Friday, August 10, 2007

AVG detects Win32/PolyCrypt viruses

Woke up at 10.30 AM today, and I was surprised to see that AVG reported 20 infected files on my machine. The virus name is Win32/PolyCrypt. All the infected files are in my Cygwin folder (Cygwin is a program suite that simulates a Unix environment on Windows systems).

After googling, I found a thread at the Ubuntu forums discussing the same problem, but they found the viruses in their Ubuntu partitions instead. This led me to the thread at AVG posted by Adam Hunt.

Ahunt

While it certainly is possible that what you are seeing is a false positive... first let me correct something you said... Just because a malware may not spread on a Linux (or other OS) system, doesn't automatically make the item a false positive. A compromised system could still be used to store and distribute other malware even if that malware may not directly affect the system it is on. This is why AVG and other antivirus programs still look for Windows based malware on a Linux box (and vice versa).


If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If you are still unable to test/email the file after disabling the heuristics, you will need to temporarily disable the Resident Shield.

Dear AVG:

Sorry for the delay in taking care of this issue - meetings intervened.

As you recommended I scanned several of the files at [virusscan.jotti.org] that AVG picked up as infected with WIN32/PolyCrypt and only AVG detected them as infected. The rest of the scanners indicated "nothing found".

I think it is likely that we have a "false positive" here.

As you have asked I will try to package up one of the files, password protect it and send it to you at virus@grisoft.com. The infected files all seem to be binaries, so it may take me a bit to package them to send to you.

I have the same AVG virus definition file installed on my Windows XP PC and have scanned that PC with no infections found. I believe that this is not a "virus issue", but is an issue of the last definition file's compatibility with Linux instead, judging by the number of Ubuntu users with the same problem at [ubuntuforums.org]. Perhaps this thread would be better moved back to the Linux section of the forum?

Thank you for your time on this. I hope that this will help you solve the issue in a future definitions update.

Adam


In conclusion, it seems like this is an issue with the AVG virus definition file, and the result is a false positive. The detected files won't do any harm to the computer. I will wait for the next AVG update to correct this problem.

Note: What is a false positive result?

Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

When a test wrongly shows an effect or condition to be present (e.g. that a woman is pregnant when, in fact, she is not).
www.i-bio.gov.uk/UkBioportal/Beginners/html/glossary.html

Some women are told that tests have shown that their baby may have a problem. If further tests then show that this is not the case, that result is called a false positive.
www.arc-uk.org/glossaryofterms/glossaryofterms.htm

6 comments:

Unknown said...

Thanks, had the exact same problem, found your explanation helpful. Have a nice one / Kristoffer

Anonymous said...

I've turned up at work bleary eyed to discover the same. Two hours later with a lot of various scanning (yea! for housecall) later and it does definitely seem to be a false positive.

Unfortunately, AVG has moved all the "infected" files to the vault, and they all seem to have come from the encoding libraries of Perl and Python for me, but luckily I don't use cygwin enough for that to be a problem. I'm not sure what effect this might have on anyone using those libraries (presumably whatever app they would run would just die).

Unknown said...

Nice explanation. I also had AVG picking up from the cygwin folder.

Unknown said...

Hi,

Thanks for these comments! :D

Anonymous said...

Hi, I found your blog through Google, it's quite interesting and I liked this post. When you get a chance, stop by my blog; it's about custom T-shirts and shows step by step how to make a really cool custom T-shirt. If you want to link my blog on yours I'd be grateful, see you later and good luck. (If you speak English you can see the English version of Camiseta Personalizada. If it is possible to add my blog to your blogroll I'd be thankful, bye friend.)

Anonymous said...

what's AVG?

;P