amon detecting Kav 4.5 updates as virii?

Discussion in 'NOD32 version 2 Forum' started by tobamore, Feb 9, 2005.

Thread Status:
Not open for further replies.
  1. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Hi,
    Over the last 2 nights while I've been away from my pc, nod32 amon has found 2 different avp1c**.tmp files and suggested that they are *probably* both Crypt.Win32 viruses. I have recently updated my on-demand kav to 4.5.094 pro and I'm hoping that this is a false positive. On both occasions I deleted the files, where maybe I should have quarantined them and submitted them to Eset...

    Kav is set to update every few hours and, I have noticed, does tend to create files beginning with avp1c**.tmp, so maybe nod is wrong?

    However, I have found nothing when scanning these files via the nod on-demand scanner.

    Please advise?

    Toby.
     
  2. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Here is the actual nod32 report:

    Time Module Object Name Virus Action User Info
    09/02/2005 22:54:01 AMON file C:\WINDOWS\TEMP\AVP1C4B.tmp probably unknown CRYPT.WIN32 virus deleted NT AUTHORITY\SYSTEM
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    No, these files are packed malware that KAV unpacks and then AMON detects.

     
  4. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Ah, so they are okay to ignore. How can I set up nod to ignore them automatically in future, other than excluding the temp folder, of course?

    mtia
    T.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Wouldn't it be possible to copy the file to quarantine before you delete it and then send the content of the program files\eset\infected folder to samples@eset.com for analysis?
     
  6. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Yes, next time it happens I will do that, but am I likely to get a reply? Or is it just submitted and reacted to/dismissed accordingly internally?

    I have recently run full scans (with all the bells and whistles switched on) and found nothing, so I'm a little perplexed... o_O

    Toby.
     
  7. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Further update...

    I have just run a full Kav 4.5 scan (finding nothing), but nod came up with an alarm again. I tried to quarantine, but an error message was displayed - perhaps there was nothing to quarantine, as kav had finished its scan and may have already deleted the file?

    Anyway, here is a copy from my log:

    Time Module Object Name Virus Action User Info
    10/02/2005 13:48:01 AMON file C:\DOCUME~1\toby\LOCALS~1\Temp\AVP19C1.tmp probably unknown CRYPT.WIN32 virus error quarantining the object - - deleted HOME-39E90DB473\toby

    Toby
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Since the file is deleted from the temp folder instantly, it's impossible for NOD to copy it to quarantine. Would you please confirm or deny that it happens regardless of what folder you scan? If AMON springs into action only when scanning a particular folder/file, the best thing would be to narrow it down to that file and send it to us for analysis.
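A small triage helper for AMON log rows like the two pasted in this thread, written as an added example (it is not code from this thread, from NOD32 or from Eset): it parses the row layout, marks hits on AVP*.tmp files inside a Temp folder as candidates for another scanner's unpacking scratch files, and lists those where quarantining failed, so you know which ones still need a sample captured before deletion. The third log row and the AVP*.tmp heuristic are constructed assumptions, not an Eset classification.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: the two AMON rows from this thread plus one invented
# row on a non-temp file, for contrast.
SAMPLE_LOG = r"""
09/02/2005 22:54:01 AMON file C:\WINDOWS\TEMP\AVP1C4B.tmp probably unknown CRYPT.WIN32 virus deleted NT AUTHORITY\SYSTEM
10/02/2005 13:48:01 AMON file C:\DOCUME~1\toby\LOCALS~1\Temp\AVP19C1.tmp probably unknown CRYPT.WIN32 virus error quarantining the object - - deleted HOME-39E90DB473\toby
11/02/2005 09:12:33 AMON file C:\Downloads\setup.exe probably unknown CRYPT.WIN32 virus quarantined HOME-39E90DB473\toby
"""

# Columns as pasted: Time Module Object Name Virus Action User. The virus and
# action fields contain spaces, so anchor on " virus" and on the final verb.
ROW_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<module>\S+) (?P<object>\S+) "
    r"(?P<path>\S+) (?P<virus>.+? virus) "
    r"(?P<action>.*?(?:deleted|quarantined|cleaned)) (?P<user>.+)$"
)
# Heuristic (assumption): KAV's scratch files seen here look like AVP<hex>.tmp.
AVP_TMP_RE = re.compile(r"^AVP[0-9A-F]+\.tmp$", re.IGNORECASE)

@dataclass
class Hit:
    time: str
    path: str
    virus: str
    action: str
    user: str
    quarantine_failed: bool      # AMON could not copy the file before it vanished
    scanner_tmp_candidate: bool  # AVP*.tmp under a Temp folder: likely another scanner's unpack file

def parse_row(line: str) -> Optional[Hit]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    p = PureWindowsPath(m["path"])
    in_temp = any(part.lower() == "temp" for part in p.parts)
    return Hit(time=m["time"], path=m["path"], virus=m["virus"], action=m["action"],
               user=m["user"], quarantine_failed="error quarantining" in m["action"],
               scanner_tmp_candidate=bool(AVP_TMP_RE.match(p.name)) and in_temp)

def triage(log_text: str) -> dict:
    hits = [h for h in (parse_row(l) for l in log_text.splitlines()) if h]
    return {
        "total": len(hits),
        "scanner_tmp_candidates": [h.path for h in hits if h.scanner_tmp_candidate],
        # candidates that were never captured: a sample must still be obtained
        "needs_sample": [h.path for h in hits if h.scanner_tmp_candidate and h.quarantine_failed],
        "review": [h.path for h in hits if not h.scanner_tmp_candidate],
    }
```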
     