Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: drahnier on September 10, 2006, 07:01:21 PM

Title: Did I catch a false positive?
Post by: drahnier on September 10, 2006, 07:01:21 PM
For several months now I have had a small program on my system which I use to learn the pronunciation of Chinese tones (PinYin).

Today avast picked the file I downloaded from http://www.eztechinc.com/product_list.php?id=4
up claiming it has Win32:Troja-gen {UPX!}.

Previous versions of avast did not bark on this file. But the latest Beta version 4.7.881 (running on XP.Pro.SP2) with up to date 0636-3 VPS does. The file has been sitting on my hard drive for several months and until today avast never picked it up during a full scan.

When trying to re-download the file, avast resets the connection to the server and claims the very same trojan is in the file.

It appears I cannot send the file to avast for testing from the virus chest: "The following file cannot be sent by email:
npinyin.exe (FileID: 5). The file is bigger than the limit: 1024 kB"

Title: Re: Did I catch a false positive?
Post by: DavidR on September 10, 2006, 07:36:28 PM
It is possible that updates to the VPS and especially the -gen (generic) signatures might detect something on your system that wasn't detected before. You need to confirm if the detection was correct.

You can check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)
or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right click scan; it will need to be temporarily removed from the standard shield exclusions, otherwise it won't be scanned). When it is no longer detected, you can also remove it from the program settings, exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779), how to report and what to do to exclude them until the problem is corrected.
Title: Re: Did I catch a false positive?
Post by: drahnier on September 10, 2006, 07:43:28 PM
Quote
It is possible that updates to the VPS and especially the -gen (generic) signatures might detect something on your system that wasn't detected before. You need to confirm if the detection was correct.

You can check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)
or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right click scan; it will need to be temporarily removed from the standard shield exclusions, otherwise it won't be scanned). When it is no longer detected, you can also remove it from the program settings, exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779), how to report and what to do to exclude them until the problem is corrected.


Thanks for your kind recommendations. I'll start with Windows Live online virus scanner ...

Title: Re: Did I catch a false positive?
Post by: Lisandro on September 10, 2006, 07:49:39 PM
I downloaded from http://www.eztechinc.com/product_list.php?id=4
Site seems ok...
Quote
Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211) Copyright © Igor Daniloff, 1992-2005
Last update time: 2006-09-10,19:28:44 File size: 37450 bytes

product_list.php?id=4 - archive HTML
>product_list.php?id=4/JavaScript.0 - OK
>product_list.php?id=4/JavaScript.1 - OK
>product_list.php?id=4/JavaScript.2 - OK
>product_list.php?id=4/JavaScript.3 - OK
product_list.php?id=4 - OK

I give up on trying to submit the file to Virus Total... it's very slow just to have the possibility to access the service nowadays.
On-line scanners are 'loaded' and 'flooded'...  :P

Quote
It appears I cannot send the file to avast for testing from the virus chest: "The following file cannot be sent by email: npinyin.exe (FileID: 5). The file is bigger than the limit: 1024 kB"
You can raise this limit... in the Chest settings of avast.
Title: Re: Did I catch a false positive?
Post by: drahnier on September 10, 2006, 08:09:39 PM
Thanks, Tech.


Neither Windows Defender nor Windows Live AV scanner report the file as infected.
Title: Re: Did I catch a false positive?
Post by: DavidR on September 10, 2006, 09:19:56 PM
The blue text in my post consists of links to multi-engine scanners (27 engines in the case of VirusTotal), better than any single scan for confirmation one way or another.