Topic: avast does not detect file as malware within windows, only via a full boot scan?


thedarkness

  • Guest
I am using the latest free version of avast. I have downloaded a foobar player skin, and the files contained within the rar are determined to be safe after an extraction. If I do a full boot scan however, one dll file within the skin is now recognised as malware. The file is foo_ui_columns.dll, in the component folder of the 'foo flow' skin (foo_flow.rar), from customize.org/foobar/skins/56042. I am told I am infected with yiqilai [pup]. I go back into windows. On a scan of the same individual dll, avast still finds nothing questionable about it, but I have put it in the chest for now. The only other similar issue I have had is with an 8-bit .fdi file from a sinclair emulation cd, detected as 'usk-789' malware. It's only detected within windows on a full scan, despite a boot scan also having gone through the same folders. The file is not compressed. Any idea on why they are detected on one and not the other? The skin dll was on my desktop (within an extracted folder), the fdi file was on another partition of the same single hdd. I am certain they are both false positives (I have been told the fdi might be detected as malware simply because it relates to a floppy file?). The foobar skin is detected on virus total on 7 programs out of 40+. I can understand vaguely why compressed content, whether via a full boot scan or within windows, might be missed, but I don't know why dlls and fdi emulator files might not both be detected within both scan modes.

Thanks for any info on my skin, and why avast may only detect a file as malware depending on scan mode  :)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76017
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Any idea on why they are detected on one and not the other?

I guess you've PUP detection enabled only in one but not the other. ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89611
  • No support PMs thanks
The boot-time scan has scan for PUPs enabled by default, but the other regular on-demand scans don't.

I feel a major reason why PUPs aren't scanned for by default in the normal on-demand scans is because most people don't understand what a PUP is (other than man's best friend) and many would treat it as if it were a real infection.

The problem being the user needs to know what PUP is installed on their system, and if avast were to alert, they have a decision to make (one they may not have enough information to make): is this a legit program, did I install it for a purpose, has it been on the system for some time, etc.

Potentially Unwanted Program - See http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1066761,00.html. Not included in this definition are tools which can be used for good or evil; some have been legitimately installed for a specifically good purpose, but could have been unknowingly installed for a malicious purpose.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

thedarkness

  • Guest
Thanks for the replies :) The potentially unwanted program PUP warning was from the skin downloaded by myself manually. If avast is simply not sure of what to make of the file, and it's up to me to decide whether to take the risk, I may ignore it as it came from a fairly reputable site, the skin being up for a fair while without any user warnings. I have run the skin on the media player, and it worked 100%, there didn't seem to be any issues within windows. PUP sounds like a more in-depth scan. As you mention, it's switched off by default within windows. It sounds like if it wasn't, there could be many worried users with clean machines out there with all these potential multiple PUP warnings popping up? I will dismiss it... unless it's not just a rough guess (a false PUP, lol) and there is a definite clear reason as to why it was labelled a PUP in the first place. Are there any tools I can use to find out, or is it all within avast?

The malware warning was for the equivalent of a floppy format file (.fdi?) for an old non-windows system, on an emulation cd. I'm assuming it may be a false positive malware warning. I will dismiss it, but leave it in the chest or simply delete it, as it's not in english and of no use to me. Do you think the fact it's a floppy format equivalent for an old computer might increase the likelihood of avast giving me a warning, with avast possibly believing it's questionable windows software?

ps - the PUP warning was only for the skin's 'dll' inside the rar, it didn't state any other particular location (eg installed within windows or its registry), despite having used the skin once before. The skin doesn't install, it only needs to be extracted to use, into the right directory in the media player. I don't know if that's of any use to determine whether it's anything to be concerned about or not. It would seem that simply deleting the dll might just remove the warning on the boot scan, although I'll have to test that out to know if it's definite or not, to know if nothing was written to windows or the registry etc. Thanks
« Last Edit: June 14, 2012, 01:32:20 AM by thedarkness »

Offline DavidR

If the floppy format file was a win32:malware-gen detection, this is a generic signature and, given what the file is designed to do (format something), it would be debatable if that should also have had a [PUP] suffix?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, and report the findings here; post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to open the chest, right click on the file and select 'Extract' to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.


thedarkness

  • Guest
Yes, the floppy file did not give a PUP warning; only the 'foo_ui_columns.dll' from the skin rar gave the yiqilai [pup] warning, during a boot scan. The '.fdi' floppy file was detected as usk-789 malware within windows during a full scan, not labelled as [PUP]. The fdi was not detected as malware on a boot scan, or quick scan within windows. The fdi is on another partition, so that would seem to be the reason why: a boot scan and (obviously) a quick scan don't scan all partitions, or as thoroughly.

The .fdi floppy file (update: I have TWO of these files on the cd, detected as malware)
https://www.virustotal.com/file/677cc2bb050f5d5477ac40abb5bc9818dea92c1cdc7d2d5fcd7f2af87dffbd96/analysis/
https://www.virustotal.com/file/bfe7fb0ba1064d5c9a624970f42fc49b74fd5b1e5e8412623d3ba85c026c1f25/analysis/

The foo_ui_columns.dll from the skin (only detected on a boot scan, as PUP)
https://www.virustotal.com/file/ba7c7f620bb31c38c10f0dc823d24c11befa783e72ecfe3b684325537eaa80b1/analysis/

Both fdi files seem to give identical results. The only other malware caught within the last couple of years is one file, found in application data\java\deployment\cache, and still in the chest. I believe this to be the most likely actual malware:
https://www.virustotal.com/file/4588a2c5da64720b375c0984922425728362b5792a443b719ed9c7b61d29f829/analysis/

Thanks for the reply :) I'm still wondering how I can find out what any file labelled as PUP may actually do, if it's possible for any detection tool such as avast that labels anything as PUP to know or have any further details. I don't know what to make of the fdi's; it would seem being old floppy files for another system may increase the likelihood of causing confusion. The files are labelled as 'file type: unknown' within virustotal, but are picked up as malware on the exact same 7 programs out of 41.
« Last Edit: June 14, 2012, 09:07:48 PM by thedarkness »

Offline DavidR

Unfortunately the first 2 VT results you posted are almost three years old; when you see they are previously scanned and from more than a couple of weeks ago, it is best to have them rescan the submission.

The 3rd VT result is similarly out of date; if a rescan shows only avast detecting it, then it should be sent to avast for analysis:
Send the sample to avast as a possible False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

The JAVA cache one is most commonly found when your JAVA version is out of date and probably being exploited. Unless you specifically require JAVA (not javascript) you can uninstall it otherwise you need to ensure that it is the latest version, now JAVA 7 update 5.

The problem is it really is almost impossible to say what the PUP might do without a good deal of knowledge of what is on your system and what it does (usually googling like a thing possessed for more information), as the range of what might be considered a PUP is very wide. Or running it in a virtual environment and monitoring what it does, and that too requires skill.
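The triage rules DavidR gives above (rescan anything more than a couple of weeks old; if a fresh scan shows only avast flagging the file, submit it as a false positive) can be scripted. This is an added example, not code from the thread or from VirusTotal; it assumes the VirusTotal API v3 report layout (data.attributes.last_analysis_date and last_analysis_results) and uses constructed sample reports rather than live results.

```python
"""Triage a VirusTotal file report: stale verdicts get rescanned, a fresh scan
where only avast objects is a false-positive submission candidate, and
agreement across several engines means the file deserves a closer look.
Added example; assumes the VirusTotal API v3 JSON layout (an assumption)."""
import datetime as dt

UTC = dt.timezone.utc
STALE_AFTER_DAYS = 14          # "more than a couple of weeks" -> rescan first


def triage(report: dict, now: dt.datetime, vendor: str = "Avast") -> dict:
    """Return the scan's age, which engines flagged the file and the next step."""
    attrs = report["data"]["attributes"]
    scanned = dt.datetime.fromtimestamp(attrs["last_analysis_date"], UTC)
    age_days = (now - scanned).days
    results = attrs["last_analysis_results"]
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    if age_days > STALE_AFTER_DAYS:
        action = "rescan"                 # an old verdict is not worth interpreting
    elif not flagged:
        action = "clean"
    elif flagged == [vendor]:
        action = "submit-false-positive"  # only avast flags it: send to the virus lab
    else:
        action = "investigate"            # several engines agree; treat as suspicious
    return {"age_days": age_days, "flagged_by": flagged,
            "engines": len(results), "action": action}


def _report(scan_time: dt.datetime, verdicts: dict) -> dict:
    """Build a minimal constructed report in the v3 shape (sample data, not VT output)."""
    return {"data": {"attributes": {
        "last_analysis_date": int(scan_time.timestamp()),
        "last_analysis_results": {eng: {"category": cat, "engine_name": eng}
                                  for eng, cat in verdicts.items()}}}}


NOW = dt.datetime(2012, 6, 14, tzinfo=UTC)   # the thread's date, constructed
# Constructed stand-ins for the thread's two cases: an old scan with several
# hits, and a fresh scan where only avast objects.
STALE_REPORT = _report(dt.datetime(2009, 8, 1, tzinfo=UTC),
                       {"Avast": "malicious", "EngineA": "malicious",
                        "EngineB": "undetected"})
FRESH_AVAST_ONLY = _report(dt.datetime(2012, 6, 13, tzinfo=UTC),
                           {"Avast": "malicious", "EngineA": "undetected",
                            "EngineB": "undetected"})

if __name__ == "__main__":
    for label, rep in (("stale", STALE_REPORT), ("fresh", FRESH_AVAST_ONLY)):
        print(label, triage(rep, NOW))
```

With a live API key the same function can be fed the JSON from GET /api/v3/files/{sha256}, and a "rescan" result maps to POST /api/v3/files/{sha256}/analyse.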