Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Spiritual2016 on February 23, 2017, 05:22:16 AM

Title: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 05:22:16 AM
At 8:20pm Pacific on Wed, I updated my automatic dialer software program 'Gravis Easy Phone' but Avast detected it as a false positive threat:

Object: C:\Users\User\AppData\Local\Apps\..\Gep8.exe

Infection: IDP Generic

'Threat was detected and blocked just before the attack.'


Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 05:30:18 AM
The detection is from Avast! Behaviour shield that monitors for malware like behaviour.

So necessarily the app did something identical to malware that triggered this. And since IDP didn't prompt you for action, it means it had a high accuracy for the file being bad.

I will try and get someone from Avast! to take a look.

Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 05:32:14 AM
TrueIndian:

I updated my automatic dialer software 'Gravis Easy Phone' but Avast detected it as a threat.

I went into the Virus Vault, selected Gep8.exe, and right-clicked 'Restore and add exclusion' but it is still in the Virus Vault.

After signing into the software, Windows firewall blocked it so I gave permission to allow access.

Does restoring it keep a copy in the Virus Vault (and it has to be deleted manually) or is the Virus Vault supposed to empty when a file is restored?
Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 05:35:56 AM
TrueIndian:

I went into the Virus Vault and selected 'Restore and add exclusion' but it is still in Virus Vault.

Does it restore a copy and save a copy in Virus Vault that has to be deleted manually or is the Virus Vault supposed to empty when a file is restored?

Yes, it restores and saves a copy in the chest. This may actually not be a FP since it was caught via behaviour. It's better off not adding it to exclusions, since we don't want to infect the system if it is bad by any chance.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 05:46:42 AM
TrueIndian:

Every time there is a software update for Gravis EasyPhone, Avast detects it as a threat but it is a legitimate update so it 'is' a false positive.

I already 'restored it and added it as an exclusion' so that it is not recognized as a threat again.

What I am asking: Since Avast saves a copy in the Virus Vault even after restoring it, should I delete it manually from the Virus Vault?
Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 05:49:42 AM
Yes you can.

Also, can you upload the detected file to www.virustotal.com and post the link to the results here please.

It will give us a clear view of the file.  :)
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 05:56:40 AM
Gep8.exe is the file and here is more info on it: https://www.reasoncoresecurity.com/gep8.exe-d4f9056e945705d9644fe9ad436b8f45bc8d37ed.aspx:

*Since my software update is always named Gep8.exe: By selecting 'Restore and Add Exclusion,' will Avast recognize it as a threat again the next time it is updated or will Avast ignore future updates as a threat because Gep8.exe has been excluded from being detected?
Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 05:59:22 AM
No, once added to exclusions it will not be monitored or detected. Sorry, but you need to upload the file here:
www.virustotal.com

and post the results here. I already saw the website link you posted; I Google-searched it.  :)
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 06:01:05 AM
Thanks for your assistance.

I 'know' that the file is legit because GEP8=Gravis Easy Phone Version 8.

I access the software through the desktop shortcut icon, not an .exe file. I checked the Gravis folder but only the Setup file is listed, and Windows Search did not detect Gep8.exe.

I just ran a full virus scan and no threats were detected.

Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 07:19:56 AM
Hi,
If you access the file via shortcut, right click the shortcut, select Properties and look at the "Target" field. That is the path to the file that needs to be sent to us, either directly, or if you upload it to virustotal, we will know which file it is.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 07:29:10 AM
Gep8 is not listed in Properties or in the Windows Explorer 'Gravis' directory.

When Avast detected the threat, the Object was: C:\Users\User\AppData\Local\Apps\..\Gep8.exe so I found it that way.

Do I email it to Avast at 'submit@virus.avast.com with the subject line Undetected Malware' or upload it at Virus Total and click 'Scan It?'
Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 08:25:38 AM
Gep8 is not listed in Properties or in the Windows Explorer 'Gravis' directory.

When Avast detected the threat, the Object was: C:\Users\User\AppData\Local\Apps\..\Gep8.exe so I found it that way.

Do I email it to Avast at 'submit@virus.avast.com with the subject line Undetected Malware' or upload it at Virus Total and click 'Scan It?'

I suggest you upload to VT
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 08:28:05 AM
I am uploading it to Virus Total now.

Please provide me with an update once there is one.
Title: Re: IDP Generic Infection
Post by: TrueIndian on February 23, 2017, 08:29:01 AM
I am uploading it to Virus Total now.

Please provide me with an update once there is one.

Post the link to the scan results here once it finishes analysing.  :)
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 08:34:59 AM
Link to Virus Total Summary: https://virustotal.com/en/file/80e2673f2989a3b81df5ab12a2ac9e1d9f0e1c77ad4eb342895af5bd3eddf2ee/analysis/1487835120/

*Keep in mind that Avast does not detect it because I 'Restored and Added Exclusion' earlier, remember?
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 09:19:34 AM
*Keep in mind that Avast does not detect it because I 'Restored and Added Exclusion' earlier, remember?
You are correct, but for a wrong reason :) Avast does not seem to detect it in VT, but this is not because someone added it to exclusions; it is because virustotal does not run the file (and therefore does not scan it with behavioral shield).

