Avast! says I have virus in windows/pagefile.sys

Discussion in 'other anti-virus software' started by brjoon1021, Aug 22, 2009.

Thread Status:
Not open for further replies.
  1. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    Hi,

    I am dual booting my laptop with Linux, where I installed Avast! for Linux. I ran a scan of the entire computer, including Windows, and it says that it found:

    SillyOC-Ksink-90 in the windows/pagefile.sys

    What do you think? Can you get a virus in the pagefile? What do I do, do I let it delete the pagefile.sys or ...? The scan from the Linux partition is still running right now; I hope that I did not screw up my Windows installation.
     
  2. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Is the detection in Linux or Windows?
    Also, how much have you been using Linux, enough to get a virus?
     
  3. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    That's a false positive. I used to get the same alert on that file while scanning on Ubuntu.

    Btw, it won't matter if you delete pagefile.sys because it will be re-created when you boot up Windows.
     
  4. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    Thanks.
     
  5. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    It's a false positive from Linux: as it cannot read the locked virtual RAM (the page file of Windows), it takes it as a virus. The funny thing is that if you delete that file and reboot from Windows again, the page file is recreated; then you boot from Linux again and rescan, and it again shows you the virus in the page file...

    So you don't need to do any deleting. In short, it's a false +ve.
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    And how can you be so certain it's a false positive if the file is re-created with the same detection again? The pagefile is never generated the same twice. So the chance of Windows somehow generating it back with that thing inside, I find hard to believe. People just shoot "it's a false positive" without inspecting properly.
    And I've noticed this several times already. If it's an avast! detection, it has to be an FP. While in reality, avast! has been the first to detect new malware properly.
     
  7. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    As it's an old DOS virus, I'd guess either unencrypted signatures in OS memory, swapped out to the swap file (coming possibly from another AV - Windows Defender, ...?), or a false positive indeed in this case.
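
Added illustration of the first hypothesis in the post above (not part of the thread and not avast!'s code): a naive byte-signature scan of a raw page-file image matches when another scanner's plaintext pattern table has been swapped out to disk, and stops matching when that table is kept obfuscated in memory. The signature bytes, the names, the page layout and the XOR masking are all constructed for the example.

```python
import io

# Constructed pattern standing in for an old DOS-virus signature (not a real one).
SIGNATURES = {"Constructed.DOS.Sample": b"\xde\xad\xbe\xef" + b"CONSTRUCTED-SIG!"}
PAGE = 4096  # page size used for the constructed image


def scan_stream(stream, signatures, chunk_size=64 * 1024):
    """Naive raw scan: (name, offset) for every pattern occurrence in the file."""
    # Keep max_len - 1 bytes between reads so a pattern straddling a chunk
    # boundary is still found (real page files are gigabytes, read in chunks).
    overlap = max(len(p) for p in signatures.values()) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of tail[0]
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for name, pattern in signatures.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((name, base + pos))
                pos = window.find(pattern, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def db_page(signatures, xor_key=None):
    """One memory page holding another scanner's loaded pattern table."""
    blob = b""
    for name, pattern in signatures.items():
        if xor_key is not None:  # table kept obfuscated while resident in RAM
            pattern = bytes(b ^ xor_key for b in pattern)
        blob += name.encode() + b"\x00" + pattern
    return blob.ljust(PAGE, b"\x00")


def pagefile_image(pages):
    """Constructed page-file image: swapped-out pages laid end to end."""
    return io.BytesIO(b"".join(p.ljust(PAGE, b"\x00") for p in pages))


def demo():
    filler = b"\x00" * PAGE
    plain = pagefile_image([filler, db_page(SIGNATURES), filler])
    masked = pagefile_image([filler, db_page(SIGNATURES, xor_key=0x5A), filler])
    # chunk_size is chosen so the pattern straddles the first chunk boundary.
    return (scan_stream(plain, SIGNATURES, chunk_size=PAGE + 30),
            scan_stream(masked, SIGNATURES))
```

A hit from such a scan only shows that the pattern bytes exist somewhere in the file; it does not show that any executable on the disk is infected.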
     
  8. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    We don't label it as a false positive because of some stereotypes against avast!. So there's no need to establish conspiracy theories lol.

    Format your PC totally and install both Linux and Windows. Then scan again on Linux, you'll get the same result. Therefore I'm sure that it's a false positive. It's that simple. ;)
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    The word "Linux" has such a wide meaning... I mean, with trillions of different distros, you'd have to be more specific than just "Linux". The same goes for the Windows version.
    Because running SuSE and Windows 98 is not the same as running Ubuntu and Windows Vista (in dual boot of course)...
     
  10. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    OK, since the others used the general term "Linux", I used it as well. Now I'm replacing it with Ubuntu. But re-read my first post, I already said Ubuntu there.

    Other than Ubuntu, sometimes I use Pardus, but avast! doesn't have a version with the .pisi extension, so I don't have a chance to scan on it. I don't like or use the other distros, so someone else who uses different distros may be required to confirm this detection. :)
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Sorry, I forgot to mention: whether it gives you the alert or it is recreated in Vista, I don't remember, but there is a page file. Even for security reasons I formatted my PC, which I forgot to tell; same results.

    Second, I agree with mevcit. I reinstalled Vista and two new Linux installs (Fedora/Ubuntu), installed avast and scanned from them; both give the same results (virus in the page file). I also did something else: if you have Windows, you can install and run avast from Windows as well. You will be surprised to see that scanning from Windows with the same company's product didn't give you a virus alert, so... nothing left to prove :D
     
    Last edited: Aug 25, 2009
  12. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    On Windows, you can't scan pagefile.sys in either normal or safe mode because it is being used while Windows is up. avast! doesn't detect it in a boot scan either. But I don't know if it is able to scan pagefile.sys during a boot scan.

    By the way, the Linux version of avast! doesn't have the same engine as the Windows version. Whatever... Since I get the same result on clean installations (as I said before), this is probative enough for me that it's a false positive.
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast! is able to scan pagefile.sys, but is ignoring it deliberately.
     
  14. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    I think no AV software can scan pagefile.sys on Windows unless it is in a different partition (because there might be some "pagefile" files on other devices/partitions). I wondered if the boot scan could cope with it, and I think avast! ignores -the one on the local partition where Windows is installed- again as you said. Thanks for the reply.
     
    Last edited: Aug 25, 2009
  15. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Well, when I first installed Avast the first thing it detected for me was the pagefile, and I'm not running any other partitions or anything, just my Windows Vista.
     
  16. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    Hmm, actually when I try to scan the file manually, I get an error because the file can't be opened (locked by system). Furthermore, pagefile.sys is excluded in standard shield settings by default and it can't be un-excluded. Maybe avast! gives an alert in some situations when Windows is accessing pagefile.sys in a "strange" way according to avast!. :p

    OK, I've spent a bit much time on this subject and it's 2:18 am here. I'm gonna sleep now. :D
     
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Yeah, it was detected by the guard, not during a scan.
     
  18. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,191
    Location:
    USA,IA