Win new. External scan: worm. F-secure: nothing.

Dear all,

without Internet connection,

I have installed my Windows 7 system completely new,

added a Dr Windows update pack (= a German website which periodically summarizes the latest Windows updates so they can be installed offline),

connected to the Internet,

installed F-Secure (btw, it’s a pity that a security software cannot be installed offline and get its latest updates later!)

did Windows update several times until no further updates have been announced.

Then I booted my system externally with a Bitdefender USB stick and checked the system with Kaspersky, Avira, ClamAV (Bitdefender was expired). The computer was connected to the LAN so the newest updates could be loaded. Kaspersky and Avira did not find anything. ClamAV did find worm.Allaple-319.

More in detail: Media/…/PgrogramData/F-Secure/FSAUA/guts.sp.f-secure.com/content/aquawin32/1397272660/cevakrnl.rv0 => bd: kav: clam: worm.Allaple-319 avira:

Then I started my computer normally into Windows and did a scan with F-Secure – and it did not find anything.

Do I have a worm, yes/no? If yes, the situation is quite clear for me, I will reset the system from the beginning. But how could I get this so quickly, or in other words, how can I avoid it at the next installation? Note: the only online time is for F-Secure and Windows update (ok, this took almost 4 h). No browsing, no other software installation.

Thanks & Regards

mw

Comments

  • Ben Posts: 2,641 F-Secure Product Expert

    Hello Mwmw,

    The detection seems to have been done in the F-Secure folder. This therefore could be Avira detecting our virus definitions: a false positive.

    More in detail: Media/…/PgrogramData/F-Secure/FSAUA/guts.sp.f-secure.com/content/aquawin32/1397272660/cevakrnl.rv0 => bd: kav: clam: worm.Allaple-319 avira

    That would also explain why our own Anti-virus doesn't detect it.

    To confirm that your machine is clean, and for peace of mind, you might want to run the Online Scanner tool.

    You can also submit the detected file to our lab for confirmation.

    You can find information about the specific detection on the following page.

    http://www.f-secure.com/v-descs/allaple_a.shtml

    Note that Net-worm:W32/Allaple.A is a powerful polymorphic worm that can spread over the Internet and over Local Area Networks (LAN).

    So despite having been connected to the Internet for a limited amount of time, the connection to a LAN could be at the origin of an eventual infection.

  • mwmw Posts: 11

    Hello Ben, thanks for answering / supporting. Together with this http://community.f-secure.com/t5/Security/Full-scan-in-only-10-min/td-p/48841 I now have some hints and tasks. I will continue in this thread as the headline better supports the coming questions. Inputs for this are taken from the above link/thread.

    1) But 1st I have a question for this

    The detection seems to have been done in the F-Secure folder. This therefore could be Avira detecting our virus definitions: a false positive.

    More in detail: Media/…/PgrogramData/F-Secure/FSAUA/guts.sp.f-secure.com/content/aquawin32/1397272660/cevakrnl.rv0 => bd: kav: clam: worm.Allaple-319 avira

    I was also wondering that the path states "F-Secure ..." Does this mean that F-Secure already put this on hold (quarantine)? But if so, shouldn't I be able to see this under F-Secure / Computer Security / Tools / Quarantäne?

    2) Based on the inputs from the above mentioned link and the hint that the worm might spread to other computers via LAN, I did check

    Laptop - this was the new installation (and the reason for starting this thread) and

    Desktop PC - which was already set up, but (of course) also on the LAN

    For F-Secure I used:

    - F-Secure Internet Security 2014

    - update via starting F-Secure / F-Secure / check on available updates

    - scan via F-Secure / Computer Security / erweiterter scan / full scan of computer

    - following the given recommendations I did it this time with the parameter settings

    • Uncheck - Search only known file types
    • Check - Search compressed files
    • Check - Use advanced heuristics

    2a) Result Laptop

    - nothing found with F-Secure

    - herdProtect did complain about ... local/temp/drwindows_update.exe

    4 engines did find this. But here I have some doubt as this is a serious, long-existing support website. So maybe the engines are wrong? herdProtect then stopped and suggested to start the scan again in 2 hours as there is "something on cloud". Strange.

    However I'm not convinced that the system is clean. And even if F-Secure did detect something, see item 1), I don't like the idea that I have a "polluted" system.

    And sorry, but this is absolutely new for me, can I trust this online scanner? I have bad feelings when loading such engines and allowing them to scan my system. Sorry!

    At the end for sure I will again try to set up the Laptop again. Because I want to have a clean image for later re-settings. But how to assure that next time goes right?

    2b) Result Desktop

    On the Desktop computer F-Secure did find 4x Trojan.Generic.8057389.

    The problem I have: I can not delete these files as "the infected file is in an archive" --> I should open and delete manually. But even with right mouse click I do not get the full path information - the window is too small. And with the readable names I also can not find it. What to do here?

    Thanks!

    Regards

    mw

  • Ukko Posts: 3,160 Superuser

    Hello,

    Sorry that I answered here (just because - probably it's better - if there will be an answer from the F-Secure team), but anyway:

     - about "worm.Allaple-319" - it's more related with "updates" - not about "quarantine-storage";

    Possibly some kind of false-positive about update-files/signatures etc.

    But... here it is already indeed better to use F-Secure SAS (where F-Secure specialists check the situation/sample of the file);

    cevakrnl.rv0 - current file/sample, which is probably related with one of the "signature"/virus-definition-database-files;

    Situation can be related with the next points: "during update-process for F-Secure" - detected that "temp"-file;

     - about Online Scanners...

    It can be helpful - if the system has some kind of rootkit or malware, which can be hidden from "known protection-programs" - but can be without "hidden-status" for any online scanners (which from time to time are able to re-name and launch);

    Practically without much difference from any "traditional" protection software - but if talking about the "modern" ones; Some companies.... already use just "cloud/online"-protection (which is not always good);

    Here you already need to check that you download from an official source and that it has valid certs (signed) etc;

    In common it means - without any troubles for your system or user data - but if you don't need that - probably better - not to use that.

     - about Trojan.Generic.8057389.....

    Probably you can visit the F-Secure quarantine storage or "Computer Security-Settings-History of spyware and viruses" - where you can re-size any directory-paths and check the information.

    And during that in "archive" - it can be close to "safe"; If you don't need that detected file - better delete the archive without unpacking.

    But maybe I just wrongly understand the current trouble and the readable-place about detected files. Also after the scan-process you are able to check the log-report about....

     about also that "detection" - can be generic-descriptions for suspicious archives; and your current detected files... can be with archives about any software/many software/ pack of something etc. If it's not from a known and totally good source - it can be with malicious "payload" in some places. But anyway - for first - you must find... which files certainly were detected (archives - if those detected items... indeed all zipped);

     - about situation...

    Are you certain you can trust Dr.Windows? Or the current "file", which you have about that?

  • mwmw Posts: 11

    Thanks Ukko!

    A) Regarding the Laptop, I have started a new installation - with the update pack from here

    http://www.drwindows.de/windows-7-updates-and-patches/15232-windows-7-update-pack-by-drwindows-version.html

    To answer your question: I'm quite confident that this is a safe site. However I did scan all downloads for the Laptop - driver and update pack - on the Desktop PC with F-Secure. No finding. But: when I want to scan a certain folder the option "full scan" is not offered!

    My question on my installation procedure: whenever I want to check if I have again a virus, malware, ... I need to go online. So I do all installations -

    1) offline: Windows, driver, update pack

    2) then MUST go online for F-Secure installation and update, followed by multiple runs of Windows update

    3) then, having finished the installation, can at the earliest check online with different scanners and F-Secure again

    From my point of view the mistake starts at 2) - going online when the update situation is still not updated.

    But probably no choice? Or?

    So it is only by chance if I will detect a virus, malware, ... again?

    This cannot be. How do experts do this installation procedure?

    B) Regarding Desktop

    I assume I did find the file/path. To confirm this I need to redo the scan. Will post the result.

    Thanks & Regards

    mw

  • NikK Posts: 935 Rock Star

    If only ClamAV found something I would question that. You can upload that file to https://www.virustotal.com/ to get it scanned with 50+ AVs. In case it's not a false positive, here's what I'm thinking:

    Are you behind a NAT router? If so, you should be protected from "incoming" threats during installation. If you control the LAN you could disconnect all other devices from it during installation, so you're sure you don't get infected from another device.

    Are you sure Dr Windows and the USB boot stick are clean? (I assume you have legitimate Windows installation media)

    I wouldn't take a chance with something like Dr Windows just to save time. And if you skip Dr Windows I don't see a need for booting with the USB stick to scan the computer, right?

    I would isolate the LAN, install Windows, all Windows Updates, and then F-Secure.

    No need for Dr Windows or booting from a USB stick ;)
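The result line in the opening post (`... => bd: kav: clam: worm.Allaple-319 avira:`) and NikK's point that a hit from one engine out of many deserves scepticism can be turned into a small triage routine. The following is an added example, not code from this thread or from F-Secure: it parses result lines in that format and rates each hit by engine consensus and by whether the file sits inside an anti-virus definition store, which is where a second scanner most often trips over another product's signatures. The engine-tag table, the definition-store path markers and the second (constructed) sample line are assumptions made for this example.

```python
"""Triage of rescue-disk scan result lines by engine consensus.

Added example (not from the thread or from F-Secure). Result lines follow the
format printed in the thread:

    <path> => bd: kav: clam: worm.Allaple-319 avira:

Each engine tag is followed by its detection name, or by nothing if that
engine considered the file clean. The engine tag table and the
definition-store path markers below are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Engine tags as they appear in the thread's result line (assumed mapping).
ENGINES = {"bd": "Bitdefender", "kav": "Kaspersky", "clam": "ClamAV", "avira": "Avira"}

# Path fragments marking an anti-virus product's own signature/update store.
# Such files legitimately contain malware patterns and are a classic source of
# false positives when a second scanner reads them. Constructed list: FSAUA is
# the F-Secure update directory named in the thread, the rest is illustrative.
DEFINITION_STORE_MARKERS = ("/f-secure/fsaua/", "/clamav/", "/avira/")


@dataclass
class ScanHit:
    path: str
    # engine tag -> detection name; "" means that engine reported the file clean
    detections: dict = field(default_factory=dict)

    @property
    def flagging_engines(self):
        return [tag for tag, name in self.detections.items() if name]

    @property
    def in_definition_store(self):
        normalised = self.path.replace("\\", "/").lower()
        return any(marker in normalised for marker in DEFINITION_STORE_MARKERS)


def parse_scan_line(line):
    """Split '<path> => tag: name tag: ...' into a ScanHit."""
    path, sep, verdicts = line.partition("=>")
    if not sep:
        raise ValueError("scan line has no '=>' separator")
    hit = ScanHit(path.strip())
    current = None
    for token in verdicts.split():
        tag = token.rstrip(":").lower()
        if tag in ENGINES:
            current = tag
            hit.detections[current] = ""
        elif current is not None:
            # Not an engine tag, so it is the detection name of the last engine
            # (names carry no spaces in this format).
            hit.detections[current] = token
    return hit


def triage(hit):
    """Return (verdict, reasons) for one ScanHit.

    Verdicts: clean, likely-false-positive, needs-confirmation, likely-malicious.
    """
    flagged, total = len(hit.flagging_engines), len(hit.detections)
    reasons = [f"{flagged} of {total} engines flagged the file"]
    if hit.in_definition_store:
        reasons.append("file sits inside an anti-virus definition/update store")
    if flagged == 0:
        return "clean", reasons
    if flagged == 1 and hit.in_definition_store:
        reasons.append("submit the sample to the product's lab (F-Secure SAS in the thread) "
                       "and get a multi-engine opinion before re-imaging")
        return "likely-false-positive", reasons
    if flagged * 2 >= total:  # a majority of engines agree
        return "likely-malicious", reasons
    return "needs-confirmation", reasons


def triage_lines(lines):
    """Map each result line to (path, verdict)."""
    return [(hit.path, triage(hit)[0]) for hit in map(parse_scan_line, lines)]


# Constructed sample input: the first line is the one reported in the thread,
# the second is invented to show a majority-consensus hit on a user file.
SAMPLE_LINES = [
    "Media/…/PgrogramData/F-Secure/FSAUA/guts.sp.f-secure.com/content/aquawin32/1397272660/cevakrnl.rv0"
    " => bd: kav: clam: worm.Allaple-319 avira:",
    "Media/…/Users/mw/Downloads/tool_setup.exe"
    " => bd: Trojan.Sample.A kav: Trojan.Win32.Sample.b clam: Win.Trojan.Sample-1 avira:",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, reasons = triage(parse_scan_line(line))
        print(verdict, "<-", "; ".join(reasons))
```

The thresholds are deliberately simple: one engine alone inside a signature store is the false-positive pattern described above, a majority of engines on a user file is treated as real, and everything in between is sent for confirmation rather than acted on.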

  • mwmw Posts: 11

    Thanks NikK!

    Yes, only ClamAV did find it, but I could not find the file. Anyway. As I did start to re-install, this infected file is gone. Maybe it comes again ;) but hopefully not.

    I'm behind an updated Fritzbox, yes. And I have LAN control and can/will switch off all other devices next time.

    For Dr. Windows and the boot stick I feel 98% safe, and yes, Windows is legally my own; I also did do telephone registering, because I want to stay offline as long as possible during setup.

    Agree that it might be better to trust only Windows update instead of Dr. Windows. But my thinking is the other way round: Dr. Windows shortens the online time to get up to date. But your statement is: this doesn't matter. Even if I need 8 online hours instead of 4 online hours during setup to get all updates, this does not increase the risk drastically? Did I get it right?

    One thing you are right about: driver downloads, Dr Windows download ... I do on the Desktop PC, scan them on the Desktop PC, transfer to a USB stick and install on the Laptop (or the other way round). As the Desktop PC has shown 4 infections, but not the worm(!), this might be a risk. But how to overcome it? The only way would be to download the driver from the clean Laptop setup after all updates are done, but I have learned that driver installation should be one of the 1st actions?

    Thanks & Regards

    mw
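For the USB transfer step described in the post above (download and scan on the Desktop PC, copy to a stick, install on the Laptop), here is an added example that is not from the thread or from F-Secure: a SHA-256 manifest written on the Desktop right after the scan and verified on the Laptop before anything is installed. It does not find malware; it only proves that the files being installed are byte-for-byte the ones that were scanned, so the stick and the copy step can be ruled out as the point where something changed. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""SHA-256 manifest for files carried on a USB stick between two machines.

Added example (not from the thread or from F-Secure). The desktop writes the
manifest right after scanning the downloads; the laptop verifies it before
installing anything. It proves integrity of the copy only, not absence of
malware. Directory layout and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large driver/update packs do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file below root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def verify_manifest(root, manifest):
    """Compare the stick's current contents with the manifest.

    Anything modified, missing or unexpected is reported; an empty report
    means the files are exactly what was scanned.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def is_intact(report):
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo():
    """Constructed round trip: write stick contents, record, tamper, re-check.

    Returns (report_before_tamper, report_after_tamper).
    """
    with tempfile.TemporaryDirectory() as stick, tempfile.TemporaryDirectory() as keep:
        files = {
            "drivers/lan_driver.exe": b"constructed driver payload",
            "updatepack/update_pack.exe": b"constructed update pack payload",
            "fsecure/fs_installer.exe": b"constructed installer payload",
        }
        for rel, data in files.items():
            full = os.path.join(stick, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)

        # Desktop side: scan finished, record what was scanned (manifest kept off the stick).
        manifest_path = os.path.join(keep, "usb_manifest.json")
        save_manifest(build_manifest(stick), manifest_path)

        # Laptop side, untouched stick: everything matches.
        before = verify_manifest(stick, load_manifest(manifest_path))

        # Simulate a changed update pack and an extra file that was never scanned.
        with open(os.path.join(stick, "updatepack", "update_pack.exe"), "wb") as handle:
            handle.write(b"constructed update pack payload, altered")
        with open(os.path.join(stick, "autorun.inf"), "wb") as handle:
            handle.write(b"[autorun]\n")
        after = verify_manifest(stick, load_manifest(manifest_path))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("untouched stick intact:", is_intact(before))
    print("after tampering:", after)
```

Keep the manifest off the stick (mail it to yourself, or copy it on a second medium); a manifest that travels with the files it vouches for can be rewritten together with them.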

  • Ukko Posts: 3,160 Superuser

    About offline installation.....

    Possibly you can try to create a ticket for F-Secure support about that situation and ask about an "offline installer";

    Also you can create something like a LiveCD/RescueCD - F-Secure has one realization too (Knoppix-based); But here also online-databases downloading, but maybe here http://www.f-secure.com/en/web/labs_global/removal-tools in the part about "databases" - there is an available option to download databases on a system with network-connection and check another system without network-connection.

    ---------------------

    About situation:

     I - first trouble was about worm - but practically it's totally related with false-positive about signature/update by F-Secure. It can be - but it's really strange. But anyway - it can not be really critical..... if you can be sure in the other sides (like you already wrote);

    And it means - it was probably a one-time false-positive detection, but it can be repeating... and can be just in strong settings for that. More related without any risk for the system.

    II - Anyway - F-Secure installation can take a lot of time - all downloaded/installed.... it can take time.....

    And maybe just that point has not good things.

    Security status about downloading/installing by network.... related with some kind of "more security-level and protection" for safe-status about downloaded files. Practically it can not be something bad with network-installation or network-updates...... If F-Secure works without any troubles. Can be trouble - just if any malicious files blocked F-Secure, but it must be well visible.

    And it means - your laptop with network-connection during F-Secure installing is probably almost close to totally safe.

    Also after end of installation - F-Secure already protects the system (but you must be sure... that you have the Firewall in turned-on status); And also here can be good - go to F-Secure Settings (when all modules are downloaded/installed) of Computer Security - and check that.... and if you want to change some points to a higher protection-level.

    III - After that - you can launch Full-Scan (indeed it's able just "full" - not for any part of; you can also choose Fast Scan or Manual Scan for files/or related option - Scan for user's choice);

    That can be enough.

    But..... if you want to be sure that - all is OK in the system.... you probably need to do the next things:

     - use another protection-scanner (which can not be related with F-Secure engines or it will be just double) like.... I can write... example... like NOD32 (here can be detected any PUPs/Riskware... which F-Secure can ignore... because it's not active malicious);

     - use something against rootkits like..... any specific scanners (but I can not recommend anything...... because all of them - can be worst; and F-Secure has a rootkit-scanner.... which must work well); Or.... something like LiveCD/RescueCD - that is practically in all protection-companies like a "public tool";

    It can be interesting - just can detect some hard-to-detect items in the system.

    But practically..... if you don't have any visible troubles with the system - All OK.

     IV - Desktop has four suspicious/malicious items.

    Probably it's able to re-detect that again... and check "more information" about those items/files;

    V - I will create a private letter for you.

  • mwmw Posts: 11

    Thanks! This should answer all, also the private questions (which were generated for better understanding).

    I have a Desktop and a Laptop. This story started with the Laptop, but in the meantime both are questionable.

    - After the Laptop new system setup (no programs yet installed, just F-Secure and all F-Secure and Windows updates) a worm was detected.

    - By the inputs of this forum I did check the Desktop with changed settings and found 4 virus attacks.

    - I did re-start to set up the Laptop new and keep the Desktop as it is – meaning with the 4 detected and deleted viruses. After the Laptop is done I will do a new Desktop setup.

    Dr. Windows update pack has a very high confidence level to be clean and serious. There are also no complaints from other users. The reason why I take the Dr Windows update pack is to be less time online during system installation – because I consider online time with a non-finalized installation as an infection risk.

    But I also take the info from this forum that longer online time by just doing Windows updates via Microsoft also does NOT increase the risk of getting infected.

    Scanning with external systems I personally don’t feel comfortable with, but the only reason is that I have no experience, and the idea of allowing someone/something things I cannot control does not make me feel better. I would do this after creating an image, checking with the online scanner, and then re-installing the image and continuing.

    To summarize:

    - I understand that this forum considers the risk of being infected during F-Secure online updating as low

    - I understand that this forum considers the risk of being infected during multiple Windows online updates as low

      therefore supporting packages such as Dr. Windows are not required in terms of safety

    Why have I been infected anyway?

    - might be Dr. Windows – don’t think so

    - might be the used USB stick on which I loaded drivers, F-Secure, update pack from the Desktop where I downloaded these files – don’t think so, as no worm was detected a) on these downloaded files, b) nor on the Desktop (but 4x virus)

    - might be an attack during installation – but how realistic is this? Following your answers also considered as low risk

    So what do I have? For me right now

    - no clear idea why I got infected

    - no clear idea why it should be better next time – but the installation is running, can tell you later about it.

    Regards & thanks

    mw

  • Ukko Posts: 3,160 Superuser

    Hello,

    Also... thanks for the answers.

    Possibly.....here already just two points about troubles with systems (Laptop and Desktop) - about which.. you worry:

     - worm;

     - four items (malware/viruses);

    Practically you can be sure... that the situation about the worm was "wrong detection" (close to false positive);

    For me - it's, of course, a little bit strange... why from time to time something is detected during "updates"-files about signature-bases..... but it happens and practically always is a false positive (it means - file safe.. and detected by behavior/generic means..... which just because "it looks like something probably maybe wrong or suspicious or harmful or maybe can be risk here"); Also how I understand... it was detected just one time... and just by one of the programs - which can be often related with the same situations.

    BUT!

    To be honest - I don't really love the idea... about using "Temp-folders" for any updates-points (I mean software updates)..... just because it's a potential risk. That folder is close to "potential risk" with rights/re-changes/infected/malicious actions..... between all files here (if it has something malicious in temp-directories); But practically.... it's not really like that and it's practically hard to use with any malicious steps.

    AND....... probably F-Secure.... knows the current "question" better... and, of course, did all like needed... and it's practically not possible to do something on the malicious side about Temp-files (like it can be "updates" for the antivirus engine);

    ----------------

    It means... practically..... your Laptop was without any "malicious results" in the system. "Worm-detection" probably was a "random mistake"; "worm" (but just in detection-name) was about "downloaded descriptions for malware" (which are needed to work against malware) - and practically it's without any risk and safe. But... if you still have that file - you can give that sample to F-Secure SAS (service for checking samples) - where that file can be analysed. Also about that "worm" - if that detection name is used for searching... it gives some URLs with information about it (including the F-Secure page, which already was here) - you also can read any symptoms etc (for checking... can be same with your situation or not; Also it can be with instructions - for checking your network/settings);

    ----------------

    About the four items - need more information. But if you already deleted that....

    it means - can be trouble just if something is detected again and again on your Desktop.

    Maybe those files were just about some zip-archives with different information/files/data etc. Where can be something malicious... or without anything malicious (but all those settings look suspicious);

    Anyway.... about your setting with "Fritzbox" (if I correctly understand... it's certainly that thing... which some time ago was with a big story about some kind of vulnerability in some of places about);

    You can be, of course, careful with any network-connections..... but possible... if it's something "serious" - you need to start checking... certainly from your network-connection settings etc.

    Just after that.... already can do something with the system. But probably with your system all must be OK (?);
