Internet Security finds a trojan but will not clean it

JackJack Posts: 63

Every time Internet Security finds a virus, it skips doing anything about it; that is, it does not delete it, nor does it quarantine it. I must use Malwarebytes to quarantine the virus. Just thought I would report this and hope something can be done. I have a picture of the scanning report attached; I hope this can be fixed. It has happened 4 or 5 times over the past month.


Answers

  • UkkoUkko Posts: 2,999 Superuser

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions).

    Based on your screenshot:

    • The detected item was an "Attachment". Perhaps a spam letter (sent automatically) or a harmful letter in your inbox: an email(?) letter with additional attached files.
    • Then I am not sure about the 'structure' of this path, but perhaps the detected item is located inside a compressed (archived) container holding all received attachments, or even emails (a kind of local database of your mail client). So, in your screenshot it is a ".tgz" file, which can have different content inside it.
    • This 'file' (container / archive / zipped or compressed file) contained a "_pdf.exe" item. So it sounds like the file tried to look like a "PDF" document, but the extension is ".exe". So this is clearly an executable file and a malicious (rogue / spam / harmful) letter with the intention of misleading the user with words about a PDF document (so they open it), while it will actually launch an 'unknown' executable file. Pretty dangerous.
    • The "Trojan.TR/Crypt.XPACK.Gen2" detection name refers to generic rules / triggers. So there can be false positives when a detection is generic, but that is quite rare with such a background. So perhaps it is indeed a malicious attachment with an unknown payload. For example, there is a description for a threat where "Trojan.TR/Crypt.XPACK.Gen" (but not ".Gen2") is one of the aliases: www.f-secure.com/v-descs/trojan_w32_dnschanger_arnf.shtml

    It is good to be careful and not open any unknown or suspicious letters (or even ones marked as spam or that look like spam based on the title / other information). And surely do not launch / open any strange attachments.

    Why F-Secure cannot autodelete or quarantine this detected item:

    The detected file is "pdf.EXE". Only this one. But the item is located inside a container/file (.tgz). So, to remove it or quarantine it, 'unpacking / repacking' or something similar would be needed. Probably it is impossible (in this situation) or not suitable (unsafe / tricky). Deleting the entire archive/container (.tgz) is not an option, since there can be useful and wanted content.

    The situation is partly discussed here:

    • community.f-secure.com/discussion/31309/viruses-were-found-but-were-not-automatically-cleaned-what-can-i-do

    and further related articles:

    • community.f-secure.com/safe-en/kb/articles/6246-how-to-remove-malicious-files-viruses-malware-manually-f-secure-safe-internet-security-did-not-remove-them-automatically

    So you could try to empty your "spam folder" in your mail client, or remove such files manually (not recommended in this situation).

    In general, it should be possible to understand which letter has the troublesome attachment. Perhaps you can try to reach out to their official Support channels (for example, web chat) for proper assistance with this situation:

    • www.f-secure.com/en/home/support/contact

    Thanks!

    Sethu
  • JackJack Posts: 63

    Thank you for the reply. I followed up using Malwarebytes and Malwarebytes quarantined the virus okay. If Malwarebytes can do it, I would think F Secure could do it.

    Ukko
  • UkkoUkko Posts: 2,999 Superuser

    Hello,

    Malwarebytes quarantined the virus okay. If Malwarebytes can do it, I would think F Secure could do it.

    So, perhaps this assumption is logical. At least as a general situation (since there are anyway differences in the technologies and techniques used, and the set of abilities for a certain action can differ).

    However, was your sentence based on the situation from the screenshot? If so, is the quarantined item only the .exe file, or the entire .tgz?

    If the full 'container' (?) is quarantined (and as a result all content inside; if it is an email database, then all emails from the archive), then it looks like this is a decision by F-Secure's design.

    Since there is the following explanation:

    https://community.f-secure.com/discussion/31309/viruses-were-found-but-were-not-automatically-cleaned-what-can-i-do
    

    ...

    Reasons for not deleting an infected file can be:

    The file is inside an archive. In that case we would have to delete the complete archive to remove it, including all clean files therein.

    Despite the fact that the term used is "deleting", the quarantine action (not the "removal/delete" action) will actually also isolate the clean files, but temporarily, with the ability to restore them. I am not sure whether the quarantine option is applied there with the F-Secure solution.

    By the way, when a scan by F-Secure is completed, the Scan Wizard shows a post-scan dialog screen listing all detected items. It is possible to choose each one and check which action is available and suitable for you. If nothing is available (only skip), then there should be an explanation.

    Actually, one more point: if it was possible to choose "remove" or "quarantine" but the action was not completed, then maybe the file was indeed temporary or 'locked' by the system.

    In general, if the ".tgz" (container / archive / zipped / compressed item) is not rated as harmful and only one item inside it is rated as malicious, then the file is actually already isolated as such. If you do not unpack it or try to access the attachment, then the system is safe. However, deleting it is still useful. That is not an option to perform automatically, but it can be done manually if the archive / container is not needed.

    In your situation it may be enough to clean up the spam/junk folder (maybe).
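    The post above explains that a single member inside a .tgz cannot be cleaned in place without unpacking and repacking the archive, and that deleting the whole archive would discard clean content. The following Python script is an added example (not F-Secure's or Malwarebytes' code, and not from the thread) showing what that manual unpack/repack looks like: it builds a constructed sample archive containing two clean attachments and a file named invoice_pdf.exe (placeholder bytes, not malware), flags members whose names are executables dressed up as documents (the "_pdf.exe" pattern from the screenshot), copies them into a quarantine directory, and rewrites the archive without them. The suffix list, the sample member names and the quarantine layout are assumptions for illustration only.

```python
"""Added example (not F-Secure's code): the manual unpack/repack a defender would
perform when one member of a .tgz archive is flagged. Flagged members are copied
to a quarantine directory and the archive is rewritten without them, so the
clean attachments survive."""
import io
import os
import tarfile
import tempfile

# Assumed rule: a document-looking name that actually ends in .exe (e.g. "invoice_pdf.exe").
DOC_MASQUERADE_SUFFIXES = ("pdf.exe", "doc.exe", "docx.exe", "xls.exe", "xlsx.exe")


def is_masquerading_executable(name: str) -> bool:
    """True when the file name is an executable dressed up as a document."""
    base = os.path.basename(name).lower()
    return any(base.endswith(s) for s in DOC_MASQUERADE_SUFFIXES)


def build_sample_archive(path: str) -> None:
    """Construct a sample mailbox-style .tgz: two clean attachments plus one
    'invoice_pdf.exe' with placeholder bytes (constructed content, not malware)."""
    members = {
        "inbox/attachments/report.pdf": b"%PDF-1.4 clean placeholder",
        "inbox/attachments/notes.txt": b"plain text",
        "inbox/attachments/invoice_pdf.exe": b"MZ placeholder bytes",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def list_suspicious_members(archive_path: str) -> list:
    """Scan-only pass (what the AV report shows): names of members matching the rule."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and is_masquerading_executable(m.name)]


def quarantine_and_repack(archive_path: str, quarantine_dir: str) -> dict:
    """Unpack/repack: move flagged members to quarantine_dir (renamed with a
    .quarantined suffix so they cannot be launched by accident) and rewrite the
    archive without them. Returns {"quarantined": [...], "kept": [...]}."""
    os.makedirs(quarantine_dir, exist_ok=True)
    quarantined, kept = [], []
    tmp_path = archive_path + ".tmp"
    with tarfile.open(archive_path, "r:gz") as src, tarfile.open(tmp_path, "w:gz") as dst:
        for m in src.getmembers():
            if m.isfile() and is_masquerading_executable(m.name):
                data = src.extractfile(m).read()
                qname = os.path.join(quarantine_dir, os.path.basename(m.name) + ".quarantined")
                with open(qname, "wb") as fh:
                    fh.write(data)
                quarantined.append(m.name)
                continue
            # Clean member: copy it unchanged into the new archive.
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
            kept.append(m.name)
    # Only swap the archive in once the rewrite completed successfully.
    os.replace(tmp_path, archive_path)
    return {"quarantined": quarantined, "kept": kept}


def demo() -> dict:
    """Run the whole flow in a temporary directory and return what happened."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "mail_attachments.tgz")
        build_sample_archive(archive)
        before = list_suspicious_members(archive)
        result = quarantine_and_repack(archive, os.path.join(d, "quarantine"))
        after = list_suspicious_members(archive)
        return {"before": before, "after": after, **result}


if __name__ == "__main__":
    print(demo())
```

    The rewrite is done into a temporary file that replaces the original only after every clean member has been copied, which is the part an AV product must get right before it can offer "quarantine" on an archive member; until then, the archive itself is the container that keeps the flagged file from running, as the post notes.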

  • JackJack Posts: 63

    Thank you, but I don't really understand why the virus was not cleaned. I know very little about computers; I am 75 years old.
