Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: belalessandro on September 02, 2007, 12:37:29 PM

Title: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: belalessandro on September 02, 2007, 12:37:29 PM
Avast! Antivirus reports a false positive alarm (it says Win32:Bifrose-AGY [Trj]) with files created by Multimedia Builder 4.9.7, which are compressed with the UPX packer.
The definitions are the latest: 1.9.2007 - 0771-0

The problem was also reported by the software house of MMB:
http://mmb.mediachance.com/virus.htm

I hope this false positive alarm will be fixed as soon as possible.
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: DavidR on September 02, 2007, 02:47:06 PM
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html). I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and restore it to its original location. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779) for how to report it to avast! and what to do to exclude them until the problem is corrected.
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: belalessandro on September 02, 2007, 02:47:19 PM
I've already sent a mail to virus@avast.com.
However, this is the Online malware scan of an exe file created with MMB:

Scan taken on 02 Sep 2007 12:22:49 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Bifrose-AGY
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: DavidR on September 02, 2007, 02:57:59 PM
They are usually quick to correct these after submission of the sample.

In the meantime you can exclude the file from scans.

Welcome to the forums.
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: belalessandro on September 02, 2007, 03:00:20 PM
Here is another scan report:

File FalsePositive.exe ricevuto il 2007.09.02 14:18:32 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.9.1.0     2007.09.01   -
AntiVir            7.4.1.66       2007.09.01   -
Authentium         4.93.8         2007.09.02   -
Avast              4.7.1029.0     2007.09.01   Win32:Bifrose-AGY
AVG                7.5.0.484      2007.09.01   -
BitDefender        7.2            2007.09.02   -
CAT-QuickHeal      9.00           2007.09.01   -
ClamAV             0.91.2         2007.09.02   -
DrWeb              4.33           2007.09.02   -
eSafe              7.0.15.0       2007.09.02   suspicious Trojan/Worm
eTrust-Vet         31.1.5100      2007.08.31   -
Ewido              4.0            2007.09.02   -
FileAdvisor        1              2007.09.02   -
Fortinet           3.11.0.0       2007.09.02   -
F-Prot             4.3.2.48       2007.09.02   -
F-Secure           6.70.13030.0   2007.09.02   -
Ikarus             T3.1.1.12      2007.09.02   Virus.Win32.Bifrose.AGY
Kaspersky          4.0.2.24       2007.09.02   -
McAfee             5110           2007.08.31   -
Microsoft          1.2803         2007.09.02   -
NOD32v2            2497           2007.09.01   -
Norman             5.80.02        2007.09.02   -
Panda              9.0.0.4        2007.09.01   -
Prevx1             V2             2007.09.02   -
Rising             19.38.62.00    2007.09.02   -
Sophos             4.21.0         2007.09.02   -
Sunbelt            2.2.907.0      2007.08.31   -
Symantec           10             2007.09.02   -
TheHacker          6.1.9.175      2007.08.31   -
VBA32              3.12.2.3       2007.09.01   -
VirusBuster        4.3.26:9       2007.09.02   -
Webwasher-Gateway  6.0.1          2007.09.01   Win32.ModifiedUPX.gen!90 (suspicious)
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: DavidR on September 02, 2007, 04:23:56 PM
The second one I assume is VirusTotal, which is the better of the two as it uses the Windows version of avast and includes more packers.

However, it still may be an FP, as two detections are suspicious and could be down to heuristics, so I think it was still wise to submit the sample as you did.
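As an added example (not part of this thread or of any avast tool), the small Python script below applies DavidR's rule of thumb to the two multi-engine report layouts quoted above: it separates named detections from generic packer/heuristic verdicts and flags a probable false positive worth excluding temporarily and submitting to the vendor. The sample lines are constructed from engines that appear on this page, and the thresholds in triage() are my own assumption.

```python
import re

# Constructed sample mixing the two report layouts quoted in this thread:
# "Engine    Found <result>" lines and "Engine Version Update Result" rows.
SAMPLE_REPORT = """\
Avast    Found Win32:Bifrose-AGY
AVG Antivirus    Found nothing
Kaspersky Anti-Virus    Found nothing
Sophos Antivirus    Found nothing
eSafe 7.0.15.0 2007.09.02 suspicious Trojan/Worm
Ikarus T3.1.1.12 2007.09.02 Virus.Win32.Bifrose.AGY
McAfee 5110 2007.08.31 -
Microsoft 1.2803 2007.09.02 -
Symantec 10 2007.09.02 -
Webwasher-Gateway 6.0.1 2007.09.01 Win32.ModifiedUPX.gen!90 (suspicious)
"""

FOUND_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<result>.+)$")
TABLE_RE = re.compile(r"^(?P<engine>\S+)\s+\S+\s+\d{4}\.\d{2}\.\d{2}\s+(?P<result>.*)$")
CLEAN_RESULTS = {"-", "nothing", ""}
# Substrings that mark a generic packer/heuristic verdict rather than a family name
HEURISTIC_MARKERS = ("suspicious", "heur", ".gen", "modifiedupx", "packed")

def parse_report(text):
    """Return {engine: result} from either layout; later rows win on duplicates."""
    rows = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip()) or TABLE_RE.match(line.strip())
        if m:
            rows[m.group("engine").strip()] = m.group("result").strip()
    return rows

def classify(result):
    """Bucket a verdict as clean, heuristic (generic/packer) or named detection."""
    r = result.lower()
    if r in CLEAN_RESULTS:
        return "clean"
    if any(k in r for k in HEURISTIC_MARKERS):
        return "heuristic"
    return "named"

def triage(text):
    """Assumed rule of thumb: at most two named detections among a clean majority,
    with the remaining hits generic/heuristic, is a probable false positive."""
    by_class = {"clean": [], "heuristic": [], "named": []}
    for engine, result in parse_report(text).items():
        by_class[classify(result)].append(engine)
    named, heur, clean = (sorted(by_class[k]) for k in ("named", "heuristic", "clean"))
    probable_fp = len(named) <= 2 and len(clean) > len(named) + len(heur)
    return {"named": named, "heuristic": heur, "clean": clean, "probable_fp": probable_fp}
```

On the constructed sample this reports two named detections, two heuristic hits and six clean engines, so the file is marked a probable FP; a report where several engines independently name a family is not.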
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: belalessandro on September 03, 2007, 02:16:55 PM
WOW! Very quick! Thanks a lot!

Scan taken on 03 Sep 2007 10:10:33 (GMT)
A-Squared     Found nothing
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
CPsecure    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
Sophos Antivirus    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing
Title: Re: FALSE POSITIVE on Multimedia Builder 4.9.7's compressed files
Post by: DavidR on September 03, 2007, 03:31:32 PM
As I said, they are generally very quick to correct an FP after analysis.

Thanks for the feedback, glad that the problem is resolved.