WnSoft Forums

Avast Anti Virus


Barry Beckham


Gary,

If Avast found a "solution," logic should tell you that it wasn't a virus with PTE. If it were, how could Avast have a "solution?" In such a case, were it a true virus, Wnsoft would have to have the "solution."

You send your exe files through multiple other anti-virus programs and no problems are found, ergo, Avast has a problem. The fact that after AVG removed two rootkits your problem went away should tell you that the "problem" was two rootkits not the "59" pte executables which were quarantined, right??

Best regards,

Lin

========================

Lin,

Not to beat a dead horse, but 'solution' means just that, something was resolved. It does not point either way. Your knowledge and logic, I am sure, is better than mine, but I don't get anything else but that they understood and solved the problem. Their solution could be to update or correct their malware list, like they do for all the other viruses. I am just curious how and what they did. Just curious.

Well, the question is, why didn't Avast find the two rootkits and solve it itself? I understand that not every anti-malware will catch everything. But since Avast did not detect the two rootkits, yes, I think Avast has a problem. If Avast had found the two rootkits, then I would not have had to use another program to solve the problem and I would not have had the 59 executables quarantined. The problem was fixed immediately after the rootkits were detected and removed.

Having a backup, it was very easy to just restore these exe's. I don't understand why it seems you are objecting to me trying to understand what Avast's 'solution' was. It is just not that obvious to me. :blink:

Gary


Hi Gary,

I'm not objecting to your discovering Avast's solution, but you said:

---------------------------

I have had a similar problem before of a virus attaching exe files created by PTE. No other exe's were attacked. Is there a particular vulnerability in the PTE exe's or is this just a random occurrence? As I mentioned above, 59 PTE exe's were quarantined.

--------------------------

The "virus" didn't "attach exe files created by PTE" - the antivirus software reported a false positive and quarantined perfectly good files. It's important to recognize the difference.

Best regards,

Lin


Hi Gary,

I'm not objecting to your discovering Avast's solution, but you said:

---------------------------

--------------------------

The "virus" didn't "attach exe files created by PTE" - the antivirus software reported a false positive and quarantined perfectly good files. It's important to recognize the difference.

Best regards,

Lin

================

Lin,

The portion of what you quoted of my post didn't show up so I am not sure exactly what you are referring to.

However, whether it was a virus or a false positive, the results, to me, were the same. It disabled a function in the PTE program and it caused the removal of a bunch of files. Avast has not yet replied to my submission to them. A false positive really isn't too much different than a virus, especially when it took me 2 full days of poking around trying everything I could find to get it back to normal. It seems you are ignoring that the removal of the rootkit (that Avast did not find) solved the problem. I have been using Avast and PTE together for a long time. Something went wrong.

Gary


Gary

Lin has explained what the issue was, it's the price we have to pay for our virus protection.

If we have a guy fit 5 padlocks on our door and he gives us 4 right keys and one wrong one, we can't get in. It's just an error, but nothing we can do will open that last padlock. The Virus software programs in their efforts to protect us sometimes make a mistake with the list that drives the virus programs.

They all have at one time or another so there is little point in changing virus programs when this happens. You just keep your head down, don't panic, but just be aware of the issue, but usually the virus definitions will be updated daily.

The part that caused the false positive is put right and the problem ceases on its own.


Gary,

Think of a false positive as a false alarm ... or the false detection of a known virus in an uninfected file.

==============================

Greetings,

Thanks Barry and nobeefstu. I do understand what a false positive is. I am just wondering about my particular circumstance. I am not trying to argue the point. When it happens, you don't know whether it is or it is not a real virus. From what you say, if I did nothing and just waited a couple days, and Avast updated its virus listing, it would have cleared up by itself?

Gary


Hi Gary,

After the developers corrected the false detection, the anti-virus program would no longer tag your executables as having malware, but the files placed in the vault would still be there unless you removed them or copied them from your backup. In general, when a fault with an anti-virus program is found and corrected, there is no remedial action by the anti-virus program. Things which were quarantined would still be gone unless you take action yourself.

Best regards,

Lin


Hi Guys,

As I said above we have used Avast for the past 2 years....

1) Avast detected an 'unknown' infection on 26-29th September and so did Norton and others. (Avast was 1st to do so).

2) This 'infection' was announced on Sky TV-News some time before on account it was considered to be 'incurable'.

3) Norton and others had no answer to this ~ please Google: "Backdoor-Bifrose" if you don't believe me.

4) Avast (auto-updated) their Virus-Engine & Definitions late on Thursday-night the 29th Sept (First to do so).

5) The only (fully-automatic) Malware-Program which removes this is Malwarebytes.Org ~ this is not an AV-Program and you need its recent up-date to remove this infection.

Some Notes

Gary ~ Yes you had 2 Bifrose-Rootkit infections as seen in your Attachments. You removed these with the ICO-utility.

Barry and others ~ It's very likely that you were also infected but the infection was automatically removed with AV-updates.

Concerning PTE

This has nothing to do with PTE-Exe's but 'Wild-Card' infections can and will try to access any Exes with active script-operands.

Should this activity be detected by Avast it will 'flag' that Exe as being infected ~ rightly so until Avast has a solution to the infection.

But unlike other AV-programs, Avast does not delete your Exes it simply 'Sandboxes' them for further attention.

The Rootkit

More on this dangerous Bifrose-Rootkit can be had on Google and yes as it's a "Wildcard" it can attack anything with Scripts.

Unfortunately it can also damage certain System Cab-Files if removed in any un-orthodox way.

The proper title of this Root-Kit is "Registry-Mart" ~ it copies sensitive registry data for sale to 3rd.parties.

It affects all Windows-platforms with the exception of Win7 64.Bit System ~ 32.Bit is not exempt.

See Report "Attachment".

Brian (Conflow)

We were also hit see Malware-Log


mbam-log-2011-09-30.txt


Brian,

Thanks for the information. Yes, I remember now that the 2 rootkits I found were called 'Bifrose'. I just checked my Malwarebytes program and its last update was 9/25, a day short of their update to catch the virus. Though others have disagreed, I could not dismiss the fact that I had found two viruses and that they were probably causing the problem with PTE.

It is good to have this cleared up.

Sincerely, Gary :D


  • 4 weeks later...

Although the posts suggest this problem has been fixed, I still seem to be suffering from it.

I have just installed the free version of Avast and if I try to run a v7.0.1 PTE sequence I get a (false) detection of Win32:Malware-gen. I have updated the Avast virus definitions and program and reported it as a false positive.

Could any other user who is not having problems, check their Avast versions? Mine are:

Engine and virus definitions: 111029-0

Program: 6.0.1289

Andrew Chadwick


Thanks for that information which confirmed that I did have the latest Avast versions.

I had originally created the exe sequence file on another computer and then copied it to a laptop which has Avast installed. I decided to make a new test project, using PTE on the laptop, and create a test exe file. This ran with no problems as you said!

After further investigation I found that if I used my own icon for the exe file (Project Options | Assign icon...), Avast picked up a false virus. I think this might be one for Igor!

I have submitted the exe file with the false virus to Avast, so hopefully they will sort it out in a future definition file.

Andrew


Hmmm, I nearly always use my own icon for an .exe file - nary a problem. I've just checked out new individual test sequences with both the default and alternate "official" icons individually and alternately. No problems, so I can't reproduce your state of affairs at all. Sorry!


I am pretty convinced it is using my own icon that causes the problem. I created a new exe without ticking the box and it worked. I went back to the project, ticked the box and selected my icon and made a new exe and it failed.

However where we may differ is that when I said my icon, I literally meant one I had designed myself. From the description of your tests, are you using the icons in PTE\Main folder? If you are interested I've attached the icon that seems to cause the problem.

Andrew

AVIconXP.ico


Andrew: Nope, I'm using icons designed in Photoshop and then generated using something else (can't remember what, could have been a very old PaintShop Pro). I only tried the PTE 'official' ones out of interest to see if I could recreate your problem. Both my own and the PTE icons worked, and still do, without fail. I've downloaded your AVIconXP.ico. Guess what - I can't get it to work either. Ergo, the fault is more likely to lie with your icon rather than PTE. But you'd guessed that already so no progress there. Have you tried using PixBuilder for icon generation (not that I have, but it might be worth looking at)? You're on your own on this one, I'm afraid.


I've just downloaded the AVIconXP.ico and run a test on one of my "test rig" sequences. First did a "Publish" of an EXE with standard PTE icon - no problem. Then ticked the box for a customized icon and selected the AVIconXP.ico file. Did another "Publish" to a different EXE name - no problem. I use AVG Free 2012 not Avast. The problem lies in Avast's interpretation of the AVIconXP.ico file. Try renaming the icon file to something innocuous, like MyPTE.ico. I find it hard to believe that the icon data can be seen as suspicious. I think the problem might be with the name.

regards,

Peter


Phil: Thanks for confirming it is my icon combined with Avast and PTE V7.0.1 that is the problem. The answer is probably to redesign the icon and try again. It wasn't very brilliant anyway but I've been using it a while.

Peter: I did try using another version of the icon with a different name but it still didn't work. I don't really know how virus scans work but I presume it is based on sequences of bits. If so I suppose an icon could just coincidentally contain the same sequence as a virus. It does seem to be a specific problem with Avast. You say AVG doesn't pick anything up and ZoneAlarm, that I use on my main PC, is also unconcerned.

Thanks both for your help

Andrew
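
Added example, not part of any poster's message and not code from Avast or WnSoft: a toy byte-pattern scanner showing how the bytes of a harmless icon, once embedded in an executable, can match a signature from one vendor's list and not another's. The signature names and patterns, the icon bytes and the `build_exe` layout are all constructed for illustration; `scan` only ever sees file contents, never a file name.

```python
# Toy byte-signature scanner: an illustration only, not Avast's engine or data.
# A signature is a list of byte values; None matches any single byte.
VENDOR_A = {"Toy:Example-gen": [0x13, 0x37, None, 0xC0, 0xDE, 0x42]}  # constructed
VENDOR_B = {"Toy:Other-gen": [0xFE, 0xED, 0xFA, None, 0xCE]}          # constructed


def find_signature(data, pattern):
    """Return the offset of the first match of pattern in data, or -1."""
    for start in range(len(data) - len(pattern) + 1):
        if all(p is None or data[start + i] == p for i, p in enumerate(pattern)):
            return start
    return -1


def scan(data, signatures):
    """Names of the signatures found in data. Only the bytes are examined."""
    return [name for name, pat in signatures.items()
            if find_signature(data, pat) >= 0]


def build_exe(icon):
    """Constructed stand-in for a published show: fixed player code plus icon."""
    player_code = bytes(range(0x20, 0x60))  # identical in every build
    return b"MZ" + player_code + icon + bytes(16)


# Constructed icon data: a 6-byte ICO header followed by made-up pixel bytes.
ICO_HEADER = b"\x00\x00\x01\x00\x01\x00"
DEFAULT_ICON = ICO_HEADER + bytes([0x80, 0x81, 0x82, 0x83] * 8)
CUSTOM_ICON = ICO_HEADER + bytes([0x70, 0x13, 0x37, 0x99, 0xC0, 0xDE, 0x42, 0x71] * 4)


def verdicts():
    """Scan the same show built with each icon, with both signature sets."""
    custom_exe = build_exe(CUSTOM_ICON)
    redrawn = CUSTOM_ICON.replace(b"\x13\x37", b"\x13\x38")  # one pixel byte changed
    return {
        "default icon, vendor A": scan(build_exe(DEFAULT_ICON), VENDOR_A),
        "custom icon, vendor A": scan(custom_exe, VENDOR_A),
        "custom icon, vendor B": scan(custom_exe, VENDOR_B),
        "redrawn icon, vendor A": scan(build_exe(redrawn), VENDOR_A),
    }


if __name__ == "__main__":
    for case, found in verdicts().items():
        print(f"{case}: {found or 'clean'}")
```
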