I added the file to our cleanset, along with 31 other files signed with the same digital signature.

I also marked the digital signature as clean, which means IDP detection will never be triggered on files signed by this signature in the future.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 09:29:24 AM
HondzaZ:

To be clear then, Gep8.exe is clean but detected as a false positive-Correct?

The '31 other files with the same digital signature'-What do you mean by that and who uploaded them?

Was I correct to 'Restore and Add It As An Exclusion' earlier? I was aware that it was a false positive because Avast recognizes it as a threat every time the software is updated.
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 09:34:09 AM
HondzaZ:
:D

To be clear then, Gep8.exe is clean but detected as a false positive-Correct?
Correct. The file is clean, and was mistakenly detected due to suspicious activity.

The '31 other files with the same digital signature'-What do you mean by that and who uploaded them?
When I queried our database of files for the signature, I found 32 files total - one of them was the file you uploaded, the rest we got mostly from other people.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 09:40:36 AM
This is new to me so I would appreciate the following clarifications:

'The file was mistakenly detected due to suspicious activity'-Do you mean that Avast mistakenly detected it as suspicious?

What would cause the file to be mistakenly detected due to suspicious activity when it is a legitimate program?

Were the 31 other files the same file that I uploaded or did 31 others upload potentially suspicious files at the same time as I did?

Was I correct to 'Restore and Add It As An Exclusion' earlier? I was aware that it was a false positive because Avast recognizes it as a threat every time the software is updated.
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 09:47:15 AM
What would cause the file to be mistakenly detected due to suspicious activity when it is a legitimate program?
Some (even legitimate) programs exhibit suspicious behaviour. And we at Avast are better safe than sorry: if it is "too suspicious", we rather block it than let our users be infected. Furthermore, how do you define "legitimate program"? How do we know it is "legitimate" if we have no info about it?

Were the other 31 files the same file that I uploaded or did 31 others upload potentially suspicious files at the same time as I did?
There were 31 other files signed with the same digital signature. Not necessarily with the same filename, not necessarily submitted at the same time. Some might have arrived a year ago, for example.

Was I correct to 'Restore and Add It As An Exclusion' earlier? I was aware that it was a false positive because Avast recognizes it as a threat every time the software is updated.
Again, yes, but for a wrong reason. There are many malicious files (viruses, even) that update themselves. Just the fact that something "updates itself" doesn't mean it is clean!
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 09:53:06 AM
By 'legitimate program,' I mean that I have used it at home for work for years-It is an automated dialer program. Every time there has been an update, Avast detects it as suspicious, so that is why I 'restored and added it as an exclusion' earlier, since updates occur on a regular basis.

Even though Avast initially detected the file as suspicious, it is clean-Correct?

I still do not understand what is meant by 'the same digital signature' then.
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 10:44:48 AM
Even though Avast initially detected the file as suspicious, it is clean-Correct?
Correct!

I still do not understand what is meant by 'the same digital signature' then.
It is similar to a regular personal signature. Imagine you have a world much like ours, where every paper you write, you sign with your signature. This signature is genuine, i.e. it is impossible to forge someone else's signature. Now there is a company that has the signature database and with it, copies of all the papers that were signed by the signature. If I, as an employee of that company, then decide that "this person is trustworthy, he never lies on his papers and his papers are harmless", I may keep a "clean" mark next to his signature in your database, and then if someone comes to me and asks about this unknown paper that has this signature, I will tell him "I have never seen this paper, but this signature has a very good record, I trust it even though I didn't even have time to read what is on the paper".

Now do the following substitutions: paper -> file, signature -> digital signature, company -> Avast. That is how we deal with digital signatures.

Did I explain it a little bit? :)
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 10:27:54 PM
HonzaZ:

I apologize but, by the 'same digital signature,'  are you 'trying' to state that you marked the other 31 submitted files as 'clean' as well, so that detection from those specific files will never be triggered on files signed by their specific signature in the future and Avast will not detect them as suspicious?
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 10:38:04 PM
are you 'trying' to state that you marked the other 31 submitted files as 'clean' as well, so that detection from those specific files will never be triggered on files signed by their specific signature in the future and Avast will not detect them as suspicious?
Correct!
I marked 31 other (previously) submitted files (with the very same digital signature) clean, so no other detection (IDP or other) will be ever triggered on them.
Furthermore, I marked the digital signature itself clean, which means new (unknown) files with the same signature will not be detected by IDP in the future.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 10:56:32 PM
What confused me (and still does) is what the 'same' digital signature means.

Since each user's uploaded file is 'different,' how can the digital signature be the same?
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 11:05:40 PM
Since each user's uploaded file is 'different,' how can the digital signature be the same?
It is the same with a real signature, really. If you personally sign 100 different papers, someone (for example, I) can still prove the signature is the same.
And it is the same with files - one signature can sign an unlimited number of files, and still the signature is the same.
More info for example here: https://en.wikipedia.org/wiki/Digital_signature but I am sure there are many more explanations on the Internet ;)
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 11:17:39 PM
By the 'same digital signature,' are you saying that all 32 files were marked as clean by you and 'clean' is the digital signature?

