Avast WEBforum

Other => Viruses and worms => Topic started by: Roxas on March 07, 2009, 06:12:30 AM

Title: Avast heuristic False Positive?
Post by: Roxas on March 07, 2009, 06:12:30 AM
I'm not sure if this topic is in the right section. I was using superantispyware's program update when avast pop up with this message below.
(http://i479.photobucket.com/albums/rr156/CrimeorPunishment/AvastHeuristic.png)
I checked the file on Google and the file belongs to SUPERAntiSpyware, a legitimate company. I uploaded the file to http://virustotal.com and http://virusscan.jotti.org and they did not find anything wrong with the file. Is it a false positive with avast heuristics?
Title: Re: Avast heuristic False Positive?
Post by: Tarq57 on March 07, 2009, 06:44:33 AM
Simple answer, yes, it's a false positive.
Less simple, heuristic detection (by any program) is more likely to report a legitimate file as being a possible threat, because of the expected or projected behaviour of that file. (Don't ask me how Avast makes this determination.)
This especially seems to be true of security software, I think because good security software has the ability to access parts of the file system not usually accessible.
Superantispyware has a feature called "DDA", for Direct Disk Access.
I suspect the driver for this is what's being flagged.

So, if this file belonged to something else, the suspicious behaviour would definitely be a cause for further investigation.
Not really a "False Positive", more a genuine and valid detection, that in this case proves harmless.
Title: Re: Avast heuristic False Positive?
Post by: Lisandro on March 07, 2009, 01:46:57 PM
I'll click Ignore and send the file to Alwil for further analysis. Hope they correct the false positive soon.
Title: Re: Avast heuristic False Positive?
Post by: DavidR on March 07, 2009, 06:25:14 PM
Whilst this is a valid file, I have SAS Pro installed and a) this service isn't running, b) there is no detection by the avast anti-rootkit scan, obvious I guess since it isn't running.

Now I don't know what version of SAS you have, free/pro, or why this might be running on your system but not mine?

It may be that your SAS update happened to coincide with the avast anti-rootkit scan 8 minutes after boot (or why would it be a hidden service)?

I have just initiated an SAS update and it is progressing, but a) no detection by avast and b) no sasdifsv.sys running.

You should however, as Tech mentions
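The checks DavidR describes above (is the driver service actually running, and is the flagged file what it claims to be) can be scripted. The following PowerShell is an added example and is not from any poster in this thread or from avast/SUPERAntiSpyware; it assumes the driver service is named after the file sasdifsv.sys mentioned above and that the file lives under the standard drivers folder, both of which are assumptions to adjust for your system.

```powershell
# Added example (not from the thread): triage a heuristic hit on a driver file.
# Assumptions: the service name is the file name without extension (assumed),
# and the file sits in System32\drivers (assumed). Adjust the parameters.
param(
    [string]$ServiceName = 'SASDIFSV',                                        # assumed
    [string]$DriverPath  = "$env:SystemRoot\System32\drivers\sasdifsv.sys"    # assumed
)

# 1. Is the kernel driver registered, and is it currently running?
$driver = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($driver) {
    "Service $($driver.Name): state=$($driver.State), start=$($driver.StartMode), path=$($driver.PathName)"
    # Prefer the path the service actually points at over the assumed one.
    if ($driver.PathName) { $DriverPath = $driver.PathName -replace '^\\\?\?\\', '' }
} else {
    "No system driver named $ServiceName is registered on this machine."
}

# 2. Does the file exist, and who signed it? A valid Authenticode signature from
#    the expected publisher is strong evidence that the heuristic hit is benign.
if (Test-Path -LiteralPath $DriverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Signature status: $($sig.Status)"
    if ($sig.SignerCertificate) { "Signer: $($sig.SignerCertificate.Subject)" }

    # 3. A hash to cross-check on VirusTotal/Jotti and to include when sending
    #    the sample to the AV vendor for false-positive review.
    $hash = Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256
    "SHA256: $($hash.Hash)"
} else {
    "Driver file not found at $DriverPath"
}
```

Run it from an elevated PowerShell session so the driver query and the file under System32 are readable. A `NotSigned` or `HashMismatch` status, or a signer that is not the vendor you expect, is the point at which the "ignore and submit" advice earlier in the thread stops applying and the file deserves a closer look.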