Avast WEBforum

Topic started by: Trial_user_Reinstalling_Avast on October 27, 2005, 08:43:29 AM

Title: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Trial_user_Reinstalling_Avast on October 27, 2005, 08:43:29 AM
Hi!

Background: I get a pop up warning me of a VBS.Jscript type virus after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of its argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.

Well, I decided to analyze your engine's behavior in the code I sent to your support team, by removing/adding tidbits of code and rescanning to see what triggers the positive.... as funny as it may sound, there seems to exist many conditions to create a trap for your engine in the context of the code I hereby supply and I get the funny feeling this has been hardcoded in your engine. I'm using the latest free home edition, with the latest definitions db on WinXP SP2, latest patches. The conditions I note are as follows:

1- Request of favicon.ico in the head section of the html page - really, the name of the file itself.
2- Standard html comments <!-- --> with string numbers date/version of their page I guess
3- <script> declaration with function declaration + window.open (even with partial code and no argument passed to window.open)!!!

Have you hardcoded these conditions in your engine? That would be some strange and funnily liberal interpretation of some of the Code Red symptoms, server side.... For what purpose? I noticed if I put another name than favicon.ico, then your engine no longer sees a virus. The favicon.ico in question is 2kb and does not contain viral code as your engine doesn't flag it. Note that I can omit language=javascript and arguments passed altogether but window.open seems another condition as your engine no longer traps if I remove that code. I mean, I'm not asking if this is a virus. I know it's not, I'm just wondering, as a trial user, why should I continue using your product if hardcode in your engine creates such flaky false positives?

I mean, if I were not a power user, extremely familiar and proficient in the field, I would go around telling all my friends I found a virus when in fact this is the consequence of a poorly coded routine in a heuristic scanner, I guess... unless this is really a virus? :) I mean, we all know favicon.ico is used to add a website to the favorites list in IE and we also know that html comments are just comments and that declaring window.open is not enough in itself to warrant an alarm, or is it? I wonder if an engine that considers this code viral is of any service to low-level users, who will waste lots of time dealing with false positives and warning others, and ppl like me will waste time explaining and debugging, which is why I come to you now.

Please reply promptly, as I need confirmation on your part that my analysis is correct. No engine is perfect I know. Don't get me wrong, I'm trying the product, free, and I like many things I see in it. Please be technical if you answer this mail as I have no use for general support jargon.

Thanks in advance,
A trial user wondering,

Code (if I put that in notepad and save and scan, this is detected as VBS.Jscript/virus/worm):

<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
    window.open( );
}
</script>
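The remove-a-piece-and-rescan procedure described in this post, written out as an added example (not code from the thread or from Avast): it reduces the posted sample to the smallest set of parts that still triggers a detection, which is the reproducer worth attaching to a false-positive report. The split into named parts and `standin_scan` are assumptions; `standin_scan` is a hypothetical conjunctive rule that only mimics the behaviour the post reports and is not the real engine's logic.

```python
import re

# The sample from the post, split into labelled parts (the split is constructed).
COMPONENTS = [
    ("favicon_link", "<link rel='shortcut icon' type='image/x-icon' "
                     "href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>"),
    ("meta", '<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">'),
    ("comment_addr", "<!-- X.X.15.134 -->"),
    ("comment_ver", "<!-- v.20051012 -->"),
    ("script_open", "<script language=javascript>"),
    ("func_decl", "function vp( viewurl )\n{"),
    ("window_open", "    window.open( );"),
    ("script_close", "}\n</script>"),
]
TEXT = dict(COMPONENTS)
ORDER = [name for name, _ in COMPONENTS]


def render(names):
    """Rebuild a document from the chosen parts, keeping the original order."""
    chosen = set(names)
    return "\n".join(TEXT[n] for n in ORDER if n in chosen)


def standin_scan(html):
    """Hypothetical conjunctive rule standing in for a real scanner.
    It is NOT Avast's logic; it only mimics the behaviour the post reports."""
    return ("favicon.ico" in html
            and re.search(r"<!--\s*v\.\d{8}\s*-->", html) is not None
            and "window.open" in html)


def necessary_parts(scan, names=ORDER):
    """Parts whose removal alone clears the detection; None if nothing fires."""
    if not scan(render(names)):
        return None
    return [n for n in names if not scan(render([k for k in names if k != n]))]


def minimal_reproducer(scan, names=ORDER):
    """Greedy reduction to a 1-minimal set: no single remaining part can be
    dropped without losing the detection. Repeats until a pass changes nothing,
    so it also copes with rules that are not a plain AND of conditions."""
    if not scan(render(names)):
        return None
    kept = list(names)
    changed = True
    while changed:
        changed = False
        for n in list(kept):
            trial = [k for k in kept if k != n]
            if scan(render(trial)):
                kept, changed = trial, True
    return kept


if __name__ == "__main__":
    keep = minimal_reproducer(standin_scan)
    print("necessary parts:", necessary_parts(standin_scan))
    print("minimal reproducer:\n" + render(keep))
    # The post's rename test: same structure, different icon file name.
    renamed = render(ORDER).replace("favicon.ico", "site.ico")
    print("still detected after rename:", standin_scan(renamed))
```

To run it against a real on-demand scanner, replace `standin_scan` with a function that writes the text to a temporary file and returns whether the scanner flagged it.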
Title: Re: False Positive on AFF chat page?
Post by: Cloussau on October 27, 2005, 08:57:18 AM
If you seriously want an answer i suggest you e-mail vlk@avast.com
This is probably not an issue they will or should discuss openly ;)

good luck finding a friend
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on October 27, 2005, 09:01:47 AM
I've mailed support@avast.com ;-) Is that what you are referring to? What is vlk? But hey, thanks;-)
Title: Re: False Positive on AFF chat page?
Post by: Cloussau on October 27, 2005, 09:09:01 AM
Vlk is the author/writer  :)
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on October 27, 2005, 09:17:45 AM
Mail was just sent to vlk@avast.com
Thanks!

I know I may have trouble finding a friend here since so many ppl are adamant about avast. I'm not bashing at the product... but some newbies came in the chat room I was and started making bold claims that there was a virus etc. in the channel script.

I mean, nothing is perfect... I use to remember that a version of Norton AV would not detect a virus present in a folder with a path longer than 255 characters etc... Symantec would never confirm my analysis.... so I don't expect much from support teams anymore.

I've been working many years as a security consultant, specially in the micro field, advising clients, preparing procedures for virus recovery, hardening pcs etc, and those ppl were saying that since they had installed avast, they saw so much more alerts than with AVG or other products... I told them it was ridiculous to make a judgment based on the number of alerts an AV will generate... as these alerts may be false. Now I see that some pages on Ebay will trigger the same alert VBS.Jscript I had. Those ppl are newbies, amateurs, so I understand their behavior... I'm used to users who "think" they know, as I've seen that often in a corporate setting. But I'd like the support team to confirm my analysis and if that can help them, more power to all of us!

Thanks!
Title: Re: False Positive on AFF chat page?
Post by: Abraxas on October 27, 2005, 09:41:14 AM
Hi Trial_user  :)
Quote
Background: I get a pop up warning me of a VBS.Jscript type virus after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of its argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.
We would all be interested to know what ALWIL's / Vlk's response to your analysis of Avast! is. I doubt it would be discussed openly here though.
Technically I can add nothing, but using common sense the above mentioned site is a part of a huge network of data collection sites, permeating substantially throughout the web. Visiting such a network would require plenty of realtime defence. Avast!'s response, off hand, seems quite appropriate whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D
If you seriously want an answer i suggest you e-mail vlk@avast.com
This is probably not an issue they will or should discuss openly ;)

good luck finding a friend
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on October 27, 2005, 09:19:16 PM
Hi Trial_user  :)

Visiting such a network would require plenty of realtime defence . Avast!'s response, off hand, seems  quite appropriate  whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D

I read that and I fail to see what you really mean? This is a dating service web site... the biggest in the world, some 20 million users. And yes it is quite a network, but Avast only reacts to the chat room script. And the script is absolutely fine. Even if it were not fine, I've proven here that Avast traps the script even without arguments passed to windows.open.... as it is the script in my proof of concept cannot do a single thing. How can you say Avast's response, seems quite appropriate? You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted. Realtime defense against what? Common Jscript? In what buffering of simple chat data is something we should be defended against? Is Avast an antivirus or a privacy/confidentiality suite - and even if it were the latter, I fail to see how Avast protects my confidentiality by stopping me from accessing the chat room? Because I would talk about myself in the room or what lollllllllllll Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence? lolllllllllllllllllllllllllll That's too funny.... but I respect your opinion.....

And why would they not reply to that openly... I mean, I'm not showing a terrible weakness, I haven't decompiled their code or reverse engineered it to show anything wrong... what can happen though, and I'm expecting that, is that at some point I will update my definitions and the code I show will no longer be trapped by Avast... and my analysis will be confirmed!

I'm curious as to what you meant, but hey thanks anyway ;) ;) :)
Title: Re: False Positive on AFF chat page?
Post by: Lisandro on October 28, 2005, 03:13:54 AM
You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted.
Wait if the new VPS file corrects the false positive... Are you sure about it is not infected?

Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence?
I won't think this... maybe something into the HTML code is warned as false positive, not only the scripts...
Title: Re: False Positive on AFF chat page?
Post by: Abraxas on October 28, 2005, 09:35:39 AM
Hi Trial_user  :)

Visiting such a network would require plenty of realtime defence . Avast!'s response, off hand, seems  quite appropriate  whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D

I read that and I fail to see what you really mean? This is a dating service web site... the biggest in the world, some 20 million users. And yes it is quite a network, but Avast only reacts to the chat room script. And the script is absolutely fine. Even if it were not fine, I've proven here that Avast traps the script even without arguments passed to windows.open.... as it is the script in my proof of concept cannot do a single thing. How can you say Avast's response, seems quite appropriate? You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted. Realtime defense against what? Common Jscript? In what buffering of simple chat data is something we should be defended against? Is Avast an antivirus or a privacy/confidentiality suite - and even if it were the latter, I fail to see how Avast protects my confidentiality by stopping me from accessing the chat room? Because I would talk about myself in the room or what lollllllllllll Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence? lolllllllllllllllllllllllllll That's too funny.... but I respect your opinion.....

And why would they not reply to that openly... I mean, I'm not showing a terrible weakness, I haven't decompiled their code or reverse engineered it to show anything wrong... what can happen though, and I'm expecting that, is that at some point I will update my definitions and the code I show will no longer be trapped by Avast... and my analysis will be confirmed!

I'm curious as to what you meant, but hey thanks anyway ;) ;) :)

I better clarify / append my comment Trial_user :
1. AFF "Chat" triggered a response from Avast! Your analysis of this response indicates a false positive.
2. This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn't come back :) but I'd be checking out for Tracking cookies / and their scripts.
3. We're talking about scripts from the chat room; as a help I feel you may need to examine these scripts further. I have no idea what script programs you're running, or your browser settings, but have a look at your java script settings. Yes I'm off topic with your queries about Avast!, but maybe its false response may lead you to another problem, as regards to scripts... ;)
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on October 28, 2005, 02:39:11 PM
Quote
2. This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn't come back  but I'd be checking out for Tracking cookies / and their scripts.
Yes, that may be right... tracking cookies for sure, multiple scripts etc... but this is all the inner workings of a complex site... cookies can be flushed, scripts can be disabled from IE, whatever, I agree. But indeed this is remote from the subject ;)

Quote
We're talking about scripts from the chat room; as a help I feel you may need to examine these scripts further.
I have examined the script in high detail, here it is again:

<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
    window.open( );
}
</script>

Won't there be a single programmer in Jscript that will have the guts to testify that this is completely harmless? I mean, take this code, put it in notepad, change the extension to .html and run it... it does nothing... there is NO ARGUMENT passed to window.open!!!!!

Will someone help!
Title: Re: False Positive on AFF chat page?
Post by: brijones on October 30, 2005, 03:35:20 PM

Won't there be a single programmer in Jscript that will have the guts to testify that this is completely harmless? I mean, take this code, put it in notepad, change the extension to .html and run it... it does nothing... there is NO ARGUMENT passed to window.open!!!!!

Will someone help!

I tried the code, and the first thing that happened was "Internet Explorer has restricted this file from showing active content that could access your computer".
Title: Re: False Positive on AFF chat page?
Post by: MrBabis on October 31, 2005, 11:36:34 PM
harmless EICAR?
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 05, 2005, 09:13:01 PM
Well, it's been a full week, and no significant reply from any support staff to acknowledge or infirm what I have written. As of today, the 5th, that code I posted is still trapped by the Avast engine, despite many updates to the signature during the week. What is that. ???

Thanks for replying ASAP.
Trial_user who deactivates Avast before going to the chat room.

Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 05, 2005, 09:27:36 PM

I tried the code, and the first thing that happened was "Internet Explorer has restricted this file from showing active content that could access your computer".

Yeah, yeah, sure, then allow IE to execute it and see if it does anything... it does nothing because it's only a declaration of a function which has no argument. It's sad when newbies try to help me when it should be the SUPPORT STAFF that should take this more seriously and try.

If newbies are scared off by WinXP script execution prevention, and avast's false positive, I am not - because a newbie considers that if Avast says it's a virus, then it's a virus - but I am not a newbie, this code is harmless, avast is making a flagrant false positive and no one corrects it or shows any intent of correcting it. Lame.

The thing is, my analysis is CORRECT, there is no viral or harmful code on the chat page I was describing, the code I pasted is inoperative, and I don't need the support staff to confirm that to me. What I can confirm though is that this trial user will no longer be using that product shortly....i.e. when I take the 30 secs to do an uninstall in a few mins.

Thanks for your support! (Note I did not say thanks "support" - I wanted to thank those who took the time to write, some even despite their lack of knowledge, but always with the intent to help, in opposition to the support staff silence). :D
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 05, 2005, 09:31:07 PM
harmless EICAR?

I don't know where you took that reference but yeah, www.eicar.org, on this site you will find a file that contains a single string of characters that will make any antivirus pop an alarm. This is called the eicar test string, but I fail to see the link with what we were discussing, unless I missed something....
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 05, 2005, 09:38:22 PM
You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted.
Wait if the new VPS file corrects the false positive... Are you sure about it is not infected?

Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence?
I won't think this... maybe something into the HTML code is warned as false positive, not only the scripts...

I just wanted to comment on your last point... You are totally right, but I analysed that in my very first mail - the combination of the script, and the head with the favicon.ico - there's many factors together that generate this false positive, of course. If it would only take window.open for avast to make this false positive, I'd say this AV is crap and I wouldn't waste any time. This case is a bit more complex. It is this exact combination of the call for the .ico file, the jscript with window.open and the html comments.... but why is this not corrected yet, since there's been many updates to the signature since my initial post?? And why won't support comment on that once and for all? Well, I guess this is no better than Symantec support... for me to make it better I would need to send my CV ;D
Title: Re: False Positive on AFF chat page?
Post by: brijones on November 06, 2005, 02:19:20 AM
Have you tried lowering your security settings in avast? It would be great if you could have a play around with the sliders and see whether it's still detected.

Also, I am no newbie, I program in VB and VC++. I didn't get any messages from Avast on my computer when I ran the code. As for the .ico, is it possible this isn't a hidden script server side? There is an exploit of hiding code behind the premise of a gif, jpeg file. Could this be a similar thing?
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 06, 2005, 04:40:44 AM
Have you tried lowering your security settings in avast? It would be great if you could have a play around with the sliders and see whether it's still detected.

I've put the code I pasted in a txt or htm file and scanned it with the shell extension... not the resident shield... so there is no way to change the settings, unless I am mistaken, but when the problem first happened, it was live on the web page chat, so it was the resident web shield, and it is set as it was installed, to normal setting that is. But I've checked the settings in the "custom" option for the different scanners shields, but there's not much to play with that would allow me to differentiate the problem. If only I could disable "heuristics" for instance... that would help. I can't.

Also, I am no newbie, I program in VB and VC++. I didn't get any messages from Avast on my computer when I ran the code. As for the .ico, is it possible this isn't a hidden script server side? There is an exploit of hiding code behind the premise of a gif, jpeg file. Could this be a similar thing?
I'm extremely surprised you didn't get any pop-up from Avast by scanning this code. Can you confirm that you pasted the whole code I put here in an .txt file, and scanned it with the shell extension and it didn't pop up as vbs/script worm? I have a hard time believing that... or are you saying that the resident shield didn't do anything after you ran the file? I should make this clear: If I paste this in a file, rename to html then DOUBLE-CLICK it, I get a script prevention warning from XP but nothing from Avast... but if I SCAN the file with the shell extension, it's detected as a virus, which makes no sense....

Your idea of a script hidden in an ico file is not bad, and I've alluded to that in my first mail, saying that they seemed to have hardcoded some symptoms of Code Red server side to trap my code, and it's a very liberal (and flaky) interpretation... and I doubt you can script much in 2k. But I downloaded the ico file from the server and I paste here what notepad shows, you can put that to a txt file, and rename to ico and you'll see this is an icon file....(well not really since I can't really preserve the formatting but hey, this is what's inside the .ico file) I see a BM8 in the header.... that may be either a batch tool for autocad or a compressor for images... which seems fair in this case...




Thanks for your help! ;)
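The "BM" at the start of the pasted bytes is the signature of a Windows bitmap (BMP) file, whereas a genuine ICO file begins with the bytes 00 00 01 00. The following added example (not code from the thread) identifies a file by its header rather than its extension and reports mismatches; the function names are hypothetical and the sample files are constructed in the code, not taken from the site.

```python
import struct


def identify(data):
    """Classify a buffer by its leading bytes; returns (kind, details)."""
    # BMP: BITMAPFILEHEADER = 'BM', file size, two reserved words, pixel offset,
    # followed by the DIB header, whose first field is its own size.
    if len(data) >= 30 and data[:2] == b"BM":
        size, _r1, _r2, offset = struct.unpack_from("<IHHI", data, 2)
        dib, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
        return "bmp", {"file_size": size, "pixel_offset": offset,
                       "dib_header": dib, "width": width,
                       "height": height, "bpp": bpp}
    # ICO/CUR: ICONDIR = reserved 0, type 1 (icon) or 2 (cursor), image count.
    if len(data) >= 6:
        reserved, kind, count = struct.unpack_from("<HHH", data, 0)
        if reserved == 0 and kind in (1, 2) and count > 0:
            return ("ico" if kind == 1 else "cur"), {"images": count}
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<html", b"<script", b"<!doctype", b"<?xml")):
        return "markup", {}
    return "unknown", {}


def triage(filename, data):
    """Compare the file extension with the sniffed type; returns (kind, findings)."""
    kind, details = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if kind != ext:
        findings.append(f"extension .{ext} but content is {kind}")
    if kind == "bmp" and details["file_size"] != len(data):
        findings.append(f"header declares {details['file_size']} bytes, "
                        f"file has {len(data)}")
    if kind == "markup":
        findings.append("text markup served as an image")
    return kind, findings


def make_bmp(width=16, height=16, bpp=16):
    """Constructed sample: a blank uncompressed bitmap."""
    row = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = b"\xff" * (row * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                      0, len(pixels), 0, 0, 0, 0)
    header = b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels),
                                 0, 0, 14 + len(dib))
    return header + dib + pixels


def make_ico():
    """Constructed sample: one-image icon (simplified, enough for header checks)."""
    image = make_bmp()[14:]                       # icons embed the DIB without 'BM'
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 16, len(image), 6 + 16)
    return struct.pack("<HHH", 0, 1, 1) + entry + image


if __name__ == "__main__":
    samples = {
        "bitmap named .ico": make_bmp(),
        "real icon": make_ico(),
        "truncated bitmap": make_bmp()[:100],
        "markup named .ico": b"<html><body>not an icon</body></html>",
    }
    for label, blob in samples.items():
        print(label, "->", triage("favicon.ico", blob))
```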
Title: Re: False Positive on AFF chat page?
Post by: brijones on November 06, 2005, 07:57:34 AM
Your idea of a script hidden in an ico file is not bad, and I've alluded to that in my first mail, saying that they seemed to have hardcoded some symptoms of Code Red server side to trap my code, and it's a very liberal (and flaky) interpretation... and I doubt you can script much in 2k. But I downloaded the ico file from the server and I paste here what notepad shows, you can put that to a txt file, and rename to ico and you'll see this is an icon file....(well not really since I can't really preserve the formatting but hey, this is what's inside the .ico file) I see a BM8 in the header.... that may be either a batch tool for autocad or a compressor for images... which seems fair in this case...




Thanks for your help! ;)

What I did mean by the icon file, is not that it's sending you just a plain icon, or that there is anything in the icon file that in itself has any impact. It is possible to setup the server to send something else next to the icon file. Which you won't pick up plainly in downloading the file.

I suggest going to dos prompt and loading up Telnet against the server and port number, and I think typing GET (...file name with directory structure). I think that is the one, I have an ebook which lists in great detail HTTP connections and using other methods other than a browser to obtain the header information that goes back and forth which isn't visible in the HTML. There is even a proxy style program you can place in between to grab the header before it's sent and alter it. There are many types of vulnerabilities that reside in the HTTP headers.
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 12, 2005, 09:51:37 AM
Pls delete
Title: Re: False Positive on AFF chat page?
Post by: Trial_user_Reinstalling_Avast on November 12, 2005, 10:50:12 AM

What I did mean by the icon file, is not that it's sending you just a plain icon, or that there is anything in the icon file that in itself has any impact. It is possible to setup the server to send something else next to the icon file. Which you won't pick up plainly in downloading the file.

I suggest going to dos prompt and loading up Telnet against the server and port number, and I think typing GET (...file name with directory structure). I think that is the one, I have an ebook which lists in great detail HTTP connections and using other methods other than a browser to obtain the header information that goes back and forth which isn't visible in the HTML. There is even a proxy style program you can place in between to grab the header before it's sent and alter it. There are many types of vulnerabilities that reside in the HTTP headers.

This is no voodoo magic my friend. "send something else next to the icon file"...."the header information that goes back and forth which isn't visible in the HTML". I mean, obviously you are referring to 2 things which must be named. 1- Content of headers 2- Packet headers. These are 2 different things.

You are implying specially crafted packet and headers, with buffer overflows and privilege elevation, etc, but this has nothing to do with VBS.Jscript.worm - AVAST will not react to only the header of my code and will react to my code LOCALLY - it also needs the window.open part, which proves we are not talking only about stuff parsed in the html head - , nor does it actually react right away to the chat room code, it'll take some minute or so. In any case your point is moot since AVAST traps my code LOCALLY as containing a virus....I paste the code I put in my first post in notepad and scan the file with the shell extension... so there's no header stuff or anything. It is important to read the facts before speculating - were this a test you would have failed miserably. This is a lesson - read the facts. You can cut your network cable, paste my code to notepad then scan the file, it'll be trapped by big-mouthed AVAST... and he will bark VBS.Jscript.worm...!!!! Must be some hidden matrix signal in the tcp/ip ... in between 2 layers!!! Go Neo!

"loading up Telnet against the server " Man, this is right out of a comic book... :o you're an extra for the Hackers movie or what? ;D do you think I can "telnet" that commercial server? This is not Mission Impossible. GET a brain. lollllll This is so good! Yes I can read the packet content and headers using tools like etherpeek etc. so what? You want me to parse that garbage and look for what... your naked picture? I don't have to prove that there is no virus here; rather, once I think I have a well documented false positive, a support staff minimally concerned about their product and willing to respond to good questions instead of hiding behind newbies questions should confirm if this is a virus or not. Here, no one has confirmed anything nor dares anything, as if I were talking about area 51. Lame this is. We must always remember there is always an explanation in IT, and I don't like that concept of technological speculation babble rambling... with half-baked junk. It is obvious ppl here behave like they know but they're just clueless, most of the time well intentioned though... In my firm you could work xeroxing documents and things like that, bringing me nice coffees, and that would help ;) ;D Using you guys in my IT department and I would be bankrupt by now!

 I can only stress again that it is not by forwarding this idea that it is "cool" because your AV traps more false-positives than others that we help users. Are you wearing AVAST pins or caps, or bling? You guys think you're part of this cool bunch of virus super-heroes with their smart AV that "sees more things" than other AV... like daredevil....or is it the Million dollar Man Steve Austin??  nah, you're just suffering from a case of bad coding and ignorant fellow users and silent support staff who tell me: "Wait for a new def update", and it's been like 10 wtf.... wake up ppl. Your AV traps my harmless garbage script. I'm trying your software and helping along the way, and I deserve a nice little post.. don't you think?

Avast should correct this false positive or demonstrate that my code is harmful. Attempts at techno-babble will fail with me, as I am not easily impressed, and I am a professional, for one. It is doubtful any of you would pass an entry CCNA exam or C++ or even MS TCP/IP... or a college sat for that matter! There are many nice books readily available. College education is possible. It is possible to not say dumb things even without a degree. If you collect MS's little hologram cards, at some point you can call yourself an "engineer" lolllllll With reserved speech, limiting oneself to his own limited knowledge and not trying to impress ppl with techno-babble, we can discuss and come up with some answers. Weak reasoning, panic, secret agent cult AV club mentality is for dummies.

It is amazing in some week or so no one in the support team can write anything interesting... I mean, if I'd work there I'd find that fun, investigating a well documented issue. But no, I get the general verbiage and speculation from "power" users. When will someone with minimal knowledge of html/javascript take a look at this and stop speculating? Ppl are ready to tell me that the matrix is for real instead of just agreeing with me that there is no virus in my code, simply because they like Avast - I mean, come on - avast is not perfect and I get the "you should parse the packets during html communication to capture the bit that triggered avast" and jokes like that. Children, leave the matter to grown-ups. When will I get someone's attention?

But thanks anyway for the half-baked effort :D Better than support staff! I found it pretty imaginative.... I'd try maybe Newline or Paramount... good luck!
Trial_User until more and more soon uninstallation
Title: Re: False Positive on AFF chat page? What kind of support is that!!?? Ppl stink.
Post by: Trial_user_Reinstalling_Avast on November 19, 2005, 11:11:37 AM
Well, it's been sometime... it's clear I will get no intelligent replies whatsoever. It stinks. I have uninstalled Avast from my computer... Avast may look pretty good, and it "may" be, but it doesn't have such a small footprint, and I find it slows down my pc quite a lot, on top of the false positive and the lame support - but make no mistake, my forum experience is very good though, elevating ppl's thinking, crushing lame solutions provided by incompetent or ignorant ppl :P :o 8) :-X Some ppl are really  :-X :o ;D ??? f.. ::) :-X :-* ??? clueless about it... for them, Avast is great because it takes care of their need for false positives since they are really dying for something to shake their day, like an unknown virus in a simple script of a commercial website used by millions of people.... and avast provides. They'll find tons of viruses to brag about, like that tag team trio that brought this "virus" to my attention and which I have documented for you here to steer you maybe towards college education or prepare you for some SAT or sth like that. Yep, they have the privilege of having discovered a virus that does nothing at all.... I mean, I say it's a virus because Avast trapped it... hell, it even traps it when I remove all potency to the code...  so yeah, saying window.open at the same time as requesting favicon.ico will kill you!!!

I have uninstalled big-mouthed Avast nonetheless. I'll admit Avast looks cool... I have set the resident scanner to verbose mode and I saw it scanning all those files... and it looked almost like this tool from systeminternals to see OS file and process in real time! COOL! :P :-* :D Jaja

What else should I say? That this new virus we should call VBS.Jscript.window.open.favicon.AFF is really a great discovery by Avast... I mean, AVG doesn't see it, NAV neither, Kaspersky no, Panda no, McAfee no, TrendMicro no.... Avast YES! So I guess I'll have to side with all you and say that yeah, this is really a virus, it's spreading all over the place.... hidden between tcp and ip, in that layer  you know, in the headers of this all. You guys should sniff all those packets that go through your pc for all malformed and irregular packets, and if you see sth wrong, open your mouth and swallow. Then you will be very cool and you can come here post your theories :o :o ;D :o :-\

You better believe in college education!
Thanks for your "support"
Trial_user uninstalling as he is writing this.... support staff, you may reply within 2 mins and I may press the cancel button!
Title: Re: False Positive on AFF chat page? What kind of support is that!!?? Ppl stink.
Post by: Cloussau on November 19, 2005, 11:15:32 AM
how did you go finding that friend?
Title: Re: False Positive on AFF chat page? What kind of support is that!!?? Ppl stink.
Post by: Trial_user_Reinstalling_Avast on November 19, 2005, 11:29:43 AM
Well, Inspector.... I have to admit I'm still waiting... since Avast almost convinced me there was a virus in that chat room there, I couldn't go anymore...so I couldn't find a friend you know.. :'( :( :-X So I had to resort to the only place where I can meet cool people with neat ideas on the world of viruses!!!! Avast "support" forum and its knowledgeable users!!! ???

And so far so good, I'm getting tons of IM thanks to ppl here who find my comments refreshing and my brilliant mind quite a turn on. I clearly see you're part of the crowd!!! :-* :-*

Thanks to Avast, I let go of my search for a date and became an undercover weird virus hunter and avast support post specialist and I can now do the rest in solo..!!! Thank you avast!!! This is better than personals! Guess that's why your engine trapped the code, to convert me to Avast support forum!

Thank you, friend!
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: FreewheelinFrank on November 19, 2005, 11:52:55 AM
Boy! Somebody really needs to get out more!
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Trial_user_Reinstalling_Avast on November 19, 2005, 11:59:53 AM
Quote
Boy! Somebody really needs to get out more!
Thanks for your enthusiasm! I wonder if you were always as spiritual in those 725 posts you wrote... or is your pointlessness only limited to this single post? I am flattered by your flatness.

Clearly if you cannot see beyond what I wrote and elevate your thinking and want to remain a first degree avast false positive evangelist, you should go out more:) I note you have like 725 posts! I have some 15. Have a nice day! :-X

p.s. Why not comment on the issue? What do you think of window.open... should it be trapped by Avast? Erectile diff?
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: FreewheelinFrank on November 19, 2005, 12:02:15 PM
I'm serious. Turn off the computer and get some fresh air, you'll feel better.
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Trial_user_Reinstalling_Avast on November 19, 2005, 12:08:46 PM
Quote
I'm serious. Turn off the computer and get some fresh air, you'll feel better.
I'm serious too:) I don't take orders like that. Who are you to say... mind your own air fellow evangelist... :)

If you had taken even a second to read my analysis you would see I can challenge anyone technically but you hide behind vile words and sloppy rhetoric. Can you at least understand what I wrote initially or are you just pointlessly replying to my more humoristic comments? Please don't be a sissy... I am no threat... I will never miss going out or taking some air for 726 posts like you;-) Thank you for your concern... it is very much appreciated. A medal could be appropriate...

Thank you for behaving,
I advise college education for manners,
you may also elect training from home, and ask people about "behaving" and things like that!
Enjoy!
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: FreewheelinFrank on November 19, 2005, 12:16:30 PM
You have made your point with your posting and throwing insults around achieves nothing.

Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Trial_user_Reinstalling_Avast on November 19, 2005, 12:21:02 PM
I just want to clarify here that no insult was intended. But I will not take orders.

The fact is, I just want a satisfactory answer and nothing would please me more than avast or anyone serious addressing the problem forthwith and with a minimum of knowledge.... have you read some of the replies I had? It's been like 15 updates + and still no one has even acknowledged really the issue! What the ??? is that?

Quote
We should not multiply the beings pointlessly
It is important to stick to the point at hand. As for me, I have detailed and documented amply my experience with avast and it may be a real good piece of soft but I can't chat on my site with it....I must be really infected by now!!! Virus!!! Virus!!!

People talk about their revised hallucination of tcp\ip and magic in html headers... I say:
Quote
It's like in a cv, you stick to what you know or you know someone will stick it up your  :o

But it's nothing personal, it's an acquired taste!
Take care!
Almost done uninstalling.... a few mins left...!
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Abraxas on November 25, 2005, 07:48:15 PM
I must say Trial_user_Uninstalling_Avast that your attitude towards having a false positive is extraordinary. It's such a simple thing to check with other scanners, there's so many, and put it behind you  :P
Hopefully you've un-installed and trialling another AV. The response, or lack of it is obviously because you answered your own question in figuring avast! reported a false positive.( Exclude "IT", ::) don't  prepose there's a major glitch in Avast! )
You're obviously  new to Anti-spyware programs . Have a great time with other AV's which in general are not even close to Avast!'s lack of "False Positives" !
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Vlk on November 28, 2005, 10:24:35 AM
Well, I don't know what's taking the virus guys so long to fix this FP but what prevents you to put the site to the list of WebShield's scan exclusions? That would solve the problem immediately...

BTW, as I said multiple times, this IS a false positive, and not an intentional block of the AFF site. It could happen on www.toysrus.com or www.whitehouse.gov as well...


Thanks
Vlk


PS I also very much appreciate the hard work you spent on the analysis of the problem. Your emails were indeed very helpful. ;)
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Trial_user_Reinstalling_Avast on November 29, 2005, 06:20:39 AM
Quote
I must say Trial_user_Uninstalling_Avast that your attitude towards having a false positive is extraordinary. It's such a simple thing to check with other scanners, there's so many, and put it behind you  :P
Ahhh, thank you my friend... it is quite a sight indeed and I'm very proud of it! :P By the way, it is clearly stated somewhere in my analysis that I used other engines like AVG and NAV, and that no virus was found and so I suggest improving your reading skills as a way to improve your focus level. As I've explained before, ppl waste lots of time because they don't read. As an exercise, you may go through my analysis from the beginning and take down notes of key points and marvel at its logic. Then you may post it here and I'll grade it and give you my insights ::) ???
Quote
Hopefully you've un-installed and trialling another AV. The response, or lack of it is obviously because you answered your own question in figuring avast! reported a false positive.( Exclude "IT", ::) don't  prepose there's a major glitch in Avast! )
I knew my analysis was flawless but I needed a confirmation from the support team/author. And it's clear ppl (I won't say like you :D) didn't help much with their far fetched theories and protectionism, fan club like logic. I NEVER implied that this software had a major glitch. It was always in the context of my false positive and was just related to that.  :P
Quote
You're obviously  new to Anti-spyware programs . Have a great time with other AV's which in general are not even close to Avast!'s lack of "False Positives" !
Euh... what did you say, what is an "anti-spyware"? lolllll I admit to being clueless. Come on, you didn't read my post... do the little exercise;-) You are confusing anti-spyware functionality with the heuristic engine... I was talking about the shell extension for virus detection, and resident scanner for the webpage... what the  ??? :-X ;D :o 8) is the link with AS? Are you saying that Avast is picking up a subtle "spyware" on the page? Then why a warning on the jscript and not some dll or local component. And even then so, but what about my stripped down code? It's harmless... windows.open... I'm not talking about my car window you see... :) Do not bash at other vendors... were you to refute my analysis you would be entitled to do so:) :P Ah... but I almost had forgotten your very revealing analysis from very early in the posts, which is clearly confirmed today... and let me quote you, it's really worth it :P:
Quote
Technically I can add nothing, but using common sense the  above mentioned site is a part of a  huge network of data collection sites, permeating substantially throughout the web. Visiting such a network would require plenty of realtime defence . Avast!'s response, off hand, seems  quite appropriate  whatever the inner workings you have defined.
I really like the "whatever the inner workings you have defined" part... as if whatever the logic may be, the response seems appropriate... 1984esque network... lots real time defence....hmmm... may I ask.... do you wear plate-mail armor? Seems like an appropriate response to me;D lollollllllllllllll :P :P


Take care of that logic there;-)
(I appreciate you commenting don't you worry 8) )
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Trial_user_Reinstalling_Avast on November 29, 2005, 06:41:22 AM
Quote
Well, I don't know what's taking the virus guys so long to fix this FP but what prevents you to put the site to the list of WebShield's scan exclusions? That would solve the problem immediately...

BTW, as I said multiple times, this IS a false positive, and not an intentional block of the AFF site. It could happen on www.toysrus.com or www.whitehouse.gov as well...


Thanks
Vlk


PS I also very much appreciate the hard work you spent on the analysis of the problem. Your emails were indeed very helpful. ;)

Yeah, excluding it is possible as a functionality, but I just wanted some kind of confirmation for the false positive and thank you for providing that. Your attitude is the correct one. Confirming, awaiting correction, providing a solution, to the point. No witchcraft. I hope some posters will heed those comments.

It is redeeming to see that this may have been useful.... I can safely say it was fun!!! :P

Thank you again,
Trial_User_Reinstalling...the trial.
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Cloussau on November 29, 2005, 07:41:35 AM
thank god that's over, thought you might be looking for a refund  :-\
i think there's a moral to this beware the open window look where it took Peter Pan  ;D
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Trial_user_Reinstalling_Avast on November 29, 2005, 08:22:41 AM
Yes it's a nice try at ending the trend but I think I deserve the "last" words... :'( :-\ :-X :-[ After all, I did the analysis and you were worrying about my friendfinding... :D Thanks to the low technical standards of you fellow users who commented on this trend (Vlk excluded for answering directly and without doing a 1984 dance), many women saw in me the great intellectual revelation of their lifetime! I admit I had an unfair advantage. I put aside my RFC techno garbage, didn't entertain you on the subtleties of ADS or post decompiles or real time data of packet analyses etc... nah... I just used the basic notepad, and some common sense. It wasn't much of a challenge but it was creatively stimulating. Of course, I refrained from posting my pic as well as I still wanted some kind of competition. :-X

You're welcome to look at my blog: http://adultfriendfinder.com/blog/St_Amina


Thanks to all!
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Cloussau on November 29, 2005, 09:09:01 AM
I'm surprised you haven't written your own AV program   8)
I'm too old for another pissing contest and i have friends aplenty ;D
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Abraxas on November 29, 2005, 09:11:13 AM
Trial_user_Reinstalling_Avast:
Quote
...Thanks to the low technical standards of you fellow users who commented on this trend...
You're welcome  8) I'll just put this together, and find myself a corner.
(http://img.photobucket.com/albums/v194/2B4ANTONY43/duncehatinstructions.jpg)
Trial_user_Reinstalling_Avast:
Quote
It is redeeming to see that this may have been useful.... I can safely say it was fun!!!  :P
Seriously, thank you for your analysis  ... and education on this important  matter...   ;)
Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals!!
Post by: Trial_user_Reinstalling_Avast on November 29, 2005, 09:26:43 AM
"I am not responsible for anything above this line. " Says the website your dunce hat stuff was taken:) I wouldn't want to be responsible for solving it either;-) :D :D

The homotopy is chosen so that all the intermediate steps are Möbius transformations as well:

(http://www.ima.umn.edu/~arnold/complex/mobius/all.gif)

I just like having fun!
You're welcome:)

Title: Re: False Positive on AFF chat page? Or why Avast Forum is better than personals
Post by: Trial_user_Reinstalling_Avast on November 29, 2005, 09:35:46 AM
Quote
I'm surprised you haven't written your own AV program   8)
I'm too old for another pissing contest and i have friends aplenty ;D
The fact is, I'm too lazy to code it... but here is the code segment needed to correct Avast FP on AFF... and you'll excuse me if I put that in binary machine code for you... I just code natively in that language(x86/IA-32).... learning IA-64!!!:
Insert at 000AE812:

C'mon... that was a joke.... I hope you didn't try to decompile this lollllllllllll  ::) :P :P :D

Take care Friend!

Trial_User