Win32 Kryptik in avant.exe?! False positive?

Discussion in 'ESET NOD32 Antivirus' started by doxavita, Apr 28, 2010.

Thread Status:
Not open for further replies.
  1. doxavita

    doxavita Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    12
    Today, when my computer was starting up, my NOD32 detected Win32 Kryptik trojan in avant.exe (Avant Browser).

    How can this be? I never use that program; I consider it safe since it's just a browser, and I haven't run any potentially damaging files that could infect it. Could this have just been a false positive, so that I shouldn't be concerned?

    Thanks very much.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    Same thing happened today to AnVir Task Manager on a full scan:

    C:\Program Files\AnVir Task Manager\AnVir.exe - a variant of Win32/Kryptik.EAB trojan - cleaned by deleting (after the next restart) - quarantined [1,2]

    It is in quarantine right now. I am not sure what happens if it is determined to be an FP; my NOD32 is set to rescan quarantine on updates. Will it restore the file automatically if it is an FP?
     
  4. doxavita

    doxavita Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    12
    Yes, my file was avant.exe. I think it quarantined it, but I already got rid of the file anyway.

    EDIT: if it was quarantined, where might I find the file?
     
    Last edited: Apr 28, 2010
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    I downloaded and scanned Avant Browser v11.7 Build 46 and Anvir Task Manager Pro v6.3.0 on a computer running ESET Smart Security v4.2.20.0 with virus signature database 5070 and was unable to replicate this.

    Is the problem still occurring, if so, can you tell me which virus signature databases are installed on the computers in question?

    Regards,

    Aryeh Goretsky
     
  7. doxavita

    doxavita Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    12
    My virus signature database was 5069 when the problem was detected, although the Avant Browser version might have been older than the one you tested with.
     
  8. fwcetus

    fwcetus Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    1
    ESET NOD32 Antivirus 4 deleted my own avant.exe executable (claiming it was infected with the Win32/Kryptik.EAB trojan), crippling my Avant Browser installation. The current definitions version is "5070 (20100428)". I tried downloading another copy of the Avant setup file (absetup.exe) from CNet, and NOD32 disconnected the download.

    Fred

    Update: Looking more carefully at the log files for the day: 5068 was installed at 1:21 PM, 5069 at 2:21 PM, and 5070 at 5:44 PM. Avant.exe (which I tried restoring several times by downloading and installing manually) was quarantined first at 2:22 PM and last at 4:43 PM. Last evening I successfully re-installed Avant, and it still seems to be allowed to run by the "NOD32 trojan" {grin} this morning. So, looking at the time spans for each definitions file, it seems as if trigger-happy definitions version 5069 wiped out a perfectly normal program, and whatever was in that definitions file to do so should be guarded against in the future; it is ~NOT~ OK to wipe out a legitimate piece of installed software.

    Fred
     
    Last edited: Apr 29, 2010
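The timeline reasoning in the post above (match each quarantine event against the definitions version that was installed at that moment) can be done mechanically once the update and detection times are extracted from the logs. The script below is an added illustration, not code from the thread or from ESET; the log entries are constructed to match the times Fred quotes, they are not in ESET's real log format, and the Avant install path is an assumption.

```python
# Added illustration of the timeline reasoning in the post above.
# Log entries are constructed to match the times Fred quotes; they are not
# in ESET's real log format, and the Avant install path is assumed.
from bisect import bisect_right
from collections import Counter
from datetime import datetime

# Constructed: (timestamp, signature database version) for each update.
UPDATE_LOG = [
    ("2010-04-28 13:21", "5068"),
    ("2010-04-28 14:21", "5069"),
    ("2010-04-28 17:44", "5070"),
]

# Constructed: (timestamp, path, detection name) for each quarantine event.
# 14:22 is the first quarantine Fred mentions, 16:43 the last; 15:30 stands
# in for one of his intermediate re-installs.
DETECTION_LOG = [
    ("2010-04-28 14:22", r"C:\Program Files\Avant Browser\avant.exe", "Win32/Kryptik.EAB"),
    ("2010-04-28 15:30", r"C:\Program Files\Avant Browser\avant.exe", "Win32/Kryptik.EAB"),
    ("2010-04-28 16:43", r"C:\Program Files\Avant Browser\avant.exe", "Win32/Kryptik.EAB"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def active_version(update_log, when):
    """Return the signature database version installed most recently at or
    before `when`, or None if `when` precedes the first recorded update
    (the detection cannot then be attributed from this log alone)."""
    updates = sorted(update_log, key=lambda u: parse_ts(u[0]))
    times = [parse_ts(t) for t, _ in updates]
    i = bisect_right(times, when)  # number of updates at or before `when`
    return updates[i - 1][1] if i else None


def attribute_detections(update_log, detection_log):
    """Pair each detection with the database version that produced it."""
    return [
        (ts, path, threat, active_version(update_log, parse_ts(ts)))
        for ts, path, threat in detection_log
    ]


def versions_by_detection_count(update_log, detection_log):
    """Count detections per database version. A version that accounts for
    every hit on a file that scans clean under a later version is the
    likely source of the false positive."""
    return Counter(v for *_, v in attribute_detections(update_log, detection_log))


if __name__ == "__main__":
    for ts, path, threat, version in attribute_detections(UPDATE_LOG, DETECTION_LOG):
        print(f"{ts}  db {version}  {threat}  {path}")
    print(versions_by_detection_count(UPDATE_LOG, DETECTION_LOG))
```

With the constructed data every quarantine falls in the 5069 window (2:21 PM to 5:44 PM), which is the same conclusion Fred reached by hand; a detection logged before the first recorded update comes back as None rather than being guessed.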
  9. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    Well, it happened this morning, and I am at 5070 right now. I tried the "submit for analysis" in quarantine and it errored. Ah, I was at 5069; it is in the log file. AnVir was 6.1.3.

    edit: I shall restore from quarantine and rescan using latest version.

    edit 2: restored and rescanned the system with no problems with AnVir. Must have been some issue with 5069.
     
    Last edited: Apr 28, 2010
  10. doxavita

    doxavita Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    12
    As a result of this issue, now when my NOD32 updates and scans I get a pop-up in the tray area saying: "File Submission: Some of the suspicious files suitable for analysis have not been approved for submission yet. To open an approval window, click on this message." So I clicked the message, and a "Submission of suspicious files" window opened. I selected avant.exe and hit Submit. Hopefully I won't be getting this reminder anymore.
     
  11. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    Hitman Pro flagged absetup.exe as a trojan today also.
     
  12. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    At least it's just hit a browser and not critical system files like the Win32/Kryptik.JX detection fiasco with 3918 (what's with the FPs on Kryptik variants?!)

    The last couple of years with ESET, in all honesty, haven't been great. Though it's like an old girlfriend you're still in love with... I can't let her go LOL
     