Author Topic: False trigger: Avast identifies a program as a virus when it is not  (Read 6320 times)


briantokyo

  • Guest
Your antivirus is firing up when trying to run this application of mine:
http://techsuki.net/nintendo-ds-rom-trimmer/
(download link in the page, hotlink is enabled)

Where can I report it so your database is updated?


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #1 on: March 12, 2008, 09:19:32 AM »
You could try emailing the file and description to support@avast with a detailed description of why it's a FP.
Interestingly, Prevx, esafe, and Sunbelt also detect this file as a virus, mostly via heuristics/suspicious packing/covert attributes.
As an Avast user (not connected with the company) I think it's a bit rich that on your site you recommend "a real antivirus like Kaspersky". They all have the odd FP at times. Rather the odd FP than a real virus missed, thanks very much.

Edit: Send the file, zipped and password protected, to virus@avast.com, and include details including the password.
« Last Edit: March 12, 2008, 09:28:22 AM by Tarq57 »
Windows 10,Windows Firewall,Firefox w/Adblock.

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #2 on: March 12, 2008, 09:45:46 AM »
Thanks, will do.

The program has been out for like a year and is very popular, but only this recent build has been tagged by Avast, even though I also packed with UPX all my previous builds.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #3 on: March 12, 2008, 12:21:16 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location (if you sent it to the chest), periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #4 on: March 12, 2008, 06:40:06 PM »
That online virus check is great, bookmarking it.

4 out of 32 found a matching virus pattern

AhnLab-V3    2008.3.12.0    2008.03.12    -
AntiVir    7.6.0.73    2008.03.12    -
Authentium    4.93.8    2008.03.11    -
Avast    4.7.1098.0    2008.03.11    Win32:Trojan-gen {UPX}
AVG    7.5.0.516    2008.03.12    -
BitDefender    7.2    2008.03.12    -
CAT-QuickHeal    9.50    2008.03.10    -
ClamAV    0.92.1    2008.03.12    -
DrWeb    4.44.0.09170    2008.03.12    -
eSafe    7.0.15.0    2008.03.09    suspicious Trojan/Worm
eTrust-Vet    31.3.5608    2008.03.12    -
Ewido    4.0    2008.03.12    -
FileAdvisor    1    2008.03.12    -
Fortinet    3.14.0.0    2008.03.12    -
F-Prot    4.4.2.54    2008.03.11    -
F-Secure    6.70.13260.0    2008.03.12    -
Ikarus    T3.1.1.20    2008.03.12    -
Kaspersky    7.0.0.125    2008.03.12    -
McAfee    5249    2008.03.11    -
Microsoft    1.3301    2008.03.12    -
NOD32v2    2941    2008.03.12    -
Norman    5.80.02    2008.03.12    -
Panda    9.0.0.4    2008.03.12    -
Prevx1    V2    2008.03.12    Heuristic: Suspicious File With Covert Attributes
Rising    20.35.22.00    2008.03.12    -
Sophos    4.27.0    2008.03.12    -
Sunbelt    3.0.930.0    2008.03.05    Backdoor.Graybird (vf)
Symantec    10    2008.03.12    -
TheHacker    6.2.92.243    2008.03.12    -
VBA32    3.12.6.2    2008.03.05    -
VirusBuster    4.3.26:9    2008.03.12    -
Webwasher-Gateway    6.6.2    2008.03.12    -

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #5 on: March 12, 2008, 06:46:31 PM »
You're welcome, VirusTotal is a great tool for confirmation.

Although 4 report detections, two of those are suspicious, which tends to indicate heuristic detections which have a possibility of being wrong. So I would send the sample to avast if you haven't done so already.

Welcome to the forums.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
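
Added example (not part of the original thread and not any poster's code): a small Python triage of the scan report quoted above, separating generic or heuristic verdicts from named-family ones and flagging verdicts that come from older definitions. The rows are a subset copied from the report in Reply #4; the keyword list in `GENERIC_HINTS` and the 5-day staleness threshold are assumptions made for illustration.

```python
import re
from datetime import date

# Rows copied from the scan report posted in this thread (subset of the 32 engines).
REPORT = """\
AntiVir    7.6.0.73    2008.03.12    -
Avast    4.7.1098.0    2008.03.11    Win32:Trojan-gen {UPX}
eSafe    7.0.15.0    2008.03.09    suspicious Trojan/Worm
Kaspersky    7.0.0.125    2008.03.12    -
Prevx1    V2    2008.03.12    Heuristic: Suspicious File With Covert Attributes
Sunbelt    3.0.930.0    2008.03.05    Backdoor.Graybird (vf)
"""

# Assumption: these substrings mark generic/heuristic verdicts; the list is
# illustrative, not any vendor's official naming scheme.
GENERIC_HINTS = ("heuristic", "suspicious", "-gen", "generic")

def parse_report(text):
    """Split each row into (engine, version, definitions date, verdict or None)."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=3)
        if len(parts) != 4:
            continue  # skip blank or malformed rows
        engine, version, updated, verdict = parts
        y, m, d = (int(x) for x in updated.split("."))
        rows.append((engine, version, date(y, m, d), None if verdict == "-" else verdict))
    return rows

def triage(rows, stale_days=5):
    """Group detections by how much weight they deserve in a false-positive review."""
    newest = max(r[2] for r in rows)
    out = {"generic": [], "specific": [], "stale": [], "clean": 0}
    for engine, _, updated, verdict in rows:
        if verdict is None:
            out["clean"] += 1
            continue
        kind = "generic" if any(h in verdict.lower() for h in GENERIC_HINTS) else "specific"
        out[kind].append(engine)
        if (newest - updated).days >= stale_days:
            out["stale"].append(engine)  # verdict comes from old definitions
    return out

if __name__ == "__main__":
    print(triage(parse_report(REPORT)))
```

A result dominated by generic verdicts supports submitting the sample to the vendor for review; it does not by itself show the file is clean.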

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #6 on: March 12, 2008, 07:28:18 PM »
Thanks, sent them the sample.

About Kaspersky, it's simply my choice when it gets to customers and I've found it to work best through the years selling and repairing computers.

Perkele666

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #7 on: March 12, 2008, 08:16:33 PM »
Don't act like you're surprised, Brian.

When you unpack your UPX-packed file and then start the unpacked executable, Windows reboots without a warning. This is code you confirmed to have built in yourself and this code makes your program a Trojan.

If you remove that code, then your program won't be recognized as a trojan anymore, it's as simple as that.

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #8 on: March 12, 2008, 09:41:59 PM »
So according to you, any application making use of the well documented Windows API "ExitWindowsEx" is a trojan? Thousands of other popular applications would be trojans then! Your statement doesn't make any sense at all.

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #9 on: March 13, 2008, 11:30:46 AM »
Even removing the reboot function didn't stop Avast from thinking it's some other virus; there must be some specific piece of code (sequence of bytes) that matches something in avast db.

briantokyo

  • Guest
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #10 on: March 17, 2008, 11:01:24 AM »
This has been fixed in their latest update :)

http://www.virustotal.com/analisis/bb330c0bb7e59ca381e3152d95b9584e

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False trigger: Avast identifies a program as a virus when it is not
« Reply #11 on: March 17, 2008, 12:10:41 PM »
Thanks for posting. Glad that it got solved ;)
The best things in life are free.