Scheduled virus scan could not handle some harmful items

leadhead
leadhead Posts: 7 Observer

Hi.... Just joined F-Secure after using Windows Defender for many years (with no problems).

After doing a full scan I got this message... "Scheduled virus scan could not handle some harmful items".

I have tried to find out what it is telling me but am not having much success... Can I delete it (the file)? Do I need to delete it? Why can't F-Secure handle it?... If it is dangerous, why hasn't it been dealt with, and if it's not dangerous, why the warning? If I do a Defender scan it doesn't show this problem at all. After all scans since the first one, I get the same message.... Is it possible for F-Secure to ignore this file if it isn't a problem?...

 

Thanks for reading my post

 

Bob

Comments

  • leadhead
    leadhead Posts: 7 Observer

    @Ukko wrote:

    Hello,

     

    I am only an F-Secure user (of their home solutions). This is just a discussion between community users:

     

    Hi... Thanks for your comprehensive reply... I will try to answer all the points.

    After doing a full scan I got this message... "Scheduled virus scan could not handle some harmful items".

    There is a difference between "Full Scan" and "Scheduled scan" (which is a kind of full scan too).

    So this prompt (?), shown as the notification "Scheduled virus scan could not handle some harmful items", is likely about a completed Scheduled scan.

    The result of a Full Scan is usually shown in the visible Scan Wizard UI, where it is possible to open the scan report.

     

    There is Online Documentation / Help:

    about "Full Scan" (steps):

    about "Scheduled scan":

    I didn't realise that there was a difference between a full scan and a scheduled scan... I've since done a full scan... The full scan finds the item, but in the end the outcome is the same. The scheduled scan reported that it "could not handle some harmful items", whereas the full scan (after it looked as though it was going to deal with it) reported that "it did not remove all harmful items"...

    I have tried to find out what it is telling me but not having much 

    Did you mean that you looked for the scan log report? Or that it was not useful?

     

    There is a place, "Recent events":

    where it is possible to find the list of "completed" scans and to open the "log-file" (scan result) for each of them.

     

    The scan log report gives brief information about "detected" items and some further details.

    Can I delete it (the file)? Do I need to delete it? Why can't F-Secure handle it?... If it is dangerous, why hasn't it been dealt with, and if it's not dangerous, why the warning?

    In general, it is good to check what the detected item is. You need to open the scan log report and read what it was.

     

    If the file / item is known and is not important to you, you can delete it and that is OK (a sufficient step).  I don't know what the file does, or whether deleting it will cause me further problems, but

    Yes, I can get into the log-file. The item it has found, it says, is "Potential Risk.PUA/CryptoMiner.Gen".... and the file it associates this with (which it appears to say it has SKIPPED) is.... C:\Users\  (and then)   Bob\AppData\Local\Mozilla\Firefox\Profiles\32os21da.default-1515779315977\cache2\entries\A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5\[1] A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5~: Skipped

     

    I have tried to get into the file to see what it is or does, but so far I am not having any luck, so really I didn't find the info the log-file gave me very useful. Actually, clicking on the PUA/CryptoMiner.Gen link in the log file takes me to a page that describes what the infection might be and what it could do... It also says that F-Secure has blocked it (if it has, why is it coming up on every scan?) and goes on to tell me about allowing it to run / excluding it, and then on to false positives.

     

    I've tried to trace back to the time and date when the file appeared, and I was in a hotel room using a fairly insecure connection...

     

    About F-Secure's inability to handle it. For example, if the detected item is inside a .zip file (or other archive / container), then F-Secure cannot handle it (at least, not in a proper manner), because deleting / quarantining the entire "container" is not an option, and automatic unpack / repack (cleaning) is not always a suitable action.

    Thus, it only reports that it was not possible to clean up the item. OK, I understand that.

     

    It is possible to read more explanations there:

    If I do a Defender scan it doesn't show this problem at all. After all scans since the first one, I get the same message.... Is it possible for F-Secure to ignore this file if it isn't a problem?...

    The file can be unknown to "Windows Defender" signatures.  OK

    Another possibility is a false positive detection by F-Secure engines (https://www.f-secure.com/en/web/labs_global/submit-a-sample - it is possible to submit the item for reanalysis there).

    In addition, F-Secure SAFE for Windows has exclusion lists:

    But excluding a detected item is only a temporary workaround. OK. If it is a false positive, it is good to contact F-Secure Labs for a re-rating. Otherwise, if the file is malicious / harmful, it is good to quarantine it or delete it.

     

    Sorry for my English! Could you come back with feedback if something is unclear?

     

    Your English is excellent..... and thanks again for your time..... Bob

     

    Thanks!


    (Forum notice: "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed.") I have had to add the words "(and then)" in place of the link to my desktop that I included.

  • Ukko
    Ukko Posts: 3,769 Superuser

    Hello,

     

    Hi... Thanks for your comprehensive reply... I will try to answer all the points.

    Thanks for your feedback!

     

    I didn't realise that there was a difference between a full scan and a scheduled scan... I've since done a full scan... The full scan finds the item, but in the end the outcome is the same. The scheduled scan reported that it "could not handle some harmful items", whereas the full scan (after it looked as though it was going to deal with it) reported that "it did not remove all harmful items"...

    Usually (but not always) the results of a full scan and a scheduled scan can be relatively close.

     

    It is possible to tune (tweak) some options for both types of scanning. For example, to scan inside zip files, or to scan only vulnerable types of files (those more likely to be malicious, or even just with the possibility of being so). But if the settings correspond to each other, then the result is practically the same (however, I think the scheduled scan has more opportunity to scan certain types of files; but I could not recommend launching a scheduled scan too often).

     

    The scheduled scan is also configured to make an automatic decision after scanning. This is the reason for "could not handle some harmful items": the F-Secure solution tried something, but it was not possible (or was not appropriate).

    The full scan waits for the user's chosen decision. As a result, the message is about an already completed action: "it did not remove all harmful items".

     

    But the different wording is probably due to the "long history" of the solution. One wording was used and then switched to another; for example, the scheduled scan was left with the previous wording.

     

    "Potential Risk.PUA/CryptoMiner.Gen".... and the file it associates this with (which it appears to say it has SKIPPED) is.... C:\Users\..\AppData\Local\Mozilla\Firefox\Profiles\....\cache2\entries\A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5\[1] A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5~

    Well, this detection name can refer to a JavaScript file (.js). Such a .js file can originally be located on a certain webpage.

    "PotentialRisk.PUA/CryptoMiner.Gen" reads as:

    -- "PotentialRisk" (an indication of potential risk rather than clear malware: it can be used by a legitimate owner with the user's clear consent, but misuse leads to a dangerous impact; that is the potential risk);

    -- "PUA" is a type of suspicious / malicious software (usually only potentially so): Potentially Unwanted Application. F-Secure has a policy about "how to understand that this is a PUA" (https://www.f-secure.com/v-descs/guides/classification_guide_pua.shtml)

    -- "CryptoMiner" is a certain type of PUA threat. So this item is about a cryptominer (mining cryptocurrency or related things). I think that, usually, it is still unwanted by the user.

    -- ".Gen" means that it is a generic detection. There is a higher possibility of a false positive: the trigger for detection can be too "broad", so a safe item gets marked as a cryptominer (because it looks like one). Or any threat of a certain type can be detected by this one generic detection (too powerful).

     

    Then, if I understand it right (I am not an experienced Firefox user), the detected item is located under the Firefox cache folder. Some resources of each visited page (almost each) are cached on the filesystem.

    A kind of temporary internet files.

    It is possible to clear the browser's cache, but the result is an "empty cache" and, for example, deleted cookies (authorization and so on): you need to log in again to some services if there was a "saved" session (and other session information).

     

    Perhaps this item "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5" is a file with no extension, and it can be a certain container. As a result, the first item of this container is "[1] A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5~", and it can be a .js file (JavaScript file) with certain functionality that somehow is a cryptominer, or something close to it.

     

    You can try to find it "manually" (open the destination folder) and look for this item "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5", or search the file system (local drive) for this name "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5". Then, for example, delete it.

    Otherwise, it is possible to try clearing the cache in the Firefox browser's settings.

     

    It also says that F-Secure has blocked it (if it has, why is it coming up on every scan?)

    The meaning is: even if the file is still on the filesystem, it is blocked. For example, any attempt by third-party software to access it is denied / blocked. The file remains (coming up on each scan), but the file itself is blocked (isolated against any touch, or restricted from doing something). This is part of real-time protection.

     

    I've tried to trace back to the time and date when the file appeared, and I was in a hotel room using a fairly insecure connection...

    So maybe you visited a certain page on which such an "item / file" was stored. If you visited only safe webpages (known / trusted), then maybe the insecure connection led to on-the-fly additions to the traffic. But that is a bit unlikely (I think).

    Maybe the item is a false positive. All in all, the current detection is only about a potential cryptominer. I can only suspect that it is a ".js" file, and it can be from anywhere (part of any website / webpage).

     

    If F-Secure was already active on your device (and the file was known to F-Secure Labs), then such a file should have been detected by real-time scanning during browsing: blocked / deleted, or prompted about.

    If it was Windows Defender at the time, then the file landed in the browser's cache and is still there. It sounds like a pretty static resource (not launched / not used), detected by F-Secure only by manual scanning.

    Thus, perhaps this is a file in a container that did not run on your system. But for sure it is good to inspect it more. The container (package) can be a zip file, archive, executable (.exe, .msi) or anything else.

     

    Sorry for my awkward explanation and suggestions.

    I do recommend trying to find the "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5" item on your filesystem manually at first (but do not try to launch it). Maybe try to delete it (I think it should not be a critical file, since it is in the browser cache and has a pretty temporary name).

     

    Thanks!
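
A practical follow-up to the advice above (find the item manually, but do not launch it), as an added example that is not part of the thread and not code from F-Secure or Mozilla: a Python script that reads a Firefox cache2 entry such as A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5 offline and reports where it came from. It relies on three properties of the cache2 entry format, which it checks rather than trusts: the last four bytes hold a big-endian offset to the metadata; the metadata carries the NUL-terminated cache key, which ends in the original URL, followed by a "response-head" element holding the response headers; and the file name is the uppercase hex SHA-1 of that key, which is why the name in the log is 40 hex digits. The URL, content type and body hash are what you would want before choosing between deletion and a false-positive submission. The entry written by build_sample_entry is constructed for the demo; the key, host and body are invented, and the script does not unpack the "[1]" child item the scanner reported.

```python
"""Triage a Firefox cache2 entry offline, without opening it in a browser.

Added example for this thread; not code from the thread, F-Secure or Mozilla.
Format assumptions (verified by the code, not taken on trust):
  * the last 4 bytes are a big-endian offset to the start of the metadata,
    and everything before that offset is the cached response body as stored;
  * the metadata holds the NUL-terminated cache key (ending in the URL) and
    then NUL-terminated element name/value pairs such as 'response-head';
  * the entry file name is the uppercase hex SHA-1 of the cache key.
"""
import gzip
import hashlib
import struct
import tempfile
from pathlib import Path


def split_key(key):
    """Return the URL part of a cache key such as 'a,:https://host/x.js'.

    Tags (e.g. 'a,' or a partition key) precede a ':' that sits directly
    before the URL. A URL scheme never contains ':', so the URL begins
    right after the last ':' that comes before '://'.
    """
    pos = key.find("://")
    if pos < 0:
        return None
    return key[key.rfind(":", 0, pos) + 1:]


def recover_key(chunk, filename):
    """Strip leading binary header residue from a decoded metadata chunk.

    The fixed-size header fields before the key are not NUL-separated from
    it, so the chunk may start with a few junk characters. The genuine key
    is the suffix whose SHA-1 equals the entry's file name.
    """
    for i in range(min(16, len(chunk))):
        suffix = chunk[i:]
        if hashlib.sha1(suffix.encode("utf-8")).hexdigest().upper() == filename:
            return suffix
    return None


def inspect_entry(path):
    """Parse one cache2 entry and return facts useful for triage or submission."""
    path = Path(path)
    raw = path.read_bytes()
    if len(raw) < 4:
        raise ValueError("too short to be a cache2 entry")
    meta_offset = struct.unpack(">I", raw[-4:])[0]
    if meta_offset > len(raw) - 4:
        raise ValueError("metadata offset points past end of file")
    body, meta = raw[:meta_offset], raw[meta_offset:-4]

    strings = [c.decode("utf-8", "replace") for c in meta.split(b"\x00") if c]
    candidate = next((s for s in strings if "://" in s), None)
    key = recover_key(candidate, path.name) if candidate else None

    # Response headers are stored as the value of the 'response-head' element.
    headers = {}
    for i, s in enumerate(strings):
        if s == "response-head" and i + 1 < len(strings):
            for line in strings[i + 1].split("\r\n")[1:]:
                name, sep, value = line.partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
            break

    # Bodies are kept as served; a gzip-encoded response starts with 1f 8b.
    decoded = gzip.decompress(body) if body[:2] == b"\x1f\x8b" else body
    return {
        "url": split_key(key or candidate or ""),
        "filename_matches_key": key is not None,
        "content_type": headers.get("content-type"),
        "body_sha256": hashlib.sha256(body).hexdigest(),  # for sample submission / lookup
        "body_size": len(body),
        "body_preview": decoded[:80].decode("utf-8", "replace"),
    }


def build_sample_entry(directory):
    """Write a constructed cache2-style entry (not a real capture) and return its path."""
    key = "a,:https://cdn.example.invalid/static/miner.js"  # constructed key, invented host
    body = gzip.compress(b"/* constructed sample body */ var worker = 1;")
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
            "Content-Encoding: gzip\r\n")
    meta = b"\x00" * 7 + b"\x2a"  # stand-in for the binary header fields before the key
    meta += key.encode() + b"\x00" + b"response-head\x00" + head.encode() + b"\x00"
    path = Path(directory) / hashlib.sha1(key.encode()).hexdigest().upper()
    path.write_bytes(body + meta + struct.pack(">I", len(body)))
    return path


def demo():
    """Build the constructed entry in a temporary directory and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        return inspect_entry(build_sample_entry(d))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as is to see the constructed demo, or call inspect_entry() on the real path from the scan log. A filename_matches_key of False means the file was renamed or is not a genuine cache entry, which is itself worth noting before submitting it to F-Secure Labs; the body_sha256 is the value to quote in that submission.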

  • leadhead
    leadhead Posts: 7 Observer

    @Ukko wrote:

    Hello,

     

    Hi... Thanks for your comprehensive reply... I will try to answer all the points.

    Thanks for your feedback!

     

    I didn't realise that there was a difference between a full scan and a scheduled scan... I've since done a full scan... The full scan finds the item, but in the end the outcome is the same. The scheduled scan reported that it "could not handle some harmful items", whereas the full scan (after it looked as though it was going to deal with it) reported that "it did not remove all harmful items"...

    Usually (but not always) the results of a full scan and a scheduled scan can be relatively close.

     

    It is possible to tune (tweak) some options for both types of scanning. For example, to scan inside zip files, or to scan only vulnerable types of files (those more likely to be malicious, or even just with the possibility of being so). But if the settings correspond to each other, then the result is practically the same (however, I think the scheduled scan has more opportunity to scan certain types of files; but I could not recommend launching a scheduled scan too often).

     

    I have a scheduled scan run every night at 2am.... Should I not do this?.... I notice that a scheduled scan scans 90k more items than the full scan.

     

    The scheduled scan is also configured to make an automatic decision after scanning. This is the reason for "could not handle some harmful items": the F-Secure solution tried something, but it was not possible (or was not appropriate).

    The full scan waits for the user's chosen decision. As a result, the message is about an already completed action: "it did not remove all harmful items".

     

    OK... I understand that.

     

    But the different wording is probably due to the "long history" of the solution. One wording was used and then switched to another; for example, the scheduled scan was left with the previous wording.

     

    "Potential Risk.PUA/CryptoMiner.Gen".... and the file it associates this with (which it appears to say it has SKIPPED) is.... C:\Users\..\AppData\Local\Mozilla\Firefox\Profiles\....\cache2\entries\A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5\[1] A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5~

    Well, this detection name can refer to a JavaScript file (.js). Such a .js file can originally be located on a certain webpage.

    "PotentialRisk.PUA/CryptoMiner.Gen" reads as:

    -- "PotentialRisk" (an indication of potential risk rather than clear malware: it can be used by a legitimate owner with the user's clear consent, but misuse leads to a dangerous impact; that is the potential risk);

    -- "PUA" is a type of suspicious / malicious software (usually only potentially so): Potentially Unwanted Application. F-Secure has a policy about "how to understand that this is a PUA" (https://www.f-secure.com/v-descs/guides/classification_guide_pua.shtml)

    -- "CryptoMiner" is a certain type of PUA threat. So this item is about a cryptominer (mining cryptocurrency or related things). I think that, usually, it is still unwanted by the user.

    -- ".Gen" means that it is a generic detection. There is a higher possibility of a false positive: the trigger for detection can be too "broad", so a safe item gets marked as a cryptominer (because it looks like one). Or any threat of a certain type can be detected by this one generic detection (too powerful).

     

    I understand that.

     

    Then, if I understand it right (I am not an experienced Firefox user), the detected item is located under the Firefox cache folder. Some resources of each visited page (almost each) are cached on the filesystem.

    A kind of temporary internet files.

    It is possible to clear the browser's cache, but the result is an "empty cache" and, for example, deleted cookies (authorization and so on): you need to log in again to some services if there was a "saved" session (and other session information).

     

    I've just looked in Firefox Blocked Content and I do have Cryptominers blocked.

     

    Perhaps this item "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5" is a file with no extension, and it can be a certain container. As a result, the first item of this container is "[1] A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5~", and it can be a .js file (JavaScript file) with certain functionality that somehow is a cryptominer, or something close to it.

     

    You can try to find it "manually" (open the destination folder) and look for this item "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5", or search the file system (local drive) for this name "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5". Then, for example, delete it.

    Otherwise, it is possible to try clearing the cache in the Firefox browser's settings.

     

    I searched for the file using just the item name above and found it. I attempted to do a virus scan on the file, but although it generated a log-file, it apparently couldn't scan the file itself (as you mentioned above)... I deleted the file from the search page, verified it had gone by searching for it again, then searched the Recycle Bin and found it there...

     

    It also says that F-Secure has blocked it (if it has, why is it coming up on every scan?)

    The meaning is: even if the file is still on the filesystem, it is blocked. For example, any attempt by third-party software to access it is denied / blocked. The file remains (coming up on each scan), but the file itself is blocked (isolated against any touch, or restricted from doing something). This is part of real-time protection.

     

    OK... I understand this.

     

    I've tried to trace back to the time and date when the file appeared, and I was in a hotel room using a fairly insecure connection...

    So maybe you visited a certain page on which such an "item / file" was stored. If you visited only safe webpages (known / trusted), then maybe the insecure connection led to on-the-fly additions to the traffic. But that is a bit unlikely (I think).

    Looking at the time the file was generated (9.30am).... The only things I would have been checking then would be my email and the BBC local weather... which I use regularly.

     

    Maybe the item is a false positive. All in all, the current detection is only about a potential cryptominer. I can only suspect that it is a ".js" file, and it can be from anywhere (part of any website / webpage).

     

    If F-Secure was already active on your device (and the file was known to F-Secure Labs), then such a file should have been detected by real-time scanning during browsing: blocked / deleted, or prompted about.

    If it was Windows Defender at the time, then the file landed in the browser's cache and is still there. It sounds like a pretty static resource (not launched / not used), detected by F-Secure only by manual scanning.

    Thus, perhaps this is a file in a container that did not run on your system. But for sure it is good to inspect it more. The container (package) can be a zip file, archive, executable (.exe, .msi) or anything else.

     

    Sorry for my awkward explanation and suggestions...

    I do recommend trying to find the "A234D41C0BCDB58A0E7A03AC22B6E4EEFEAB40E5" item on your filesystem manually at first (but do not try to launch it). Maybe try to delete it (I think it should not be a critical file, since it is in the browser cache and has a pretty temporary name).

     

    As I mentioned above, I've now managed to delete it. I will run a full scan now and see what happens.... Thanks very much for your time; I will read the links you have posted... I will mark this as "accept a solution".

     

    Thanks!...... Thank you


     

  • leadhead
    leadhead Posts: 7 Observer

    I spent 2 hours reading your post, looking at links, replying, deleting the affected file, thanking you, but made the mistake of pressing "accept solution" and my whole post disappeared from the screen.

     

    I understood everything you said, acted on your search suggestion and deleted the file.

     

    Thanks for all your help... I am so annoyed my post has disappeared...

     

    Regards and Thank you

     

    Bob

  • Laksh

    Hi @leadhead,

     

    I went through the Spam Quarantine and realised that your post had ended up there. I'm not quite sure why it ended up in the Spam Quarantine, but my guess is that it may be because of certain words, and that the spam quarantine wrongly recognised it as spam.

     

    I have released the post from there and it is now available in this thread. I have also unmarked your post as a solution so you can go ahead and mark the post which you feel as the right solution.

     

    Sorry for any inconvenience caused. Thank you for letting us know.

  • leadhead
    leadhead Posts: 7 Observer

    @Laksh wrote:

    Hi @leadhead,

     

    I went through the Spam Quarantine and realised that your post had ended up there. I'm not quite sure why it ended up in the Spam Quarantine, but my guess is that it may be because of certain words, and that the spam quarantine wrongly recognised it as spam.

     

    I have released the post from there and it is now available in this thread. I have also unmarked your post as a solution so you can go ahead and mark the post which you feel as the right solution.

     

    Sorry for any inconvenience caused. Thank you for letting us know.


    Hi Laksh.....

     

    Thanks very much for rescuing my "lost" post...

     

    I forgot to mention in my previous reply that I also submitted the file to F-Secure to see if they could detect anything in it, or whether it was a "False Positive".... I will post the results I get here, and then maybe accept Ukko's solution after I get those results..

  • Ukko
    Ukko Posts: 3,769 Superuser

    Hello,

     

    Sorry for the further discussion, but since your reply has been revealed... :)

     

    I have a scheduled scan run every night at 2am.... Should I not do this?.... I notice that a scheduled scan scans 90k more items than the full scan.

    There are these points to consider (and let us assume that the "protected" system is clean at the current minute):

     

    -- The proper design is that a malicious item just won't get into the system. F-Secure's protection layers (some of them) are as follows: if a website is known as a harmful page (or one with harmful items), then the webpage is blocked as harmful-rated; if the website is somehow rated as safe but there is a malicious item inside, then web traffic scanning should catch it. If the file is nevertheless saved / downloaded to the filesystem, then Real-time scanning should detect it. If not, it is always good to manually scan downloaded items (if the download was triggered by the user). If the file is even launched, then F-Secure DeepGuard can prevent it.

    So, for a malicious item to get into the system, it should be an "unknown" (as yet) item, or it has to pass all the preceding security layers.

    (There can be various limitations and exclusions, of course.)

     

    As a result, a scheduled scan:

    - either cannot detect anything (since it was detected on the fly or before);

    - or can detect a "static" remaining harmful-rated item. Because if it were a "dynamic" one, it would have to be launched; but if it was running, it should have been detected by the other security layers.

     

    Thus, a daily scheduled scan is not especially useful.

    In addition, more often you know when the system can be "idle", and can launch a Full Scan manually rather than scheduling it.

     

    But just because "Full Scan" and "Scheduled Scan" are slightly different things, it is possible to use the Scheduled scan too. My own configuration is "once every four weeks" at a certain hour/minute. But I skipped (at launch) most of the last ones, since I was using my system and planned to keep using it.

    Instead, I launch a Full Scan when I know that I will not need to use the system for some amount of time (enough for a full scan).

     

    Official Knowledgebase article about the related subject:

    with the recommendation "to perform a scheduled scans every 1-2 weeks." and some further information.

     

    -- Scanning takes some system resources. If it is unnecessary, it may be good to reduce the indirect consumption.

     

    All in all, it is OK to launch / schedule a Scheduled scan from time to time: as a double check against static remaining items (for example), or when the system really is always "turned ON" and the user rarely has the ability to launch a Full Scan at "idle" time (and then handle the result of the Full scan manually).

     

    I've just looked in Firefox Blocked Content and I do have Cryptominers blocked.

    That is good! Maybe the item detected by F-Secure is a false positive.

    Otherwise, Firefox's functionality can have certain limitations too, and some pieces are not blocked by the browser.

     

    ... it again, then searched the Recycle Bin and found it there

    In general, it is possible to clean the Recycle Bin (https://community.f-secure.com/t5/Common-Topics/How-can-I-clean-Recycle-Bin-from/ta-p/15408), or to delete it from there manually.

    Also, it is possible to delete files with the "Shift+Del" combo (choose the file and then use the "combo" instead of just "Del"). It will delete them practically completely (bypassing the Recycle Bin).

     

    Looking at the time the file was generated
    ... As I mentioned above, I've now managed to delete it. I will run a full scan now and see what happens

    ...
    I also submitted the file to F-Secure to see if they could detect anything in it, or whether it was a "False Positive"

    So maybe the item was from something "one-time" or from advertisements. A bit unclear, of course.

    Anyway, it is good that the situation is sorted out! And good if all turns out OK!

     

    Thanks!

  • leadhead
    leadhead Posts: 7 Observer

    @leadhead wrote:

     

    I forgot to mention in my previous reply that I also submitted the file to F-Secure to see if they could detect anything in it, or whether it was a "False Positive".... I will post the results I get here, and then maybe accept Ukko's solution after I get those results..

    Unfortunately the file I sent was corrupted and they could not analyse it. I deleted it after sending the sample, so cannot resend...

  • leadhead
    leadhead Posts: 7 Observer

    Thanks particularly to Ukko, and to everyone else who contributed to this thread.

This discussion has been closed.