Online Armor affected?

Discussion in 'other firewalls' started by avboy, Jul 22, 2010.

Thread Status:
Not open for further replies.
  1. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    I was surfing when suddenly OAhelp.exe popped up asking for permission for a connection. Being a trusted source (folder location same), I gave it permission. After some time Avira popped up with the message that oahlp.exe was affected by malware.

    From its report file:

    Scan process 'OAhlp.exe' - '1' Module(s) have been scanned
    Module is infected -> <C:\Program Files\Tall Emu\Online Armor\oahlp.exe>
    [DETECTION] Contains recognition pattern of the WORM/IrcBot.3075576 worm


    Immediately I scanned it with MBAM on-demand. It did not find anything. Now I am wondering is it an Avira False Positive? But oahlp.exe did ask for connection which is unusual. Did anyone else using Avira and Online Armor face this? How will I know if Online Armor is really affected?

    EDIT: This happened just after I updated Avira today. I use Avira Premium Security Suite without the firewall.

    Thanks.
     
    Last edited: Jul 22, 2010
  2. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    And now this after updating Online Armor to version 45.
     

  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    avboy,

    There are more users with the same issue on OA forum.

    Guess it's a FP from Avira, thought it would be fixed already.
     
  4. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    1,785
    might be a fp but do a double check and use another AV to see what happened o_O
     
  5. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Avira having a field day!
     

    Attached Files: 2.jpg
  6. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Thanks ctrlaltdelete, exactly the same. It has not been solved as I can see. Anyway I trust wilders members more than any product forum. So will keep looking here more.

    Thanks gery. Am doing a full scan with MBAM. Then will move on to Hitman Pro.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    You need to report to AVIRA. They will confirm the false positive or not. If no one reports it, a fix will be unlikely :)

    Here: http://analysis.avira.com/samples/index.php
    (File type: Suspected false positive)
     
  8. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Thanks fax for the heads up. Just did it and got the result that oahlp.exe is a FP. Can breathe easy now. However oaui.exe is still under analysis.
     
    Last edited: Jul 22, 2010
  9. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Just updated Avira. All others except oahlp.exe are *not* detected as malicious any more. So this combined with the result above means it is all clear. Will have to wait for the next update though.
     
  10. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Re: Online Armor affected (Again)?

    Funny, very funny. With the new Avira update the old detections are gone, but now oasrv.exe and oacat.exe are detected as WORM/IrcBot.1284600 and WORM/IrcBot.3506680

    So I have to send the files again to Avira. Don't know why the new owners of OA can't resolve this with Avira once and for all. Avira and OA used to work very well till now, wonder what suddenly happened.

    Also I do not prefer exclusions as there have been (a very few) genuine cases of infection via legitimate updates.
     
  11. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Can any of you spare some time to explain? Yesterday the files oasrv.exe and oacat.exe were flagged clear while other two were shown as affected. So again today why the new detections when the old ones are already flagged clear?
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I'm having the same issue here. oasrv.exe and oacat.exe are both being flagged as bots. I believe it's most likely a false positive from a recent virus definition update. To be safe I'm going to check with Avira.
     
  13. laopa

    laopa Registered Member

    Joined:
    Jun 26, 2010
    Posts:
    22
    Location:
    Squeezed between the Pacific and Indian Oceans
    Hi,

    Based upon looking over and posting on the Avira AntiVir Forum, they do not appear to be listening or interested.

    I would suggest that anybody with this Online Armor and Avira AntiVir problem, as well as keeping up to date here, rock on over to their forum and lob in a new thread, as you can not post a reply to a current thread unless you are a "community member" or the poster who started the original thread.

    "Community Members" seem to be like the Avira AntiVir Masons.

    Go figure.

    Paid or Free there are two options over there.

    http://forum.avira.com/wbb/index.php?langid=1

    You might also want to check this over at Online Armor

    http://support.tallemu.com/vbforum/showthread.php?t=13549

    Good Luck.:doubt:

    laopa
     
  14. mona7865

    mona7865 Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    3
    Location:
    Merksem-Antwerp, Belgium
    Just to be on the safe side I scanned with MBAM, MSE, Eset Online Scanner and SAS, which all came up clean.

    I uninstalled Avira for the time being and replaced it with MSE, till this issue will be resolved.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    The above will not really help... you need to report to the false positive link already posted. The more reports they get, the more quickly they will fix it ;)
     
  16. laopa

    laopa Registered Member

    Joined:
    Jun 26, 2010
    Posts:
    22
    Location:
    Squeezed between the Pacific and Indian Oceans
    Thanks for the advice. I have been an Avira AntiVir Premium user for years and have a current subscription until 2014.

