avast 5.0.366: suspicious file detected : hardlock.sys

[samnetx]

avast 5.0.366: suspicious file detected : %SystemRoot%\system32\drivers\hardlock.sys
edit: detected by avast heuristics (previous avast version not detected anything suspicious like that)
hardlock.sys
HARDLOCK.SYS is related to Hardlock Device Driver for Windows NT.
Manufacturer: Aladdin Knowledge Systems Ltd.
www.aladdin.com

The file deleted several times from the computer using avast5.0.366 menu whenever avast5.0.366 detected the file but the file is coming back again and again.
Complete virus scan from avast5.0.366 found no virus or malware.

samnetx

[polonus]

Hi samnetx,

You could upload to virustotal.com and see what scanners flag it to decide if it is really is a False Positive.

See info on this file:
http://www.tallemu.com/oasis2/file/aladdin_knowledge_systems_ltd_/hardlock_device_driver_for_windows_nt/hardlock_sys/24501

Associated with an alledged worm here: http://www.prevx.com/filenames/X3961266400541339988-X1/HARDLOCK.SYS.html

Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!
Heuristical find: http://heavenward.ru/removeany_search.php?s=4ef7.hardlock.sys

This is why it probably was flagged: First of all there are two versions of hardlock.sys because they contain different packet crypt code. And both do it inside virtual machine. Code of VM and p-code obfuscated. The obfuscation there is probably heuristically flagged - so update to avast with this
remark....

polonus

[samnetx]

virustotal not detected anything. It is a False Positive
https://www.virustotal.com/analisis/5f8f5f79ffd25c8717a501a34ed77833f67e48c08f1b641d9c9e56dff1fe8e34-1263884253

[Yanto.Chiang]

Hi Samnetx,

Please submit to virus@avast.com
with compress file name : virus
password : virus

and give subject as : False Positive.

[Vlk]

It's a Behavior Shield detection.
Can you please post the contents of the file

c:\programdata\alwil software\avast5\log\arPot.log

??

Thanks
Vlk

[RejZoR]

How does the Behavior Shield popup look like? I've never seen one to date.

[Maxx_original]

RejZoR: look at the screenshot somewhere in beta subforum... someone already posted it (yesterday)

[samnetx]

It's a Behavior Shield detection.
Can you please post the contents of the file

c:\programdata\alwil software\avast5\log\arPot.log

??

Thanks
Vlk

Log file arPot.log attached here.
It shows that hardlock.sys file is suspicious by avast5.0.366
File sent to avast for verification.