Author Topic: if a file is warned as trojan, but no sign of trojan activity?  (Read 3143 times)

astro46

  • Guest
i just installed avast av, scanned and several files were flagged as being trojans.

i have run these files previously. if they really were trojans, wouldn't there be signs of trojan activity found during the scan in other places, or in real time, if the trojan was active?

sded

  • Guest
Re: if a file is warned as trojan, but no sign of trojan activity?
« Reply #1 on: March 31, 2009, 06:42:17 PM »
Try submitting them to http://www.virustotal.com/ for a second opinion from a number of other AVs; quarantine as appropriate.  Then you can submit them to Avast! as either misses or false positives for their resolution (you can email them from the Virus Chest).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89607
  • No support PMs thanks
Re: if a file is warned as trojan, but no sign of trojan activity?
« Reply #2 on: March 31, 2009, 06:48:15 PM »
i just installed avast av, scanned and several files were flagged as being trojans.

i have run these files previously. if they really were trojans, wouldn't there be signs of trojan activity found during the scan in other places, or in real time, if the trojan was active?

Generally trojans are going to try and fly under the radar and show no symptoms, so that is no guarantee that you aren't infected.

What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

Confirmation at virustotal, as sded mentions, is the way to go if you aren't sure, and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

astro46

  • Guest
Re: if a file is warned as trojan, but no sign of trojan activity?
« Reply #3 on: March 31, 2009, 10:50:50 PM »
thank you sded and davidr,  been a successful day.  i learned how to deal with file alerts, moved to chest, submitted to virustotal, set up an excluded folder, etc.

still two questions:
1) if, as several scanners indicated, these files contained trojans (kaspersky, which i had been running until recently didn't identify them as trojans at virustotal), why do i not see any evidence of their activities in computer operations, or from avanta? wouldn't they be doing something suspect, or have made other files that are suspect?  if they aren't doing anything why are they a problem, and identified as trojans?

2) what is the difference between adding exclusion to Standard Shield/Customize/Advanced/Add
 and adding  exclusion to Program Settings, Exclusions  ?

thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: if a file is warned as trojan, but no sign of trojan activity?
« Reply #4 on: March 31, 2009, 10:55:27 PM »
2) what is the difference between adding exclusion to Standard Shield/Customize/Advanced/Add
 and adding  exclusion to Program Settings, Exclusions  ?
For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be careful, you should 'exclude' that many files that let your system in danger.
The best things in life are free.
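
An exclusion pattern can be checked for how much it hides from scanning before it is added. The following is an added example, not part of the original posts and not avast! code: it tests candidate exclusion patterns against a constructed list of sensitive paths, assuming `*` matches any run of characters (including `\`) and `?` matches exactly one character, which may differ from the scanner's actual matching.

```python
import fnmatch

# Constructed sample paths: locations where an unscanned file would matter most.
SENSITIVE_PATHS = [
    r"C:\Windows\System32\drivers\example.sys",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\ExampleApp\app.exe",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\run.exe",
]


def matches(pattern, path):
    """Case-insensitive wildcard match using only '*' and '?'.

    Assumption: this approximates the scanner's matching rules; confirm the
    real behaviour in the product before relying on the result.
    """
    # fnmatch also understands [...] character classes; neutralise '[' so
    # that only '*' and '?' act as wildcards.
    safe_pattern = pattern.lower().replace("[", "[[]")
    return fnmatch.fnmatchcase(path.lower(), safe_pattern)


def audit_exclusions(patterns, paths=SENSITIVE_PATHS):
    """Map each exclusion pattern to the sensitive paths it would exclude."""
    return {p: [s for s in paths if matches(p, s)] for p in patterns}


def too_broad(patterns, paths=SENSITIVE_PATHS):
    """Return the patterns that exclude at least one sensitive path."""
    return [p for p, hits in audit_exclusions(patterns, paths).items() if hits]


if __name__ == "__main__":
    candidates = [
        r"C:\Suspect\*",            # the temporary folder from Reply #2
        r"C:\*",                    # whole drive
        r"*.exe",                   # every executable, anywhere
        r"C:\Windows\explorer.ex?", # a single system file
    ]
    for pattern, hits in audit_exclusions(candidates).items():
        verdict = "TOO BROAD" if hits else "ok"
        print(f"{pattern:28} {verdict:10} hides {len(hits)} sensitive path(s)")
```
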

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89607
  • No support PMs thanks
Re: if a file is warned as trojan, but no sign of trojan activity?
« Reply #5 on: March 31, 2009, 11:32:02 PM »
thank you sded and davidr,  been a successful day.  i learned how to deal with file alerts, moved to chest, submitted to virustotal, set up an excluded folder, etc.
You're welcome.

still two questions:
1) if, as several scanners indicated, these files contained trojans (kaspersky, which i had been running until recently didn't identify them as trojans at virustotal), why do i not see any evidence of their activities in computer operations, or from avanta? wouldn't they be doing something suspect, or have made other files that are suspect?  if they aren't doing anything why are they a problem, and identified as trojans?

As I said before it isn't always going to show symptoms, it entirely depends on what the malware is, it won't want to show signs of its presence as you then start trying to find and eliminate it. They could also be hidden by a rootkit, etc. so it isn't always going to show signs. It may also be in a dormant file, e.g. no supporting registry entry to run it or in an archive file, etc. many reasons.

Since you didn't provide the malware name, file names or locations as asked for, that is speculation on my part.

That is also why I asked for the virustotal results URL so we can see what scanners detect what.

2) what is the difference between adding exclusion to Standard Shield/Customize/Advanced/Add
 and adding  exclusion to Program Settings, Exclusions  ?

Tech has covered that, it is also covered in the link on how to report and exclude that you need to cover both areas.