Author Topic: Possible sdbot-266 false positive...  (Read 5906 times)

psikotix

  • Guest
Possible sdbot-266 false positive...
« on: January 22, 2005, 10:58:13 PM »
Greetings!

Being new to Avast, I had it do a full system scan last night after I installed it.

Imagine my alarm when it detected a file containing sdbot-266 on my system, when my old scanner saw nothing.

That kind of bothered me, so I have tested it against other anti-virus programs (including TrendMicro, McAfee, Norton online scanner, Norton Internet Security 2004, Panda's online scanner, and my old scanner), and all detect no problems.

I checked the forums, and found a reference to an online malware scan site (http://virusscan.jotti.dhs.org/), and posted the file there.

Avast is the only scanner that indicates there is an issue.  mks_vir *thinks* there may be an issue with it, and the other scanners on that site passed the file.

I'm beginning to think it's a false positive, here.  The file has never been executed on this system, it is contained to a folder, and nothing else seems to indicate an issue.  Avast indicates this trojan was discovered in June 2004 (TrendMicro was October), so I'm thinking if there were any false positive issues with this Trojan, they would have been resolved by now.

Ideas? :)

Thanks in advance!

Eddy

  • Avast Evangelist
Re: Possible sdbot-266 false positive...
« Reply #1 on: January 22, 2005, 11:15:39 PM »
Submit the file to virus@avast.com in a password-protected zip. Mention in the body of the mail that you think it is a false positive and the password.

DavidR

  • Avast Überevangelist
Re: Possible sdbot-266 false positive...
« Reply #2 on: January 23, 2005, 12:18:49 AM »
Quote
Imagine my alarm when it detected a file containing sdbot-266 on my system, when my old scanner saw nothing.

Where was the file (path) found, what was the supposedly infected filename and what program is it associated with (that makes you think it is a false positive)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

psikotix

  • Guest
Re: Possible sdbot-266 false positive...
« Reply #3 on: January 23, 2005, 03:26:33 AM »
Quote
Where was the file (path) found, what was the supposedly infected filename and what program is it associated with (that makes you think it is a false positive)?

You mean aside from the fact that six other scanners thought the file was clean, and even the malware site I listed earlier passed the file for the most part? :D

Path, filename, associations shouldn't matter in this case...it was a standalone executable.  Even moving it to a controlled system and running tests there didn't produce any positives...

Lisandro

  • Avast team
Re: Possible sdbot-266 false positive...
« Reply #4 on: January 23, 2005, 01:47:57 PM »
Quote
Path, filename, associations shouldn't matter in this case...it was a standalone executable.  Even moving it to a controlled system and running tests there didn't produce any positives...

Yeah, you seem to be right...
Did you send the file to the email which Eddy posted?
Seems a false positive...
The best things in life are free.

DavidR

  • Avast Überevangelist
Re: Possible sdbot-266 false positive...
« Reply #5 on: January 23, 2005, 03:21:48 PM »
The reason I asked was not simply for my amusement, but it may help others presented with the same problem (a false positive on the same file).

Identifying the problem/program associated (and the location may be the same for them) with the false positive may stop them needlessly deleting the file.

Lisandro

  • Avast team
Re: Possible sdbot-266 false positive...
« Reply #6 on: January 23, 2005, 03:48:22 PM »
Quote
The reason I asked was not simply for my amusement, but it may help others presented with the same problem (a false positive on the same file).
Identifying the problem/program associated (and the location may be the same for them) with the false positive may stop them needlessly deleting the file.

Yeah... you're right too... Different points of view  8)

psikotix

  • Guest
Re: Possible sdbot-266 false positive...
« Reply #7 on: January 23, 2005, 04:50:06 PM »
Quote
Yeah, you seem to be right...
Did you send the file to the email which Eddy posted?
Seems a false positive...

I sent the file yesterday...

psikotix

  • Guest
Re: Possible sdbot-266 false positive...
« Reply #8 on: January 23, 2005, 04:56:31 PM »
Quote
The reason I asked was not simply for my amusement, but it may help others presented with the same problem (a false positive on the same file).

Identifying the problem/program associated (and the location may be the same for them) with the false positive may stop them needlessly deleting the file.

Fair enough, and I understand where you're coming from.  The file in question was an executable a friend sent via e-mail to me.  I never executed the file on my system, so nothing was ever installed. (Thank goodness for Thunderbird)  The file was never part of a larger package or anything of that nature, just a small (161K) executable a "well-intentioned" friend sent me. :)

The only other hint comes from the malware scanning site I mentioned yesterday...it says the file was packed with FSG...hmmm...