Author Topic: Possible F/P? -- operating memory of Windows Defender infected  (Read 7149 times)


Eat Eaterson

  • Guest
I only just made the cool discovery of the screen-saver scanner, after reading the Avast! blog.
I am loving this feature, but now I see something strange happening with it.

When the screen-saver scan checks the operating memory, it detects the virus "JS:Agent-AU [Expl]" in the running process memory of Windows Defender (MsMpEng.exe).  However, when I do the scan of operating memory by launching Avast! Antivirus manually, there is no report of an infection in operating memory (i.e. no pop-up dialog of any infection).  Does this occur on anyone else's (Win-XP) machine?  Could it be an F/P?  ???

The screen-saver scan is stopped when it finds this infection signature, so none of the rest of my computer gets scanned -- this detection occurs very soon after the start of the scan.  So, for now, I must turn off the "operating memory" scan-area choice - in order to get useful screen-saver scans.

I am running Avast 4.8 Pro.

Jtaylor83

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #1 on: July 27, 2009, 09:50:40 PM »
Yep, an FP. It should already have been corrected by now.

mliddick

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #2 on: September 15, 2009, 06:28:45 AM »
I have the exact same problem!  It's been an issue since about the same time as this post.  Unfortunately, it's still an issue.  If this is a False Positive, why hasn't it been fixed yet?

Mike

kd6dm

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #3 on: September 28, 2009, 07:07:52 PM »
Hi, my first post here. I also have the same problem. I have run MalwareBytes Anti-Malware, SUPERAntispyware, most of the online scanners such as Trend Micro Housecall, and they all come up clean. HijackThis log is clean.  I even uninstalled Windows Defender, ran CCleaner, and performed a boot-time Avast scan. Everything comes up clean, except for the screensaver scan.

Running 4.8 Home.

Can someone confirm that this is indeed an FP? I read on another forum that it might be, or might not be. Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #4 on: September 28, 2009, 08:13:00 PM »
"Everything comes up clean, except for the screensaver scan."
Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #5 on: September 28, 2009, 10:26:36 PM »
not a FP imho... just some unencrypted signatures in memory..

kd6dm

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #6 on: September 28, 2009, 10:46:18 PM »
Doesn't give a filename, screensaver scan is interrupted with a Process number and a memory address that are used by MsMpEng.exe. Says infection JS:AGENT-AU[Expl] has been found in process #### at memory address. Process number and memory address vary.

Thanks for the fast response.

kd6dm

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #7 on: September 29, 2009, 10:31:12 PM »
Here are the details of the last interruption of the screensaver scan:

                                     avast! Screen Saver

File:                 Process 636, memory address 0x040A0000, block size 262144

Number of files: 1620

                       Found virus JS:Agent-AU[Expl], testing is interrupted

The Process ### and memory address vary at every boot; the block size is always the same. The Process is always Windows Defender.
I don't believe that I'm infected, as 12 other scans e.g., Housecall, MBAM, SUPERAntispyware all come up clean. I'm stumped.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #8 on: September 30, 2009, 12:38:16 AM »
No, it doesn't look like you are infected, not because other scans don't say so, but just bad practice by Windows Defender loading unencrypted virus signatures into memory, as Maxx_original (one of the avast virus labs team) said.

avast will check and monitor processes loaded into memory as a part of the resident scanning by the Standard Shield, so I don't really know why the screen saver scan would detect this but not the Standard Shield, perhaps the settings that you have chosen for the scan.

I have had avast for over 5 years and other than testing have never used the screen saver scan, perhaps because I can't be bothered with a screen saver, can't see the point when I'm not there to watch. I would rather my monitor (and system) went into standby after a short time and save power.

I just do a manual Standard on-demand scan without archives as a part of my weekly system maintenance.

So outside of the screen saver does avast find this on any other scans?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
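
Added illustration (not part of the thread, and not Avast or Microsoft code): a toy model of the mechanism described in the reply above, where one scanner's plain-text signature table sitting in process memory matches another scanner's pattern, while an obfuscated copy does not. The signature name, byte pattern, XOR key and padding are constructed assumptions; only the process name and address are taken from the scan output quoted earlier.

```python
# Added illustration: toy model of a memory scanner tripping over another
# scanner's signature table. All patterns and keys are constructed.
from dataclasses import dataclass

# Constructed marker standing in for a script-exploit pattern (not a real one).
SIGNATURES = {"Toy:Script-Expl": b"TOY-EXPLOIT-MARKER-0001"}
XOR_KEY = 0x5A  # hypothetical single-byte key for the stored copy


@dataclass
class MemoryBlock:
    process: str
    address: int
    data: bytes


def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def scan_block(block: MemoryBlock) -> list:
    """Naive memory scan: report every signature whose bytes occur in the block."""
    return [name for name, pat in SIGNATURES.items() if pat in block.data]


def load_database(obfuscated: bool) -> bytes:
    """In-memory signature table as the 'other' scanner would hold it."""
    table = b"\x00".join(SIGNATURES.values())
    return xor(table) if obfuscated else table


def match_with_obfuscated_db(db: bytes, sample: bytes) -> bool:
    """The owning scanner decodes its patterns only while matching a sample."""
    return any(pat in sample for pat in xor(db).split(b"\x00"))


def demo() -> dict:
    pad = b"\x00" * 64  # constructed filler around the table
    plain = MemoryBlock("MsMpEng.exe", 0x040A0000, pad + load_database(False))
    hidden = MemoryBlock("MsMpEng.exe", 0x040A0000, pad + load_database(True))
    sample = b"<script>TOY-EXPLOIT-MARKER-0001</script>"  # constructed input
    return {
        "plain_db_flagged": scan_block(plain),      # table itself looks "infected"
        "obfuscated_db_flagged": scan_block(hidden),  # no cross-scanner hit
        "still_detects": match_with_obfuscated_db(load_database(True), sample),
    }


if __name__ == "__main__":
    print(demo())
```
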

kd6dm

  • Guest
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #9 on: September 30, 2009, 11:17:10 PM »
Hello Mate,

Thanks for the reply. avast! doesn't find anything in a boot-time scan, nor a manual scan. I'll look at my settings, perhaps the screen-saver scanner was the only one I have set up for a memory scan. Not surprised that the problem probably lies with Microsoft.

Thanks again for your help.

Jerry Davis

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Possible F/P? -- operating memory of Windows Defender infected
« Reply #10 on: October 01, 2009, 12:07:42 AM »
You're welcome.

The on-demand scan if started from the avast 'a' icon (right click the avast 'a' icon, select Start avast! Antivirus) does a memory scan before it opens the Simple User Interface. This is why I thought it strange that it wouldn't be found on that, but on the screen saver scan.