AVG Virus Scanner Accidentally Removes Critical Windows Component
Short story is a bad definition that affected both AVG 7.5 and 8 caused the file user32.dll, a critical Windows component to be deleted.
Started by AdvancedSetup, Feb 05 2009 08:56 PM
#2
Posted 05 February 2009 - 09:16 PM
That's old news. Caused a lot of problems.
False positives are a serious issue for AV companies.
On the other hand, users must be careful too, especially with system files, something that is not easy for users without experience.
#3
Posted 05 February 2009 - 10:10 PM
Yes, it's old news but I wanted to share it here since we've had a couple recent users think that MBAM is the only one around that has removed a valid file by accident.
Even the biggest AV Companies out there have run into this issue and removed valid files before.
#4
Posted 06 February 2009 - 06:38 AM
Kaspersky removed Explorer.exe a while back. That was serious and they took a lot of heat for it.
Kaspersky false alarm quarantines Windows Explorer
#5
Posted 06 February 2009 - 06:59 AM
Quote
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
cureit from safe mode killed this computer
Quote
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe
combofix seems to handle it
Regards
Chewy the wild wookie
#6
Posted 06 February 2009 - 10:04 AM
MBAM DOES NOT remove this file. It says it does, but it doesn't; it's there as a marker for experts to see and know it's infected and needs attention.
Combofix can potentially correct it IF there is a valid clean version it can locate on the drive. Sometimes there isn't or the Malware prevents access to it.
#7
Posted 06 February 2009 - 01:14 PM
MBAM only removed the offending key in the registry
Cureit deleted the infected system file
Quote
Dr Cureit... it found one: userinit.exe in WINT/System32... I told it to cure all and saw the status of it and showed it was deleted.
Regards
Chewy the wild wookie
#8
Posted 06 February 2009 - 09:14 PM
Well, I would assume that Dr Web only removed it because, like Combofix, it found another valid copy on the system. If that file was removed and another not put in its place, the computer would not boot up and allow you to log on.
#9
Posted 06 February 2009 - 11:11 PM
Quote
If that file was removed and another not put in its place, the computer would not boot up and allow you to log on.
That's what the user claimed happened
Regards
Chewy the wild wookie
#10
Posted 06 February 2009 - 11:40 PM
No problem. Some time when you're bored and have some extra time. Boot up with some type of WinPE disk and move or change the name of that file and make sure there is no other copy of it in a cache folder or elsewhere and then restart the PC and see if you can logon now.
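One way to run the non-destructive half of the check the posts above describe (is userinit.exe still present, does a clean copy exist in dllcache or $NtServicePackUninstall$, and is the Winlogon Userinit value still the default), written here as an added PowerShell example that is not code from the thread or from MBAM/ComboFix; the backup directory locations and the expected default Userinit value are assumptions about an XP-era install:

```powershell
# Added example, not from the thread: audit the files and registry value the
# posts above describe being quarantined. Uses $env:SystemRoot so WINNT and
# WINDOWS installs are both handled.
$system32 = Join-Path $env:SystemRoot 'System32'
$critical = @('userinit.exe', 'user32.dll')

# Assumed backup locations (the thread mentions $NtServicePackUninstall$);
# either may be absent on a given machine.
$backupDirs = @(
    (Join-Path $system32 'dllcache'),
    (Join-Path $env:SystemRoot '$NtServicePackUninstall$')
)

foreach ($name in $critical) {
    $live = Join-Path $system32 $name
    $liveHash = $null
    if (-not (Test-Path $live)) {
        Write-Warning "$live is missing; logon will fail until a clean copy is restored"
    } else {
        $liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -FilePath $live
        Write-Output "$live SHA256=$liveHash signature=$($sig.Status)"
    }
    # Report every backup copy and whether it matches the live file, which is
    # what a restore tool would need to know before copying it back.
    foreach ($dir in $backupDirs) {
        $copy = Join-Path $dir $name
        if (Test-Path $copy) {
            $copyHash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
            $match = ($null -ne $liveHash) -and ($copyHash -eq $liveHash)
            Write-Output "  backup $copy SHA256=$copyHash matches live: $match"
        }
    }
}

# Winlogon Userinit: the default is the full path to userinit.exe followed by a
# comma (assumed). Anything else means either the value was stripped (no logon)
# or an extra loader has been chained in after it.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = "$system32\userinit.exe,"
Write-Output "Userinit = '$userinit'"
if ($userinit -ne $expected) {
    Write-Warning "Userinit differs from the expected default '$expected'"
}
```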
#11
Posted 08 February 2009 - 04:34 PM
What safeguards does the MBAM team use to avoid a critical Windows component being flagged?
#12
Posted 08 February 2009 - 07:27 PM
An internal whitelist is just one stage of avoiding critical files.
#13
Posted 08 February 2009 - 10:48 PM
#14
Posted 09 February 2009 - 12:13 AM
Jamin4u said:
Would it be safe to say that most false positives happen during heuristic scanning?
At least two thirds of our database is heuristics, so yes, false positives are due to an error in heuristics. The research team fixes them as soon as they hear about them.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#15
Posted 09 February 2009 - 12:32 AM
Thank you Marcin and Arthur for your time in answering my questions.
I think the team does an excellent job of responding to false positives.
Please allow me to ask one more question regarding false positives.
Does the team use test computers with various operating systems to test each database version before release?
#16
Posted 12 February 2009 - 04:42 PM
Jamin4u said:
Does the team use test computers with various operating systems to test each database version before release?
That I don't know. Bruce didn't answer that question when I asked him.
I do know that the research team does not all use the same version of Windows. They do their research on both Windows XP and Windows Vista, and I would believe some of them use 2000 as well. I assume they have to test the database to make sure that each addition does remove what they expect it to remove, but I do not know any specifics about the testing that they do.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#17
Posted 15 February 2009 - 08:36 PM
szgr, on Feb 5 2009, 10:16 PM, said:
False positives is a serious issue for av companies.
http://kb.bitdefender.com/KB519-en--Faulty...nlogon.exe.html
#18
Posted 15 February 2009 - 09:18 PM
No action required by the user as long as they did not reboot during that time. Otherwise it would be a big problem.
#19
Posted 26 May 2009 - 11:05 PM
Thank you for posting this, I had no idea.
I am an AVG user and I hope this hasn't happened to my system.
Do you know if there is a way to tell?
AdvancedSetup, on Feb 5 2009, 03:56 PM, said:
AVG Virus Scanner Accidentally Removes Critical Windows Component
Short story is a bad definition that affected both AVG 7.5 and 8 caused the file user32.dll, a critical Windows component to be deleted.
#20
Posted 26 May 2009 - 11:07 PM
You would know right away with an AV or AM scan. This is quite old now and was fixed I think the same day it happened so unless you happen to have had that version on that day and never updated again you won't have this issue.