Author Topic: Possible FP? Sf.bin  (Read 5414 times)

Ragamuffin

  • Guest
Possible FP? Sf.bin
« on: February 03, 2012, 05:35:45 PM »
Just started a full system scan with the latest updates and had C:\Program Files\Avast Software\Avast\Defs\12020300\SF.bin flagged as Win32:Trojan-gen.

true indian

  • Guest
Re: Possible FP? Sf.bin
« Reply #1 on: February 03, 2012, 05:40:26 PM »
I scanned my avast folder, nothing found here  :)

That's weird!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Possible FP? Sf.bin
« Reply #2 on: February 03, 2012, 05:43:52 PM »
reboot your machine and scan again....still detected ?

Ragamuffin

  • Guest
Re: Possible FP? Sf.bin
« Reply #3 on: February 03, 2012, 05:52:31 PM »
Quote
reboot your machine and scan again....still detected ?
Yes and no, as odd as it sounds, the scan and real time shield say it's a threat, but going to the virus vault and clicking to scan it comes up with no virus.

Offline Pondus

Re: Possible FP? Sf.bin
« Reply #4 on: February 03, 2012, 06:08:37 PM »
Quote
C:\Program Files\Avast Software\Avast\Defs\12020300\SF.bin
part of avast VPS....

Ragamuffin

  • Guest
Re: Possible FP? Sf.bin
« Reply #5 on: February 03, 2012, 06:12:00 PM »
Yea, I know it's part of Avast, but that's not really explaining why it's being flagged by Avast's scans and real time shield, but says it's clean when I scan it in the virus chest.

Offline Pondus

Re: Possible FP? Sf.bin
« Reply #6 on: February 03, 2012, 06:14:13 PM »
hmmmm.....computers...and avast works in mysterious ways    ::)

Average Joe

  • Guest
Re: Possible FP? Sf.bin
« Reply #7 on: February 03, 2012, 08:01:58 PM »
Same here:


[Move to Chest] and [Delete] don't work as the file is protected by Avast against tampering.
The popup won't go away until you make it [Block] the file.
Excluding [R][W][X] [C:\Program Files\Alwil Software\Avast5\defs\*] from the File System Shield scanning coverage shuts it up, but ignoring it doesn't seem to be the best idea.

Manual scan of [C:\Program Files\COMODO\] turns out clean.
Manual scan of [C:\Program Files\Alwil Software\Avast5\defs\] finds the "infection".

It's as if the VPS 120203-0 update contains a malware signature/sample which in itself is regarded as a threat by Avast.
I hope VPS 120203-1/120204-0 will address this and be released soon.

Just now, while it wasn't excluded from File System Shield scanning, I couldn't open Firefox. Only the [firefox.exe] processes would start without showing the program window. I could open Firefox once I selected and applied [Block] in the popup.
« Last Edit: February 03, 2012, 08:19:46 PM by Average Joe »

Ragamuffin

  • Guest
Re: Possible FP? Sf.bin
« Reply #8 on: February 03, 2012, 08:24:17 PM »
At least I'm not the only one. I should say that this is still an issue for me in the latest defs that have just come out, 120203-1.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Possible FP? Sf.bin
« Reply #9 on: February 03, 2012, 09:45:57 PM »
I don't know what scan it was that you were doing, but a context menu (right click), ashQuick.exe scan on the sf.bin file you mention and the whole defs folder (and sub-folders) comes up clean - VPS version 120203-1. The ashQuick.exe is effectively the most thorough of the scans.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Ragamuffin

  • Guest
Re: Possible FP? Sf.bin
« Reply #10 on: February 03, 2012, 09:48:41 PM »
I know, I've got no suspicions about it being infected or anything, I mean when it gets moved to the virus chest and I scan it there it comes up clean, but a full scan, or just scanning the file itself or containing folder flags it, and so does the real time shield.

Offline DavidR

Re: Possible FP? Sf.bin
« Reply #11 on: February 03, 2012, 09:56:06 PM »
I hate mysteries too.

Offline Flippy

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Possible FP? Sf.bin
« Reply #12 on: February 03, 2012, 09:57:00 PM »
Hello,

Thank you for noticing that. It's a false positive and it should be fixed in the next virus definition update.

Thank you and best regards,

Filip Chytry
Virus Analyst

Average Joe

  • Guest
Re: Possible FP? Sf.bin
« Reply #13 on: February 04, 2012, 09:56:36 AM »
I shut down my PC yesterday around 20:00 GMT+1, not wanting to mess with it - the VPS ver. at the time was 120203-0.

Booted today at 9:30 GMT+1 and got the popup - selected block. Then I checked the VPS ver. and it was 120204-0, so I hit manual engine/defs update to make sure I had the latest VPS - ver. 120204-0 was already up to date.
I did a manual (Explorer context menu) scan of [C:\Program Files\Alwil Software\Avast5\defs\] and it turned out clean. I logged off and on again and the popup didn't show as it used to do. I guess the popup in the morning showed up just before Avast auto-updated to VPS 120204-0.

VPS 120204-0 appears to have fixed it.

As a side note:
[\12020300\] (containing [Sf.bin]) is still in the [C:\Program Files\Alwil Software\Avast5\defs\] folder along with the new [\12020400\]. Should I do anything to remove [\12020300\] (like LiveCD boot and manual delete), or just leave it there as it doesn't cause problems anymore?

Offline DavidR

Re: Possible FP? Sf.bin
« Reply #14 on: February 04, 2012, 01:50:57 PM »
No, leave the defs sub-folders alone; you will normally have the current one plus the last one and on occasion (before avast's own housekeeping removes it) the one before that.