Author Topic: False positives?  (Read 3687 times)


TGB72

  • Guest
False positives?
« on: January 25, 2008, 07:39:35 PM »
I'm getting warnings from avast when I try to download the latest versions of celestia (a real-time space simulator) and staxrip (a video converter). Both programs are incredibly well known and open source, never had this kind of warning from avast in the past. These warnings began after the last avast update, I'm using avast home 4.7.1098 with the latest database (25/01/2008).

This is the warning log from avast:
25/01/2008 04:02:49 p.m. SYSTEM 1248 Sign of "Win32:Trojan-gen {Other}" has been found in "http://ufpr.dl.sourceforge.net/sourceforge/celestia/celestia-win32-1.5.0.exe" file. 
25/01/2008 04:17:21 p.m. SYSTEM 1248 Sign of "Win32:Trojan-gen {Other}" has been found in "http://www.planetdvb.net/non_drupal/filebrowser/staxrip/download/binary/StaxRip_1.0.0.2.exe" file.

It's really strange, this time I really doubt these warnings, please if anyone can confirm that these are false positives or avast is really stopping some worm I'll be more than grateful.
The links to download the programs are in the log, thanks in advance for any help.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False positives?
« Reply #1 on: January 25, 2008, 09:54:50 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists and send a sample to avast:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

You would need to pause or terminate the web shield to be able to download it and then the standard shield would alarm but you could choose to ignore/take no action. You would then need to exclude the file if it is

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I checked one using DrWeb link checker and that was OK (but only one checking source), the other failed to be scanned, permissions.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

TGB72

  • Guest
Re: False positives?
« Reply #2 on: January 25, 2008, 11:27:53 PM »
Thanks for the reply, DavidR. After terminating the web shield I downloaded both files and the standard shield didn't bother at all. I scanned both files several times and avast didn't find anything; the warnings appear only at the time of download through the web shield.
I uploaded "Staxrip_1.0.0.2.exe" to VirusTotal for a scan and this was the analysis result. So, like you said, it looks like the file is clean and the web shield made a false alarm.
I tried to upload the other file but VirusTotal said that it is too big (19.4MB) so I couldn't check it with this service. Anyway I suppose that it's clean too since neither the standard shield nor the scanner jumped :).
Thanks for your help and best regards.
« Last Edit: January 25, 2008, 11:29:40 PM by TGB72 »

Offline DavidR

Re: False positives?
« Reply #3 on: January 26, 2008, 12:25:31 AM »
No problem, glad I could help.

It may just have been an issue at the site; there have been a few detections (usually on a web page rather than a download file) associated with the trojan-gen {other} malware signature. It is possible that this generic signature (detects more than one variant with the one signature) has been updated (VPS) correcting the fault.

You could try enabling the web shield again and kick off the download again and see if it hiccups, if it did then it is possibly something on the download page/process it doesn't like.

Welcome to the forums.

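A way to triage the kind of web shield log quoted in the first post, as an added example that is not from any poster or from avast: it parses the warning lines and lists generic (`-gen`) signatures that fired on two or more unrelated hosts within a short window, the pattern discussed in reply #3. The one-hour window, the `-gen` substring test, the function names and the third log line are assumptions made for this example; the output is a list of candidates for a second-opinion scan, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# First two lines are the ones quoted in the thread; the third is constructed.
SAMPLE_LOG = '''\
25/01/2008 04:02:49 p.m. SYSTEM 1248 Sign of "Win32:Trojan-gen {Other}" has been found in "http://ufpr.dl.sourceforge.net/sourceforge/celestia/celestia-win32-1.5.0.exe" file.
25/01/2008 04:17:21 p.m. SYSTEM 1248 Sign of "Win32:Trojan-gen {Other}" has been found in "http://www.planetdvb.net/non_drupal/filebrowser/staxrip/download/binary/StaxRip_1.0.0.2.exe" file.
26/01/2008 09:15:00 a.m. SYSTEM 1248 Sign of "Constructed:Sample-A" has been found in "http://files.example.test/tool.exe" file.
'''

LINE_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([ap])\.m\. \S+ \d+ '
    r'Sign of "([^"]+)" has been found in "([^"]+)" file\.\s*$')

def parse_line(line):
    """Return a dict for one warning line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, ampm, signature, url = m.groups()
    when = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
    # The log uses a 12-hour clock with "a.m."/"p.m."; convert by hand so the
    # result does not depend on the locale's AM/PM strings.
    if ampm == "p" and when.hour != 12:
        when += timedelta(hours=12)
    elif ampm == "a" and when.hour == 12:
        when -= timedelta(hours=12)
    return {"time": when, "signature": signature,
            "url": url, "host": urlparse(url).hostname}

def fp_candidates(log_text, window=timedelta(hours=1)):
    """Map each generic signature to the distinct hosts it fired on."""
    by_sig = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            by_sig[hit["signature"]].append(hit)
    report = {}
    for sig, hits in by_sig.items():
        hosts = sorted({h["host"] for h in hits})
        times = [h["time"] for h in hits]
        # Assumed heuristic: generic name, several hosts, tight time span.
        if "-gen" in sig and len(hosts) >= 2 and max(times) - min(times) <= window:
            report[sig] = hosts
    return report

if __name__ == "__main__":
    for sig, hosts in fp_candidates(SAMPLE_LOG).items():
        print(sig, "->", ", ".join(hosts))
```
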
ght1

  • Guest
Re: False positives?
« Reply #4 on: March 19, 2008, 10:43:29 AM »
???
;D
« Last Edit: March 19, 2008, 11:55:47 AM by ght1 »

Offline DavidR

Re: False positives?
« Reply #5 on: March 19, 2008, 03:01:29 PM »
1. With 10 detections I think you can be reasonably sure it is a good detection.
2. Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.
Or you can also send it from the chest, Infected Files section, as a copy remains after exporting (select the file, right click, email to Alwil Software).
No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

ght1

  • Guest
Re: False positives?
« Reply #6 on: March 19, 2008, 03:32:15 PM »
Thank you David  ;)

Offline DavidR

Re: False positives?
« Reply #7 on: March 19, 2008, 04:51:08 PM »
You're welcome.