that I created back when I first purchased the game)
from the installation file, and Avast deleted it as soon as it was extracted to be installed.

How can I prevent Avast from deleting this file that I know is clean?
I tried adding an exception for both the file itself & the folder it is installed in,
but as soon as I try to play the game, Avast deletes it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: On Access FP
« Reply #1 on: January 02, 2009, 06:49:33 PM »
First, avast doesn't delete anything; it alerts to infection and pops up an interactive screen for the user to choose the action to take. The Home free version doesn't have any autonomous actions, and in the Pro version, which does, the user has to set up what action/s to take on detection.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

If your exception isn't working you are either putting it in the wrong location (program files, exclusions and not the on-access scanner, see below) or you are getting the full path to the file incorrect.

You should always confirm the detection - check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Th3Eagle

  • Guest
Re: On Access FP
« Reply #2 on: January 02, 2009, 08:24:00 PM »
C:\games\Jewel Quest III\JewelQuest3.exe

hXXp://www.virustotal.com/analisis/6478022d07e65abb161f5ac83560a459

Code:
File JewelQuest3.exe received on 01.02.2009 20:16:42 (CET)
Current status: finished
Result: 6/38 (15.79%)


Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.02 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 Win32:Krap-S
AVG 8.0.0.199 2009.01.02 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 866 2009.01.02 TrojWare.Win32.Krap.b
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.02 -
F-Secure 8.0.14470.0 2009.01.02 Packed.Win32.Krap.b
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 Win32:Krap-S
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2009.01.02 -
Kaspersky 7.0.0.125 2009.01.02 Packed.Win32.Krap.b
McAfee 5481 2009.01.02 -
McAfee+Artemis 5482 2009.01.02 -
Microsoft 1.4205 2009.01.02 -
NOD32 3732 2009.01.02 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2009.01.02 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 Win32.Malware.gen#PECompact!92 (suspicious)
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 1245184 bytes
MD5...: 8060963b7622d15f03f7079b5928927b
SHA1..: 8124ddb4d62dbd0f8c798f383ecc6c4257836d1d
SHA256: 201b29a1ab1c9d3a00d670ca96c41b2a75b65cbcdaebfad3276135f23f8edda4
SHA512: 57aca64863688f07c4f97cc1da0c1acb57daf5d0cbd0e8bc76265fa8d65ea1195ea2328a91ebdc7815ba9e2da9122d5e8cc20faebdc1328545e11885a232db5a
ssdeep: 24576:G1zrh4IKy3ug0Y53uh2UUQygW29brrD8p:+hBx5p/Qyx2br38p
PEiD..: PECompact 2.xx --> BitSum Technologies
TrID..: File type identification
Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41db80
timedatestamp.....: 0x484da9c1 (Mon Jun 09 22:08:01 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2a6000 0xd4a00 8.00 913601130519c9c56e6eb138cbd11486
.rsrc 0x2a7000 0x5c000 0x5b200 5.44 438737300b561b4a51df2e6f0136fb0a

( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree

( 0 exports )
packers (Kaspersky): PE_Patch.PECompact, PecBundle
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=8060963b7622d15f03f7079b5928927b
packers (F-Prot): PecBundle, PECompact

« Last Edit: January 02, 2009, 08:36:52 PM by Th3Eagle »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67199
Re: On Access FP
« Reply #3 on: January 02, 2009, 08:33:32 PM »
Th3Eagle, Kaspersky is not known for false positives... is this game (I mean the one installed on your computer) clean?
The best things in life are free.

Th3Eagle

  • Guest
Re: On Access FP
« Reply #4 on: January 02, 2009, 08:52:39 PM »
It has been considered clean on every system that I have installed it on, up to a couple of days ago.

My one system that I have NOD32 installed on detects nothing and lets the game run.
All other systems (5 in total) have Avast on them, which HAS deleted the file (moved the exe to the virus vault).

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67199
Re: On Access FP
« Reply #5 on: January 02, 2009, 08:54:51 PM »
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that you leave your system in danger.

Th3Eagle

  • Guest
Re: On Access FP
« Reply #6 on: January 02, 2009, 08:58:48 PM »
Quote from: Lisandro on January 02, 2009, 08:54:51 PM
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that you leave your system in danger.

thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: On Access FP
« Reply #7 on: January 02, 2009, 09:00:14 PM »
I would suggest that you send the sample to avast (the "how to report and exclude from scans" link I gave) as a possible false positive, as some are reporting it under a packed malware name, which could be prone to misidentification, and one is detecting it as suspicious (heuristic detection), which is more prone to FP. GData uses avast as one of its two scanners, so that can be treated as one detection rather than two.

Whilst Kaspersky isn't noted for FPs, there are many other AVs that are not detecting anything, and their detections are normally reasonable.

This Win32:Krap (http://www.google.co.uk/search?q=Win32%3AKrap) is associated with a password stealer for on-line games, now I would say that it is possible that the game has some form of protection along this line, which may be getting pinged incorrectly. http://www.threatexpert.com/threats/packed-win32-krap-b.html

So there is sufficient doubt for further investigation by avast.
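An added triage example (mine, not code from the thread, avast or VirusTotal): it parses the PE section and import tables VirusTotal printed for JewelQuest3.exe above and lists the traits that a generic "Packed.*"/"Krap" signature keys on. The entropy and size-inflation thresholds are my own assumptions.

```python
# Added example, not from the forum thread. Input text is copied from the
# VirusTotal "PEInfo" block posted above; thresholds are assumed values.
import re

VT_PEINFO = """\
( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2a6000 0xd4a00 8.00 913601130519c9c56e6eb138cbd11486
.rsrc 0x2a7000 0x5c000 0x5b200 5.44 438737300b561b4a51df2e6f0136fb0a

( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
"""

# The four APIs an unpacking stub needs to rebuild the real import table.
LOADER_STUB_APIS = {"LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualFree"}

def parse_sections(report):
    """Return [(name, virtual_size, raw_size, entropy)] from the sections table."""
    pat = re.compile(r"^(\.\w+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)", re.M)
    return [(n, int(v, 16), int(r, 16), float(e)) for n, v, r, e in pat.findall(report)]

def parse_imports(report):
    """Return {dll: set(api)} from the '> dll: a, b' import lines."""
    out = {}
    for dll, apis in re.findall(r"^> ([\w.]+): (.+)$", report, re.M):
        out[dll.lower()] = {a.strip() for a in apis.split(",")}
    return out

def packer_indicators(report, entropy_min=7.0, inflate_ratio=2.0):
    """Collect the traits that make generic 'packed' signatures fire.
    Assumed thresholds: entropy >= 7.0 bits/byte, virtual/raw size >= 2x."""
    hits = []
    for name, vsize, rsize, entropy in parse_sections(report):
        if entropy >= entropy_min:
            hits.append(f"{name}: entropy {entropy:.2f} (compressed or encrypted code)")
        if rsize and vsize / rsize >= inflate_ratio:
            hits.append(f"{name}: unpacks to {vsize / rsize:.1f}x its size on disk")
    imports = parse_imports(report)
    all_apis = set().union(*imports.values()) if imports else set()
    if imports and all_apis <= LOADER_STUB_APIS:
        hits.append("imports are only the loader-stub APIs; real IAT is built at run time")
    return hits

if __name__ == "__main__":
    for hit in packer_indicators(VT_PEINFO):
        print("-", hit)
```

All three indicators are properties of the PECompact packer itself, which legitimate software also ships with, so on their own they show packing rather than malice; that is why a single-family "packed" verdict with no behavioural evidence is worth sending to the vendor as a suspected FP instead of being trusted or blindly excluded.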

Th3Eagle

  • Guest
Re: On Access FP
« Reply #8 on: January 02, 2009, 09:03:09 PM »
Quote from: DavidR on January 02, 2009, 09:00:14 PM
I would suggest that you send the sample to avast (the "how to report and exclude from scans" link I gave) as a possible false positive, as some are reporting it under a packed malware name, which could be prone to misidentification, and one is detecting it as suspicious (heuristic detection), which is more prone to FP. GData uses avast as one of its two scanners, so that can be treated as one detection rather than two.

Whilst Kaspersky isn't noted for FPs, there are many other AVs that are not detecting anything, and their detections are normally reasonable.

This Win32:Krap (http://www.google.co.uk/search?q=Win32%3AKrap) is associated with a password stealer for on-line games, now I would say that it is possible that the game has some form of protection along this line, which may be getting pinged incorrectly. http://www.threatexpert.com/threats/packed-win32-krap-b.html

So there is sufficient doubt for further investigation by avast.

thank you, I will look for that link, and report it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: On Access FP
« Reply #9 on: January 02, 2009, 09:06:23 PM »
It is at the last paragraph at the bottom of my first post.

Th3Eagle

  • Guest
Re: On Access FP
« Reply #10 on: January 02, 2009, 09:50:20 PM »
Quote from: DavidR on January 02, 2009, 09:06:23 PM
It is at the last paragraph at the bottom of my first post.

My SMTP server doesn't allow zip file attachments,
so I had to use WinRAR to send it as a .rar file attachment instead.
It is password protected, and everything except the file type is according to the directions given.

I hope this is acceptable.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: On Access FP
« Reply #11 on: January 02, 2009, 10:03:24 PM »
Zip is just a generic term; .zip, .rar, .7z, any password protected archive is fine.

Though you could have added it to the User Files section of avast (a copy remains in the original location) and sent it from there; it then gets uploaded to avast during the avast update process (no need to zip or password protect, as that is covered by avast).