Author Topic: Lineage 2 marked as trojan horse  (Read 11346 times)


progrock

  • Guest
Lineage 2 marked as trojan horse
« on: May 14, 2008, 06:34:48 AM »
l2.exe false positive, using Vista SP1, Avast Pro 4.8.1185
Identifies as Win32:Rootkit-gen [Rtk] Rootkit

Already set l2.exe in the exclusion list, but it still gives a false positive.
« Last Edit: May 15, 2008, 12:23:20 AM by progrock »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Lineage 2 marked as trojan horse
« Reply #1 on: May 14, 2008, 02:53:31 PM »
I hope you mean avast Pro 4.8.1195 (that is the latest version of 'avast')

When is this detected, on-demand scan or when booting, lineage2 loading, etc. ?

There are two areas of exclusions, on-demand which is in the Program Settings, Exclusions. You probably need to add it to the Standard Shield, Customize, Advanced, Add list that deals with on-access scanners.

If you have added it there also please post the full text/path that you input in the exclusion list/s ?

You could also confirm the file detection is an FP at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If confirmed then send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
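
Before excluding a flagged file or reporting it as a false positive, it helps to record exactly what the file is. The PowerShell function below is an added example, not part of any post in this thread: it collects the hashes to look up on VirusTotal, the Authenticode signature state, the size (relevant to sample-submission limits) and the 8.3 short path that can be tried in an exclusion entry. The function name is hypothetical, the path is the one quoted later in the thread, and PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example, not from the thread. Get-FlaggedFileReport is a hypothetical name.
# Assumes PowerShell 4.0 or later (Get-FileHash).
function Get-FlaggedFileReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName

    # 8.3 alias of the path. It equals the long path when short-name
    # generation is disabled on the volume, so do not guess it by hand.
    $fso   = New-Object -ComObject Scripting.FileSystemObject
    $short = $fso.GetFile($item.FullName).ShortPath

    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        FullPath    = $item.FullName
        ShortPath   = $short
        SizeKB      = [math]::Ceiling($item.Length / 1KB)
        LastWrite   = $item.LastWriteTime
        MD5         = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash
        SHA256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SigStatus   = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
        Signer      = $signer
        Product     = $item.VersionInfo.ProductName
        FileVersion = $item.VersionInfo.FileVersion
    }
}

# Path as quoted in the thread; change it to match the local install.
Get-FlaggedFileReport -Path 'D:\Lineage 2\system\l2.exe' | Format-List
```

A HashMismatch status, or hashes that differ from a copy obtained fresh from the publisher, mean the file has been altered and the detection should not be treated as a false positive.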

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #2 on: May 14, 2008, 10:42:17 PM »
This is what I get. I've added the path to the Standard Shield and nothing changed. Clicking No action still deletes the .exe.

time5

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #3 on: May 14, 2008, 11:48:43 PM »
> This is what I get. I've added the path to the Standard Shield and nothing changed. Clicking No action still deletes the .exe.


though this problem of mine and very much annoys!  >:(  sorry bad English!
exclusions add bad in that manner! = delete avast = disappointment  >:(

Offline DavidR

Re: Lineage 2 marked as trojan horse
« Reply #4 on: May 15, 2008, 12:01:09 AM »
No action doesn't delete the file, it should remain in the original location, but avast won't let it run (as the screenshot shows) even if you choose no action.

What is the full path/text that you have entered in the exclusions ?
Try d:\lineag~1\system\l2.exe or d:\*\l2 (the * wildcard replaces the two folders), if d:\lineage 2\system\l2.exe didn't work.

Did you confirm using virustotal ?
- Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect (or D: drive). Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #5 on: May 15, 2008, 12:15:25 AM »
> No action doesn't delete the file, it should remain in the original location, but avast won't let it run (as the screenshot shows) even if you choose no action.
>
> What is the full path/text that you have entered in the exclusions ?
> Try d:\lineag~1\system\l2.exe or d:\*\l2 (the * wildcard replaces the two folders), if d:\lineage 2\system\l2.exe didn't work.
>
> Did you confirm using virustotal ?
> - Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.
>
> Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect (or D: drive). Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.


Yeah, that seems like an awful lot of work. How about avast just fix this problem and send a new set of definitions...
I really don't want to perform surgery just to play my game O.o

Here is the VirusTotal scan conclusion: http://www.virustotal.com/analisis/0325f59a3acb9a1c2c1f8218169a6d6e
« Last Edit: May 15, 2008, 12:18:29 AM by progrock »

Offline DavidR

Re: Lineage 2 marked as trojan horse
« Reply #6 on: May 15, 2008, 12:18:24 AM »
Well, if you want a permanent solution you need to submit the file to avast, as I said earlier. For avast to fix the problem they need the file to analyse it so they can adjust the signatures, but if it's too much trouble ???

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #7 on: May 15, 2008, 12:19:15 AM »
I tried to send the file through the method shown earlier, but it wouldn't allow me to send a file larger than 1024 KB.

"Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that."

Offline DavidR

Re: Lineage 2 marked as trojan horse
« Reply #8 on: May 15, 2008, 12:46:01 AM »
Right click the avast 'a' icon, select Program Settings, Chest and increase the file size limitation to one that will allow it to be sent.

time5

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #9 on: May 15, 2008, 01:06:09 AM »
let him make something it avast!  >:( >:( >:(
may not be game!!!!!!  >:( >:(   repaired who =update

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #10 on: May 15, 2008, 01:18:26 AM »
*sigh* I don't use lookout express, so sending via SMTP or MAPI won't work for me. Any other suggestions?

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #11 on: May 15, 2008, 01:21:30 AM »
> let him make something it avast!  >:( >:( >:(
> may not be game!!!!!!  >:( >:(   repaired who =update

Not sure what you're saying, but it IS a game I downloaded directly from their website. I've been playing it for over 3 and a half years. It's NOT a rootkit, although it acts as one with stupid game guard.

Offline DavidR

Re: Lineage 2 marked as trojan horse
« Reply #12 on: May 15, 2008, 02:19:00 AM »
You don't have to use outlook express, what is your email program ?
The only issue would be if you only used webmail.

If I try to send with SMTP it fails; if I don't change the MAPI default option it succeeds. In the Program Settings, SMTP you need to put the details in for your default email account.

Have you been able to get the exclusions working yet using the suggestions I gave ?

progrock

  • Guest
Re: Lineage 2 marked as trojan horse
« Reply #13 on: May 15, 2008, 03:24:48 AM »
I only use webmail.
And no, the exclusions don't work with either the Standard Shield method or the Program Settings exclusion list.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Lineage 2 marked as trojan horse
« Reply #14 on: May 15, 2008, 04:56:06 AM »
If I am wrong I am sure the avast team will be very ready to correct me (and I will be very happy to be wrong) - but I believe that the rootkit detection pays attention to no exclusion list at present.  Should I be correct then attempting exclusion is an exercise in futility.

avast team please advise the forum

The only workaround that may assist (with slight risk) is to disable the rootkit scan in the avast Program Settings > Troubleshooting options
« Last Edit: May 15, 2008, 05:12:44 AM by alanrf »