Author Topic: [Mini Sticky] False Positives  (Read 70125 times)


Offline RejZoR

[Mini Sticky] False Positives
« on: October 10, 2004, 09:43:03 AM »
I wrote this as a small tutorial on how to treat false positives.
It might help if you encounter any from time to time (I have had only 1 in 1 year :) ).

If you encounter an alert that you think is a false positive, do the following:

Check the file with these services:
http://virusscan.jotti.org
http://www.virustotal.com

- if the file is detected by any other antivirus too (like Kaspersky), then it's most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)

- if the scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive, then follow the next step:

Pack the "infected" file into a ZIP archive, lock it with the password "virus" (without quotes) and attach it to an e-mail.
Write the same password inside the mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add the web address of that file (or the webpage of the file/program) if it's on the internet.
Add your own note on why you think that it's a false positive. Every bit of info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail with file info (if it was really a false positive) after some time.
If not, check the file with the Explorer extension when a new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file to the exclusions:
Left click on the "a" ball next to the clock and select Standard Shield.
Click Customize... and select the Advanced tab.
Now just enter the full path (path plus filename with extension) into the line and press [Enter] on the keyboard.

This will exclude the file from scanning, so you can use it until the false positive is resolved. Do this with caution, or if you're 100% sure that the alert was a false positive for that file.

Alwil staff deal with false positives very fast, so they are usually fixed in the next VPS update, or even immediately if the false positive is found in a widely used program.
Try to address false positives directly to the Alwil virus submission mail and not here on the forums. This way the false positive is solved faster.
« Last Edit: November 19, 2007, 10:38:29 PM by RejZoR »
Visit my webpage RejZoR's Flock of Sheep

Offline DavidR

Re: [Mini Sticky] False Positives
« Reply #1 on: April 06, 2006, 07:27:16 PM »
Update on Jotti URL - Jotti - Multi engine on-line virus scanner
Or an alternate scanner VirusTotal - Multi engine on-line virus scanner

Exclusions continued:
You will also need to add this to the avast! Program Settings, Exclusions section so on-demand scans don't pick it up either. Right click the avast icon, select Program Settings, Exclusions, Add and type the path to the file to be excluded. You can use the * wildcard to shorten the path, e.g. C:\*\foldername\filename, etc.
« Last Edit: May 06, 2006, 03:25:30 PM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/
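RejZoR's full-path exclusion above and DavidR's `*` wildcard shortcut both raise the same question for a defender: how much does a given exclusion actually silence? The following is an added Python example, not code from the forum or from avast, that audits an exclusion entry against a constructed list of file paths and flags entries that reach beyond one file in one directory. It assumes `*` matches any run of characters including backslashes, an inference from the `C:\*\foldername\filename` example and not documented on this page.

```python
import re
from typing import Iterable

# Constructed sample of paths as an on-access scanner would see them.
SAMPLE_PATHS = [
    r"C:\Program Files\MyTool\mytool.exe",
    r"C:\Users\Alice\Downloads\MyTool\mytool.exe",
    r"C:\Users\Alice\Downloads\MyTool\updater.exe",
    r"D:\backup\MyTool\mytool.exe",
    r"C:\Windows\System32\notepad.exe",
]


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion entry into a regex.

    Assumption (not stated on the page): '*' matches any run of characters,
    backslashes included, so C:\\*\\MyTool\\mytool.exe matches that file at any
    depth under C:\\. Matching is case-insensitive because Windows paths are.
    """
    literal_parts = pattern.split("*")
    body = ".*".join(re.escape(part) for part in literal_parts)
    return re.compile(rf"^{body}$", re.IGNORECASE)


def excluded_paths(pattern: str, paths: Iterable[str]) -> list[str]:
    """Return every path the exclusion entry would keep the scanner from flagging."""
    rx = exclusion_to_regex(pattern)
    return [p for p in paths if rx.match(p)]


def audit_exclusion(pattern: str, paths: Iterable[str]) -> dict:
    """Report what an exclusion silences and flag over-broad entries.

    An entry that covers more than one directory or more than one file name
    also silences detections the user never meant to suppress.
    """
    hits = excluded_paths(pattern, paths)
    dirs = {h.rsplit("\\", 1)[0].lower() for h in hits}
    names = {h.rsplit("\\", 1)[-1].lower() for h in hits}
    return {
        "pattern": pattern,
        "matches": hits,
        "distinct_dirs": len(dirs),
        "distinct_names": len(names),
        "over_broad": len(dirs) > 1 or len(names) > 1,
    }


if __name__ == "__main__":
    for pat in (r"C:\Program Files\MyTool\mytool.exe",
                r"C:\*\MyTool\mytool.exe",
                r"C:\*\MyTool\*"):
        report = audit_exclusion(pat, SAMPLE_PATHS)
        print(f"{pat}: {len(report['matches'])} file(s), over_broad={report['over_broad']}")
```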

Offline polonus

Re: [Mini Sticky] False Positives
« Reply #2 on: July 07, 2006, 03:39:17 PM »
Hi RejZoR,

There is another aspect to FPs that we have to consider. Did you put it there yourself?
If you put wget on your computer yourself, with or without the GUI, this could be flagged as malware (riskware), but it is normal software that you can even use to safely analyze webpages. If it was put there without you knowing, it could be used as a hacking tool or to upload malicious content onto your machine.
As in the real world: you can use a hammer to build something nice, or to club someone over the head. FPs can be FPs or not, just from this point of view as well.
If in doubt, ask on our forum or investigate using Google.
With riskware the lines become a bit shady and grey. Some even flag animations as viruses, because people could think it was real and get a heart attack from it.
So an alert: your hard disk is now being deleted, 1..2..3. While others would say it is a joke. This is called Jokeware, and sometimes clearly an FP.

polonus
« Last Edit: July 07, 2006, 03:42:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: [Mini Sticky] False Positives
« Reply #3 on: July 07, 2006, 03:55:07 PM »
We can't second guess the reason why a person thinks it is a false positive; especially in the case of a tool that can be used for evil as well as good, avast can't determine intent. avast isn't in the business of waiting to see if you will use the hammer for good or evil; it might be too late then.

Not too long ago the UK police shot dead a man who had a wooden table leg in a bag; someone thought it was the butt of a shotgun sticking out of the bag and phoned the police. Fear that if you wait too long you might be killed was, I believe, a huge factor in their opening fire, and a court cleared them of blame.

That is after all why they are reporting the FP, and they usually give their reason for thinking it an FP. If they indeed installed the file/program, etc., that is why we give the option to exclude it, but you have to investigate it first, and that is true of all possible false positives; otherwise why would the user think it a false positive?

It is also worth considering that you should investigate ALL detections to ensure that they were indeed correct. I would, but then that's just me ;D

Offline DavidR

Re: [Mini Sticky] False Positives
« Reply #4 on: May 06, 2007, 05:31:32 PM »
You can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW-protect when the sample is sent from the chest.

Offline serpentine5

Re: [Mini Sticky] False Positives
« Reply #5 on: December 17, 2008, 10:48:25 PM »
This is more or less about files giving false positives.... What about websites?
I have a site I am trying to view. I am in contact with the owner and builder and he assures me it is safe, and several other people whom I am in contact with have gone there and no one has had an issue with their AV except me. The owner also says he runs Avast and it doesn't give him a warning when trying to view the same page.
Page I am trying to look at:
http://www.johndorrill.com/ls/index.htm
Thanks

Offline Lisandro

Re: [Mini Sticky] False Positives
« Reply #6 on: December 17, 2008, 11:10:47 PM »
Can you start a new thread for your problem?
See the picture.
But, as far as I know, avast is quite good at hacking detection of websites...
The best things in life are free.

Offline DavidR

Re: [Mini Sticky] False Positives
« Reply #7 on: December 17, 2008, 11:17:17 PM »
Well, this should really be in a topic of its own, as this one is for reference, e.g. how to report false positives.

However, in the case of an alert on a web site where you have no file to send, you send the email without an attachment, but including the suspect URL and all the other details previously mentioned.

There would appear to be more to this, as I can't get to the page to check it, nor can any of the scanners I use to check.

Quote
Error

Can't fetch file pointed by your url. This may be caused by several reasons:

    * Remote file is not available (not found, requires authentication, permission denied)
    * Remote site is down, or very slow, or busy
    * No network connectivity between Dr.Web online server and remote web-site
    * File too big

So please take this to a topic of its own in the Viruses and worms forum and we will try to help.

Offline Walls

Re: [Mini Sticky] False Positives
« Reply #8 on: July 06, 2011, 03:51:25 PM »
I bought a game from the Steam store yesterday called "Fate of the World", and I have been unable to play, the reason apparently being a false positive type of situation with my avast antivirus, the free version.
Is this report enough? Here is the log of the error I received; I don't know if you'll be in need of it or not, but still..

Fate of the World 1.0.8
uncaught exception (std::runtime_error)
SHGetFolderPathAndSubDirA failed

 0x531502 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x130502
 0x6fc4c449 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0xb449
 0x6fcb7ba3 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x76ba3
 0x6fcbfaaf 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x7eaaf
 0x52c062 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b062
 0x52c2ac 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b2ac
 0x420a03 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x1fa03
 0x4013db 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x3db
 0x76e63677 'C:\Windows\syswow64\kernel32.dll' .text+0x3677
 0x77b69f02 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29f02
 0x77b69ed5 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29ed5

Offline SpeedyPC

Re: [Mini Sticky] False Positives
« Reply #9 on: July 06, 2011, 03:58:54 PM »
ASUS G75VX-T4153H - Avast Premier v19.8.2393 - W8.1 64bit - Avast SecureLine VPN - Avast Secure Browser - Firefox 64bit - Thunderbird 64bit - MBAM Premium - Adguard Premium - CryptoPrevent Premium - Privacy Eraser - MCShield - WinPatrol PLUS - Macrium Reflect Home Edition

Offline Asyn

Re: [Mini Sticky] False Positives
« Reply #10 on: July 06, 2011, 04:00:04 PM »
Link not found, please check ;)

Very old topic... ;D
W8.1 [x64] - Avast PremSec 19.9.2394.B1 [UI.440] - CC 5.63 - EEK - Firefox ESR 68.4.1 [NS/AOS/uBO/PB] - Thunderbird 68.4.1 - ASL.B
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline SpeedyPC

Re: [Mini Sticky] False Positives
« Reply #11 on: July 06, 2011, 04:01:18 PM »

Offline DavidR

Re: [Mini Sticky] False Positives
« Reply #12 on: July 06, 2011, 05:16:53 PM »
Positively ancient, almost 7 years, October 2004 ;D

VirusTotal - Multi engine on-line virus scanner

Some internet companies are born, grow up and die in less than 7 years.

Offline Walls

Re: [Mini Sticky] False Positives
« Reply #13 on: July 06, 2011, 05:18:29 PM »
Did any of the mods try to solve this problem?
I'd appreciate it.

Offline Walls

Re: [Mini Sticky] False Positives
« Reply #14 on: July 06, 2011, 06:55:34 PM »
No one has done anything about this yet? Are there any active mods left in this forum that can help me?