Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Morro41 on August 15, 2011, 02:43:22 PM

Title: How to report this False positive?
Post by: Morro41 on August 15, 2011, 02:43:22 PM
After having updated the drivers for my Nvidia Geforce G100 to 280.26, Avast believes that the file nvlddmkm.sys shows behavior. A manual scan of the file with Avast and MBAM shows that it is clean.

Also Virus Total shows that the file is clean.

http://www.virustotal.com/file-scan/report.html?id=4ad0556df8a833074b723a15fc3e99314fb457157c91238c44e933b13294bb17-1313410147

So I would like to report it as a false positive, but even packed with 7z set to maximum compression the file is still 3.18 MB. This makes it too big to use the standard way of reporting a false positive, so how can I report/send this file to the virus labs for them to examine?
Title: Re: How to report this False positive?
Post by: nmb on August 15, 2011, 02:46:52 PM
Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.

If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.
Title: Re: How to report this False positive?
Post by: DavidR on August 15, 2011, 02:49:11 PM
Well, the strange thing is that on the VT results avast doesn't detect anything.
Ensure you have the latest virus definitions update.

So what were the details of this detection, what was being reported? I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast)?
Title: Re: How to report this False positive?
Post by: Morro41 on August 15, 2011, 03:04:36 PM
Quote from: DavidR on August 15, 2011, 02:49:11 PM
Well, the strange thing is that on the VT results avast doesn't detect anything.
Ensure you have the latest virus definitions update.

So what were the details of this detection, what was being reported? I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast)?

Avast updated to 110815-0 just after I had rebooted after having installed the latest Nvidia drivers, and shortly after that it indeed popped up with a warning about the file I mentioned in the first post.

Quote from: nmb on August 15, 2011, 02:46:52 PM
Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.

If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.

That was the method I already tried; it does not seem to allow uploading a packed file of 3.18 MB. But for now I will indeed exclude the file. Still, this should be reported as a false positive, because it has to be one I guess. So just to be certain they would need to examine that file at the Virus Labs; it is just that the method I tried does not allow sending a file of that size.
Title: Re: How to report this False positive?
Post by: ady4um on August 15, 2011, 04:11:46 PM
If you have no alternative, you could post here a link to the download location of the drivers, and EXACT information about it.

I can't promise that it would be evaluated using the link here, but it is better than nothing.

In case you post here a link, please replace the http://... of it with hxxp://... so as to reduce problems with it.

Anyway, I would tend to agree with DavidR on this one. If Avast is not currently identifying it as a problem with a normal scan, and VT also shows no problems, then maybe it was a "glitch"!? What was the exact message?
Title: Re: How to report this False positive?
Post by: JuninhoSlo on August 15, 2011, 04:24:02 PM
Quote from: Morro41 on August 15, 2011, 03:04:36 PM
Quote from: DavidR on August 15, 2011, 02:49:11 PM
Well, the strange thing is that on the VT results avast doesn't detect anything.
Ensure you have the latest virus definitions update.

So what were the details of this detection, what was being reported? I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast)?

Avast updated to 110815-0 just after I had rebooted after having installed the latest Nvidia drivers, and shortly after that it indeed popped up with a warning about the file I mentioned in the first post.

Quote from: nmb on August 15, 2011, 02:46:52 PM
Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.

If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.

That was the method I already tried; it does not seem to allow uploading a packed file of 3.18 MB. But for now I will indeed exclude the file. Still, this should be reported as a false positive, because it has to be one I guess. So just to be certain they would need to examine that file at the Virus Labs; it is just that the method I tried does not allow sending a file of that size.


You can send the FP file via email (virus@avast.com) also. ;) Try it. As far as I know the latest Nvidia drivers have/had some problems.

Bye

Title: Re: How to report this False positive?
Post by: Morro41 on August 15, 2011, 05:04:54 PM
Quote from: JuninhoSlo on August 15, 2011, 04:24:02 PM
You can send the FP file via email (virus@avast.com) also. ;) Try it. As far as I know the latest Nvidia drivers have/had some problems.

Bye

Thank you very much JuninhoSlo, through that method I was able to send the False Positive archive to them. Now all I have to do is wait for their answer. :)
Title: Re: How to report this False positive?
Post by: DavidR on August 15, 2011, 05:32:12 PM
That is why I'm trying to pin down which shield or scan alerted.
If it is the anti-rootkit scan (image1, example of an anti-rootkit detection) there isn't a huge amount that can be done right now, but it is different if it is another shield, like the behavior shield (image2). But the behavior shield example alert only comes up if you have set that shield to Ask and not Auto, the default action.

So which shield or scan is it?
Title: Re: How to report this False positive?
Post by: Morro41 on August 15, 2011, 07:00:14 PM
Quote from: DavidR on August 15, 2011, 05:32:12 PM
That is why I'm trying to pin down which shield or scan alerted.
If it is the anti-rootkit scan (image1, example of an anti-rootkit detection) there isn't a huge amount that can be done right now, but it is different if it is another shield, like the behavior shield (image2). But the behavior shield example alert only comes up if you have set that shield to Ask and not Auto, the default action.

So which shield or scan is it?

That would be the first one, the one in anti-rootkit_alert_actions.png. So would that mean that sending the file to the Virus labs will not achieve the result I am hoping for?

Title: Re: How to report this False positive?
Post by: DavidR on August 15, 2011, 07:27:24 PM
If they don't realise that the detection is from the anti-rootkit scan, the normal signatures have no effect, as you found in the VT results.

So when the alert comes up, I take it that is "Suspicious Files found" rather than "Rootkit found", etc.?

If so, you have two options and the default Ignore is the one you should select; don't check 'Don't tell me about these files in the future' (as you would never know if this is resolved and I don't know if you can reverse this decision). Whilst this will mean it will come up in future boots, telling avast to Ignore should trigger the CommunityIQ to report this back to avast, and it should get analysed and hopefully corrected soon.

That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, graphics card and the driver version, etc. A link to this topic wouldn't hurt.
Title: Re: How to report this False positive?
Post by: Morro41 on August 15, 2011, 09:01:35 PM
Quote from: DavidR on August 15, 2011, 07:27:24 PM
If they don't realise that the detection is from the anti-rootkit scan, the normal signatures have no effect, as you found in the VT results.

So when the alert comes up, I take it that is "Suspicious Files found" rather than "Rootkit found", etc.?

If so, you have two options and the default Ignore is the one you should select; don't check 'Don't tell me about these files in the future' (as you would never know if this is resolved and I don't know if you can reverse this decision). Whilst this will mean it will come up in future boots, telling avast to Ignore should trigger the CommunityIQ to report this back to avast, and it should get analysed and hopefully corrected soon.

That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, graphics card and the driver version, etc. A link to this topic wouldn't hurt.

Well, I just rebooted again and Avast warns that a suspicious file (rootkit) is found and that it could point to a malware infection. I have told it to ignore for the moment. Before I installed the new Nvidia drivers today Avast did not warn me with that message; it did so right after I had installed those new drivers and had rebooted my computer. Also, I downloaded the new drivers from here...

hxxp://www.nvidia.co.uk/page/home.html

which is the official UK Nvidia website, so they should be trustworthy, should they not?
Title: Re: How to report this False positive?
Post by: DavidR on August 15, 2011, 10:01:16 PM
It isn't saying it isn't trustworthy or that it is infected, or the regular avast signatures would be doing the detection. It is just that the method of checking is different to the conventional signatures, and I don't know why this graphics driver (if that is what it is) needs to be hidden. Rootkits try to hide from conventional scans, so it is this which is found to be suspicious.

Your image is different: "Rootkit Found", as that is saying suspicious hidden object (rootkit) found, rather than the one I posted.

The old avast 5 one, when expanded, had an option to submit the file for further analysis. Does the Advanced option open up when clicked?

If it does, you should elect to submit it each time that it is detected.
Title: Re: How to report this False positive?
Post by: Morro41 on August 16, 2011, 12:48:33 PM
Quote from: DavidR on August 15, 2011, 10:01:16 PM
It isn't saying it isn't trustworthy or that it is infected, or the regular avast signatures would be doing the detection. It is just that the method of checking is different to the conventional signatures, and I don't know why this graphics driver (if that is what it is) needs to be hidden. Rootkits try to hide from conventional scans, so it is this which is found to be suspicious.

Your image is different: "Rootkit Found", as that is saying suspicious hidden object (rootkit) found, rather than the one I posted.

The old avast 5 one, when expanded, had an option to submit the file for further analysis. Does the Advanced option open up when clicked?

If it does, you should elect to submit it each time that it is detected.

That would have been handy if I could, but that option is not present anymore. In the picture in my previous post you can already see the "advanced" mode. Makes me wonder why they took that option out?
Title: Re: How to report this False positive?
Post by: DavidR on August 16, 2011, 01:18:20 PM
It does me too, so my only reasoning is what I mentioned about the CommunityIQ feature passing anonymous data back about the detection. If you are selecting Ignore, I would say that would by implication mean you feel it is an FP.
Title: Re: How to report this False positive?
Post by: Morro41 on August 16, 2011, 01:22:21 PM
Yeah, I have done that 3 times since yesterday, plus having sent the file, and I sent them the link to this thread. Now I will just have to wait and see when I get an answer.  :)
Title: Re: How to report this False positive?
Post by: DavidR on August 16, 2011, 01:24:25 PM
Quote from: Morro41 on August 16, 2011, 01:22:21 PM
Yeah, I have done that 3 times since yesterday, plus having sent the file, and I sent them the link to this thread. Now I will just have to wait and see when I get an answer.  :)

Yes, unfortunately waiting is never easy.
Title: Re: How to report this False positive?
Post by: Morro41 on August 19, 2011, 02:11:58 PM
Okay, how long can it take for the virus labs to check a file? I realize that the one I sent them is not the only one they have to check, but still. It is now 4 days ago that I sent them the file I mentioned in the opening post of this thread, and so far I have not received any email back from them.

When I boot my computer I still get the warning that can be seen on the first page. So it is not that they fixed it or something and then forgot to email me with the end result.
Title: Re: How to report this False positive?
Post by: DavidR on August 19, 2011, 02:30:10 PM
As I said in other such posts, you are unlikely to get a reply unless they need more information.

The difference in this case is that if they scan the file in isolation, they aren't going to find anything, as essentially the file is clean. It is just that it is being detected by the anti-rootkit scan, which isn't using the conventional virus signatures, and that would have to be made clear in any submission, along with a link to this topic, which I said 4 days ago.

Quote from: DavidR on August 15, 2011, 07:27:24 PM
<snip>
That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, graphics card and the driver version, etc. A link to this topic wouldn't hurt.
Title: Re: How to report this False positive?
Post by: Morro41 on August 19, 2011, 02:49:35 PM
Quote from: DavidR on August 19, 2011, 02:30:10 PM
As I said in other such posts, you are unlikely to get a reply unless they need more information.

The difference in this case is that if they scan the file in isolation, they aren't going to find anything, as essentially the file is clean. It is just that it is being detected by the anti-rootkit scan, which isn't using the conventional virus signatures, and that would have to be made clear in any submission, along with a link to this topic, which I said 4 days ago.

Quote from: DavidR on August 15, 2011, 07:27:24 PM
<snip>
That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, graphics card and the driver version, etc. A link to this topic wouldn't hurt.

I remember, and that is why I sent them another email that same day after I saw your post, in which I gave them a link to this thread.
Title: Re: How to report this False positive?
Post by: DavidR on August 19, 2011, 02:53:14 PM
If the second email was just to give the link to the topic, it would be in isolation from the first and hard to tie to the other email; so hopefully you attached the file and copied the other information.
Title: Re: How to report this False positive?
Post by: Morro41 on August 19, 2011, 03:00:12 PM
Quote from: DavidR on August 19, 2011, 02:53:14 PM
If the second email was just to give the link to the topic, it would be in isolation from the first and hard to tie to the other email; so hopefully you attached the file and copied the other information.

Well, I did copy the text from the previous email to them, but not the file itself. I thought since they already have it, I did not need to send them the file again. Should I send them another email with the same request and the file plus the link to this thread?
Title: Re: How to report this False positive?
Post by: DavidR on August 19, 2011, 04:15:58 PM
Personally I would send the complete package (file, info and link to the topic) again.
Title: Re: How to report this False positive?
Post by: Morro41 on August 19, 2011, 04:17:33 PM
Alright, I will send it to them with the information you mentioned. Thanks DavidR.
Title: Re: How to report this False positive?
Post by: DavidR on August 19, 2011, 04:29:43 PM
You're welcome, I have also tried another avenue to draw attention to this.
Title: Re: How to report this False positive?
Post by: Morro41 on August 19, 2011, 06:25:05 PM
Quote from: DavidR on August 19, 2011, 04:29:43 PM
You're welcome, I have also tried another avenue to draw attention to this.

I have no idea what that avenue is, but thanks nonetheless.  :)
Title: Re: How to report this False positive?
Post by: DavidR on August 22, 2011, 11:56:51 AM
I have received a reply to my request and this will be passed over to the person responsible for this area (presumably the anti-rootkit scan detections). So fingers crossed it should be resolved soon.
Title: Re: How to report this False positive?
Post by: Morro41 on August 22, 2011, 02:49:12 PM
I really hope so because that message at boot up is really...really starting to get annoying.
Title: Re: How to report this False positive?
Post by: Morro41 on August 25, 2011, 04:12:44 PM
Tomorrow it will be two weeks since I first reported the problem I mentioned on the first page. On the 19th I re-sent the False positive file and all the information suggested by DavidR. So they have gotten the FP file twice plus the needed information... all in two weeks' time.

Now, DavidR has mentioned that you do not always get an email back, so that is not the problem I have right now. But what I do have a problem with is that after two weeks I still get that message at boot up (got it just now again when I booted up). I am a patient man, but right now I am also getting a bit PO, to keep things polite. To me it looks like nothing has been done about my problem in the past two weeks.

And I really do not like to feel that way, but I do right now... so I would like to know what is up with this situation. This is not what I am used to from Avast!!
Title: Re: How to report this False positive?
Post by: DavidR on August 25, 2011, 04:34:09 PM
It isn't what I'm used to from over seven years of using avast and these forums either and it is quite frustrating.
Title: Re: How to report this False positive?
Post by: Morro41 on August 25, 2011, 05:41:20 PM
It most certainly is frustrating. I just scanned the file again with Virus Total and, again as before, it shows the status "clean".

http://www.virustotal.com/file-scan/report.html?id=4ad0556df8a833074b723a15fc3e99314fb457157c91238c44e933b13294bb17-1314285329

Also, a friend mentioned to me today that I should use Norman Sandbox to scan the file. I did not know the site and I do not know how reliable their scans are, but I just got this information after only a few minutes.

Quote
nvlddmkm.sys : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Filename: C:\analyzer\scan\nvlddmkm.sys.
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.
    * Compressed: NO.
    * TLS hooks: NO.
    * Executable type: Kernel driver.
    * Executable file structure: OK.
    * Filetype: PE_I386.

[ General information ]
    * File length:    10304104 bytes.
    * MD5 hash: 4152708c0c24e30dae7fa87d5afe1d7b.
    * SHA1 hash: fef5332389e85b0992a7ae656cca807c6ea0b3a3.

[ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\SAMPLE".
    * Sets value "ImagePath"="C:\sample.sys" in key "HKLM\System\CurrentControlSet\Services\SAMPLE".
    * Sets value "DisplayName"="SAMPLE" in key "HKLM\System\CurrentControlSet\Services\SAMPLE".

[ Process/window information ]
    * Creates service "SAMPLE (SAMPLE)" as "C:\sample.sys".

Which also shows that it is a clean file.
Title: Re: How to report this False positive?
Post by: DavidR on August 25, 2011, 06:13:10 PM
Scanning with VT is a waste of time, as it can't replicate the anti-rootkit scan, which isn't just signature based.

No scanner can do the same as you can on your system, as an anti-rootkit scan compares what your Windows API says is running with what is actually running. It is these hidden processes/drivers that are suspicious, and this can't be replicated by a signature based scan.
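The cross-view comparison DavidR describes, as an added example that is not Avast's code and not part of the thread: two constructed driver lists stand in for the API-reported view and the actually-loaded view, and the same comparison is run with and without path normalisation. The driver lists, the path spellings and the `sampledrv` entry are constructed; that differing path spellings can make a legitimately loaded driver look "hidden" is an illustrative assumption, not something the thread establishes about nvlddmkm.sys.

```python
"""Cross-view driver check: what the high-level API reports as loaded versus
what a lower-level enumeration reports, flagging what only the latter shows.
Added illustration, not Avast's anti-rootkit code; all data below is constructed."""
from dataclasses import dataclass
import ntpath  # pure-Python Windows path handling, runs on any OS


@dataclass(frozen=True)
class DriverRecord:
    name: str  # driver name as the view reports it
    path: str  # image path as the view reports it


# Constructed sample: the user-mode API view (e.g. the service/driver listing).
API_VIEW = [
    DriverRecord("nvlddmkm", r"\SystemRoot\System32\drivers\nvlddmkm.sys"),
    DriverRecord("tcpip", "\\??\\C:\\Windows\\system32\\drivers\\tcpip.sys"),
    DriverRecord("disk", r"C:\Windows\system32\drivers\disk.sys"),
]

# Constructed sample: the low-level view of modules actually loaded in memory.
# "sampledrv" is a constructed entry that appears in no API view at all.
LOADED_VIEW = [
    DriverRecord("nvlddmkm", r"C:\Windows\System32\DRIVERS\nvlddmkm.sys"),
    DriverRecord("tcpip", r"C:\Windows\system32\drivers\tcpip.sys"),
    DriverRecord("disk", r"C:\Windows\system32\drivers\disk.sys"),
    DriverRecord("sampledrv", r"C:\Windows\system32\drivers\sampledrv.sys"),
]


def normalize_path(path: str, system_root: str = r"C:\Windows") -> str:
    """Map the NT spellings of one driver path to a single canonical form.
    \\SystemRoot\\..., \\??\\C:\\... and case differences all denote the same
    file; comparing the raw strings would treat them as different drivers."""
    p = path
    low = p.lower()
    if low.startswith("\\??\\"):  # Win32 device-namespace prefix
        p = p[4:]
    elif low.startswith("\\systemroot\\"):  # symbolic link to %SystemRoot%
        p = system_root + p[len("\\systemroot"):]
    return ntpath.normpath(p).lower()


def hidden_drivers(api_view, loaded_view, naive: bool = False) -> list:
    """Names present in the loaded view but absent from the API view.
    With naive=True the raw (lower-cased) path strings are compared, which
    turns a legitimately listed driver into a 'hidden' one."""
    if naive:
        key = lambda r: r.path.lower()
    else:
        key = lambda r: normalize_path(r.path)
    known = {key(r) for r in api_view}
    return sorted(r.name for r in loaded_view if key(r) not in known)


if __name__ == "__main__":
    print("naive comparison flags :", hidden_drivers(API_VIEW, LOADED_VIEW, naive=True))
    print("normalised comparison  :", hidden_drivers(API_VIEW, LOADED_VIEW))
```

Only the constructed `sampledrv`, which no API view lists, survives the normalised comparison; the naive comparison also flags the two drivers whose paths are merely spelled differently in the two views.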
Title: Re: How to report this False positive?
Post by: Morro41 on August 25, 2011, 08:01:04 PM
Quote from: DavidR on August 25, 2011, 06:13:10 PM
Scanning with VT is a waste of time, as it can't replicate the anti-rootkit scan, which isn't just signature based.

No scanner can do the same as you can on your system, as an anti-rootkit scan compares what your Windows API says is running with what is actually running. It is these hidden processes/drivers that are suspicious, and this can't be replicated by a signature based scan.

Well, in your first post in this thread you mentioned that it was a strange thing that on the VT results avast did not detect anything. So I think you mean that the results do matter, just that they should not be trusted to be 100% correct? And if so, then I agree, but it does give a good idea; so many scanning engines should find something, I think, if something was wrong with the file I mentioned on the first page, right?

Anyway, I just had MBAM do a full scan of my hard drive and it found nothing bad.

Quote
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7566

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

25-8-2011 19:47:56
mbam-log-2011-08-25 (19-47-56).txt

Scan type: Full scan (C:\|)
Objects scanned: 346368
Time elapsed: 59 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Title: Re: How to report this False positive?
Post by: DavidR on August 25, 2011, 08:28:18 PM
Only because you hadn't said what scanner or scan had detected it; in the same post I also said that if it was the anti-rootkit scan, essentially VT wouldn't find anything.

Quote from: DavidR on August 15, 2011, 02:49:11 PM
Well, the strange thing is that on the VT results avast doesn't detect anything.
Ensure you have the latest virus definitions update.

So what were the details of this detection, what was being reported? I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast)?