Author Topic: Possible False Positive: Phantasy Star Online Blue Burst  (Read 10107 times)

aminimoose

  • Guest
Possible False Positive: Phantasy Star Online Blue Burst
« on: October 06, 2008, 10:30:30 PM »
Avast 4.8 detected a file on my computer saying that it's a trojan. I ran the file called SHPsoBB.exe through VT and got 12/36 positives. This file has not caused problems for me in the past, but seems to have cropped up again after I upgraded to Vista Home Premium.

VT Results here: http://www.virustotal.com/analisis/0ef5f77ff501bc84b390ad4f1048f6ad

Since the file comes from a private server for the game, is there anything I can do besides pause the standard shield when I want to run the game, then restart it? I can't seem to figure out the exclusions list.

I did scan the file in the chest, and it still showed the positive.

Any help would be great, I'm tired of fighting the program just to play a game.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #1 on: October 06, 2008, 10:33:26 PM »
Quote: "I can't seem to figure out the exclusions list."
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586


After all, I'm not sure it's a false positive though... the 12 detections are quite suspicious to say the file is clean...
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #2 on: October 06, 2008, 11:41:16 PM »
I don't think because it hasn't been a problem in the past is any guarantee as signatures are constantly added and modified in the generic signatures.

With 12/36 detections I would normally say this is confirmation enough, but virtually all the detections are heuristic (suspicious) or Generic (-gen .gen) there is certainly a case to send it for further analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I would certainly consider contacting the game maker and point out the VT results URL as something is considered suspicious enough to alert in many AVs.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

aminimoose

  • Guest
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #3 on: October 07, 2008, 07:34:08 AM »
Thanks for walking me through the exclusions.
I only brought this up because I downloaded the file sometime ago and it started spazzing out at me a couple days ago, after I upgraded my computer to Home Premium.

I will talk to the administrators of the server about this though. Generating that many suspicions about the file (it's an auto-updater) is suspicious to me as well.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #4 on: October 07, 2008, 03:38:46 PM »
No problem, welcome to the forums.

It is most certainly worth submitting the sample for further analysis as generic and heuristic detections are more prone to false detection.

Jtaylor83

  • Guest
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #5 on: October 07, 2008, 06:35:05 PM »
Only 11 detections. GData uses two engines: avast! and BitDefender.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #6 on: October 07, 2008, 07:22:24 PM »
Effectively makes for the same stats if you remove one from the detections you have to remove one from the scanner totals so 11/35 which is why I didn't bother as it would still need further analysis.
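Added example (not part of the thread and not an avast or VirusTotal tool): a small Python triage of a multi-scanner report that applies the two points raised in the replies above, counting a product that bundles other vendors' engines only once and separating generic/heuristic labels from named detections. The scanner names other than avast, GData and BitDefender, and every detection label, are constructed for illustration.

```python
import re

# "-gen"/".gen" and heuristic/suspicious labels are the markers named in the
# thread; the "generic" and "heur" spellings are assumptions for illustration.
GENERIC_RE = re.compile(r"(?i)[-.]gen\b|generic|heur|suspicious")

# Products that bundle other vendors' engines (per the thread: GData runs
# avast! and BitDefender), so their verdict is not an independent one.
BUNDLED = {"GData": {"avast", "BitDefender"}}

def triage(results):
    """results maps scanner name -> detection label, or None when clean."""
    # Drop a bundling product only when every engine it wraps is also listed.
    independent = {
        s: d for s, d in results.items()
        if not (s in BUNDLED and BUNDLED[s].issubset(results))
    }
    hits = {s: d for s, d in independent.items() if d}
    generic = sorted(s for s, d in hits.items() if GENERIC_RE.search(d))
    specific = sorted(s for s in hits if s not in generic)
    return {
        "detections": len(hits),
        "scanners": len(independent),
        "generic": generic,
        "specific": specific,
        "mostly_generic": len(generic) > len(specific),
    }

# Constructed sample, NOT the real scan: 24 clean scanners plus 12 detections
# with invented labels, shaped to match the 12/36 ratio quoted in the thread.
SAMPLE = {f"Scanner{i:02d}": None for i in range(1, 25)}
SAMPLE.update({
    "avast": "Win32:Trojan-gen", "GData": "Win32:Trojan-gen",
    "BitDefender": "Generic.Malware.X", "EngineA": "Heur.Suspicious",
    "EngineB": "Trojan.Win32.Patched.gen", "EngineC": "Suspicious File",
    "EngineD": "Generic.Trojan", "EngineE": "HEUR/Malware",
    "EngineF": "Trojan-Spy.Agent.bx", "EngineG": "Packed.Generic",
    "EngineH": "Win32.Heur", "EngineI": "Trojan.Gen",
})

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['detections']}/{r['scanners']} independent detections")
    print("generic/heuristic:", len(r["generic"]), "named:", r["specific"])
```

A result that is mostly generic or heuristic is a reason to submit the sample for analysis, as the replies recommend, not a verdict that the file is clean.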

aminimoose

  • Guest
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #7 on: October 09, 2008, 08:46:29 AM »
Ok, talked to the admins on the private server where I got the file.

The file re-directs from the original game server (which went down in March for the US) to the private server, this is probably why avast picks up on it and sounds the alarm. The admins for the server say that the file is ok, just hacked on purpose so people can play on the private server for the game.

Thanks for everyone's help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #8 on: October 09, 2008, 03:05:29 PM »
You're welcome.

If you haven't submitted the file to avast you should, so they can see what is being done in the file, they may take the decision it isn't possibly malicious.

Though were I the developers seeing the virustotal results from multiple scanners I would be looking at a way to resolve the problem, not simply say the file is OK, but just hacked to serve a malign purpose.
« Last Edit: October 09, 2008, 03:34:56 PM by DavidR »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Possible False Positive: Phantasy Star Online Blue Burst
« Reply #9 on: October 09, 2008, 03:11:03 PM »
Quote: "The admins for the server say that the file is ok"
They should convince all the antivirus manufacturers then...