Author Topic: Virus Chest Destroys Files When Restored  (Read 12122 times)

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #15 on: April 26, 2011, 10:16:07 PM »
Anyone have any further comments about what was found in the MBAM log? For example, the "Videosoft" thing?

How about recommended Virus Chest size so files don't get destroyed?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Chest Destroys Files When Restored
« Reply #16 on: April 26, 2011, 10:28:38 PM »
You can set the chest size manually if you wish from the settings page

Not sure about the MBAM classification of videosoft though

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #17 on: May 14, 2011, 04:07:29 AM »
Well, the question was about a recommended Chest size. However, that doesn't make one bit of difference since I gave it basically unlimited size and told Avast to always "Ask" when something is supposedly found. Regardless of these settings, Avast continues to destroy files on false positives.

This time around Avast destroyed the Microsoft Mouse driver installer, the FireFox installer and who knows how many other files, claiming, yes you guessed it, another Win32:Tenga virus. There are no Win32:Tenga viruses in these files! And, it destroyed the files when I specifically told it to do nothing.

Why? Because it probably places the file into the Chest, thus destroying the file, and when I tell it to do nothing it puts the destroyed remains back.

Will someone at Avast please fix the file destroying bug in the Chest? Please. Pretty please?

The question I keep asking myself is, why worry about getting viruses when Avast anti-virus is doing a rather decent job of acting like one all by itself.

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #18 on: May 14, 2011, 10:35:09 PM »
Yesterday
From what I've been able to gather, Avast destroyed 14 files by claiming they all contained the same Win32:Tenga virus. I reran MBAM and there is no difference between what was mentioned previously and now. Ran Spybot and besides a couple questionable cookies, Spybot encountered nothing of elevated concern.

I again manually restored all 14 files from backup. Then did a comparison by using the old individual PAR2 check files in the original directories and they are all identical.

In the case of Firefox, I went a step further and re-downloaded the installer. The installer passes the old PAR2 check file, a quick binary comparison and a SHA-512 comparison with the original Firefox installer. For all measurable purposes, the Firefox installer is identical! Yet, Avast wants to destroy the file as soon as the file is copied back to the original location.

After the first round of destruction, I set the maximum size of the Chest to zero (unlimited) and the maximum size of file to 2,097,152 KB (2GB) in an attempt to avoid a file from getting destroyed when it's placed into the Chest. As I mentioned before, this didn't make one bit of difference since these 14 files still got destroyed even though I tried my best when the threat dialog appeared to tell Avast to do nothing.

Sadly, at this point there is no direct selectable option to do nothing in Avast. The only option is the close gadget in the left corner of the threat dialog. Unfortunately, this arrogantly suggests that there would never be a time that you would want to do nothing. And yet, I watched in total amazement while Avast destroyed 14 files with each click of the close button on the threat dialog.

In any case, it's interesting to note that some of these files are the exact same ones that were destroyed previously. These include such installers as the Firefox browser, Microsoft's DirectX, Microsoft's Intellipoint Software, Synaptics TouchPad driver, two WinAMP installers and two WinAMP plug-ins. All originally downloaded from their respective websites.

Based on the above, this suggests to me that while this is not likely to be a widespread issue, more likely a specific issue, Avast does have a repeatable Virus Chest bug. Of course, none of this would be happening if not for the Tenga false positives.


Today
Speaking of which, yesterday evening I disabled the File System Shield until next reboot. A few minutes ago and without rebooting the computer, I re-enabled the File System Shield. I then did a manual scan of the same Firefox installer. No threat was detected.

I see that a new 110514-1 brain file was downloaded while I was away. It appears that this new brain file might have included a new Tenga definition. Either that, or disabling and enabling the File System Shield is related to the issue.

It would seem to me that regardless of the state of the File System Shield, which would likely only trigger the event, the fact remains that there is a Virus Chest file destroying bug within Avast.

Please, does anyone have any further suggestions to help Avast, and ultimately all of us -- diagnose and find this bug?

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #19 on: May 16, 2011, 11:25:03 AM »
On 2011-04-18 the v6.0.1091 program update was released. Consider, first, when the program update was applied; second, that a false positive would need to be introduced into the virus definitions to trigger the event; and third, the time required for Avast to get around to automatically scanning that particular area of the hard drive. This could explain why it took 6 days after the release for Avast to begin destroying files. One day later and with a new virus definition, the same file which showed a threat one day before no longer triggers the bug.

On 2011-05-11 the current v6.0.1125 was released. Three days later and with a subsequent new virus definition file to trigger the event, Avast began destroying files again. One day later and a new virus definition, the same file one day before showing a threat, no longer triggers the bug.

Prior to the release of v6.0.1091, I never experienced anything like this before. Ever since then, there have been two separate but identical incidents where Avast has destroyed files, both related to moving files in and out of the Chest. And, if I'm not mistaken, this is an operation of the File System Shield.

I could be wrong as I'm not a programmer, but based on this it seems to me it's possible that these "fixes" to the File System Shield in v6.0.1091 could have introduced a nasty new bug in Avast that, under the right circumstances, has the ability to unintentionally destroy files.

Does this seem plausible?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Virus Chest Destroys Files When Restored
« Reply #20 on: May 16, 2011, 11:39:40 AM »
No.
The Tenga detection has been there for years, untouched. The behavior you mention (infections on various exe files suddenly appearing) exactly matches Tenga, being a file infector. So no, this is not a false alarm - something is infecting the files on your computer or network.

The program updates also didn't change anything about handling the files.

As for destroying the files... well, a file infector - such as Tenga - might certainly corrupt the files itself. It's also possible that the detection is triggered "in the middle of the infection" (the file was already modified by the virus so that avast! detects it - but the infector hasn't finished yet, so the file is in some kind of intermediate state) and the file was moved to Chest at that moment, in a corrupted state.

However, when dealing with file infectors (and I'd say avast! should be able to repair Tenga, even though I'm not 100% sure) - don't expect that the file will be restored exactly, so that the hash matches the original - that's just not possible. Some parts (e.g. a few EXE header fields) are irreversibly overwritten by the virus.
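An added example, not part of any post in this thread: it extends the backup comparison described in Reply #18 and the point in Reply #20 about overwritten header fields by reporting where a suspect copy differs from a known-good backup, not only whether the SHA-512 matches. The function names are hypothetical and the sample buffers are constructed, not real executables.

```python
import hashlib
from pathlib import Path


def diff_ranges(good: bytes, suspect: bytes, merge_gap: int = 16):
    """Byte ranges (end exclusive) that differ within the shared length."""
    ranges, start, last = [], None, None
    for i in range(min(len(good), len(suspect))):
        if good[i] == suspect[i]:
            continue
        if start is None:
            start = i
        elif i - last > merge_gap:      # far from the previous change: new range
            ranges.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    return ranges


def compare(good: bytes, suspect: bytes) -> dict:
    """Summarise how a suspect copy deviates from a known-good copy."""
    return {
        "sha512_match": hashlib.sha512(good).digest() == hashlib.sha512(suspect).digest(),
        "size_delta": len(suspect) - len(good),   # >0 data added, <0 truncated
        "changed_ranges": diff_ranges(good, suspect),
    }


def compare_files(good_path: str, suspect_path: str) -> dict:
    """Same comparison for two files on disk (backup copy vs. current copy)."""
    return compare(Path(good_path).read_bytes(), Path(suspect_path).read_bytes())


# Constructed sample data (not a real executable): 64-byte stub, marker, body.
GOOD = b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(range(256)) * 4
# Constructed case 1: four bytes rewritten early in the file, 128 bytes appended.
MODIFIED = GOOD[:40] + b"\xde\xad\xbe\xef" + GOOD[44:] + b"A" * 128
# Constructed case 2: copy cut short, as a broken restore might leave it.
TRUNCATED = GOOD[:100]

if __name__ == "__main__":
    for name, blob in (("modified", MODIFIED), ("truncated", TRUNCATED)):
        print(name, compare(GOOD, blob))
```

A copy that grew and changed in a few small ranges points to something rewriting the file, while a shorter copy with no changed ranges points to truncation during a move or restore.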

SafeSurf

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #21 on: May 16, 2011, 11:44:34 AM »
You have been through a lot and I can empathize with your frustration.

Question:

1.  Did you ever upload any of the files in the Chest to Avast for analysis?  If yes, they would have analyzed them on the next virus definition update and if there was a false positive it would have been fixed and pushed out to users for the next update.

Since this is not a widespread problem, I recommend the following:

1. Run an OTS log so that we can see what is actually going on inside your machine and analyze better.  Here is how to run OTS:

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode).  Post the OTS log as an attachment (Additional Options > Attach > Post). 

Do not make any changes to your machine after you post the OTS log or you will have to repeat this all over again!  We will analyze your OTS log and report back to you.  Thank you.




Nesivos

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #22 on: May 16, 2011, 04:12:36 PM »
Windows XP SP3 has a malware infection rate per 1,000 installations of more than six times that of Windows 7 x64.  It amazes me that people stay on any release of XP. 

Quote
Windows XP SP3 32-bit has an infection rate of 15.9 per thousand systems, while Windows Vista SP2 32-bit has half this infection rate, 7.5 per thousand. Windows 7 32-bit nearly halves this again to 3.8 per thousand, while Windows 7 64-bit managed to get the infection rate per thousand down to 2.5.

http://www.zdnet.com/blog/hardware/windows-7-more-malware-resistant-than-xpvista/12786

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Virus Chest Destroys Files When Restored
« Reply #23 on: May 16, 2011, 04:24:20 PM »
Quote
It amazes me that people stay on any release of XP.

I think it's a matter of budget and hardware limitations only...
The best things in life are free.

Dch48

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #24 on: May 16, 2011, 09:02:28 PM »
Quote
It amazes me that people stay on any release of XP.
I think it's a matter of budget and hardware limitations only...

I have never used any Windows version other than the one that came pre-installed on the machine. When I get a new computer, it will have Windows 7, but I'm not switching from XP on this one. I used 98SE from 1999-2005 and I've been on XP ever since October of 2005 and am very satisfied. I've also never been infected by anything since I first started using a Windows computer.

SafeSurf

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #25 on: May 17, 2011, 09:16:07 AM »
We should get back on-topic and wait for the OP to respond to Post #21 as this will give us more information to work with to fix his problem.  Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Virus Chest Destroys Files When Restored
« Reply #26 on: May 18, 2011, 02:44:46 AM »
Quote
We should get back on-topic and wait for the OP to respond to Post #21 as this will give us more information to work with to fix his problem.  Thanks.

Do you have any hope that he will come back?
The best things in life are free.

SafeSurf

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #27 on: May 18, 2011, 09:29:28 AM »
I'm beginning to question that, but I'm hoping he does, so I'm giving him another day or so.  :-\

sonaraghu

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #28 on: May 18, 2011, 10:48:40 AM »
Hi...

I've also had a similar problem like this a long time ago.
But that has happened only once. What I was thinking is that the virus programs have infected that software, because Avast hasn't detected the same software as threats before and after that event.

Thank you

SafeSurf

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #29 on: May 18, 2011, 10:56:23 AM »
Malware (infections) are changing all the time.  Yes, according to Post #20 by our senior Avast Team member, he explains the situation best.