Do I REALLY have a virus or malware?

Anonymous
2021-02-12T06:14:31+00:00

I just got a NAS.  I copied some files to it.  Then I ran an antivirus program from the NAS and scanned the files and I got 3 hits (so far).

I got

Win.Virus.Sality-6822589-0   

Win.Trojan.Badjoke-7        

Microsoft Security Intelligence says that Defender detects Win/Sality, but when I scan the file on the PC, it says it is okay.

Is this a case of a false positive, or is this a new version that Defender doesn't know about?  (All the Defender updates have been applied.)

Same thing for the Win.Trojan.Badjoke-7?

Or is the NAS antivirus program just better at finding these?

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


8 answers

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-02-12T22:41:36+00:00

    That description of the file's purpose and reason for existing helps us to understand your concern, but as you've realized it does nothing to change anything I described in my earlier post.

    The reason that older files like your own might tend to be detected is that most modern software that's widely distributed today is digitally signed, since it's impossible to ensure the integrity of any file that doesn't contain one of these.

    That's also why such files can often trigger a false positive detection, since the lack of a signature today leads security software like Microsoft's Defender to immediately consider such a file suspect.

    During the period when I performed vulnerability scans for financial institutions among others, a malicious code vulnerability was once detected via an open port contained on an Automatic Teller Machine device located on a small bank's dedicated network reserved for these.  After I urgently notified the bank's personnel, the investigation performed by their ATM vendor discovered this detection was due to something that got embedded within the code operating these ATM devices while being configured.

    I never confirmed with the bank whether the malware involved was truly active on the ATM or the open port was the only symptom, but this was a case where such malicious code was included to at least some extent in the installation of a 3rd-party device.

    However, since as I discussed the NAS itself doesn't operate using Windows and in fact uses their own proprietary DiskStation Manager (DSM) operating system, the only point at which any true malware might become active is once downloaded to a Windows client.

    For that reason, I'd personally consider such a detection found within the NAS as nothing more than a sanity check rather than truly effective protection and treat it exactly the way you have.

    I also started my career with some schooling in minicomputers, though I had previously built my own microprocessor based computer and most of my programming experience was using assembly language on early Intel 8-bit microprocessor based systems.  Any software that's still around targeted for such outdated or specialized devices might be highly susceptible to false positive detection, since it often contained code intended to directly access hardware like the early BIOS software I wrote for many of those systems.

    Rob


    1 person found this answer helpful.
  2. Anonymous
    2021-02-12T14:20:04+00:00

    Thanks for typing all that.  I've been doing programming for 50+ years and am aware of what you're talking about.  I've worked on mainframes to minicomputers to little handheld devices to phones.  My concern was that my Windows machine might have had something that Windows Defender might have missed.  One of the files was in fact a download from a vendor and I couldn't be sure they weren't unintentionally passing something down to me.  And that program was an Epson software updater, so it could be run occasionally by me or in the background. The other was a program *I* wrote.  I know that in the past there have been viruses that were spread by compiling your own code (since the virus infected the compiler).  So I was afraid that this program I created might have been infected without me knowing.  And that program is run at various nuclear power plant facilities.  Which raised my fear level a little more than usual.

    So I was concerned that the NAS antivirus program was finding something on my Windows machine that might be infected with something that could in fact be spread to the NAS.  Having my own Synology NAS is the new unknown equation for me.  I've not had one of those before.  So I'm a little uncertain about risks there.  And, although I'm impressed with the ease of installation and use and the broad spectrum of applications there, they make it a little too easy and it is hard to tell what their vulnerabilities might be.  But that is another issue for another time.

    My main concern was whether my Windows files actually contained something.

    Since the NAS McAfee scan AND Microsoft Defender seem to think the files are ok, I'm going to assume they are false negatives unless someone knows something else about these particular viruses.

    Or if my whole system comes crashing down  :-)


    1 person found this answer helpful.
  3. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-02-12T13:20:03+00:00

    I'm going to discuss these detections from another point of view, since few consumers seem to understand the difference between real-time or quick scanning and the much less reliable full scan that often results in false positive detections.

    The reality is that modern AV products like Windows Defender have become much better at both detecting and properly identifying true malware infections when performing what Microsoft calls a quick scan, since these detections are typically for known malware that are actively operating.

    On the other hand, though real-time detections are often signature based as well when known malware is involved, these can occasionally also include items detected via machine-learning or in other words, detections made via artificial intelligence.  Knowing the difference between these types of detections and how those are designated can be important in determining whether a false positive may be likely.

    However, the traditional full scan that most AV products perform has always been more likely to result in false positive detections, both due to the often inactive state of the items, as well as the out-of-context locations within the file system where these tend to occur.  That's because even the signature based detections that are typically quite effective when the more limited locations where malware actively operates are involved become much less dependable when items are found in random areas of the greater file system, where duplication of portions of a signature can be quite common.

    This is one of the inherent fallacies of signature based detection that few outside the security community understand, since most people assume a signature is a relatively precise indicator, when in truth the attempt to keep these database elements as small as possible also makes them less reliable when the much larger sets of files contained in an entire filing system are involved.

    What you should take away from this in your case is that just like the less reliable full scan, any AV product attempting to scan the full set of random file types and arbitrary locations certain to be found on any mass storage device like a NAS, is again almost certain to result in false positive detections.

    In fact, one of the most common types of false positive detection that full scans tend to display are those for temporary file system locations like internet or temporary file cache, since it's very common for these to contain partial remnants of malicious code that though these were likely attempts to attack via websites or similar methods, had already failed due to operating system patches that rendered them ineffective.  In other words, these items are nothing more than leftover fragments of a failed attack attempt, so though taken out of context they can appear to be malware, in truth they're effectively neutered and so can safely be ignored.

    If you examine those particular detections closely for location, I suspect from your description they may be contained in the backup of such temporary cache portions of the filing system, meaning they're likely just this sort of unimportant detection that a full scan of the local PC filing system might detect, resulting in the same sort of false positive detection of leftover fragments.

    In fact, in the case of a NAS or other shared storage system, the fact that the items it contains are inherently found in a location where they can't be executed except by download to another device's file system makes the use of AV scanning questionable at best.  That's because it's really the specific operating system (e.g. Windows) where these malicious fragments could actually operate that must determine whether they're a true threat to itself or not.

    In general, the inclusion of AV scanning on a non-active operating system like a NAS is really nothing more than marketing, since the typical consumer sees this as an enhancement, while the technically knowledgeable IT person sees these detections instead as the at best questionable and in many cases simply time wasting detections they truly are.

    Rob


    1 person found this answer helpful.
  4. _AW_ 67,341 Reputation points Volunteer Moderator
    2021-02-12T09:33:06+00:00

    Windows Defender and ESET are both very good at detecting and remediating Sality infections. If both come up negative, it's likely a false positive. Upload the detected files to VirusTotal and link to the VT reports if in doubt.

    VirusTotal

    ESET Online Scanner

    http://www.eset.com/us/online-scanner/

    Edit: Win.Trojan.Badjoke-7 seems to be a ClamAV detection, so it would seem the NAS AV engine is ClamAV.

    ClamAV is not something to be relied upon. It is prone to false detections and, mostly, non-detections.


    1 person found this answer helpful.
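The two answers above make a pair of practical points: short byte-pattern signatures (the kind a bulk file-system scan trips over) can collide with innocent files, whereas a whole-file hash identifies a specific known sample, and a hash can be looked up on VirusTotal without uploading the file. The following script is an added example written for this page, not code from either answerer, from ClamAV or from Synology. It models the two signature styles on ClamAV's published database formats (a `.ndb` line is `Name:TargetType:Offset:HexSignature`, a `.hdb` line is `MD5:FileSize:Name`) using constructed sample bytes and a constructed two-entry database; nothing in it is real malware or a real ClamAV signature, and the signature names are made up.

```python
"""Toy model of pattern-signature vs. hash-signature scanning.

Constructed data throughout: these are not real signatures, not real
malware, and not ClamAV's engine, only an illustration of why a short
hex pattern scanned across a whole NAS volume can hit an unrelated file
while a whole-file hash cannot.
"""
import hashlib
import re

# Constructed sample "files". "my_tool.exe" deliberately shares a 4-byte run
# with the "known bad" sample, modelling legitimate code that happens to
# contain the same bytes a short signature was cut from.
SAMPLES = {
    "sality_like.exe": b"MZ" + b"\x90" * 8 + bytes.fromhex("deadbeef") + b"payload-stub",
    "my_tool.exe":     b"MZ" + b"\x00" * 8 + bytes.fromhex("deadbeef") + b"init-table",
    "notes.txt":       b"quarterly NAS migration notes\n",
}

# Constructed signature database (names are invented):
#   .ndb style  Name:TargetType:Offset:HexSignature   ('??' = any one byte, '*' offset = anywhere)
#   .hdb style  MD5:FileSize:Name                     (whole-file hash plus size)
NDB_SIGS = ["Win.Test.Pattern-1:0:*:deadbeef"]
HDB_SIGS = [
    "{}:{}:Win.Test.Hash-1".format(
        hashlib.md5(SAMPLES["sality_like.exe"]).hexdigest(),
        len(SAMPLES["sality_like.exe"]),
    ),
]


def _hex_to_regex(hexsig: str) -> "re.Pattern":
    """Turn a hex signature such as 'de??beef' into a bytes regex."""
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def pattern_scan(data: bytes, ndb_sigs=NDB_SIGS) -> list:
    """Names of pattern signatures found anywhere in data (offset '*')."""
    hits = []
    for line in ndb_sigs:
        name, _target, _offset, hexsig = line.split(":")
        if _hex_to_regex(hexsig).search(data):
            hits.append(name)
    return hits


def hash_scan(data: bytes, hdb_sigs=HDB_SIGS) -> list:
    """Names of hash signatures whose MD5 and size both match data exactly."""
    md5 = hashlib.md5(data).hexdigest()
    hits = []
    for line in hdb_sigs:
        sig_md5, size, name = line.split(":")
        if sig_md5 == md5 and int(size) == len(data):
            hits.append(name)
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file, the identifier used for a VirusTotal hash lookup."""
    return hashlib.sha256(data).hexdigest()


def vt_lookup_url(data: bytes) -> str:
    # A hash lookup shows whether the sample is already known to the
    # engines on VirusTotal without uploading the file itself, which
    # matters for proprietary or sensitive binaries.
    return "https://www.virustotal.com/gui/file/" + sha256_hex(data)


def triage(name: str, data: bytes) -> dict:
    """Scan one file both ways and classify the outcome."""
    p, h = pattern_scan(data), hash_scan(data)
    if h:
        verdict = "known sample (hash match)"
    elif p:
        verdict = "pattern-only hit: corroborate with a second engine or hash lookup"
    else:
        verdict = "clean"
    return {"file": name, "pattern": p, "hash": h,
            "verdict": verdict, "sha256": sha256_hex(data)}


def scan_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in scan_all().values():
        print(f"{r['file']:18} pattern={r['pattern']} hash={r['hash']} -> {r['verdict']}")
        print(f"{'':18} {vt_lookup_url(SAMPLES[r['file']])}")
```

Run as-is: the 4-byte pattern flags both executables, the hash signature flags only the sample it was built from, and the text file is clean. A real engine's patterns are longer and often anchored to a file offset or section, which lowers the collision rate but does not remove it, which is why a pattern-only hit on an arbitrary file from a NAS volume is worth corroborating (a second engine, or the SHA-256 lookup above) before treating it as an infection.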
  5. Anonymous
    2021-02-12T09:02:03+00:00

    Hi, I'm Elise, an independent advisor and I'd be happy to help with your issue.

    You could perhaps try another utility such as Malwarebytes to rule out a false positive result.

    https://www.malwarebytes.com/

    Please let me know if you need any further assistance.

    Kind Regards,

    Elise

    Note: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

