Friday, August 10, 2007

AVG detects Win32/PolyCrypt viruses

Woke up at 10.30 AM today and was surprised to see that AVG reported 20 infected files on my machine. The virus name is Win32/PolyCrypt. All the infected files are in my Cygwin folder (Cygwin is a program suite that simulates a Unix environment on Windows systems).



After googling, I found a thread at Ubuntu forums discussing the same problem, but they instead found the viruses in their Ubuntu partitions. This led me to the thread at AVG posted by Adam Hunt.

Ahunt

While it certainly is possible that what you are seeing is a false positive... first let me correct something you said... Just because a malware may not spread on a Linux (or other OS) system, doesn't automatically make the item a false positive. A compromised system could still be used to store and distribute other malware even if that malware may not directly affect the system it is on. This is why AVG and other antivirus programs still look for Windows based malware on a Linux box (and vice versa).


If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If you are still unable to test/email the file after disabling the heuristics, you will need to temporarily disable the Resident Shield.

Dear AVG:

Sorry for the delay in taking care of this issue - meetings intervened.

As you recommended I scanned several of the files at [virusscan.jotti.org] that AVG picked up as infected with WIN32/PolyCrypt and only AVG detected them as infected. The rest of the scanners indicated "nothing found".

I think it is likely that we have a "false positive" here.

As you have asked I will try to package up one of the files, password protect it and send it to you at virus@grisoft.com. The infected files all seem to be binaries, so it may take me a bit to package them to send to you.

I have the same AVG virus definition file installed on my Windows XP PC and have scanned that PC with no infections found. I believe that this is not a "virus issue", but is an issue of the last definition file's compatibility with Linux instead, judging by the number of Ubuntu users with the same problem at [ubuntuforums.org]. Perhaps this thread would be better moved back to the Linux section of the forum?

Thank you for your time on this. I hope that this will help you solve the issue in a future definitions update.

Adam


In conclusion, it seems like this is an issue with the AVG virus definition file and the result is a false positive. The detected files won't do any harm to the computer. I will wait for the next AVG update to correct this problem.

Note: What is a false positive result?

Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

When a test wrongly shows an effect or condition to be present (e.g. that a woman is pregnant when, in fact, she is not).
www.i-bio.gov.uk/UkBioportal/Beginners/html/glossary.html

Some women are told that tests have shown that their baby may have a problem. If further tests then show that this is not the case, that result is called a false positive.
www.arc-uk.org/glossaryofterms/glossaryofterms.htm

Sunday, August 5, 2007

Unwritable session save path in Joomla setup

I found a good fix at http://forum.mamboserver.com/showthread.php?t=12800 by Yohan. Thanks :)

My environment is PHP 4.40 with IIS 5.1 on Windows XP. First, I created a new directory named sessionsave at C:\php\sessionsave. After that, I changed this directory's permissions to give IUSR_machinename full control over it.




Note: If you cannot find the Security tab on your Windows XP system, you can enable it by going to Tools -> Folder Options... -> View and removing the tick in front of "Use simple file sharing". The Windows Server family enables this by default.

Finally, I edited my php.ini file. Back in the setup, Joomla can now write to the session save path.

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
; As of PHP 4.0.1, you can define the path as:
session.save_path = "C:\php\sessionsave\"

PHP with IIS error: The page cannot be found

Recently, I mangled up my IIS's wwwroot directory, so I had to create a new one.

Today, I needed to install Joomla, one of the popular PHP CMS applications. But when I copied the package to my new wwwroot and browsed to http://localhost/GearGame ("GearGame" is my project's name), the web server returned a 404 error. I am running PHP 4.40 with IIS 5.1 on Windows XP.



After some experiments, I found that I could not run any PHP file. So I consulted PHP's readme file and found these lines:

The following steps are optional:

* Edit your new php.ini file. If you plan to use OmniHTTPd, do not
follow the next step. Set the doc_root to point to your web
server's document_root. For example:

doc_root = c:\inetpub\wwwroot // for IIS/PWS

doc_root = c:\apache\htdocs // for Apache

Then, I opened my php.ini file located at C:\Windows\php.ini and edited the doc_root to point to my new wwwroot.

; The root of the PHP pages, used only if nonempty.
; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
; if you are running php as a CGI under any web server (other than IIS)
; see documentation for security issues. The alternate is to use the
; cgi.force_redirect configuration below
doc_root = C:\wroot

I finally refreshed the page, and I could set up Joomla.
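An added example (not code from the posts above) that checks the two php.ini settings discussed in the last two posts, session.save_path and doc_root: it parses a php.ini fragment (the embedded sample is constructed to mirror the values above), confirms the session directory exists and is writable by the account running the check, and flags a session directory that sits under doc_root, since session files inside the document root are reachable through the web server.

```python
import os
import tempfile

def parse_php_ini(text):
    """Minimal php.ini reader: ';' comments, [sections] skipped, key = "value"."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')           # php.ini allows quoted values
    return settings

def is_under(path, root):
    """True if path is root or lies beneath it; accepts '\\' or '/' separators."""
    def norm(p):  # absolute, normalised, case-folded (NTFS is case-insensitive)
        return os.path.normcase(os.path.normpath(os.path.abspath(p.replace("\\", os.sep))))
    path, root = norm(path), norm(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)

def check_session_path(settings):
    """Return a list of problems; an empty list means the setup looks sound."""
    save_path = settings.get("session.save_path", "").rstrip("\\/")
    if not save_path:
        return ["session.save_path is not set"]
    problems = []
    if not os.path.isdir(save_path):
        problems.append("session.save_path does not exist: " + save_path)
    elif not os.access(save_path, os.W_OK):
        problems.append("session.save_path is not writable: " + save_path)
    doc_root = settings.get("doc_root", "")
    if doc_root and is_under(save_path, doc_root):   # session files would be web-reachable
        problems.append("session.save_path is inside doc_root: " + save_path)
    return problems

SAMPLE_INI = """
; constructed php.ini fragment mirroring the values in the posts above
doc_root = C:\\wroot
[Session]
session.save_path = "C:\\php\\sessionsave\\"
"""

def demo_layout():
    """Throwaway doc root with a 'sessions' subfolder: problems for it vs. a sibling outside."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    inside = os.path.join(root, "sessions")
    os.mkdir(inside)
    return (check_session_path({"doc_root": root, "session.save_path": inside}),
            check_session_path({"doc_root": root, "session.save_path": outside}))
```

Run it on the box as the IIS anonymous account (IUSR_machinename above) rather than as an administrator, otherwise the writability check tells you nothing about what the web server can do.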