    I have uploaded False Positive Reports 22/7/201 (=2) and False Positive Reports 23/7/2010 (=3) and the feedback so far from Avira amounts to a pile of rubbish with no recognition of a problem and no comment about a possible solution.

    Trying all possible alternative angles and approaches may add to the link you mention.

    laopa
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Feedback is limited to confirming or not the false positive, unless you have reported to another link. Again, the more reports to them the better it is. Reporting to the forum does not help... :)
     
  18. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Free Avira and paid OA user here.

    Having the same issue, but I'm confident all can be attributed to FP's. Added some exclusions and am getting on with my life.

    I think it is likely this will be cleared up eventually, and don't think a small delay in fixing the issue is frustrating. Ask me again in a week, and I might switch to MSE, but really, my time is valuable and since my system is fine with the exclusions, I might just forget about it for a while.
     
  19. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Off topic posts removed. Stick to the subject please. Thank you.
     
  20. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Is it still being detected? Normally they fix FP's quickly but reading these threads it seems it is still being detected.
     
  21. gdiloren

    gdiloren Registered Member

    Joined:
    Jul 3, 2007
    Posts:
    146
    Problem solved. Had to submit the file (which takes some extra time and ability) and it takes usually 24 Hours to tell you what you already knew, detecting OA FIREWALL is a FP, of course. How can this just happen ? ? ? Stop the beer, Avira!!!:D
     
  22. laopa

    laopa Registered Member

    Joined:
    Jun 26, 2010
    Posts:
    22
    Location:
    Squeezed between the Pacific and Indian Oceans
    Hi,

    The madness has not stopped. Just finished scanning my system with the latest Avira AntiVir Premium with today's updates (24/7/2010) and now it thinks 1ClickDVDCopyPro.exe is a trojan. (TR/Agent.2136912 Trojan) Never happened before.

    Yes I have sent it to Avira. That is about a dozen FP's over the last three days, with most of them being Online Armor.

    We wait and see.

    laopa o_O
     
  23. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Ok the Online Armor issue has been sorted out. I had forwarded the files yesterday morning. After last night's update and today's nothing has been detected. Got replies from them confirming FPs.
    Someone related to Avira or in the know of things will be able to tell why this happened. And if it's happening with other software like the one mentioned above, maybe they are trying to implement new heuristics or new scanning method.
     
    Last edited: Jul 24, 2010
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I personally wouldn't be so quick to write it off as a FP. IMO Avira is doing you a favor by flagging it. First you see a new file asking for internet access that you've never encountered before, and then these detections. It's giving all the tell-tale signs of malware. There's absolutely no reason that a help file should need internet access. I would personally shoot first (block) and ask questions later.

    You should run the file through VirusTotal and see what other AV's detect it. If Avira is the only one that does, then it's probably a FP. That still wouldn't make me trust it completely. The way I see it, if you block it and everything still works fine, then it doesn't need the access rights it's asking for. This is true for a lot of perfectly legitimate programs. Even though I know they are safe I still don't allow them access they don't need. I feel safer that way and it saves resources as well.
     
  25. laopa

    laopa Registered Member

    Joined:
    Jun 26, 2010
    Posts:
    22
    Location:
    Squeezed between the Pacific and Indian Oceans
    Hi,

    I have scanned the file with HitMan Pro, SUPERAntiSpyware, EmsiSoft Anti-Malware, Malwarebytes Anti-Malware and tried to send it to Virus Total but good old Avira AntiVir blocked access to the file. I have never agreed to this happening. I instructed Avira AntiVir to skip the file. The only action Avira would allow me to take was to move this file to quarantine and no I am not allowed to restore it either.

    Found a way around Avira and sent it to Virus Total (41/42) antivirus programs gave it a clean bill of health, one of them being Avira AntiVir? DrWeb did not like it .... never heard of DrWeb. The Avira AntiVir version listed I think is not the current one which seems to be causing all of these problems.

    EDIT: Got paranoid and uploaded and ran the FP reported by Avira (1ClickCopyPro.exe) through VirusTotal again and got (42/42) OK second time around.

    Based upon the recent Online Armor issues where Avira AntiVir either quarantined the files or at reboot refused access to them, forcing most of us to have to uninstall and then reinstall Online Armor and even in my case uninstall and then reinstall Avira AntiVir, it seems that the recently updated Avira AntiVir is making these decisions by itself without user input and in some cases decisions directly opposed to specified user input.

    Protecting us against ourselves ... how "big brother" is that?

    Pretty sure there will be more about this.

    laopa :ouch:
     
    Last edited: Jul 24, 2010