AVG reports rootkit
-
ronzul
- Posts: 4
- Joined: 6. Jul 2012, 04:33
- Primary OS: MS Windows 7
- VBox Version: OSE other
- Guest OSses: Windows XP
- Location: Sydney, Australia
AVG reports rootkit
Good morning/afternoon/evening depending on your time zone.
I've installed a Windows XP guest OS, and some development tools, Microsoft Office etc. I shouldn't have a virus already.
I've now installed AVG, and it reports rootkits in ntoskrnl.exe and hal.sys.
Does VirtualBox do anything to the guest OS images? Would it be touching these files?
Thanks
Ronny
-
BillG
- Volunteer
- Posts: 5106
- Joined: 19. Sep 2009, 04:44
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10,7 and earlier
- Location: Sydney, Australia
Re: AVG reports rootkit
No. If your vm is infected, then it was infected in the usual way. There is nothing special about the OS in a vm. It works just the same way as in a physical machine.
Bill
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: AVG reports rootkit
In essence VirtualBox is a rootkit, though that probably doesn't explain the report.
VirtualBox knows nothing about guest filesystems, so it can't modify guest files very easily (at least not until you install the GAs, which of course could theoretically add that potential). VBox may however, depending on the code, modify the running code in memory. AFAIK that only applies to 16-bit code though.
I guess it's really AVG who you need to be asking for an explanation of their reports.
-
stefan.becker
- Volunteer
- Posts: 7639
- Joined: 7. Jun 2007, 21:53
Re: AVG reports rootkit
It's not the first false alarm from any antivirus tool.
Have a look at Google and you will find that every tool has many false positives.
German Howto (Linux): http://www.linuxforen.de/forums/showthread.php?t=236444
User Manual / Download Section: http://www.virtualbox.de/wiki/Downloads
FAQ: http://www.virtualbox.de/wiki/User_FAQ http://forums.virtualbox.org/viewtopic.php?t=8669
-
rpmurray
- Volunteer
- Posts: 918
- Joined: 3. Mar 2009, 00:29
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 7, Mac OS X (various flavors)
- Location: Between Heaven and Hell
Re: AVG reports rootkit
ronzul, what version of VirtualBox are you running? I'm seeing the same thing.
AVG was reporting no problems up through a couple of days ago and then I updated AVG and let Windows Update update my VM of XP with the latest patches and all of a sudden I'm getting warnings about ntoskrnl.exe and hal.dll and potentially dangerous rootkits.
I have a clean vanilla VM of XP that I was using in testing a while ago so I installed AVG on it and it reported it clean, then I updated it with the latest patches using Windows Update and AVG still reports it as clean (shooting down my theory that it's something caused by a recent update patch).
-
ronzul
- Posts: 4
- Joined: 6. Jul 2012, 04:33
- Primary OS: MS Windows 7
- VBox Version: OSE other
- Guest OSses: Windows XP
- Location: Sydney, Australia
Re: AVG reports rootkit
Thanks for the info guys.
And rp, I've just installed the latest version of VirtualBox 4.1.18 r 78361, and the latest version of AVG.
If I get a chance, I might create a new XP install, and immediately install AVG before I do anything else.
Cheers
-
ronzul
- Posts: 4
- Joined: 6. Jul 2012, 04:33
- Primary OS: MS Windows 7
- VBox Version: OSE other
- Guest OSses: Windows XP
- Location: Sydney, Australia
Re: AVG reports rootkit
Ok, created a new Windows XP VM, and straight away installed AVG.
Same thing, comes up with rootkit reports for ntoskrnl and hal.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: AVG reports rootkit
ronzul wrote:
Ok, created a new Windows XP VM, and straight away installed AVG.
Same thing, comes up with rootkit reports for ntoskrnl and hal.

Virus checkers' false positives are nothing new. You need to report it to the virus software manufacturer. There is not a lot that anyone here can do.
-
ronzul
- Posts: 4
- Joined: 6. Jul 2012, 04:33
- Primary OS: MS Windows 7
- VBox Version: OSE other
- Guest OSses: Windows XP
- Location: Sydney, Australia
Re: AVG reports rootkit
Thanks for the tip
Re: AVG reports rootkit
I have exactly the same issue. I have logged it with AVG.
cheers
Re: AVG reports rootkit
Google
Fresh Install Of XP On VirtualBox False Positive Rootkit
to find it on AVG's forums; I cannot post a link as I only just signed up.
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: AVG reports rootkit
You seem to have told them that the GAs were the issue, though I interpreted the last message from Ronzul above to say otherwise (he claimed a new install of nothing but XP and AVG was enough). Perhaps Ronzul could confirm his meaning.
Re: AVG reports rootkit
http://forums.avg.com/ww-en/avg-forums? ... &id=212923
Yes I have since tested and removed the GA and it still has the same issue.
I'll update here if i hear back from them..
cheers
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: AVG reports rootkit
Frankly, knowing how things go around here, I think your last post on their forums is still open to confusion. You have to bear in mind that they may not be familiar with VirtualBox, and may not be aware of the distinction between VirtualBox and "VirtualBox GAs", in which case your last message on their forum may be read as saying that the problem isn't with VirtualBox at all.
If I were you I would edit your last post on that forum to emphasise that to reproduce the problem they need a VirtualBox VM, with XP and AVG installed, and GAs have no influence either way.