  1. #1
    Untanglit
    Join Date
    Oct 2009
    Location
    Tucson Arizona
    Posts
    18

    Virus blocked W32.Virut.Gen.D-163

    I have a laptop that dual boots with Windows Vista and Linux. I needed to check a website build today with IE. I rarely boot up Windows, so I had a number of updates to do.

    The virus blocker blocked a virus, W32.Virut.Gen.D-163, while doing the updates. The URL appears to be the legit update download site.

    I have searched here; nothing came up. One email in the ClamAV Linux mailing list. A Google search provides numerous links to threads.

    It appears to be a false positive, with a lot of people submitting it as a false positive to ClamAV over the years.

    I was wondering if anyone else has encountered this while doing a Windows update. I do not have any other Windows machines. I stay as far away from windblows as possible, so I have no idea if this is an isolated event or a common event.

    Which would be the best way to exclude it: through the ClamAV config file or through the Untangle virus blocker?

    Would adding D-163 as a file extension and leaving the scan box unchecked exclude this file from being scanned by virus blocker?

    It appears this file may have something to do with M$ Office. I re-checked for updates; the update system seems to think all is well. I have not tried Office yet. Thought I would attempt to get some more info before possibly trashing the OS, Windows being so fragile.

    Any input from you guys would be appreciated.
    Last edited by SinOjos; 11-24-2009 at 03:42 AM.

  2. #2
    Untangler
    Join Date
    Apr 2008
    Location
    Bowling Green, KY
    Posts
    31


    I had the same thing show up in my report this morning. I was provided the following:

    Virus Name: W32.Virut.Gen.D-163
    URL: http://download.windowsupdate.com/ms...1bc1f7cbb1.cab
    Server IP: 208.111.157.181
    Server Port: 80

  3. #3
    Untanglit
    Join Date
    Oct 2009
    Location
    Tucson Arizona
    Posts
    18


    My link is exactly the same as yours. I have downloaded it a number of times to my Linux box. Different IP each time, obviously due to load balancing.

    Even though virus blocker says blocked, part of the file still downloads. The file download size says 7.4 MB. The file ends up being approx 6.7 MB, with each file ending up slightly different in size.

    With some of the file missing, I have to wonder what kind of effect it will have on the OS with this incomplete, corrupted file.

    So Untangle does not completely block identified viruses. Since the complete file does not pass through, one would think that a virus would be nullified.

    This could cause a lot of people some trouble if the corrupted file has an adverse effect on the OS. Hopefully it is an application file rather than a sensitive component of the OS. Perhaps downloading it unblocked and installing it in the proper place will do the trick. But where does it go?

    With the old file getting overwritten, or the new one being run or not run and processed correctly during the update reboot process, it could certainly cause some problems with processes not completing during the reboot, file corruption or dead links. It could affect the registry also.

    Hopefully simply overwriting the corrupted file with the complete file will be all that needs to be done.

    Going to do some searches and see if I can find out exactly where this file goes and what it does. With M$ products being closed source, getting exact info may be impossible. If it is necessary to rely on the M$ development team, it may be a while to get a fix, or never, since a relatively small number will be affected by this problem.

    Another good reason to use open source only.
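The post above reports a .cab that arrives short (7.4 MB expected, about 6.7 MB received) after the virus blocker cuts the stream. A practitioner can confirm that kind of truncation without installing anything, because a Microsoft Cabinet file carries its own total length in the header: the fixed 36-byte CFHEADER starts with the signature `MSCF` and holds a 32-bit `cbCabinet` field at offset 8 giving the size of the whole cabinet. The following Python script is an added example, not code from the thread, from Untangle or from ClamAV; it parses only that header and compares the declared size with the bytes actually on disk. The sample cabinet in `build_sample_cab` is constructed in the code (valid header, dummy body) so the script runs offline; the helper names and the dict layout are this example's own choices.

```python
"""cabcheck.py: detect a truncated Microsoft Cabinet (.cab) download.

Added example for the Untangle thread on W32.Virut.Gen.D-163; not from the
thread, Untangle or ClamAV. Parses the CFHEADER only, no extraction.
"""
import struct
import sys

# CFHEADER fields, little-endian, 36 bytes total:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36
CAB_SIGNATURE = b"MSCF"


def check_cab(data: bytes) -> dict:
    """Compare the size a cabinet claims for itself with the bytes we have.

    Returns a dict: is_cab, declared_size, actual_size, truncated,
    missing_bytes, reason. A short read of a known cabinet shows up as
    truncated=True with missing_bytes > 0.
    """
    actual = len(data)
    verdict = {"is_cab": False, "declared_size": None, "actual_size": actual,
               "truncated": False, "missing_bytes": None, "reason": ""}
    if actual < CFHEADER_SIZE:
        # Not even a whole header: either not a CAB or cut off very early.
        verdict.update(truncated=True, reason="shorter than a 36-byte CFHEADER")
        return verdict
    fields = struct.unpack_from(CFHEADER_FMT, data, 0)
    sig, cb_cabinet = fields[0], fields[2]
    c_folders, c_files = fields[8], fields[9]
    if sig != CAB_SIGNATURE:
        verdict["reason"] = "signature is %r, not MSCF" % sig
        return verdict
    verdict.update(is_cab=True, declared_size=cb_cabinet,
                   missing_bytes=max(cb_cabinet - actual, 0))
    if actual < cb_cabinet:
        verdict.update(truncated=True,
                       reason="cbCabinet says %d bytes, only %d present"
                       % (cb_cabinet, actual))
    elif actual > cb_cabinet:
        # Longer than declared is not a short download, but worth a look.
        verdict["reason"] = "%d trailing bytes beyond cbCabinet" % (actual - cb_cabinet)
    else:
        verdict["reason"] = "complete: %d folders, %d files declared" % (c_folders, c_files)
    return verdict


def build_sample_cab(payload: bytes) -> bytes:
    """Constructed test cabinet: a valid CFHEADER over a dummy body.

    The body stands in for the CFFOLDER/CFFILE/CFDATA records and is never
    parsed; only cbCabinet has to be right for the size check.
    """
    cb_cabinet = CFHEADER_SIZE + len(payload)
    header = struct.pack(CFHEADER_FMT, CAB_SIGNATURE, 0, cb_cabinet, 0,
                         CFHEADER_SIZE, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    return header + payload


def main(argv):
    if len(argv) != 2:
        print("usage: cabcheck.py FILE.cab", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        verdict = check_cab(fh.read())
    for key, value in verdict.items():
        print("%-14s %s" % (key + ":", value))
    return 1 if verdict["truncated"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python cabcheck.py <downloaded>.cab`; a non-zero exit means the file is shorter than its header says. The check only establishes length, not integrity: a file of the right size can still have been altered, so for Windows Update content the Authenticode signature on the complete .cab (for instance `signtool verify /pa file.cab` on Windows) is the stronger check, and a cabinet that fails it should simply be re-downloaded rather than installed.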

  4. #4
    Untanglit
    Join Date
    Oct 2009
    Location
    Tucson Arizona
    Posts
    18


    Here is an excerpt from one post.

    My MS Excel is disabled and MS Word has problems following the scan.

    I was able to replace the following 2 excel files, which permitted opening and reading spreadsheets, but not writing in them.
    C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
    C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

    I am unable to find the location for the other files as documented in the scan report below. Please help, as I have already tried to reinstall Office, and the reinstall also does not work, and redoing the entire system is costly.
    Thanks

    Link to post http://forums.clamwin.com/viewtopic.php?p=9558

    Here is another path I found. The majority of posts have paths to Excel or the Windows installer.

    C:\Program Files\HP\Digital Imaging\BE4CEA63-8351-4A12-9E3A-556F8B76683A\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND
    C:\Program Files\HP\Digital Imaging\BE4CEA63-8351-4A12-9E3A-556F8B76683A\setup\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND


    The above may be an example of how users of Untangle doing recent updates for Windows may be affected.

    I have found no way to allow the file through short of turning off the virus blocker. I am relatively new to Untangle, so perhaps there is a way I am not aware of to enter an exception. So one is left adding an exception to ClamAV or turning off virus blocker.

    Cannot believe, with how many years this has come up as a false positive, that ClamAV has either neglected or reintroduced this false positive.

    If this issue produces a difficult fix, there could be a lot of very unhappy Untangle users, specifically in a business environment that relies on Excel.

    OpenOffice could be downloaded and used. One of the great open source projects!

    Perhaps Untangle should put out some kind of warning before a lot of people get affected.
    Last edited by SinOjos; 11-24-2009 at 08:26 PM.
