Author Topic: Win32:Bifrose-EGW[Trj]  (Read 6670 times)

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Win32:Bifrose-EGW[Trj]
« on: July 25, 2009, 12:05:00 AM »
Hello

Has anyone recently had avast! flag a Windows Installer file named c415ae.msp as infected with Win32:Bifrose-EGW[Trj]?

I zipped and password-protected the file and sent it to support a few hours ago, but have not heard back.

As an aside, I also noticed that when I tried to email the file to avast from the Chest (by clicking the email icon on the toolbar), nothing happened... that is, the Submit file dialog did not appear.  :(  It does appear for other files in the Chest.  Any ideas?

I eventually added the file to the exclusions lists, in order to email it and also upload it to VirusTotal.  VT, by the way, only had avast! and one other vendor flagging this file.

Any info and help would be appreciated.  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33450
  • malware fighter
Re: Win32:Bifrose-EGW[Trj]
« Reply #1 on: July 25, 2009, 12:26:22 AM »
Hi Snagglegrain,

Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: Win32:Bifrose-EGW[Trj]
« Reply #2 on: July 25, 2009, 12:29:28 AM »
Yes, lots of them, in the viruses and worms forum. http://forum.avast.com/index.php?topic=47063.0 as polonus mentioned.

No idea why the submission form didn't pop up for this file but does for others, as there should be no difference in file types.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.11.2500 (build 21.11.6809.528) UI 1.0.683/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #3 on: July 25, 2009, 12:36:24 AM »
Quote from: DavidR
> No idea why the submission form didn't pop up for this file but does for others, as there should be no difference in file types.

I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   :-\

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #4 on: July 25, 2009, 12:42:53 AM »
Quote from: polonus
> Hi Snagglegrain,
>
> Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
> Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,
>
> polonus

Sorry, looks like I posted this in the wrong forum.  :-[  I'll know better next time.   :)

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #5 on: July 25, 2009, 12:49:51 AM »
Quote from: polonus
> Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update

Yes, a malware analyst from support just emailed me back...

"File is falsely detected. The detection
will be corrected in next VPS update 090725-0."



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: Win32:Bifrose-EGW[Trj]
« Reply #6 on: July 25, 2009, 01:25:29 AM »
Quote from: Snagglegrain
> Quote from: DavidR
> > No idea why the submission form didn't pop up for this file but does for others, as there should be no difference in file types.
>
> I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   :-\

It can't be virus-like behaviour inside the chest, a protected area, even if it was possible it doesn't make sense that it would affect one file type and not another.

The other problem is that there have been others who have been able to submit the file.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #7 on: July 25, 2009, 10:43:23 PM »
Quote from: DavidR
> The other problem is that there have been others who have been able to submit the file.

David, did you notice that Fallen-Parts encountered the same behavior as I did when trying to email one of these fp's from the Chest?

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #8 on: July 25, 2009, 10:45:20 PM »
Quote from: Snagglegrain
> Yes, a malware analyst from support just emailed me back...
>
> "File is falsely detected. The detection
> will be corrected in next VPS update 090725-0."

It's all good now!   :P

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: Win32:Bifrose-EGW[Trj]
« Reply #9 on: July 25, 2009, 11:47:22 PM »
Quote from: Snagglegrain
> Quote from: DavidR
> > The other problem is that there have been others who have been able to submit the file.
>
> David, did you notice that Fallen-Parts encountered the same behavior as I did when trying to email one of these fp's from the Chest?

Yes I did, weird. Not something I could check out as I have had no detections.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #10 on: July 26, 2009, 12:31:30 AM »
If you really want to check it out, I could email you a zipped copy of the fp file I had, and if it's possible to roll back detections to yesterday, you might be able to see the behavior for yourself??

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: Win32:Bifrose-EGW[Trj]
« Reply #11 on: July 26, 2009, 01:09:33 AM »
I don't go that far to check things out on my own system thanks.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #12 on: July 26, 2009, 01:10:46 AM »
I don't blame you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: Win32:Bifrose-EGW[Trj]
« Reply #13 on: July 26, 2009, 02:24:23 AM »
Well I have found out what your problem is ;D

I found a .msp file and added it to the chest and that failed to bring up the form. However, I thought it might be because of its size getting in the way.

So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.

Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: Win32:Bifrose-EGW[Trj]
« Reply #14 on: July 26, 2009, 06:28:00 AM »
Quote from: DavidR
> Well I have found out what your problem is ;D
>
> I found a .msp file and added it to the chest and that failed to bring up the form. However, I thought it might be because of its size getting in the way.
>
> So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.
>
> Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.

You are 100% absolutely correct!  Good thinking, David.  I tested it on my settings as well, and have made the (10mb) change... that's a nice round number. ;)  I'm glad you figured that out.  Thank you.   :)