HEUR / malware??


My Avira AntiVir®  PersonalEdition Classic is suddenly constantly
complaining about "HEUR/malware" in pexshell.dll for phrase express.
I think the complaint is BS so I tell it to ignore but it does not
remember and is a royal PIA.
What to do?

TIA

Lou

Re: HEUR / malware??

Lou wrote:

It's a mistake by Avira

Lou

Re: HEUR / malware??



|
| It's a mistake by Avira
|
| Lou

Based upon what ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HEUR / malware??

David H. Lipman wrote:

See my reply to puzzlemuscle.

Lou

Re: HEUR / malware??

Lou wrote:

Hi Lou, can you upload the file (pexshell.dll) to Antivir Lab for
further checking?

Please copy the file, zip it with password "infected" (without the
quotes)

and send it to virus@avira.com .

OR simply upload the zipped file at:
http://www.avira.com/en/support/submit_suspicious_files.html

Puzzlemuscle


Re: HEUR / malware??

Puzzlemuscle wrote:

Probably tomorrow AM, but I have received an email from Gunnar at Phrase
Express that Avira says it is their error.
You can get the file by d/l from http://phraseexpress.com/
I redid the d/l when the problem started popping up this morning and the
issue remained (it is still there).  I get an automatic update every
night so will see if the problem is gone tomorrow.

Thank you for providing info on uploading.

Lou

Re: HEUR / malware??

Puzzlemuscle wrote:

I tried and could not zip or copy the thing because it was in use.
I kept getting warnings so I finally told Avira to "quarantine" it. Now
it has disappeared.

I think I may find another AV program.  This one has become more
trouble than it is worth!

Lou

Re: HEUR / malware??

Lou wrote:

Hi Lou,
Sorry to hear that AntiVir is causing trouble in your system.
If you have not uninstalled Antivir yet, please follow the steps to zip
the file and upload it to their viruslab.

Double click the Antivir icon in the start-up bar.
Deactivate Antivir Guard
Click Quarantine and you should find the file in it.
Right click on the file and click "restore object to..." and restore it
to any place you like.
Zip the file with password: infected
Send/upload it to Antivir Lab.
Remember to activate Antivir Guard again !

If you do not want to submit the file to Antivir Lab, at least you
should:

Double click the Antivir icon in the start-up bar.
Click Quarantine and you should find the file in it.
Right click on the file and click "restore object" (this time without
"to").
If Antivir Guard alarms, click ignore.
If you wish, uninstall Antivir (although I do not recommend this, or
if you find a better antivirus),
so that your program [Phrase Express] can continue working smoothly.


If you do not want Antivir Guard to alert you because of this file, you
can add the file to the exceptions:

Double click the Antivir icon in the start-up bar.
Click Extra--> Configuration--> tick the square beside "Expert mode",

Click the + sign beside "Guard", Click the + sign beside "scan" -->
click "exception"--> add the file (pexshell.dll) to File objects to be
omitted for the Guard.

Click OK and Done! (Please note that I have never added any file/process
to the exception list, I do not know whether you will be successful or
not)

I hope this can help you.

Puzzlemuscle


Re: HEUR / malware??

Puzzlemuscle wrote:

Thanks for the time.  I followed the instructions to make an exception.

Will post back in a while with results.

Lou

Re: HEUR / malware??

Hi Lou,

Just something I forgot to tell you:
If you want to exclude the file in an on-demand scan (manual scan), you
have to repeat the configuration process in the Scanner part.

Double click the Antivir icon in the start-up bar.
Click Extra--> Configuration--> tick the square beside "Expert mode",

Click the + sign beside "Scanner", Click the + sign beside "scan" -->
click "exception"--> add the file (pexshell.dll) to File objects to be
omitted for the Scanner.

Click OK and Done!


Re: HEUR / malware??

Puzzlemuscle wrote:

Thanks.  I let it do a scheduled scan every night at 03:30, 1/2 hour
after the scheduled update.

Lou

Re: HEUR / malware??

Lou wrote:

Well your instructions on making an exception worked very nicely!!

Thank You!!!

I am now getting an occasional warning about the same "malware" in a thing
called A0040283.dll which I ignore.

I did use Google and found a post where someone sent another file to a
service that uses many scanners to check the file for a virus and Panda
thought it was suspicious.  All the others (about 20) said "no virus".
Poster thought it was a messed up heuristic scanner.  FWIW Antivir
itself has NO info on the "malware" :-((

Lou

Re: HEUR / malware??

Hi Lou,

I think the article you read is
http://forums.miranda-im.org/showthread.php?t=10519
As I have mentioned in some threads, Antivir is well known for its
False Positives.

But I still like Antivir because after you send the False Positive
files, they will take away the detection in a short time, 2-3 days,
maybe several hours for serious cases. After all, users can enjoy high
heuristic detection for free from Antivir to detect unknown viruses.

In your case (and many others as you read, actually one of my friends
has the same problem too), it may take a longer time since it is not a
signature detection, it is a heuristic detection which concerns the
scan engine.

Antivir had just updated its Engine on 30/8/06 when the potential false
positives took place, I think they added two problematic heuristic
detections including
HEUR/Malware and DR/Delphi.gen.

I hope they will fix their engine soon.

Concerning A0040283.dll, I guess it is a file under System Volume
Information, which is the folder that holds the backups for System
Restore. You are doing the right thing by choosing "ignore". Viruses
there cannot function. They will do no harm even if you do not delete
them. But once you restore your system to those restore points, you may
make them live again.


Re: HEUR / malware??

Puzzlemuscle wrote:

Thanks for all the help. Now that I understand how to make exceptions I
am going to stay with Antivir.  Also knowing that ignore is OK is
helpful for those items that turn up just once in a while.

Lou
Education is about knowing where to look for answers.

Re: HEUR / malware??

Lou wrote:


Hi Lou,

For "those items that turn up just once in a while", we should choose
"ignore" only when:
1.  the virus (suspicious file) is located under the System Volume
Information folder.
    (if you want to clean up the viruses there, you have to disable the
System Restore function and then re-enable it. By doing this, all your
system restore points will be lost.)

2.  we strongly believe a file is clean and will do no harm to our
computer, i.e. Antivir is making a false alarm.
The drawback of heuristic detection is making false positives: if
AntiVir alerts you about a virus infection, and the virus name has a
HEUR/- prefix or -.Gen suffix, it is possible that the file
is not infected. In this case, you should submit the files to Avira for
further checking, so that they can improve their engine/signatures or
add a new virus signature to the database.

If you do not know whether the files detected with heuristics are clean
or not, you should choose "quarantine".
For 4 reasons:
1. You can restore them and send the suspicious files to Antivir Lab.

2. Restore the files to their original places if Antivir tells you it is
not a virus at all.

3. If it is a virus, it cannot harm your computer.

4. Restore them and scan the files in multi-av-scanner websites, such as

http://www.virustotal.com
http://virusscan.jotti.org
http://scanner.virus.org

to see what other av-scanners find about the file.

In other "those items that turn up just once in a while" situations, we
should choose "quarantine" or "delete", when detections with the virus
names do not contain a HEUR/- prefix or -.Gen suffix, e.g.
TR/Spy.Banker.anv


Puzzlemuscle
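The triage rules Puzzlemuscle lays out above (a HEUR/ prefix or .Gen suffix means a heuristic verdict that may be a false positive, so quarantine and submit rather than delete; a signature verdict gets quarantine or delete) and the earlier point about files under System Volume Information (ignore, but remember they come back if that restore point is applied) can be written down as a small decision helper. This is an added example, not code from the thread, from Avira or from PhraseExpress. It assumes a hypothetical `path : detection-name` alert layout; the sample lines and the restore-point path (with a placeholder GUID) are constructed for the demonstration, and the only product-derived values are the detection names that appear in the thread.

```python
import re
from dataclasses import dataclass

# Constructed alert lines in a hypothetical "path : detection-name" layout.
# This is NOT real AntiVir log output; only the detection names come from the thread.
SAMPLE_ALERTS = [
    r"C:\Program Files\PhraseExpress\pexshell.dll : HEUR/Malware",
    r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0040283.dll : HEUR/Malware",
    r"C:\Windows\Temp\setup.exe : TR/Spy.Banker.anv",
    r"C:\Tools\app.exe : DR/Delphi.gen",
]

# Separator is " : " (spaces on both sides) so the drive-letter colon is not mistaken for it.
ALERT_RE = re.compile(r"^(?P<path>.+?)\s+:\s+(?P<name>\S+)\s*$")


@dataclass(frozen=True)
class Triage:
    path: str
    name: str
    heuristic: bool   # verdict came from heuristics/generic rules rather than a signature
    action: str       # "ignore" | "quarantine+submit" | "quarantine-or-delete"
    reason: str


def is_heuristic_name(name: str) -> bool:
    """Thread's rule: a HEUR/ prefix or .Gen suffix marks a heuristic or generic verdict."""
    n = name.lower()
    return n.startswith("heur/") or n.endswith(".gen")


def in_system_restore(path: str) -> bool:
    """True when the file lives under the System Volume Information folder (restore-point copies)."""
    normalized = path.replace("/", "\\").lower()
    return "\\system volume information\\" in normalized


def triage(line: str) -> Triage:
    """Map one alert line to the action the thread recommends."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    path, name = m.group("path"), m.group("name")
    heur = is_heuristic_name(name)

    if in_system_restore(path):
        # Cannot execute from there, but a later restore to that point brings it back.
        return Triage(path, name, heur, "ignore",
                      "restore-point copy: harmless in place; disable/re-enable "
                      "System Restore to purge it, at the cost of all restore points")
    if heur:
        # Possible false positive: keep a copy so it can be restored and submitted.
        return Triage(path, name, heur, "quarantine+submit",
                      "heuristic/generic verdict: quarantine, then restore a copy and "
                      "submit it to the vendor lab or a multi-scanner site")
    return Triage(path, name, heur, "quarantine-or-delete",
                  "signature verdict: treat as a real detection")


def triage_all(lines):
    return [triage(line) for line in lines]


def summary(lines):
    """Count alerts per recommended action, e.g. for a nightly scan report."""
    counts = {}
    for t in triage_all(lines):
        counts[t.action] = counts.get(t.action, 0) + 1
    return counts


if __name__ == "__main__":
    for t in triage_all(SAMPLE_ALERTS):
        print(f"{t.action:20} {t.name:18} {t.path}\n    {t.reason}")
    print(summary(SAMPLE_ALERTS))
```

The helper deliberately never recommends an exclusion: the thread treats "ignore" for a file outside System Volume Information as a judgement call made only after the vendor or a multi-scanner check has said the file is clean, and that decision stays with the person, not the script.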


Re: HEUR / malware??


Puzzlemuscle wrote:

Finally I want to apologise for any inconvenience caused when reading
my replies.
English is not my mother tongue and there are some typing mistakes.

Puzzlemuscle


Re: HEUR / malware??

Hi Lou,

You need to tweak Antivir for maximum protection.

AntiVir Configuration Guide for Version 7 for maximum protection

1. Double click the red umbrella at bottom right corner of the desktop
2. Click Extras--> Configuration
3. Check Expert mode at the top left corner
4. Click Scanner
5. Select All files, ensure all the squares in this page are checked.
6. Click the + sign beside Scanner to expand the table
7. Click Archives, ensure all 4 squares in the middle of this page are
checked.
8. Click Heuristic, ensure there are ticks in the squares on the right
hand side and choose high detection level.
9. Click Guard, select Scan when reading and writing and All files
10. Ensure all squares in this page are checked
11. Click the + sign beside Guard to expand the table
12. Click the + sign beside Scan to expand the table
Click Heuristic, ensure all the squares are checked and choose High
detection level.
13. Click the + sign beside General to expand the table
14. Click Extended threat categories
15. Click Select All in the middle of the page.
16. Click OK at the bottom of the page to save your Configurations


Just for your information only.
Note:
1. Choosing High detection level may increase the no. of false alarms.

2. Choosing "Scan when reading and writing and All files" in Guard may
slow down some computers.

The above problems do not affect me.

Puzzlemuscle


Re: HEUR / malware??

Puzzlemuscle wrote:

Will study this all later.

Thank You.

Lou

BTW PhraseExpress - the original cause of the complaint - is a very neat
program and is free, at the web site of the same name.

Re: HEUR / malware??

Puzzlemuscle wrote:

Puzzle,

Your English is fine and you are a pretty good typist :-))
If you are really concerned about typos use the spell checker in your
posting program.
Much more importantly, your information has been and is very helpful!
I am saving all the replies.

Your posts are making me very happy I found this group.

Lou (Who was a Netscape Champion about 10 years ago)
Education is about knowing where to look for answers.
