Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: Charlton6131 on September 28, 2008, 02:24:25 PM

Title: Win32:Banker detected ......but seems like false alarm
Post by: Charlton6131 on September 28, 2008, 02:24:25 PM
Avast reports an infection with Win32:Banker in PostCast server files. HOWEVER, after carefully reading the "pathology" of this virus (the files it creates, registry changes, where it places files etc), none of these were found.

Not ONE of the signs that the virus exists on the computer was found, yet Avast reports the infection.

Is this an Avast "False Alarm"? Perhaps Avast is incorrectly identifying a legitimate file as containing a virus when it really doesn't? The file it is flagging is PBBalloon.ocx

Thanks
Title: Re: Win32:Banker detected ......but seems like false alarm
Post by: DavidR on September 28, 2008, 04:15:32 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Title: Re: Win32:Banker detected ......but seems like false alarm
Post by: Charlton6131 on October 04, 2008, 12:13:32 AM
I went to VirusTotal and it scanned the file but the result is about as useful as a broom with no straws.

It just tells me what I already knew...that AVAST says it is infected. One or two more say the same but it's like 3 of 36 virus scanners (I think is what it is saying) claim it may be infected?

So what does that mean? That 3 of 36 virus engines believe it's infected while most do not?

Since I looked over ALL the virus information on the particular virus in question and NONE of the signs (registry changes, file creations etc) seem to have occurred, I guess I will assume that the 3 engines reporting the virus are just stupid.

Thanks

Title: Re: Win32:Banker detected ......but seems like false alarm
Post by: Lisandro on October 04, 2008, 12:23:47 AM
"I guess I will assume that the 3 engines reporting the virus are just stupid."
Which are the engines? I won't call them stupid, but just false positives...
Can you post a link to the VirusTotal analysis?
Title: Re: Win32:Banker detected ......but seems like false alarm
Post by: DavidR on October 04, 2008, 01:21:12 AM
The report isn't about as useful as a broom with no straws to us, as we can see what other AVs detect it and what the malware name is.

GData uses two scanning engines, one being avast, so it is possible that that would effectively reduce the hits to 2/35, so finding out the other scanners that detected it and what they called it helps greatly.

Whilst there is still a strong possibility that it is a false positive, we can't say for certain without information.