Author Topic: MacAvast repair function for Word macro virus broken?  (Read 11945 times)

Offline jvmn

  • Newbie
  • *
  • Posts: 4
MacAvast repair function for Word macro virus broken?
« on: February 22, 2009, 08:00:50 PM »
Hello,

Since the last few updates, I can no longer clean Word documents of a macro virus (MW97:Marker Family). The only message I get: "X Files was not processed successfully".
Avast log file shows only:
Code:
22.02.09 19:16:19.749   repaired: "/path/to/word.doc" success 0 (451)
I tried "MacAvast v2.74R0 ServiceKit v1.41" with scan engine 0.68, 0.69 & 0.82beta, and also a new installation. But nothing changed.
Is there any hint to fix this problem, or must I wait until the next Avast update?

Thanks
Juergen

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: MacAvast repair function for Word macro virus broken?
« Reply #1 on: February 24, 2009, 02:06:41 PM »
Hello, the cleaner is part of the virus database, so changing the engine is not necessary here. 451 is an engine error, so maybe the file is protected against modification? (Apple-I, then have a look at the permissions.)

What's the version of your virus database?

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

Offline jvmn

  • Newbie
  • *
  • Posts: 4
Re: MacAvast repair function for Word macro virus broken?
« Reply #2 on: February 24, 2009, 06:46:18 PM »
Hello,

Permissions (POSIX & ACL) were the first thing I looked at, and they are fine. I changed the POSIX permissions to 777 for testing purposes.
Nothing changed. Same behavior.
Virus database version is 090221-0 - 21.02.2009.
Meanwhile, a new database version came via update. I also tried it (090224-0 - 24.02.2009), but got the same result.

regards,
Juergen

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: MacAvast repair function for Word macro virus broken?
« Reply #3 on: February 25, 2009, 12:17:04 PM »
Hello, I tested this a few minutes ago with different engines, and it works. Please note that not all macro infections can be flawlessly repaired, but many of them can. I can't spread malware samples, but maybe this is your case. Could you zip the particular file (use password: virus) and send it to me (cimbal :at: avast.com)?

thanks,
pc

Offline jvmn

  • Newbie
  • *
  • Posts: 4
Re: MacAvast repair function for Word macro virus broken?
« Reply #4 on: February 25, 2009, 05:48:53 PM »
Hello,

I sent you a sample via mail. It's a 7-year-old Word macro virus (Shankar).
MacAvast was able to clean this macro virus in the past. This was the reason for us to buy a license.  :)
The Avast Windows version can clean this file. I would guess MacAvast should be able to do so as well.

I also tried a new installation. First I deleted all MacAvast-related files from the hard drive:
~/Library/Application Support/com.avast.MacAvast/
~/Library/Preferences/com.avast.MacAvast.plist
/Applications/avast!.app/

Reboot and reinstall. It's weird, always the same error/behavior.

Is some verbose log output possible? Maybe that would help.

regards,
Juergen

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: MacAvast repair function for Word macro virus broken?
« Reply #5 on: March 02, 2009, 05:06:33 PM »
Hello,
What was the subject/sender of the mail? I can't locate it in my mail inbox. Maybe try to send it password-protected, so it can pass through the various mail filters along the path.

regards,
pc

Offline jvmn

  • Newbie
  • *
  • Posts: 4
Re: MacAvast repair function for Word macro virus broken?
« Reply #6 on: March 03, 2009, 01:10:15 PM »
Hello,

I resent the virus sample. It's a zip file with a password set (password=virus).
The first mail was sent on:
Message-ID: <49A56FAD.5030704@jvm.de>
Date: Wed, 25 Feb 2009 17:19:57 +0100
Subject: Virus Sample

The second on:
Message-ID: <49AD1B4F.1020107@jvm.de>
Date: Tue, 03 Mar 2009 12:58:07 +0100
Subject: Virus Sample /2

The second mail was also sent to my private mail account, and it came through. I hope this time you will receive the sample.

Regards
Juergen

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: MacAvast repair function for Word macro virus broken?
« Reply #7 on: March 03, 2009, 04:36:13 PM »
Hello Juergen,
thanks for the details, your samples were buried in the junk folder. Yes, the "bug" is reproducible: the MW97:Marker family is detected, but trying to clean the file returns "Not successfully processed". Why?

Internally, there are two distinct repair levels: weak-failsafe (tries to remove the infection) and stronger-cruel (would remove all macros). By default, the GUI applies the first level, but here 451/42060 is returned ("file was not repaired"), and the higher level isn't used in turn. Thanks for the report, we'll add this "stronger repair" fix to the present alpha.

regards,
pc

PS: if you still wanna repair your particular file, you can do it manually:
- open terminal, and type: telnet -u `pwd`/Library/Application\ Support/com.avast.MacAvast/socket
- then, type: license path path_to_your_license_file
- then, type: repair 1 0 path_to_the_infected_doc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)
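
Added example, not part of the original post and not Avast's own tooling: a shell script that reads log lines in the format quoted at the top of the thread, picks out the documents whose repair failed with 451, and prints the "license path" and "repair 1 0" lines from the PS above, ready for the session opened by the telnet step. The sample log, the demo paths and the reading of "success 0" as a failure are assumptions; the thread does not say how the socket handles paths containing spaces.

```shell
#!/bin/sh
# Log line format as quoted in the thread:
#   22.02.09 19:16:19.749   repaired: "/path/to/word.doc" success 0 (451)
# Assumptions (not confirmed by the thread): "success 0" marks a failed
# repair and the number in parentheses is the engine result code.

# Constructed sample log. Only the shape of the failing lines comes from
# the thread; the "success 1 (0)" line and all paths are made up.
sample_log() {
    cat <<'EOF'
22.02.09 19:16:19.749   repaired: "/Users/demo/Docs/report.doc" success 0 (451)
22.02.09 19:16:20.102   repaired: "/Users/demo/Docs/clean me.doc" success 1 (0)
22.02.09 19:16:21.377   repaired: "/Users/demo/Docs/old letter.doc" success 0 (451)
22.02.09 19:17:02.010   repaired: "/Users/demo/Docs/report.doc" success 0 (451)
EOF
}

# failed_repairs [CODE] < log
# Prints each document whose repair failed with CODE (default 451), once.
failed_repairs() {
    code=${1:-451}
    case $code in
        ''|*[!0-9]*) echo "code must be numeric" >&2; return 2 ;;
    esac
    sed -n -E "s/^.*repaired: \"(.*)\" success 0 \\(${code}\\)[[:space:]]*\$/\\1/p" |
        sort -u
}

# repair_commands LICENSE_FILE < log
# Emits the two command forms given in the PS: one "license path" line,
# then one "repair 1 0" line per document that failed with 451.
repair_commands() {
    printf 'license path %s\n' "$1"
    failed_repairs 451 | while IFS= read -r doc; do
        printf 'repair 1 0 %s\n' "$doc"
    done
}

# Demo run on the constructed log; the license path is a placeholder.
sample_log | repair_commands "/Users/demo/license.dat"
```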

Offline jazfx

  • Newbie
  • *
  • Posts: 2
Re: MacAvast repair function for Word macro virus broken?
« Reply #8 on: December 23, 2015, 01:26:29 AM »
Hiya,

I have the same problem: MW97:Marker-D is detected but not fixed by a newly installed, up-to-date Avast.
I even tried the terminal command (even though it would be a pain with that number of files), but it says "licence: commande not found".

There is no information I could find on the net about how to really fix the problem, even though it is very documented.

Does somebody have a real solution? I am exhausted from dragging those macros around for years.

cheers

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2198
Re: MacAvast repair function for Word macro virus broken?
« Reply #9 on: December 23, 2015, 01:33:15 PM »
Hello,
try to create a ticket at https://support.avast.com/

Milos

Offline jazfx

  • Newbie
  • *
  • Posts: 2
Re: MacAvast repair function for Word macro virus broken?
« Reply #10 on: December 23, 2015, 01:57:24 PM »
Thanks, I did put in a ticket.