Topic: Infected VRDB?

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Infected VRDB?
« on: April 05, 2009, 02:45:14 AM »
I just did my first thorough scan in ages (usually do a standard), but with archives omitted, and got an interesting and surprising result. This was with both the program and VPS right up to date, 4.8.1335 and 090904-0 respectively.

I was alerted that it had found Win32:Dialer-gen13[trj] in, of all places, the VRDB file, ....\integ\avast.int.  It did not find any problems elsewhere on the disk. So that file got successfully moved to the chest.

I'm guessing that since nothing else was found, the infected whatever was present on my system when I last generated the VRDB (March 24th) and slipped past avast during generation, but is no longer around except for the "recovery" data for it.  So I've got three questions:

1)  Sound like a reasonable and likely inference I'm making?

2)  If so, am I probably safe to just delete the file and generate a fresh VRDB? Or possibly it's a false positive in the current defs which others have already reported, so I don't even need to delete but can simply restore it?

3) Some time, way back when, I'd asked whether avast scanned files for which it put data into the VRDB, to ensure that the resulting VRDB was clean, and was told yes it did.  If the current alert is in fact legit, does that mean we can't take for granted that the VRDB is clean?

Oh, should also mention that I haven't yet run SAS or MBAM scans, to see if maybe one or both of those turns up something elsewhere on the disk that the avast scan missed. I'll post a follow-up shortly once those are done.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Infected VRDB?
« Reply #1 on: April 05, 2009, 03:43:18 AM »
Just finished full (not "quick") scans with SAS and MBAM, nothing turned up with either one.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Infected VRDB?
« Reply #2 on: April 05, 2009, 04:17:05 PM »
The detection seems to be a false positive. If you delete the VRDB file, just start (generate now) another.
avast scans the files before adding them to the VRDB, and the .int file shouldn't be detected as infected.
The best things in life are free.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Infected VRDB?
« Reply #3 on: April 05, 2009, 07:36:05 PM »
Thanks, Tech.  :)  Haven't done anything with it yet, but might as well just delete it and re-generate, although it sounds like that's unnecessary (in this case) for security purposes.

If nothing else, it should trim the file size way down since I'll now have only the data for the most recent version of updates of what's protected rather than 3 versions.  Plus, if I understand correctly, a fresh VRDB over an earlier existing one does not delete data relating to stuff that's been uninstalled, so wiping the file and starting afresh should make the file smaller still.

Given the size and nature of the .int, I'd be curious what in it triggered the alert, and if the FP has since been confirmed and corrected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected VRDB?
« Reply #4 on: April 05, 2009, 07:51:24 PM »
The other aspect of the VRDB integ.int is that it doesn't contain complete files as in a back-up copy. It only contains some information on the file to try and restore the original file to an uninfected state.

So I believe this just happens to be a random match of a virus signature, strange as this may be.

The only way for it to be corrected is for a) you to report it as a possibly false positive and send the sample which could be big as you mention, b) Alwil to analyse the file and try to identify why the detection occurred, c) to correct it and issue a VPS update.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
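DavidR's point above is that the VRDB holds only fragments of files, so a byte signature can line up by chance across data that came from several different, clean files. The following toy scanner (an added example, not avast's code; the record layout, file names and the 6-byte pattern are all invented) shows this happening: each source fragment is clean on its own, but the combined database matches because the pattern straddles the boundary between two records, and the index tells you which files the hit spans.

```python
from dataclasses import dataclass

@dataclass
class Record:
    name: str      # file the fragment came from
    offset: int    # where the fragment starts in the data area
    length: int

# Constructed "recovery data": short fragments laid end to end in one blob.
# Names and bytes are made up; this is not the real avast .int layout.
FRAGMENTS = [
    ("notepad.exe", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x8b"),
    ("calc.exe",    b"\xd8\xcd\x21\x5d\xc3\x90\x90"),
    ("winword.exe", b"\x68\x00\x10\x00\x00\xe8"),
]
# Hypothetical detection pattern (made up, not a real VPS signature).
SIG = b"\x33\xc0\x8b\xd8\xcd\x21"

def build_db(fragments):
    """Concatenate fragments into one data area and build an index over it."""
    data, index = bytearray(), []
    for name, frag in fragments:
        index.append(Record(name, len(data), len(frag)))
        data += frag
    return bytes(data), index

def find_all(data: bytes, sig: bytes):
    """Return every offset at which `sig` occurs in `data`."""
    hits, start = [], 0
    while (pos := data.find(sig, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

def records_overlapping(index, start, end):
    """Names of records whose fragment overlaps the byte range [start, end)."""
    return [r.name for r in index if r.offset < end and start < r.offset + r.length]

def triage(fragments, sig):
    """Scan each source fragment alone, then the combined database.
    Returns ({name: matched?}, [(db_offset, [records the hit spans])])."""
    data, index = build_db(fragments)
    per_file = {name: bool(find_all(frag, sig)) for name, frag in fragments}
    db_hits = [(pos, records_overlapping(index, pos, pos + len(sig)))
               for pos in find_all(data, sig)]
    return per_file, db_hits

if __name__ == "__main__":
    per_file, db_hits = triage(FRAGMENTS, SIG)
    print("per-file matches:", per_file)   # every file clean on its own
    print("database hits:", db_hits)       # one hit spanning notepad.exe and calc.exe
```

The same triage idea applies to any aggregate file (backup catalogues, caches, index databases): scan the constituent files that the hit overlaps before treating a detection in the container as real.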

Chris2009

  • Guest
Re: Infected VRDB?
« Reply #5 on: April 05, 2009, 11:46:17 PM »
I'm just scanning my son's machine, which he has neglected - I've renewed the licence, updated everything and am now doing a full scan. I have had this same Trojan, Win32:Dialer-gen13[trj] reported in ....\integ\avast.int.

This particular avast.int is 7455 kB and has not been modified since January 2006.

I haven't deleted it yet - is it worth me sending it in for checking as a false positive?

Chris

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Infected VRDB?
« Reply #6 on: April 05, 2009, 11:53:41 PM »
> I'll now have only the data for most recent version of updates of what's protected rather than 3 versions.

The utility of the VRDB is almost none nowadays... I won't worry about that too much.

> Plus, if I understand correctly, a fresh VRDB over an earlier existing one does not delete data relating to stuff that's been uninstalled, so wiping the file and starting afresh should make the file smaller still.

Fully right.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Infected VRDB?
« Reply #7 on: April 05, 2009, 11:55:23 PM »
> I haven't deleted it yet - is it worth me sending it in for checking as a false positive?

If you could, it would be good. What is the file size?
You can report the false positive: you can send it to virus@avast.com or, if it is too big, you can upload it to the ftp site.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Infected VRDB?
« Reply #8 on: April 06, 2009, 08:06:24 PM »
Might be a good idea to send it in, Chris, since you got the same thing I did -- I've now gone the delete-regenerate route so no longer have it and can't do that myself.

Chris2009

  • Guest
Re: Infected VRDB?
« Reply #9 on: April 09, 2009, 11:30:30 PM »
The file was 7.5MB - I sent it in using the false positive report function, with a reference to this thread.

If I hear anything I'll report it here for interest.

Chris

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected VRDB?
« Reply #10 on: April 09, 2009, 11:47:21 PM »
You normally don't get a reply unless they need more information. If you have retained a copy in the chest, etc., you can periodically scan it within the chest. When it is no longer detected, the VPS has been corrected.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Infected VRDB?
« Reply #11 on: April 10, 2009, 01:22:19 AM »
Thanks for helping improve detection ;)