Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on September 09, 2014, 12:11:22 AM

Title: Double Trouble
Post by: REDACTED on September 09, 2014, 12:11:22 AM
I don't seem to be able to find a board for False Positives and I also don't know where to post bug reports. Anyway here are the troubles I'm having.

Firstly: The Grime Removal program is behaving oddly. It's a bug. After informing me of five apps that were not needed, I decided to investigate. I couldn't find information about what they were. I thought perhaps I missed something and clicked a button saying analyse again. I did this a couple of times and then all of a sudden it found nothing. I have no idea what happened or whether the apps were removed. That is annoying.

Secondly - and this is pretty bad: I have to disable Avast to download the file CheckSumVerify.au3 at the following link.

http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/?p=1196863

Once Avast finished doing whatever it did, I couldn't find a way to reverse the blocked URL. How do I do that please?

Thirdly: why on Earth is the file download being blocked in the first place? What is actually triggering the FP? The code can't be run unless you accidentally download and install AutoIt, and that's extremely far-fetched. Even so, the code is related to security and intended to prevent unauthorized tampering with compiled scripts. Blocking the download is contrary to the objective of keeping computer users safe because injecting code into compiled scripts is both unacceptable and undesirable.

Edit: modified the forum link above to point to the exact forum post containing the blocked download.
Title: Re: Double Trouble
Post by: DavidR on September 09, 2014, 01:10:58 AM
The virus and worms forum can also be used for reporting of a suspect FP.

However, you can send it to the avast virus labs from the virus chest for analysis and correction of the signature as required.

Or you can use the contact form http://www.avast.com/contact-form.php?loadStyles for: Report false virus alert in file; or Report false virus alert on website, issues.

No one can really say why it was detected, that requires analysis, but one thing: the autoit stuff is regularly used by some script kiddies for malware and some of the routines could well look suspect.

Links to suspect files/sites should be modified so they aren't active to avoid accidental exposure - change the http to hXXp in the URL.
Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 01:22:05 AM
Well I wasn't sure if I could copy the URL. I normally copy from the address bar in Firefox. I'll try it now and post it here:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

It seems to work. We'll see when I post the response. The point I was trying to make was that the file is simply plain text. There are two dead giveaways - the file extension is .au3 and the encoding (although I haven't tested it) is likely to be UTF-8. Avast is flagging a text file which would require a specific interpreter to become a threat.

Anyway, I want to know how to unblock the URL I posted here. I would also like to know what is AutoItInjector [tri]? I might have misspelled that, the Avast Threat Detected message wasn't visible for very long.

Edit: I meant what is AutoIt:Injector-G [Trj] ?
Title: Re: Double Trouble
Post by: Pondus on September 09, 2014, 01:23:50 AM
VirusTotal
https://www.virustotal.com/nb/file/489f0848463403a0e5a054b08ec8431bf5c554113895258399ab973a57ac9ec0/analysis/1410218486/
Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 01:26:30 AM
VirusTotal
https://www.virustotal.com/nb/file/489f0848463403a0e5a054b08ec8431bf5c554113895258399ab973a57ac9ec0/analysis/1410218486/

Good demonstration of my point. Thanks. :)
Title: Re: Double Trouble
Post by: Pondus on September 09, 2014, 01:28:07 AM
No security program has 100% detection
No security program has zero False Positives

Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 01:40:27 AM
No security program has 100% detection
No security program has zero False Positives

I know and I also understand it's important to the developers. I suppose au3 files could represent a threat, but only to someone who decides to run code from an author they don't trust (or if they don't understand it) through the aforementioned interpreter. That person would not likely be an average user and also should be aware that running code in that way will always involve a degree of risk. That's part and parcel of learning how to become a programmer.

I sent a message about the URL. I still don't know how to reverse or override Avast URL blocking. This feature seems to be missing from the program.
Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 10:23:49 AM
So is there a way to undo/override the blocked URL or not? For someone who uses the Internet a lot, this is a serious concern.
Title: Re: Double Trouble
Post by: Pondus on September 09, 2014, 10:33:32 AM
you report it here http://www.avast.com/contact-form.php? and upload that file and they will fix it
you may give a link to this topic

Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 10:38:02 AM
I did all those things. It isn't everything I want though. I want to have control over what web links I click when I know I can trust the author/s. I would like to be able to tell Avast to ignore safe URLs if it flags them as harmful when they are not.

Having to disable shields is less secure than adding a single exception. Having to tell others to disable their AV is also pretty bad. I am all for better security, and I see being forced to take such actions as a big security risk. I feel it is necessary to point this out. The risk comes from all the malicious stuff that might occur with web based scripts, not with au3 files containing code that browsers can't even run.
Title: Re: Double Trouble
Post by: REDACTED on September 09, 2014, 11:08:58 AM
This post was an accident (I meant to modify the above post), but I might as well add to it now. I have tried to discover what AutoIt:Injector-G is. On Google I find a few references, mainly from AV scans which say it is a trojan. There isn't much detailed information. Is it written in AutoIt, or simply a general category detected by heuristics?

At some point I will be releasing a program that will become unstable if illegally decompiled. I'm wondering what AV detection tools will make of that. I will not be able to predict the result if someone breaks the EULA and tries to reverse engineer my program - I can only say that it will become unstable. The binary itself will most likely be extremely difficult to interpret (almost impossible if I do a good job).
Title: Re: Double Trouble
Post by: REDACTED on September 10, 2014, 02:02:31 AM
I don't quite know what the problem is but I'm getting more FP results. The 7zip download on this page is not malicious. I have had an older version on my computer for a while now and it appears the sha-1 hash has not altered on the earlier version but that is also throwing a FP right now. Here's the URL where the download for the current version of this file can be found.

http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609

I have a feeling that this is just the tip of the FP iceberg. Something is seriously broken. The one thing I can't do is download these files without disabling Avast - that makes me a little nervous. I will delete the files on my computer (I don't need them anyway) and report this latest version.

UPDATE

I changed my mind and also sent the older 7zip file on my computer for analysis. When I tried to remove the file to the Virus Chest, Fix Automatically or Repair, I get the following error:

The operation is not supported for this type of archive. (42111)

I can delete the file manually but I didn't try this with Avast - I guess Avast can delete the file. Malwarebytes considers the file to be clean. I have never come across this error before.

After a little searching I found another person who had the same error with a false positive, so I'll just wait and see.

Now I'll delete the file because I have a backup.
Title: Re: Double Trouble
Post by: Pondus on September 10, 2014, 03:31:15 AM
Quote
The operation is not supported for this type of archive. (42111)
it will not rip out the infection from a zip archive

virustotal
https://www.virustotal.com/nb/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/

Title: Re: Double Trouble
Post by: REDACTED on September 10, 2014, 03:43:33 AM
Quote
The operation is not supported for this type of archive. (42111)
it will not rip out the infection from a zip archive
Gotcha!

virustotal
https://www.virustotal.com/nb/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/

OMG, what a set of results. "Suspicious_Gen2.VXSQX" doesn't appear to even exist - at all. Not even "Gen2.VXSQX" exists. Really Norman. ::)

Well I can't be 100% certain, but it seems a bizarre coincidence that two different versions of the same program, separated by about two years, on computers thousands of miles apart both get infected by the same virus without anyone noticing, unless it was there all along and has been dormant until now, or maybe someone is actually targeting the AutoIt community - also possible.
Title: Re: Double Trouble
Post by: REDACTED on September 10, 2014, 10:51:30 PM
How long would it normally take for a False Positive to be removed once a report has been sent? Still unable to access:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061
Title: Re: Double Trouble
Post by: DavidR on September 10, 2014, 11:10:03 PM
Once sent and confirmed they are generally corrected quickly. But sending just a report isn't going to help much unless you submit samples of the detected file.

That said, autoit scripts get hit/detected on a fairly regular basis. But that is normally if it is a generic signature detection designed to catch multiple variants of similar malware.
Title: Re: Double Trouble
Post by: REDACTED on September 10, 2014, 11:25:53 PM
I submitted my report about 24 hours ago along with the download URL.

That said, autoit scripts get hit/detected on a fairly regular basis. But that is normally if it is a generic signature detection designed to catch multiple variants of similar malware.

Well the code may be partially useful to me for protecting my own application from decompilation. This means that whatever is throwing the FP will also prevent my program from running or even being downloaded by people with computers running Avast. I haven't decided to use the code, but every bit of protection is potentially useful. Do you see my dilemma?

Actually it's everyone's dilemma in a way. Developers get their code ripped off and redistributed with keygens and such things. So developers try to prevent that by making the code as impenetrable as possible with lots of security features. But then the binary can't be analysed so easily by AV companies and heuristics tend to throw a lot of false positives. Ultimately technological creativity and advancement suffers. This is a real shame.

Also, with it being an autoit script (not compiled), it is nothing more than information. It won't run on your computer unless you know how to run it yourself, or have some malware installed that will run it secretly behind your back - in which case the antivirus should be targeting the malware rather than the script. Blocking an AutoIt script download is akin to censorship. I am prevented from accessing data, not some rootkit or nasty virus that is going to trash my computer without warning - just plain and simple text. Here is where I think the water gets rather muddy.

'Hitting/detecting AutoIt scripts on a fairly regular basis' means the Avast team are misleading people into thinking a language is a virus. I really would like to know why.
Title: Re: Double Trouble
Post by: DavidR on September 11, 2014, 01:05:48 AM
As an avast user I simply can't answer the 'why' questions, I'm basically recounting what I have seen over time in the forums in relation to autoit detections.
Title: Re: Double Trouble
Post by: REDACTED on September 11, 2014, 01:17:16 AM
DavidR - I know you are giving assistance here by donating your free time to help people. I appreciate your responses and thank you for trying to help me.

Maybe the Avast dev team are trying to fix things and it's just taking a little longer than I had hoped. If I still can't access the URL in a day or two, I'll resubmit the report.
Title: Re: Double Trouble
Post by: REDACTED on September 11, 2014, 08:57:23 PM
Okay I have resubmitted the first FP. In order to make things simpler, I will make a summary.

1. False Positive @ http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

VirusTotal URL scanner: https://www.virustotal.com/en/url/81ed97568dbd1fd3429d9dea0e0eb869dde9c38bbfb1278a47f0ed175af5fa95/analysis/

Earlier File scan https://www.virustotal.com/nb/file/489f0848463403a0e5a054b08ec8431bf5c554113895258399ab973a57ac9ec0/analysis/1410218486/

Information about this file can be found in the following forum topic: http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/

The URL (file download link) has been submitted as a false positive twice.

The file cannot be run unless you know how to run it using the AutoIt interpreter which needs to be downloaded from https://www.autoitscript.com/site/ and then installed on your system. I've never heard of this happening by itself. The file could also possibly be run by a malware program, but the same could be said of practically any file, so we can dismiss this as a reason to target .au3 file extensions containing nothing more than plain text, since by themselves they are totally harmless to any computer. That's something that is unlikely to change in the foreseeable future.

2. What is AutoIt:Injector-G [Trj] ? Is it written in AutoIt? When did it first appear as a threat? Why is CheckSumVerify.au3 being flagged as AutoIt:Injector-G ?

3. I believe this is also a False Positive: http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609 - submitted yesterday.

URL (file download link) submitted as a false positive once.

The 7zip probably contains a compiled autoit script (file extension .exe) which may represent a threat because it will run without third party software needing to be installed. Here I accept the possibility of a threat, although the virus scans suggest that no virus scanner has a clue what it is - see for yourself:

https://www.virustotal.com/en/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/

Lots of apparently contradictory information. Although most virus scanners don't find anything, the 7zip appears to possibly contain several malicious items, one of which appears to have never existed - "Gen2.VXSQX" - at least Google never heard of it. ???

After further tests with other AutoIt scripts, it is clear that Avast does not flag au3 files indiscriminately. My main concern now is about AutoIt:Injector-G. I need to know what it is. If the Avast team know something that other antivirus companies (or computer users) don't know, then it is irresponsible to not share information about this threat. Let's try and keep everyone safe through education!

Finally it would be a shame if I am forced to replace Avast in order to regain control of my computer, especially since it was another AutoIt user who recommended Avast to me in the first place.
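The posts above compare the SHA-1 of two versions of the same download and cite VirusTotal reports whose URLs carry the sample's SHA-256. A practical check before filing (or acting on) a false-positive report is to confirm that the file you actually have is the same sample the report describes, and, for a claimed "plain text" .au3 script, that its bytes really are text. The following Python is an added example and not code from the thread or from Avast or AutoIt; the sample bytes and expected hashes are constructed for illustration, and the text heuristic (valid UTF-8, no NUL bytes) is an assumption, not a definition any scanner uses.

```python
import hashlib

# Constructed sample: what a small, harmless AutoIt (.au3) source file looks like in bytes.
SAMPLE_AU3 = b'; constructed example script\r\nMsgBox(0, "Hello", "Nothing to see here")\r\n'

# Constructed sample: the first bytes of a Windows executable ("MZ" header plus binary data).
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"


def hashes_of(data: bytes) -> dict:
    """Return lowercase hex digests of the sample under the algorithms seen in the thread
    (SHA-1, which the poster compared across versions, and SHA-256, which VirusTotal URLs carry)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_sample(data: bytes, expected_hex: str) -> bool:
    """Check that `data` matches an expected digest copied from a report.

    The algorithm is inferred from the digest length (40 hex chars = SHA-1, 64 = SHA-256);
    comparison is case-insensitive because reports print hashes in either case.
    An unknown length is rejected rather than guessed.
    """
    expected = expected_hex.strip().lower()
    if not all(c in "0123456789abcdef" for c in expected):
        return False
    by_length = {40: "sha1", 64: "sha256"}
    algo = by_length.get(len(expected))
    if algo is None:
        return False
    return hashes_of(data)[algo] == expected


def looks_like_plain_text(data: bytes) -> bool:
    """Heuristic (an assumption of this example): a file is 'plain text' if it decodes as UTF-8
    and contains no NUL bytes. Compiled executables fail both tests almost immediately."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def describe(data: bytes, expected_hex: str) -> dict:
    """Summarise what a reporter would want to state: whether the sample matches the
    hash in the report and whether it is text or binary."""
    return {
        "hash_matches_report": verify_sample(data, expected_hex),
        "plain_text": looks_like_plain_text(data),
        **hashes_of(data),
    }


if __name__ == "__main__":
    # Pretend the SHA-256 of SAMPLE_AU3 is what the report lists, then check a mismatched file.
    listed = hashes_of(SAMPLE_AU3)["sha256"]
    print(describe(SAMPLE_AU3, listed))     # matches, plain text
    print(describe(SAMPLE_BINARY, listed))  # does not match, binary
```

If the digest you compute differs from the one in the report, you are looking at a different file (a newer upload, a corrupted download, or a tampered copy), and the report's verdict does not apply to it. Submitting the actual bytes, as DavidR advises, lets the lab work from the same sample you have.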
Title: Re: Double Trouble
Post by: REDACTED on September 12, 2014, 11:10:54 AM
All I can imagine is that I must be doing something wrong. The file is still being flagged. I have received no emails back. Maybe I need to download the file to submit it, but Avast is blocking me from doing that, so I submitted the URL instead. Please could someone on this forum who knows how to submit CheckSumVerify.au3 found on this page: http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/?p=1196863 submit it as a possible FP.

Although both myself and every other AV is saying that it is harmless, you might not believe that. Look what it is - checksum verification - a security feature. I am waiting to test it, provide feedback and perhaps make suggestions for improvement. I really need some assistance here. Please request feedback when submitting the report and leave a link to this thread.

Thank you!
Title: Re: Double Trouble
Post by: REDACTED on September 12, 2014, 01:15:24 PM
Oops, I missed this, although I linked to this thread and the one on the other forum:

Links to suspect files/sites should be modified so they aren't active to avoid accidental exposure - change the http to hXXp in the URL.

I would have thought a virtual machine would have been enough protection, or using a live linux distro. The file can't be analysed without accessing the URL. Anyway, that's probably where I went wrong, so I'll try again. I must say - this is quite hard work.
Title: Re: Double Trouble
Post by: Pondus on September 12, 2014, 01:27:16 PM
Quote
Maybe I need to download the file to submit it, but Avast is blocking me from doing that,
have you tried right click avast tray icon and pause shields?

Title: Re: Double Trouble
Post by: REDACTED on September 12, 2014, 01:35:39 PM
Quote
Maybe I need to download the file to submit it, but Avast is blocking me from doing that,
have you tried right click avast tray icon and pause shields?

Yes, but that isn't solving the false positive. If I use the code and distribute it on the internet I can't exactly start telling people to disable their Avast protection. That is why I need to get this sorted out.

I submitted both reports again with the hXXp. Let's hope that starts the ball rolling.
Title: Re: Double Trouble
Post by: Pondus on September 12, 2014, 01:42:15 PM
Quote
Yes, but that isn't solving the false positive.
no .... in cases where you need to download and send a file to avast lab
Title: Re: Double Trouble
Post by: REDACTED on September 12, 2014, 01:56:08 PM
Quote
Yes, but that isn't solving the false positive.
no .... in cases where you need to download and send a file to avast lab

When I said using a virtual machine, I meant for the Avast team to safely access potentially dangerous URLs. If I need to download anything, I can pretty much always do so safely using knoppix - I am a bit paranoid about disabling shields. It ought to be a lot easier to simply submit the URL though. Thanks for responding again. :)
Title: Re: Double Trouble
Post by: jefferson sant on September 16, 2014, 10:14:58 PM
I don't quite know what the problem is but I'm getting more FP results. The 7zip download on this page is not malicious. I have had an older version on my computer for a while now and it appears the sha-1 hash has not altered on the earlier version but that is also throwing a FP right now. Here's the URL where the download for the current version of this file can be found.
http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609

This has been fixed in the latest update.


How long would it normally take for a False Positive to be removed once a report has been sent? Still unable to access:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

File was fixed in update streaming.
Title: Re: Double Trouble
Post by: REDACTED on September 17, 2014, 10:49:59 PM
I would like to convey my sincerest thanks for this fix, and previous occasions where the avast team have investigated false positives thrown by programs created using AutoIt. I totally understand the need for caution and that security comes first. Please forgive me for slight impatience on my part in this, or any other, thread on this forum. I will continue to recommend Avast to other computer users. Thanks to the developers once more: I'm happy now this has been fixed. ;)
Title: Re: Double Trouble
Post by: jefferson sant on September 17, 2014, 11:01:27 PM
I would like to convey my sincerest thanks for this fix, and previous occasions where the avast team have investigated false positives thrown by programs created using AutoIt. I totally understand the need for caution and that security comes first. Please forgive me for slight impatience on my part in this, or any other, thread on this forum. I will continue to recommend Avast to other computer users. Thanks to the developers once more: I'm happy now this has been fixed. ;)

I thank the analyst and the virus lab staff where the request was sent for solving your problem
I am not a member of avast and not even a developer.

Title: Re: Double Trouble
Post by: REDACTED on September 17, 2014, 11:06:11 PM
I thank the analyst and the virus lab staff where the request was sent for solving your problem
I am not a member of avast and not even a developer.

It was very kind of you to inform me in any case. Cheers to you, the analyst and all parties concerned. :)
Title: Re: Double Trouble
Post by: jefferson sant on September 17, 2014, 11:09:09 PM
It was very kind of you to inform me in any case. Cheers to you, the analyst and all parties concerned. :)

Quote
Hello
Our virus specialists have been working on the problem and both these files should be whitelisted in next VPS update.

If you have any further questions, don't hesitate to contact me again.

Best regards,
Prokop Kalivoda

you're welcome.