Use caution with Avast! in Windows!

Post by MarkS »

I just ran a virus scan in Windows 7. Avast! flagged several of the .hfv files as viruses and deleted them without a prompt. I now have to find and try to reconstruct quite a bit of lost data.

Just a warning. Be careful.

Post by prowler »

This is interesting. In my experience, Avast! Windows version is also capable of detecting viruses in A-Max disk images.

A-Max is a Macintosh Plus emulator for Amiga computers, and it uses a proprietary 800K format for floppy disks which can be read in the Amiga's floppy disk drive whilst storing Macintosh files in an HFS filesystem. Such disks can even be used to boot the emulation.

A-Max disk images are identical to the equivalent 800K Macintosh images, but also have a 16 or 32 byte header which identifies them as A-Max disk images. Another Amiga-based emulator, Emplant, uses much the same disk and image format.

Presumably, Avast! would be able to detect viruses in all types of Macintosh HFS disk images too.

This is surprising, because I wouldn't have expected Macintosh virus signatures to be included in the Avast! virus database.

I don't, however, remember the errant disk images being deleted by the anti-virus program.
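
The image layout described in the post above can be checked mechanically. The following is an added example, not part of the original thread: it finds whether an image carries a 0, 16 or 32 byte header by locating the Macintosh volume signature, so the bare volume can be handed to a Mac-aware scanner or emulator. The function names are hypothetical and the header bytes in the sample are zero-filled placeholders, not real A-Max header contents.

```python
import struct

RAW_800K = 800 * 1024        # 819,200 bytes: a headerless 800K floppy image
MDB_OFFSET = 1024            # the volume's master directory block starts here
SIGNATURES = {0x4244: "HFS", 0xD2D7: "MFS"}   # big-endian signature word
HEADER_SIZES = (0, 16, 32)   # 0 = plain image; 16 and 32 are the sizes named in the post


def identify_image(data: bytes) -> dict:
    """Find the header length at which a Macintosh volume signature lines up."""
    for hdr in HEADER_SIZES:
        off = hdr + MDB_OFFSET
        if len(data) < off + 2:
            continue
        (sig,) = struct.unpack_from(">H", data, off)
        if sig in SIGNATURES:
            return {"header_len": hdr, "filesystem": SIGNATURES[sig],
                    "size_ok": len(data) - hdr == RAW_800K}
    return {"header_len": None, "filesystem": None, "size_ok": False}


def strip_header(data: bytes) -> bytes:
    """Return the bare Macintosh volume, with any emulator header removed."""
    info = identify_image(data)
    if info["header_len"] is None:
        raise ValueError("no HFS/MFS signature at any expected offset")
    return data[info["header_len"]:]


def make_sample(header_len: int) -> bytes:
    """Constructed input: zero-filled 800K volume with only the HFS signature set."""
    vol = bytearray(RAW_800K)
    struct.pack_into(">H", vol, MDB_OFFSET, 0x4244)
    return bytes(header_len) + bytes(vol)   # placeholder header, not real A-Max bytes
```

Because the Macintosh data is stored unmodified after the header, a byte-pattern signature written for Macintosh files can match inside the image on any host platform.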

Post by MarkS »

The problem is that it didn't flag the files as containing a virus, rather it flagged them as a virus. Even stranger still, these were new drives with rather new data. The information I had was pre-internet. The chance of a virus being in that data was slim to none. Not to mention that when I actually had a working 68K Mac, I ran Disinfectant religiously. There were no viruses in those files.

Post by prowler »

MarkS wrote:
> The problem is that it didn't flag the files as containing a virus, rather it flagged them as a virus.

Hi MarkS,

When scanning one of the A-Max disk images I mentioned, the Avast! program provided the malware name MacOS:Nvir-B and type Virus/Worm (the VPS version was 090520-0, 20/05/2009). This seemed to suggest that the disk carried an Nvir-B infection, not that the file actually comprised the Nvir-B virus.

Until this happened, I didn't know that Avast! could detect Mac viruses too. However, because it shows "MacOS" in the malware name, it is perfectly possible that the virus database incorporates both PC and Macintosh signatures.

I admit that it's a real possibility that the disk actually carries this virus, but I cannot check it, as it will not mount successfully in emulation, either as a disk in my Amiga or as an image in Mini vMac. The disk was created with the final A-Max version 4.x, which I have not been able to find a working copy of. It has an interleaved 720K format which is not compatible with earlier versions of A-Max and neither can the image be opened in Mini vMac.

MarkS wrote:
> Even stranger still, these were new drives with rather new data. The information I had was pre-internet. The chance of a virus being in that data was slim to none. Not to mention that when I actually had a working 68K Mac, I ran Disinfectant religiously. There were no viruses in those files.

Yes, that is strange. If I could just mount that A-Max disk or image, then it would be a simple matter to scan it with Disinfectant and remove the infection, if present.

Does anybody else have an experience to share concerning Avast!'s ability to deal with Macintosh viruses?

Post by Jorpho »

I rather suspect this is a false positive.

Why not upload the disk image to virustotal.com and see what happens?

Post by prowler »

Jorpho wrote:
> Why not upload the disk image to virustotal.com and see what happens?

Why not indeed! Great suggestion! I didn't know about that site. I'll upload the four images I have there tomorrow and report what, if anything, happens.

Post by prowler »

Wow! VirusTotal is a fantastic resource!

The website was supporting a high workload when I went to upload my files, so I sent them by email instead and within minutes I had received email reports of each file analysis.

Macintosh virus infections were found on each of the four disk images as I had expected.

Those found and the anti-virus programs which found them were:

[MacOS:Nvir-B] (AntiVir, Avast!, GData)
[Virus.Mac.Nvir!IK] (a-squared)
[MACOS/Nvir.A] (AntiVir)
[Virus.Mac.Nvir] (Ikarus)

and I don't think that these are false positives.

Post by MarkS »

This is an OLD topic, but I thought I would post an update for anyone interested.

I uploaded a game my father made to Macintosh Garden in 2009, just before posting this thread. A couple of days ago, I remembered that I had done so and went to the site to see if it was still up. In the comments, the site admin stated that he replaced the .sit file with a clean version as the one that I uploaded was infected with NVir A. The file that I uploaded came directly from my father's computer, so it looks like his computer was infected, thus infecting my old Mac. When I copied some old files from my Mac's hard drive to the emulation drive, I copied the virus and that is what Avast! picked up.

I am really surprised that Avast! has old Mac virus definitions built in. This is a very old virus!

Post by ClockWise »

Off-topic, but I'm very interested: what game did your father make?

Post by mathieudel »

I may be wrong, but I think he is talking about this game: http://macintoshgarden.org/games/rose-garden

Post by MarkS »

mathieudel wrote:
> I may be wrong, but I think he is talking about this game: http://macintoshgarden.org/games/rose-garden

Yes. Thanks for posting the link!

Post by Xermald'Oh »

Now there's another warning to heed...

When I logged into my account at TheOldComputer.com, went to Roms >> Apple >> Macintosh >> Applications, downloaded some of the applications there, and submitted some of them to VirusTotal for analysis, almost all of the submitted applications were flagged as malware by Avast. Of course, these detections can be false positives as none of the other antivirus engines found any malware (if my memory serves me right) but I cannot be entirely sure. If the files turn out to be infected by malware, I wonder whether there are any legacy antivirus suites capable of disinfecting the files – that is, without deleting or destroying them.

Post by Ronald P. Regensburg »

Here is a summary of known classic Mac OS viruses: http://lowendmac.com/virus/classic-mac-virus-list.html

Especially viruses that spread by merely mounting (floppy) disks can easily have ended up in disk images. I remember that sometime in the nineties those viruses were widespread. There was anti-virus software that would warn and block/remove malware, but I do not specifically remember software that could repair affected applications. I myself did not take the risk of using anything that was labeled as being infected. In most cases repairing would probably involve removal of the offending resource from the application's resource fork. I remember Disinfectant as popular anti-virus software. Possibly anti-virus software was also part of Norton Utilities.
Last edited by Ronald P. Regensburg on Sat Aug 02, 2014 11:49 am, edited 1 time in total.
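
Inspecting a resource fork for an unexpected resource, as the post above describes, starts with reading the fork's resource map. The following is an added example, not part of the original thread: it lists the (type, ID) pairs in a raw resource fork and reports any whose type is on a watch list. It assumes the fork has already been extracted to a byte string; the `nVIR` resource type comes from general knowledge of that virus family, not from the thread, and the function names and sample fork are constructed for illustration.

```python
import struct

# Resource type added by the nVIR family; general knowledge, not stated in the thread.
SUSPECT_TYPES = {b"nVIR"}


def list_resources(fork: bytes):
    """Return [(type, id), ...] from the map of a raw classic Mac OS resource fork."""
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]  # type list start
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as count-1
    found = []
    for i in range(n_types):
        rtype, n_minus1, ref_rel = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(n_minus1 + 1):
            # Each reference entry is 12 bytes; the signed resource ID comes first.
            rid = struct.unpack_from(">h", fork, tl + ref_rel + 12 * j)[0]
            found.append((rtype, rid))
    return found


def suspicious(fork: bytes):
    """Return the listed resources whose type is on the watch list."""
    return [(t.decode("ascii"), i) for t, i in list_resources(fork) if t in SUSPECT_TYPES]


def make_sample_fork(resources):
    """Constructed test input: a minimal fork whose resources all have empty bodies."""
    by_type = {}
    for rtype, rid in resources:
        by_type.setdefault(rtype, []).append(rid)
    data = struct.pack(">I", 0) * len(resources)       # one zero length prefix each
    entries, refs, pos = b"", b"", 0
    ref_base = 2 + 8 * len(by_type)                    # refs follow the type entries
    for rtype, ids in by_type.items():
        entries += struct.pack(">4sHH", rtype, len(ids) - 1, ref_base + len(refs))
        for rid in ids:
            refs += struct.pack(">hHI4x", rid, 0xFFFF, pos)  # no name, attrs 0, offset
            pos += 4
    type_list = struct.pack(">H", len(by_type) - 1) + entries + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap


SAMPLE = make_sample_fork([(b"CODE", 0), (b"CODE", 1), (b"nVIR", 1), (b"ICN#", 128)])
```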

Post by adespoton »

Disinfectant will cover all 68k Mac malware and clean up all viruses. It doesn't cover the PPC malware that came out during the transition to OS X; notably the Autostart worm and a couple of other specific variants. Norton Antivirus from that time will, but had significant overhead, and scanned for other things like Word macro viruses as well. The current Intego and Sophos scanners will still scan and clean classic Mac malware, and both do a decent job of it. Checking the Symantec results on VirusTotal for classic Mac files should also give decent results.

I wouldn't turn to Avast for scanning Mac files; I've seen too many FPs.

The general rule is, if you're seeing a non-Mac detection on a Mac file, ignore it and take everything that AV scanner reports (including FNs) with a grain of salt.