Author Topic: [Mini Sticky] False Positives (Read 91680 times)

RejZoR · « **on:** October 10, 2004, 09:43:03 AM »

I wrote this as a small tutorial on how to treat false positives.
It might help if you encounter any from time to time (i have only 1 in 1 year

).

If you encounter alert for which you think that it's a false positive, do the following:

Check the file with this service:
http://virusscan.jotti.org
http://www.virustotal.com

- if file is detected by any other antivirus too (like Kaspersky), than its most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)
- if scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive,then follow the next step:

Pack the "infected" file into ZIP archive and lock it with password "virus" (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it's on the internet.
Add your own note on why do you think that it's a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail about file info (if it was really a false positve) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file into exclusions:
Left click on "a" ball next to the clock and select Standard Shield.
Click Customize... and select Advanced tab.
Now just enter full path (path plus filename with extension) into the line and press [Enter] on keyboard.

This will exclude the file from scan, so you can use it untill false positive is resolved. Do this with caution or if you're 100% sure that the alert was false positive for that file.

Alwil staff deals with false positives very fast, so they are usually fixed on next VPS update, or even immediately if the false positive is found in any widely used program.
Try to address false positives directly to Alwil virus submission mail and not here on forums. This way the false positive is solved faster.

DavidR · « **Reply #1 on:** April 06, 2006, 07:27:16 PM »

Update on Jotti URL - Jotti - Multi engine on-line virus scanner
Or an alternate scanner VirusTotal - Multi engine on-line virus scanner

Exclusions continued:
You will also need to add this to the avast! Program Settings, Exclusions section so on-demand scans don't pick it up either. Right click the avast icon, select Program Settings, Exclusions, Add and type the path to the file to be excluded. You can use the * wildcard to shorten the path, e.g. C:\*\foldername\filename, etc.

polonus · « **Reply #2 on:** July 07, 2006, 03:39:17 PM »

Hi RejZoR,

There is another aspect to FP's that we have to consider. Did you put it there yourself?
If you put wget on your computer yourself, with or without the gui, this could be flagged as malware (riskware), but it is normal software, that you can even use to safely analyze webpages. If it was put there without you knowing this, it could be used as a hacking tool or to upload malicious content onto your machine.
As in the real world: you can use a hammer to build something nice, or to clubber someone over the head. FP's can be FP's or not, just from this point of view as well.
In doubt ask our forum or investigate using google.
With riskware the lines become a bit shady and grey. Some even flag animations as virus, because people could think it was real and get a heart attack from it.
So an alert, your harddisk is now being deleted, 1..2..3. While others would say, it is a joke. This is called Jokeware, and sometimes clearly a FP.

polonus

DavidR · « **Reply #3 on:** July 07, 2006, 03:55:07 PM »

We can't second guess the reason why a person thinks it is a false positive, especially in the case of a tool that can be used of evil as well as good avast can't determine intent. avast isn't in the business of waiting to see if you will use the hammer for good or evil, it might be too late then.

Not too long ago the UK police shot dead a man who had a wooden table leg in a bag, someone thought it was the butt of a shotgun sticking out of the bag and phoned the police. Fear that if you wait too long you might be killed was I believe a huge factor in their opening fire and a court cleared them of blame.

That is after all why they are reporting the FP and they usually give their reason for thinking it a FP. If they indeed installed the file/program, etc. that is why we give the option to exclude it, but you have to investigate it first and that is true of all possibly false positives, otherwise why would the user think it a false positive.

It is also worth considering should also investigate ALL detections to ensure that it was indeed correct, I would but then that's just me

DavidR · « **Reply #4 on:** May 06, 2007, 05:31:32 PM »

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

serpentine5 · « **Reply #5 on:** December 17, 2008, 10:48:25 PM »

This is more or less about files giving false positives.... What about websites?
I have a site I am trying to view, I am in contact with the owner and builder and he assures me it is safe, and several other people whom I am in contact with have went there and no one has had issue with their AV except me. The owner also says he runs Avast and it doesnt give him a warning when trying to view the same page.
Page I am trying to look at it:
http://www.johndorrill.com/ls/index.htm
Thanks

Lisandro · « **Reply #6 on:** December 17, 2008, 11:10:47 PM »

Quote from: serpentine5 on December 17, 2008, 10:48:25 PM

This is more or less about files giving false positives.... What about websites?
I have a site I am trying to view, I am in contact with the owner and builder and he assures me it is safe, and several other people whom I am in contact with have went there and no one has had issue with their AV except me. The owner also says he runs Avast and it doesnt give him a warning when trying to view the same page.
Page I am trying to look at it:
http://www.johndorrill.com/ls/index.htm
Thanks

Can you start a new thread for your problem?
See the picture.
But, as far I know, avast is quite good on hacking detection of websites...

DavidR · « **Reply #7 on:** December 17, 2008, 11:17:17 PM »

Well this should really be in a topic of its own as this one is for reference e.g. how to report false positives.

