Author Topic: Avast false-positive  (Read 12148 times)

Splinter hell

  • Guest
Avast false-positive
« on: December 21, 2007, 05:00:39 AM »
When I did a scan with Avast it alerted that Tfmisc.dll located in C:\Program Files\ThreatFire\TFMisc.dll is a Trojan known as win32:knlone-rx, but this file belongs to Threatfire, which is a safe program from Pctools.
I also uploaded the file to virus-total and only Avast detected it as win32:Knlone-rx and Prev1 as a suspicious file. So, can I resolve this problem?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast false-positive
« Reply #1 on: December 21, 2007, 03:17:02 PM »
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put false positive in the subject.

Or you can send it from the avast chest if you chose to send it there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest; send it with some info, that you think it is a false positive, etc. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

smokethapimp

  • Guest
Re: Avast false-positive
« Reply #2 on: April 27, 2008, 08:57:12 PM »
Hello. I have been running Threatfire and Avast together for several months with no difficulties. Today as I was surfing the Web, Avast popped up and said that Threatfire

c:\program files\threatfire\tfmisc.dll was infected with Win32:SdBot-5340 [trj] Trojan Horse 080427-1, 04/27/2008.

I suspect this may be a False Positive. Please advise.

When I try to upload this file to VirusTotal I do get a message that

0 bytes size received / Se ha recibido un archivo vacio

and that makes me a bit suspicious unless Threatfire protects its files from being uploaded.

I have scanned the file with AVG AntiSpyware and A-Squared and both report clean.

Thanks for any help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast false-positive
« Reply #3 on: April 27, 2008, 09:02:05 PM »
Yes, seems a false positive.
Is your avast virus database updated? If so, can you send the file to virus (at) avast (dot) com informing them that it is a false positive?

Oh, avast will prevent the submission to Virus Total and the email from being sent.
You need to add that file to the Exclusion lists or disable avast protection during these operations.
The best things in life are free.

smokethapimp

  • Guest
Re: Avast false-positive
« Reply #4 on: April 27, 2008, 09:13:06 PM »
Thank you Tech. I figured out how to upload the file to VirusTotal. I had to check the "send it over SSL" option at VirusTotal and then the file was uploaded just fine. Here are the results. Only Avast and Ikarus showed it as Malware. I will add it to Exclusion List and email to Avast.

 
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.4.25.2   2008.04.25   -
AntiVir   7.8.0.10   2008.04.25   -
Authentium   4.93.8   2008.04.27   -
Avast   4.8.1169.0   2008.04.27   Win32:SdBot-5340
AVG   7.5.0.516   2008.04.27   -
BitDefender   7.2   2008.04.27   -
CAT-QuickHeal   9.50   2008.04.26   -
ClamAV   0.92.1   2008.04.27   -
DrWeb   4.44.0.09170   2008.04.27   -
eSafe   7.0.15.0   2008.04.27   -
eTrust-Vet   31.3.5736   2008.04.26   -
Ewido   4.0   2008.04.27   -
F-Prot   4.4.2.54   2008.04.27   -
F-Secure   6.70.13260.0   2008.04.26   -
FileAdvisor   1   2008.04.27   -
Fortinet   3.14.0.0   2008.04.27   -
Ikarus   T3.1.1.26   2008.04.27   Virus.Win32.Rbot.FTK
Kaspersky   7.0.0.125   2008.04.27   -
McAfee   5282   2008.04.25   -
Microsoft   1.3408   2008.04.22   -
NOD32v2   3057   2008.04.26   -
Norman   5.80.02   2008.04.25   -
Panda   9.0.0.4   2008.04.27   -
Prevx1   V2   2008.04.27   -
Rising   20.41.62.00   2008.04.27   -
Sophos   4.28.0   2008.04.27   -
Sunbelt   3.0.1056.0   2008.04.17   -
Symantec   10   2008.04.27   -
TheHacker   6.2.92.294   2008.04.26   -
VBA32   3.12.6.5   2008.04.26   -
VirusBuster   4.3.26:9   2008.04.27   -
Webwasher-Gateway   6.6.2   2008.04.27   -


Offline startreksuite

  • Newbie
  • *
  • Posts: 10
Re: Avast false-positive
« Reply #5 on: April 27, 2008, 10:12:51 PM »
> Yes, seems a false positive.
> Is your avast virus database updated? If so, can you send the file to virus (at) avast (dot) com informing them that it is a false positive?
>
> Oh, avast will prevent the submission to Virus Total and the email from being sent.
> You need to add that file to the Exclusion lists or disable avast protection during these operations.

Yep, me too! I had just restarted my comp after some uninstalls and it said that TF was infected! Did the Virus Total scan, and sent this file along. Hope the fix happens soon. And my exclusions didn't work, had to disable the scanner. >:(

smokethapimp

  • Guest
Re: Avast false-positive
« Reply #6 on: April 27, 2008, 10:29:42 PM »
I had to Open the main Avast Program and go to Menu:Settings:Exclusions:Add

and then enter this exact string

c:\program files\threatfire\tfmisc.dll

It took care of it for me.......

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast false-positive
« Reply #7 on: April 27, 2008, 11:10:12 PM »
The Program Settings, Exclusions is the wrong exclusion as that is for the on-demand scanner.

To resolve the issue with the on-access detection, the Standard Shield, Customize, Advanced, Add is the correct one.

smokethapimp

  • Guest
Re: Avast false-positive
« Reply #8 on: April 28, 2008, 04:24:47 AM »
> The Program Settings, Exclusions is the wrong exclusion as that is for the on-demand scanner.
>
> To resolve the issue with the on-access detection, the Standard Shield, Customize, Advanced, Add is the correct one.

David, I followed your original instructions and Avast was still giving Alerts every single time I would open the Main Program interface. Doing the Exclusion the way I posted (thru Settings) took care of the problem for me. :)

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Avast false-positive
« Reply #9 on: April 28, 2008, 02:06:05 PM »
The false positive alert has been fixed in the last VPS update.

smokethapimp

  • Guest
Re: Avast false-positive
« Reply #10 on: April 28, 2008, 07:32:36 PM »
Thank you!  :)

gdiloren

  • Guest
Re: Avast false-positive
« Reply #11 on: April 28, 2008, 09:02:33 PM »
Oh yes, this alert comes a second time in 1-2 weeks!!!
http://forum.avast.com/index.php?topic=34951.0
 ???

smc1979

  • Guest
Re: Avast false-positive
« Reply #12 on: April 29, 2008, 12:13:50 AM »
I have avast vps version 080428-0

Avast is saying that my setup program on the website www.thetransbroker.com has a virus, which it doesn't. I use setup factory 7 to make my setups and I know the file is safe.

Also another tool I have written called cleanmem.exe, which I run on my computer, is being detected as a rootkit, which it isn't. So many false positives, I hope this doesn't keep happening.

If there is any more info I can give let me know. Nothing worse for a programmer than having your favorite antivirus detecting your hard work as a virus!

gdiloren

  • Guest
Re: Avast false-positive
« Reply #13 on: April 29, 2008, 04:26:35 PM »
I have the same problem now with Spyware Terminator, which detects Acer Zone components as Trojan Horses. It's even worse than actually having viruses!!! >:(