Cannot open VMWare Fusion with Avast beta - Trojan found?

[bilbo--baggins]

I'm not sure if this is genuine, or a bug.  I have VMWare fusion 4 with Windows XP installed.  Yesterday I installed the trial version of Avast Internet Security.  It's scanned the machine without any problems found.

I since then installed the Avast! free Antivirus for Mac beta.  It too has scanned my Mac (which has VMWare Fusion 4 on it) and found no problems.

However today, when I try launching VMware Fusion it stops during the resume (the machine is suspended when VMWare Fusion is quit) and Avast free Mac beta reports it's found an infected file within the virtual machine (a file within the Virtual Machine package). It reports that it's found Win32: Agent IZJ [TRJ]. The file is called Windows XP Professional 2-s001.vmdk and is called 2.15GB (too big to submit for analysis?!)

When I turn of the Avast Filesystem shield then VMWare Fusion resumes as normal.

My questions are 1) is this really likely to be a trojan or a bug (why isn't it found with the scan), 2) if it is a trojan, why is there no option to repair the file?  It seems that Avast only notifies me of infected files - and doesn't do anything about them?  What is the correct procedure - am I then supposed to scan the file to repair it?  What if the scan finds no problems?

In the meantime I'm running a scan within Windows XP inside the virtual machine (with Mac filesystem shield off) with the sensitivity turned up to high and to scan whole files).

[Gargamel360]

Ehhh....in lieu of being able to submit it, if I had to guess and this was my system....I would treat the detection as a false positive, given the various circumstances.

Avast! for Windows has gone wonky at least once these past couple days, returning detections on its own files, that might be what is happening, Avast! detecting a part of itself within the VM, also VM files have been flagged before with odd FPs.  Update your definitions (if available), and if that does not clear up the problem, just exclude the VM file/folder from scanning, since Avast! installed within the VM shows clean. 

Mind you, that is simply guesswork, and infections are serious business, so if you wanted to be ultra cautious, just delete the VM.  Also, if you do not delete it, and the detection persists, someone from Avast! might want a look at that file...it would have to be sent over ftp, but wait till hearing from someone from Avast! before that, as anything sent ftp unsolicited might be lost/ignored.

[bilbo--baggins]

Thanks for the reply. I was thinking along the same lines - my first assumption is that it's a false positive.  Having said that, the scan I'm currently running on backups of that Mac laptop using the trial of Avast for Mac has found Trojans including the one reported here.  I've also used VMWare Fusion to create a new vital machine having scanned my Windows XP disc, and I'm able to run this without any reports of infections (after installing Avast Internet Security Trial).  Fortunately the affected virtual machine is configured to be isolated from the network, has no email accounts set up, and is only used for testing a web site with Internet Explorer.  Therefore the risk of spreading something is presumably minimal - but equally the whole machine can be trashed with minimal consequences.

Either way something isn't working right - given that Avast! Internet Security finds nothing on a disk scan or boot scan within the virtual machine, and Avast! free Antivirus for Mac beta doesn't find anything scanning the virtual machines files on the Mac laptop.

Presumably whether it's a genuine trojan or a false positive - one or other version of Avast isn't detecting something properly?

[bilbo--baggins]

Thanks.

One other thought that I had is that the new installation hasn't yet been through the (lengthly) process of doing Windows updates.  From reading another thread here from 2009 it could be Windows own updates that have definitions that Avast in Windows knows to ignore?  Presumably I'll find out once I've run all the Windows updates (and I'll make sure I don't browse the internet until it's been checked).

I'm fairly new to using Antivirus software on the Mac (and very little experience of it on Windows too) - if I'm starting to use antivirus on the Mac, and Avast (or in the case of Windows on my wife's Mac, McAfee) is running within those virtual machines, would you recommend I just exclude those virtual machines from any scans and live monitoring permanently?

[mity]

would you recommend I just exclude those virtual machines from any scans and live monitoring permanently?

This would be probably the right solution. However exclusion list on the Mac is not yet implemented. (It's planned feature though).

Regards,
Mity