PC Review



ciadoor.13, or nothing?

 
 
Alan D
6th Nov 2006
I put up a post about this in 'compatibility' but I suspect people don't look
there often, so I'm going to try again here, and with fresh information. I'd
much appreciate advice.

1. Yesterday, Defender completed its daily scan (clear as usual).
Immediately after it finished, AVG's resident shield jumped up detecting a
trojan (ciadoor.13) in an old program file that I haven't used for months
(mirc.exe), and which has been scanned hundreds of times before. It's now in
quarantine. (I should explain this is the new AVG combined
antivirus/antispyware Ewido-based system I'm using.)
2. I did a full scan afterwards with Adaware. It was clear.
3. Today I did an online scan with Kaspersky. It was clear.
4. Then I ran a manual full scan with AVG. It found ciadoor.13 again - but
this time somewhere in System Volume Information (A0073965.exe) - it's now in
quarantine.
5. For the first time I found where the AVG virus vault is, so I was able to
submit the two quarantined files (each of them precisely 1.93MB) to the
multiple scanner at http://virusscan.jotti.org/. Every scanner (including
AVG) found nothing in both files.

It looks like these AVG detections are false positives. What should I do?
Restore the files from the virus vault back to where they came from? But if I
do that, then AVG will pick them up again next time it scans, presumably.
I've sent an email to AVG, but I'd really like the opinion of you guys, if
you can comment.

It seems to me very odd that all this began just as Defender ended its
regular scan. Is that just coincidence do you think?
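Added example, not part of the thread or of any AVG tooling: a small Python script for the situation the post describes, where two quarantined items of exactly the same size were flagged with the same signature. The A0073965.exe name is the pattern Windows XP System Restore uses for files it archives under System Volume Information, so the second hit is most likely the restore-point copy of mirc.exe. Hashing both and confirming they are byte-identical collapses the two alerts to one signature firing twice on one binary, and gives you the SHA-256 to quote in the vendor report and to search for on a multi-scanner site. The script assumes both files have already been exported from the quarantine to ordinary files on disk (as they were for the Jotti submission); the file names are taken from the thread and the sample bytes in the demo are constructed, not a real mirc.exe.

```python
"""Hash and sanity-check two quarantined copies of a suspected false positive.

Added example, not part of the thread. Assumes the two files have already
been exported from the AV quarantine to ordinary files on disk; the sample
bytes used by the demo at the bottom are constructed.
"""
import hashlib
import os
import tempfile


def fingerprint_bytes(data: bytes) -> dict:
    """Size plus MD5/SHA-1/SHA-256 of a file image; these hashes are what
    multi-scanner services and AV vendors key their verdicts on."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew field points at
    a 'PE\\0\\0' signature, i.e. the quarantined item is still a Windows EXE
    and not a truncated or re-encoded blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compare_images(a: bytes, b: bytes) -> dict:
    """Decide whether two quarantined items are the same binary."""
    fa, fb = fingerprint_bytes(a), fingerprint_bytes(b)
    return {
        "identical": fa["sha256"] == fb["sha256"],
        "same_size": fa["size"] == fb["size"],
        "both_pe": looks_like_pe(a) and looks_like_pe(b),
        "a": fa,
        "b": fb,
    }


def compare_files(path_a: str, path_b: str) -> dict:
    """File wrapper around compare_images (reads both files fully, which is
    fine for binaries of a few megabytes like the ones in the thread)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_images(fa.read(), fb.read())


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed sample: a minimal MZ/PE header shell around arbitrary bytes.
    It is not a runnable executable; it only carries the two magic values
    looks_like_pe() checks, so the demo runs without a real mirc.exe."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # File names taken from the thread; the contents are constructed.
    sample = build_fake_pe(b"constructed stand-in for the mirc.exe bytes")
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "mirc.exe")
        restore_copy = os.path.join(tmp, "A0073965.exe")
        for path in (original, restore_copy):
            with open(path, "wb") as fh:
                fh.write(sample)
        verdict = compare_files(original, restore_copy)
    print("identical:", verdict["identical"],
          "same size:", verdict["same_size"],
          "both PE:", verdict["both_pe"])
    print("SHA-256 to quote in the vendor report:", verdict["a"]["sha256"])
```

Matching hashes only tell you the two alerts concern one file; they say nothing about whether that file is clean, which is still a question for the vendor and the multi-scanner results. If the hashes differ while the sizes match, the restore-point copy and the installed file are different builds and each needs to be checked on its own.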
 
Tim Clark
6th Nov 2006
Alan,

> It seems to me very odd that all this began just as Defender ended its
> regular scan. Is that just coincidence do you think?


This is not unusual. In order to scan these files WD must access them, and
during the accessing by WD the file access is being monitored by your other
resident scanning programs. I have had this happen when I scan with
Ad-Aware, which has been told to ignore a particular program, and my Virus
Scanner went off, which detects some PUPs, and has not been told to ignore
the program (the program is harmless, by the way, just questionable in how
it is used).

If all your other scans come up negative and these are scans you usually
trust (Confidence Is High) I would say to UnQuarantine them if you are having
No Manifestation of malware and wait to hear back from AVG. Personally I
don't like "combined" programs myself.

By the way, quarantining the program from System Restore (System Volume
Information) May render that Restore Point InValid, I'm not sure. You might
want to make a Restore Point and Label it Accordingly.

?:-)
Tim
Geek w/o Portfolio


 
Bitman
6th Nov 2006
Alan,

Though Tim's analysis is fine, it's likely that you'd have an issue moving
these from quarantine until the false positive detection has been removed
from AVG. Generally the Resident Shields don't flag the items as exclusions
automatically, so they will immediately detect the files again and return
them to quarantine.

What you need to do, beyond the correct steps you've already taken, is
research and/or report the issue to Grisoft directly. Unless you or someone
else does this, the issue may not be fixed for a while. The AVG Free Forum
and other support can be found here:
http://free.grisoft.com/doc/3/lng/us/tpl/v5

Of course, the simplest method in your case would be to uninstall MIRC,
since it sounds like you don't use it anyway.

Bitman


 
Mr Cat
6th Nov 2006
Just to be sure, you may want to scan with a-squared since it specializes in
Trojan detection.


 
Scott D
6th Nov 2006
I would also submit the files to VirusTotal for analysis, just in case. If
they prove clean, I would remove them from quarantine ONLY if they were files
that I use from time to time. Otherwise, if they are not missed, I would
keep them quarantined. You just can't be too careful, even with potential
false positives.

ewido/AVG is a good tool and not nearly as prone to issuing false positives
as other AV/AS software. BUT ... with a half-million signatures with which
to contend, it is certainly open to human-induced errors. ;-)

--
Scott D

Internet Security: http://SecorConsulting.net/pages/security.html
CIS Benchmark: http://SecorConsulting.net/pages/benchmark.html

 
Stu
6th Nov 2006
Hi Alan

Found this on the Wilders Security Forum - looks like you are not the only
one and it could well be an FP. The link is there for an analysis if you wish
to submit

http://www.wilderssecurity.com/showthread.php?p=875963

Stu


 
Alan D
7th Nov 2006


"Tim Clark" wrote:

> By the way, quarantining the program from System Restore (System Volume
> Information) May render that Restore Point InValid, I'm not sure. You might
> want to make a Restore Point and Label it Accordingly.


Thanks for this Tim. I'd wondered about whether this would mess up System
Restore - maybe this is a good time for me to clear all the old restore
points anyway, after I've heard from AVG and done whatever they suggest.




 
Alan D
7th Nov 2006


"Bitman" wrote:

> Alan,


> What you need to do, beyond the correct steps you've already taken, is
> research and/or report the issue to Grisoft directly. Unless you or someone
> else does this, the issue may not be fixed for a while.


Thanks Bitman - I sent them a more detailed email yesterday, outlining all
the steps I'd taken and what the results had been.

> Of course, the simplest method in your case would be to uninstall MIRC,
> since it sounds like you don't use it anyway.


Yes, definitely. My only concern is what happens if I try to uninstall it
when the main program (mirc.exe) is locked in quarantine. Is the Windows
uninstaller routine clever enough to cope with that?
 
Alan D
7th Nov 2006


"Mr Cat" wrote:

> Just to be sure, you may want to scan with a-squared since it specializes in
> Trojan detection.


Thanks Mr Cat, for two reasons.

First - I didn't know about this scanner, so it's a useful addition to my
armoury. Second - it gave the all-clear on the two quarantined files, as well
as on an overall quick scan.
 
Alan D
7th Nov 2006


"Scott D" wrote:

> I would also submit the files to VirusTotal for analysis, just in case. If
> they prove clean, I would remove them from quarantine ONLY if they were files
> that I use from time to time. Otherwise, if they are not missed, I would
> keep them quarantined. You just can't be too careful, even with potentail
> false positives.


Thanks Scott. I've just sent the two files to Virustotal, and those scanners
found nothing, either.

Do the files have to be kept in quarantine perpetually? Or can they simply
be deleted?
 