If that is not what it means, what was the specific digital signature used for all 32 files, who attached the digital signature, and what is the 'translation' of that signature? :)
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 23, 2017, 11:30:30 PM
By the 'same digital signature,' are you saying that all 32 files were marked as clean by you and 'clean' is the digital signature
I marked both the 32 files AND the digital signature as clean, so all Avast will consider this when creating detections.

If that is not what it means, what was the specific signature used for all 32 files, who attached the digital signature, and what is the 'translation' of that signature? :)
You can view the digital signature here: https://virustotal.com/en/file/80e2673f2989a3b81df5ab12a2ac9e1d9f0e1c77ad4eb342895af5bd3eddf2ee/analysis/1487835120/ if you click on "File detail" tab. The digital signature is always issued by the "creator" of the file (in this case, "Gravis Marketing").
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 23, 2017, 11:37:06 PM
I understand:

All 32 files were marked as clean by you
All 32 files were added to the Cleanset
The 'digital signature' is issued by the creator, in my case, Gravis Marketing!

What you are 'not' being clear about is:

How were all 32 files signed with the 'same digital signature' when the other 31 files submitted by others were not Gravis Marketing-related but were different creators!

By 'same digital signature,' do you mean that the other 31 files were also IDP? If so, the creators of the other 31 files would 'still' be different so the digital signature would be different.
Title: Re: IDP Generic Infection
Post by: HonzaZ on February 24, 2017, 12:03:37 AM
...how all 32 files were signed with the 'same digital signature' when the other 31 files submitted by others were not Gravis Marketing-related! The 31 other files had different creators so how could the 'SAME' digital signature be used?
I never said that! On the contrary - all files were signed by the same signature ("Gravis Marketing").
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 24, 2017, 12:28:04 AM
Are you saying that there were 31 other files with the same 'Gravis Marketing' digital signature in the database of files (so I was not the first one to report this IDP detection)? As a result, you added all 32 files to the Cleanset so that detection will never be triggered on files signed by Gravis Marketing in the future?

Follow-up Questions:

-Did you mark my file upload as 'clean' before or after checking the database of files?

-Was my file added to the Cleanset before (or along with) the other 31 files signed by 'Gravis Marketing'?

Title: Re: IDP Generic Infection
Post by: HonzaZ on February 24, 2017, 08:33:32 AM
Are you saying that there were 31 other files with the same 'Gravis Marketing' digital signature in the database of files (so I was not the first one to report this IDP detection)? As a result, you added all 32 files to the Cleanset so that detection will never be triggered on files signed by Gravis Marketing in the future?
Correct!

-Did you mark my file upload as 'clean' before or after checking the database of files?
After.

-Was my file added to the Cleanset before (or along with) the other 31 files signed by 'Gravis Marketing'?
Along with.
Title: Re: IDP Generic Infection
Post by: Spiritual2016 on February 24, 2017, 09:12:46 PM
I understand now that my file and the 31 other files with the 'Gravis Marketing' digital signature were added to the 'Cleanset' and the digital signature itself was marked as clean but 'how' does my version of Avast 'know' not to detect this signature as a threat in the future?

Will it take effect the next time the virus definition is updated?
Title: Re: IDP Generic Infection
Post by: REDACTED on March 04, 2017, 06:05:09 AM
Hello,
I also have a false positive detected as 'IDP.Generic.39515dfb2d8c.3.2' with 'Vole Media CHM' software.
I sent a report.
Thank
Title: Re: IDP Generic Infection
Post by: REDACTED on April 16, 2017, 11:14:55 PM
Hello,

I seem to have a similar problem with a navigation tracking tool I use for tracking my truck: Geo Navi.
I've been using this program since 2013 with no problems until my last update of the Avast software.

Now it detects it and blocks one of its components: a file named events handler.exe, with the message reading IDP: Generic.
I have uploaded the file to virustotal and here is the link to the analysis results:

https://www.virustotal.com/pl/file/6fc5b4da63a235ca743ea219360b2f426ffe17fc84fcc0021e34b013732873e4/analysis/1492376150/

Is it a false positive?

Or is the GeoNavi software bugged?
Title: Re: IDP Generic Infection
Post by: Pondus on April 16, 2017, 11:35:03 PM
Hello,

I seem to have a similar problem with a navigation tracking tool I use for tracking my truck: Geo Navi.
I've been using this program since 2013 with no problems until my last update of the Avast software.

Now it detects it and blocks one of its components: a file named events handler.exe, with the message reading IDP: Generic.
I have uploaded the file to virustotal and here is the link to the analysis results:

https://www.virustotal.com/pl/file/6fc5b4da63a235ca743ea219360b2f426ffe17fc84fcc0021e34b013732873e4/analysis/1492376150/

Is it a false positive?

Or is the GeoNavi software bugged?
Report it  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438