  1. #1
    4 Star Lounger
    Join Date
    Mar 2001
    Location
    New Zealand
    Posts
    541
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I have just downloaded and installed version 9 using default settings. I am running a scan and I am getting a ton of detections as follows:

    An unsigned file was found when scanning the system files!
    Contains HEUR/Modified.SystemFile suspicous code.

    It gives me the options to copy to quarantine or ignore.

    Lots of files, like:
    c:\windows\system32\csrss.exe
    c:\windows\system32\drivers\kdbclass.sys
    c:\windows\system32\spoolsv.exe

    What is going on? Do I have an infection or is it just the heuristics?

    I opted to quarantine them but when I tried to restore them the restore failed. Does this mean they have been deleted from my system? What effect will this have?

  2. #2
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts
    The files you mention are Windows system files; they might be infected but it's not very likely.
    Chances are that Windows has already restored them automatically.

  3. #3
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts
    [quote name='philkiwi' post='765974' date='18-Mar-2009 07:19']I have just downloaded and installed version 9 using default settings. I am running a scan and I am getting a ton of detections as follows:
    <snip>
    What is going on? Do I have an infection or is it just the heuristics?

    I opted to quarantine them but when I tried to restore them the restore failed. Does this mean they have been deleted from my system? What effect will this have?[/quote]
    As Hans mentioned, and as you may know, there are Windows files with those names (I think it is kbdclass.sys).

    Before using an unknown anti-malware program for the first time it is good to check all settings: what are the defaults? What will it do if this or that happens? Yes, I know, default settings are supposed to be safe to use, no need to change for normal use etc. But since false positives appear sometimes, it is no consolation at that time, that deleting or putting in quarantine (healing etc.) is the best normal choice, since it may remove clean and valuable files.

    As Hans said, in this case, these files are protected by the OS; Windows File Protection, WFP, will restore a copy if they are deleted.

    I don't know about that AV program, but obviously some can become a bit perplexed when they try to restore something and the file is already there (the OS put it back as per above scenario).

    Have you checked if the files that were put in quarantine are back in their original locations?

    I assume you used some other AV before, and were virus free previously; you could check again without heuristics, check with some other software. Read up on the settings for the AV, look at their support to see if it is reported, or see if someone here has specific comments about Avira’s Antivir Free. And obviously, check again after the next update of the virus definitions.

  4. #4
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts
    [quote name='philkiwi' post='765974' date='18-Mar-2009 06:19']What is going on? Do I have an infection or is it just the heuristics?[/quote]

    I just installed this version and tried it, and I got exactly the same errors as you. This is Avira telling you that these files should have digital signatures to prove that they haven't been tampered with, but it has not found them. The good news is that if you just tell it to ignore every one of these (I had 21 of them) and ALLOW THE SCAN TO CONTINUE TO COMPLETION, then the next time you run the scan it is fine.

    I also allowed it to quarantine one of the files, this seemed to do no harm at all - I suspect Windows automatically restored the file. Just delete them from quarantine when you have finished.
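
One way to run the check suggested in posts #3 and #4, confirming that the quarantined files are back in place and that Windows itself trusts their signatures. This is an added example, not code from any poster; it assumes Windows PowerShell 5.1 or later, where `Get-AuthenticodeSignature` also validates signatures held in a security catalog rather than embedded in the file. The function name `Get-SystemFileTrust` is hypothetical.

```powershell
# Added example. Paths are the three named in the thread
# (driver name spelled kbdclass.sys, as post #3 suggests).
$paths = @(
    "$env:SystemRoot\System32\csrss.exe",
    "$env:SystemRoot\System32\drivers\kbdclass.sys",
    "$env:SystemRoot\System32\spoolsv.exe"
)

function Get-SystemFileTrust {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # Is the file present in its original location (e.g. after quarantine)?
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path = $p; Present = $false; Status = 'Missing'
                SignatureType = $null; Signer = $null; SHA256 = $null
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path          = $p
            Present       = $true
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            # Hash can be compared against a known-good copy of the same build
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$report = Get-SystemFileTrust -Path $paths
$report | Format-List

# Files that are missing or whose signature did not validate
$report | Where-Object { -not $_.Present -or $_.Status -ne 'Valid' }
```

A file reported as `Valid` with `SignatureType` of `Catalog` has no signature inside the file itself, which is the situation a scanner that only looks for embedded signatures would report as "unsigned".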

  5. #5
    New Lounger
    Join Date
    Jan 2009
    Location
    Whidbey Island, Washington, USA
    Posts
    23
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Avira has one of the highest false-detection rates of the major AV programs, although it's considered a very robust AV. I just tested all the top rated ones, including Avira, and they all have a high number of false detections, they scan pretty slowly, they use up a lot of Windows resources, but the high rated ones are extremely accurate, unlike the "popular" ones such as AVG. So I guess you either choose accuracy or speed and a small footprint. Here's the testing web site:
    http://www.av-comparatives.org/

    The testing results report indicates you should always set the heuristics to "high" for the most accurate results, which is how the tests were conducted. Personally I found all of these programs unacceptable for various reasons so I chose my own path to follow!
    There are 10 kinds of people in the world:
    Those who understand binary
    and those who don't.

  6. #6
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post
    [quote name='cutedeedle' post='770686' date='15-Apr-2009 15:12']Personally I found all of these programs unacceptable for various reasons so I chose my own path to follow![/quote]
    And that was?

    Wow, that's a lot of AV programs that you've written off as unacceptable, so I'm curious as to what you DID decide was the "one for you."

    BTW, Welcome to Woody's Lounge!

  7. #7
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    [quote name='cutedeedle' post='770686' date='15-Apr-2009 12:12']I just tested all the top rated ones, including Avira, and they all have a high number of false detections, they scan pretty slowly, they use up a lot of Windows resources, but the high rated ones are extremely accurate, unlike the "popular" ones such as AVG. So I guess you either choose accuracy or speed and a small footprint. Here's the testing web site:
    http://www.av-comparatives.org/[/quote]
    Are you a tester/writer for AV Comparatives?

  8. #8
    New Lounger
    Join Date
    Jan 2009
    Location
    Whidbey Island, Washington, USA
    Posts
    23
    Thanks
    2
    Thanked 0 Times in 0 Posts
    [quote name='jscher2000' post='770705' date='15-Apr-2009 13:28']Are you a tester/writer for AV Comparatives?[/quote]

    Nope. I just find their testing very interesting. It seems that what is extremely accurate at the highest setting is very slow to scan and has an unacceptably high rate of false positives, which I found to be quite true, after testing all of the ones rated excellent. For me, maybe not for everyone, what's the point of having an AV if it's not highly accurate? Then again, it's a trade-off between accuracy, scanning speed (not a deal breaker to me if I schedule a weekly in the wee hours) and false positives, which can be from real-time monitoring as well as the weekly or daily scans. So far the standalone AVs aren't acceptable, especially when you check out the virtual size, the working set, and the memory use. I just gagged on all of the above. Your mileage may vary!

  9. #9
    New Lounger
    Join Date
    Jan 2009
    Location
    Whidbey Island, Washington, USA
    Posts
    23
    Thanks
    2
    Thanked 0 Times in 0 Posts
    [quote name='Bigaldoc' post='770698' date='15-Apr-2009 12:47']And that was?

    Wow, that's a lot of AV programs that you've written off as unacceptable, so I'm curious as to what you DID decide was the "one for you."

    BTW, Welcome to Woody's Lounge![/quote]

    Thanks for the welcome. All the folks here are great! My solution isn't for everyone -- I chose the top rated firewall that also has an integrated AV -- Comodo Internet Security. I used to use AVG, then F-PROT. Dropped both of them.
    Here, check this out:
    http://www.matousec.com/projects/firewall-...nge/results.php
    One reason that made me switch from Online Armor Pro to Comodo is their included VPN software called Comodo TrustConnect. I've also tried various SSL and VPN solutions and this is really slick -- quick install, very easy to use, doesn't slow down internet browsing. The only downside for heavy surfers is you're limited to 10 GB a month. I use it only for wireless when I travel with my little netbook. Also, Comodo allows you to install Internet Security on all home computers for one price -- I think it's about $40 a year but that includes the VPN. Also, Online Armor has HIPS that was slowing things down. I have a Checkpoint hardware firewall so I don't need the HIPS, thus decided a change was for me.

    I also use SiteHound (paid version) for site warnings in FF, WinPatrol (paid version), Malwarebytes Anti-malware (paid version), GMER (a freebie), HiJackThis, Flashblock and NoScript, among others, in FF. Note that all of these programs have free versions that are perfectly acceptable. I just believe in supporting the developers by purchasing licenses for multiple computers.

    Yeah, I'm paranoid. Having been in the I.T. biz since 1969 and an I.T. Director for many years, I used to tell my staff the only safe PC is one that's turned off. I guess it's worked for me since I have never had a virus, malware, spyware, Trojan, worms etc.
    Time for a new line of work I think .......
