Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Osc on January 13, 2006, 05:36:44 PM

Title: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: Osc on January 13, 2006, 05:36:44 PM

VPS version 0602-3, 2006-01-13 detects psinfo.exe (available from http://www.sysinternals.com/Utilities/PsInfo.html) as Win32:Doomber-C [Wrm] . This is incorrect.

avast home edition
build dec2005 (4.6.744)
toolkit version 1.9.4.0
activeskin version 4.2.7.3
vps compilation date 2006-01-13
version 0602-3

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: DavidR on January 13, 2006, 08:37:36 PM

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new, undetected virus or false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)

If it is indeed a false positive, add it to the exclusions lists and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779)

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: Osc on January 14, 2006, 12:31:22 AM

perfect, thanks.

that "mini sticky" should be a real Sticky.  =]

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: DavidR on January 14, 2006, 01:36:00 AM

No problem, welcome to the forums.

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: Lisandro on January 14, 2006, 04:02:14 AM

Same thread here: http://forum.avast.com/index.php?action=display;topic=18657.0

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: WDGC on January 14, 2006, 10:39:13 AM

Quote from: DavidR on January 13, 2006, 08:37:36 PM

If it is indeed a false positive, add it to the exclusions lists and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779)

I too get the Win32:Doomber-C [Wrm] detection for psinfo.exe

http://forum.avast.com/index.php?action=display;topic=18657.0

and so followed the "Mini Sticky" directions to exclude the file from scans.

However when I run a standard scan the file is still detected. Is there something else I need do to exclude the file?

.

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: XMAS on January 14, 2006, 10:57:50 AM

The problem seems to be fixed with the latest VPS update(0602-4) ;)

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: WDGC on January 14, 2006, 01:05:35 PM

So it is. Avast should be commended for attending to the matter so speedily.

.

Title: Re: False positive Win32:Doomber-C [Wrm] for Psinfo.exe
Post by: pmi on January 15, 2006, 10:13:31 AM

I also got a false positive with w32:doomber-c on WOL.EXE (Wake on Lan utility) with vps 0602-3. This software has been on my machine for months.

This also seems to have been fixed with the later VPS (0603-0) - I wasn't online to update to 0602-4 so can't confirm if this was fixed in that version.