Author Topic: Avast crashed Fx...  (Read 4668 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Avast crashed Fx...
« on: April 08, 2009, 01:17:09 PM »
Hi malware fighters,

Fx with NoScript crashed when avast alerted to SessionRestore.JS having traces of a trojan, could not back up the browser, it kept on crashing, think I have to build up again from crash, because SessionRestore.JS being empty. Could this have been a FP?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89186
  • No support PMs thanks
Re: Avast crashed Fx...
« Reply #1 on: April 08, 2009, 03:36:00 PM »
It has never happened to me, but then again I don't have a sessionrestore.js file, I use the SessionManager add-on.

I exclude the sessionstore*.js files (the wildcard takes care of the multiple sessionstore files). I guess it would be possible to exclude the SessionRestore.js file; there would obviously be an element of risk if that file was actually infected. You don't say what the malware name was?

You should do the usual drills: upload to VT and confirm or deny the detection and report as an FP as required. Though if you can't test the original file that's out of the question.

Having had to build from scratch I guess you aren't using FEBEs add-on then ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Avast crashed Fx...
« Reply #2 on: April 08, 2009, 04:22:24 PM »
Hi DavidR,

There are other ways to do it, in the case of Minefield to have a complete new install once in a while is better anyway, and all I wanted to save I have neatly stored with a link saving program and back-ups, so that does not take that much room. Really I have copies of all my extensions there, but I have left Febe because it does not agree with other extensions sometimes and I think it is buggy. I also have several profiles stashed away so I can switch with these, so not really a disaster for me. Later I will report the find with which avast webshield alerted me, I think it was a FP because I was using a javascript fuzzer at the time, so with avast reacting to everything out of the ordinary I could have expected what I experienced. As I work SRWare's Iron and another updated and patched Mozilla type browser there, not much. Funny that avast takes out a vital javascript file without it the browser cannot survive, starts up and crashes immediately,

pol

Offline DavidR

Re: Avast crashed Fx...
« Reply #3 on: April 08, 2009, 06:14:48 PM »
Well I don't know where you get the without it the browser can't survive as I don't have sessionRestore.js at all.

avast would 'take out' as you put it a vital firefox file, I doubt that avast even knows it is a firefox file vital or otherwise, just that it believes it is infected and the user decides what action to take. Me, if I saw the location of the alert, I would have checked it out first (usual VT check) before I said to delete or move to the chest.

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Avast crashed Fx...
« Reply #4 on: April 08, 2009, 06:31:45 PM »
Well I don't know where you get the without it the browser can't survive as I don't have sessionRestore.js at all.

avast would 'take out' as you put it a vital firefox file, I doubt that avast even knows it is a firefox file vital or otherwise, just that it believes it is infected and the user decides what action to take. Me, if I saw the location of the alert, I would have checked it out first (usual VT check) before I said to delete or move to the chest.

Well moving to the chest would not have been that bad since polonus could have restored it later.

@polonus: couldn't this be just a simple mishap? I mean I also use Firefox and I had a crash once or twice with no complaint from avast (set to high in terms of standard shield) before or after the failure. Do you get the same behavior after the re-install?
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline polonus

Re: Avast crashed Fx...
« Reply #5 on: April 08, 2009, 09:19:29 PM »
Hi DavidR and Confused Computer User,

I have switched to this now: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 ID:20090305152042
so left my hands off of the Firefox Minefield trunk for a bit, and will be beta-testing Fx 3.1. Beta 3, nice and swift browser, all my extensions and bookmarks up there and running again.
I had a sign of "JS:ScriptPE-inf [trj]" first in sessionstore-1.js, later in sessionstore.js, and I cleansed it out, also deleted sessionstore.bak.
Avast saved my glorious behind I think from this: http://forum.avast.com/index.php?topic=43970.msg367840#msg367840
Gonna run some scans to see nothing there, but I have to warn users that there is a 200% increase in online malware that try to silently download from hacked sites, so be happy with the Avast Shields,
know where to keep NoScript activated as well as RequestPolicy and Perspectives.

Again I am good to go again,

polonus (proud avast user)

Offline DavidR

Re: Avast crashed Fx...
« Reply #6 on: April 08, 2009, 09:41:14 PM »
Did you check out the sessionstore-1.js and sessionstore.js using notepad or other text editor to see if you could find the injected javascript?

I would also have uploaded them to VT for another 38 second opinions ;D

Offline polonus

Re: Avast crashed Fx...
« Reply #7 on: April 08, 2009, 10:57:48 PM »
Hi DavidR,

@DavidR

Being here that long makes me trust whatever avast flags, and in case of an alert while using a browser, and if the browser in question in the aftermath keeps on crashing what the heck can we gain by testing, all the crashing reports landed at third parties anyway, so in time we will know what it is that brought the browser down, no need of some second opinion. That is why I linked to your analysis. Obfuscation cannot be trusted straight or for whatever exploit it was written and on whatever app it will work out something to get a malicious foot between the door of your OS, so if the avast shield blocked this, I am not gonna argue too much, I think this malware vector is getting more and more focus and impact recently, so good that avast keeps an eye on the possible dangers,

@ Confused Computer User
Sessionstore-1.js can be created for a short while and renamed to sessionstore.js after writing to that file has finished as a safety precaution against file corruption. Sessionstore-1.js will only stay on disk if renaming fails. Journal files are created for the same reason: they allow to undo partial changes to sqlite database files.
You can disable Session Restore if you do not want to use that file, but then you lose session data in case Firefox crashes.
See http://kb.mozillazine.org/browser.sessionstore.enabled

polonus
« Last Edit: April 08, 2009, 11:04:45 PM by polonus »
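The write-then-rename precaution described in Reply #7, together with the read-only check suggested in Reply #6, as an added example that is not part of the original thread and is not Firefox's or avast's code. The file names come from the posts; the function names, the plain-JSON state and the sample URL are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile

MAIN = "sessionstore.js"    # file names as given in the thread
TEMP = "sessionstore-1.js"

def save_session(profile_dir, state):
    """Write to the temp name, flush to disk, then rename over the main file."""
    tmp_path = os.path.join(profile_dir, TEMP)
    with open(tmp_path, "w", encoding="utf-8") as fh:
        json.dump(state, fh)   # plain JSON is an assumption, not Firefox's on-disk format
        fh.flush()
        os.fsync(fh.fileno())
    # Readers see either the old file or the new one, never a half-written file.
    os.replace(tmp_path, os.path.join(profile_dir, MAIN))

def triage(profile_dir):
    """Read-only report: size, SHA-256 and parse status of each session file."""
    report = {}
    for name in (MAIN, TEMP):
        path = os.path.join(profile_dir, name)
        if not os.path.exists(path):
            report[name] = None
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            json.loads(data.decode("utf-8"))
            parses = True
        except (UnicodeDecodeError, ValueError):
            parses = False
        report[name] = {"size": len(data), "parses": parses,
                        "sha256": hashlib.sha256(data).hexdigest()}
    # A temp file still on disk means the last save never reached the rename.
    report["leftover_temp"] = report[TEMP] is not None
    return report

def demo():
    """Constructed scenario: one clean save, then a save cut off mid-write."""
    with tempfile.TemporaryDirectory() as d:
        save_session(d, {"windows": [{"tabs": ["https://example.test/"]}]})
        clean = triage(d)
        with open(os.path.join(d, TEMP), "w", encoding="utf-8") as fh:
            fh.write('{"windows": [{"tabs": ["https://exa')  # truncated on purpose
        interrupted = triage(d)
    return clean, interrupted

if __name__ == "__main__":
    for label, rep in zip(("clean", "interrupted"), demo()):
        print(label, json.dumps(rep, indent=2))
```

The SHA-256 values let a flagged file be looked up or submitted for a second opinion before anything is deleted or moved to the chest.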

Offline DavidR

Re: Avast crashed Fx...
« Reply #8 on: April 08, 2009, 11:32:19 PM »
Me being the trusting sort NOT never take anything on face value and that includes detections on 'any' security application, I investigate first ;D