Avast deleted my vdi file

Posted: 11. Aug 2015, 00:17
by JokoGarcia
Hello. I have quite a problem in my hands.
I lived happily without antivirus software on my laptop for more than a year. I don't know what possessed me to install AVAST today, but I did.
After a full system check, I clicked "fix all problems". I did check the list of "infected" files first, but I did it poorly because I didn't notice the vertical scroll bar. I know that is my fault! It turns out that the last file was a .vdi file for my virtual machine. Maybe there is an infected file inside, maybe it's a false positive. The problem is that Avast couldn't fix it, it couldn't quarantine it (maybe because of large size?), so it deleted it. Just like that!

I started this post as a plea for help, but fortunately, as I was typing (on another computer), the file recovery software I was running (Recuva) found the file, although it had been corrupted by a torrent I was downloading at the moment. I figure it can only be a couple of megabytes since I stopped it less than 5 minutes after the file deletion and my Internet is not too fast (thanks Jupiter for my crappy ISP!).
I restored the file and was able to boot up the virtual machine and make a copy of the file I care most about (a bit of source code, if you care). It should be noted that the .vdi does not correspond to the VM's system drive, but a secondary data drive.

As I said, I started this as a plea for help, but now I'm just posting it to serve as a cautionary tale: If you use AVAST, triple check the files it is going to "fix". I personally am about to uninstall the hell out of it!

Re: Avast deleted my vdi file

Posted: 11. Aug 2015, 10:23
by mpack
Yup. Resident AV has all the hallmarks of a "Denial Of Service" malware attack, except that it has an unusual replication mechanism: people are peer pressured and otherwise persuaded to install it themselves. After all, if you have a nebulous and scary threat to counter, you must need to install an equally nebulous prophylactic, right? Right.

Or the alternative approach: make regular whole disk backups, and do regular checks with an offline (non resident) AV scanner, especially after installing new software. If problem found, restore last clean whole disk backup.

p.s. You were lucky that "undelete" worked. IME it usually doesn't, when the file is that big.

Re: Avast deleted my vdi file

Posted: 11. Aug 2015, 15:47
by JokoGarcia
mpack wrote: p.s. You were lucky that "undelete" worked. IME it usually doesn't, when the file is that big.
I know! It wasn't that big, actually: 1.8 GB. Also, there was some file corruption detected by the undelete program, but I haven't found where yet.
About the resident AV: you are totally right! I always relied on my common sense to keep away from malware, and it rarely failed! I installed this one now because I was experiencing some annoyance with my mouse and touch-pad buttons: some clicks are detected as double clicks on my host. I thought it could be virus related.

Re: Avast deleted my vdi file

Posted: 11. Aug 2015, 16:00
by mpack
JokoGarcia wrote: It wasn't that big, actually: 1.8 GB.
Well, with 4K clusters that is still a chain of 450 clusters that had to be inferred and restored. Your file must have been more or less contiguous (unfragmented), otherwise it wouldn't have worked.