Topic: Avast detects Threat:Win32:Agent.coh[Trj] in Spybot S&D resident process

Offline bluetimes

  • Newbie
  • *
  • Posts: 4
 :-\ avast detects threats in Spybot processes. Cannot quarantine or apply any action because it says Access is denied. Are these false positives? They are not detected when Spybot resident is shut down.

Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not an avast user
These are false detections if avast detects the definitions inside Spybot S&D.

I recommend switching from Spybot to a much better program: Malwarebytes, www.malwarebytes.org

Altarir.

  • Guest
Quote
They are not detected when Spybot resident is shut down.

Spybot resident protection loads its virus signatures into the memory of some processes, as far as I know. Since these are virus signatures, avast obviously detects them as malware. They won't harm you, though.

The moral is: do not run more than one AV with resident protection on.
« Last Edit: May 28, 2010, 01:32:02 PM by Altarir. »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Good programs load the definitions encrypted so that they are not detected as false positives.
Spybot is a good old companion. Not that much help nowadays.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Quote
:-\ avast detects threats in Spybot processes. Cannot quarantine or apply any action because it says Access is denied. Are these false positives? They are not detected when Spybot resident is shut down.

Thanks

For them to be detected under normal circumstances, you have changed the default settings (relating to Ignore Virus Targeting) in the avast on-demand scan:

[Image: Ignore Virus Targeting]
Quote
In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code). With "Ignore virus targeting" option enabled avast! can detect these harmless fragments.

These items in scan results are not the files but the virus is detected in memory allocated to security_program_name.exe process - because of this no action is available.

So what scan detected these, and have you made changes to the avast scans?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
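An added illustration (not code from this thread, avast or Spybot) of the mechanism described in the posts above: a pattern scanner flags another security tool's definition table when that table sits unencrypted in a data segment, and stops flagging it when the table is stored encoded. The byte patterns, region names and XOR encoding are constructed, and modelling "virus targeting" as "only examine executable regions" is a simplifying assumption.

```python
# Added illustration. Patterns, names and the XOR encoding are constructed;
# none of this is a real AV signature or any vendor's code.
from dataclasses import dataclass

SIGNATURES = {
    "Demo.Sig.A": b"\x13\x37DEMO-PATTERN-A",
    "Demo.Sig.B": b"\xca\xfeDEMO-PATTERN-B",
}
XOR_KEY = 0x5A  # toy stand-in for "definitions stored encrypted"

def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    """Encode/decode a buffer with a single-byte XOR (illustration only)."""
    return bytes(b ^ key for b in data)

@dataclass
class Region:
    name: str
    executable: bool  # True = code section, False = data segment
    data: bytes

def resident_process(encrypt_definitions: bool) -> list:
    """Model the memory of another security tool: code plus a definition table."""
    table = b"".join(SIGNATURES.values())
    if encrypt_definitions:
        table = xor(table)
    return [
        Region("other_scanner.exe:.text", True, b"\x55\x8b\xec\x90" * 8),
        Region("other_scanner.exe:.data", False, b"\x00" * 16 + table),
    ]

def scan(regions, ignore_targeting: bool) -> list:
    """Return (region, signature) hits.

    Assumption: with targeting on (the default) only executable regions are
    examined; with ignore_targeting=True every region is pattern-matched.
    """
    hits = []
    for region in regions:
        if not ignore_targeting and not region.executable:
            continue
        for sig_name, pattern in SIGNATURES.items():
            if pattern in region.data:
                hits.append((region.name, sig_name))
    return hits

if __name__ == "__main__":
    for enc in (False, True):
        for ignore in (False, True):
            print(f"encrypted={enc} ignore_targeting={ignore}:",
                  scan(resident_process(enc), ignore))
```

Every hit names a memory region of the other process rather than a file on disk, which matches the quoted explanation of why no quarantine action is offered.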

Offline bluetimes

  • Newbie
  • *
  • Posts: 4
Thanks everyone
Quote
For them to be detected under normal circumstances, you have changed the default settings (relating to Ignore Virus Targeting) in the avast on-demand scan:

Yes David, I did enable 'ignore virus targeting'. But then today I ran the scan with it disabled and then with it enabled. It detected the Spybot resident processes on both. The resident was working in the tray both times.

Quote
So what scan detected these, and have you made changes to the avast scans?

Yes, changed almost all:

Custom scan (not scheduled or boot)
Memory, Auto start all users, rootkits full scan
Scan all files
High sensitivity
Use code emulation
Test whole files
Ignore virus targeting
Scan for PUPs
Follow links
All Packers
high Scan priority
Speed up using persistent cache

The target was mainly spyware.

file:///D:/My%20Documents/New%20Folder%20(2)/1.jpg
file:///D:/My%20Documents/New%20Folder%20(2)/2.jpg

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
There are other options that may well have the same impact, but the most common is Ignore Virus Targeting; when unchecked (the default setting), if it doesn't remove them all it should reduce the number. The Memory scan is obviously one such area that may return these detections, as will the Test whole file option.

The main thing is to know what the actual alert is telling you in relation to memory locations loaded by another security-based application (they have loaded unencrypted signatures into memory).

Your attempt to attach images has failed.

Offline bluetimes

  • Newbie
  • *
  • Posts: 4
Sorry David, these are the pics.

I have also got PC Tools Spyware Doctor with Anti-virus as a secondary virus scanner, which does not detect these. I just wanted to confirm these were false positives.

Another question: why did my Avast full scan not detect a Refog keylogger setup exe file stored on the hard disk while PC Tools Spyware Doctor did? It detected it as KGBSpy spyware.

Thanks :)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
The detections are in memory. They're Spybot (and TeaTimer) virus definitions that weren't encrypted. Bad.
You can ignore them or try another (much better) scanner for spyware (like MBAM and SuperAntispyware).

For resident, you can try WinPatrol, ThreatFire or other HIPS program (but TeaTimer is not that good anymore).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Quote
I have also got PC Tools Spyware Doctor with Anti-virus as a secondary virus scanner, which does not detect these. I just wanted to confirm these were false positives.

Another question: why did my Avast full scan not detect a Refog keylogger setup exe file stored on the hard disk while PC Tools Spyware Doctor did? It detected it as KGBSpy spyware.
<snip>

As Tech confirmed, these are unencrypted signatures loaded into memory by Spybot and TeaTimer functions.

Since you don't mention the file name and location of the PC Tools detection I can't really comment. However, I can say that if you are running PC Tools with the resident AV version then you are likely to come into conflict at some point, as two resident AV scanners shouldn't be installed.

You could also check the offending/suspect file detected by PC Tools at VirusTotal (multi-engine online virus scanner) and report the findings here, i.e. the URL in the address bar of the VT results page.

Nightwinger

  • Guest
Keyloggers and virus definitions are acknowledged by Spybot as stuff that some AVs will report as false positives. Also, the TeaTimer may trigger a false threat since it is able to modify the registry. Nothing to worry about.

See FAQ from SPYBOT website:

http://www.safer-networking.org/en/faq/49.html

CharleyO

  • Guest
***

Avast has never found a problem with Spybot in all my years of using both programs. Nor is avast detecting anything in Spybot as of today even though TeaTimer is always active.


***

Offline bluetimes

  • Newbie
  • *
  • Posts: 4

Thanks Everyone   :D

Tech, since they are in memory I will take them as false positives for now.
David, I tried to upload the file to VirusTotal but was not successful. It is the quarantined sfs file.
Nwinger, yes, and when put in paranoid mode TeaTimer asks before any changes are made to the reg.
Charley, I didn't have this problem before; it has only been happening in the last 2 months. My other scanner does not detect anything.

 :)