However, in the case of an alert on a web site where you have no file to send, you send the email without an attachment, but including the suspect URL and all the other details previously mentioned.

There would appear to be more to this as I can't get to the page to check it nor can any of the scanners I use to check.

Quote

Error

Can't fetch file pointed by your url. This may be caused by several reasons:

   * Remote file is not available (not found, requires authentication, permission denied)
   * Remote site is down, or very slow, or busy
   * No network connectivity between Dr.Web online server and remote web-site
   * File too big

So please take this to a topic of its own in the Viruses and worms forum and we will try to help.

Walls · « **Reply #8 on:** July 06, 2011, 03:51:25 PM »

I bought a game from the steam store yesterday called "Fate of the World" and I have been unable to play, the reason apparently being a false positive type of situation with my avast anti virus the free version.
Is this report enough? here is the log of the error i received, I don't know if you'll be in need of it or not but still..

Fate of the World 1.0.8
uncaught exception (std::runtime_error)
SHGetFolderPathAndSubDirA failed

0x531502 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x130502
0x6fc4c449 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0xb449
0x6fcb7ba3 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x76ba3
0x6fcbfaaf 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x7eaaf
0x52c062 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b062
0x52c2ac 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b2ac
0x420a03 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x1fa03
0x4013db 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x3db
0x76e63677 'C:\Windows\syswow64\kernel32.dll' .text+0x3677
0x77b69f02 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29f02
0x77b69ed5 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29ed5

SpeedyPC · « **Reply #9 on:** July 06, 2011, 03:58:54 PM »

Quote from: DavidR on April 06, 2006, 07:27:16 PM

Or an alternate scanner VirusTotal - Multi engine on-line virus scanner

Link not found please check

Asyn · « **Reply #10 on:** July 06, 2011, 04:00:04 PM »

Quote from: SpeedyPC on July 06, 2011, 03:58:54 PM

Link not found please check

Very old topic...

SpeedyPC · « **Reply #11 on:** July 06, 2011, 04:01:18 PM »

Quote from: Asyn on July 06, 2011, 04:00:04 PM

Very old topic...

Smartarse

DavidR · « **Reply #12 on:** July 06, 2011, 05:16:53 PM »

Quote from: Asyn on July 06, 2011, 04:00:04 PM

Quote from: SpeedyPC on July 06, 2011, 03:58:54 PM
Link not found please check

Very old topic...

Positively ancient, almost 7 years October 2004

VirusTotal - Multi engine on-line virus scanner

Some internet companies are born, grow up and die in less than 7 years.

Walls · « **Reply #13 on:** July 06, 2011, 05:18:29 PM »

Quote from: Walls on July 06, 2011, 03:51:25 PM

I bought a game from the steam store yesterday called "Fate of the World" and I have been unable to play, the reason apparently being a false positive type of situation with my avast anti virus the free version.
Is this report enough? here is the log of the error i received, I don't know if you'll be in need of it or not but still..

Fate of the World 1.0.8
uncaught exception (std::runtime_error)
SHGetFolderPathAndSubDirA failed

0x531502 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x130502
0x6fc4c449 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0xb449
0x6fcb7ba3 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x76ba3
0x6fcbfaaf 'libstdc++-6.dll' (2eb15de7c32dbe4f47a8005d068634eea6b70499) .text+0x7eaaf
0x52c062 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b062
0x52c2ac 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x12b2ac
0x420a03 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x1fa03
0x4013db 'fotw.exe' (177b59aaa770884471d5b75aa7f6c273bba65ddf) .text+0x3db
0x76e63677 'C:\Windows\syswow64\kernel32.dll' .text+0x3677
0x77b69f02 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29f02
0x77b69ed5 'C:\Windows\SysWOW64\ntdll.dll' .text+0x29ed5

Did any of the mods try to solve this problem?
I'd appreciate it.

Walls · « **Reply #14 on:** July 06, 2011, 06:55:34 PM »

No one has done anytning about this yet ? are there any active mods left in this forum that can help me ?

Author Topic: [Mini Sticky] False Positives (Read 91680 times)

RejZoR

[Mini Sticky] False Positives

DavidR

Re: [Mini Sticky] False Positives

polonus

Re: [Mini Sticky] False Positives

DavidR

Re: [Mini Sticky] False Positives

DavidR

Re: [Mini Sticky] False Positives

serpentine5

Re: [Mini Sticky] False Positives

Lisandro

Re: [Mini Sticky] False Positives

DavidR

Re: [Mini Sticky] False Positives

Walls

Re: [Mini Sticky] False Positives

SpeedyPC

Re: [Mini Sticky] False Positives

Asyn

Re: [Mini Sticky] False Positives

SpeedyPC

Re: [Mini Sticky] False Positives

DavidR

Re: [Mini Sticky] False Positives

Walls

Re: [Mini Sticky] False Positives

Walls

Re: [Mini Sticky] False Positives