Author Topic: False positive (Read 3512 times)

guta89 · « **on:** July 06, 2012, 06:35:13 PM »

How can i report a false positive?

!Donovan · « **Reply #1 on:** July 06, 2012, 06:40:06 PM »

You can report a possible false positive here: http://www.avast.com/contact-form.php

There is the possibility of legal detection.

DavidR · « **Reply #2 on:** July 06, 2012, 08:55:19 PM »

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

guta89 · « **Reply #3 on:** July 06, 2012, 10:34:42 PM »

The file is kavremover.exe. I tried to download,but avast has stopped it.

polonus · « **Reply #4 on:** July 06, 2012, 10:39:24 PM »

This is Kaspersky Removal Tool. Did you check it against the Virustotal scanner to see if it is a legit file? Is avast the only one flagging it, as that could be a sign of it being a FP,

polonus

!Donovan · « **Reply #5 on:** July 06, 2012, 10:43:17 PM »

Where did you try to download kavremover.exe?
https://www.virustotal.com/file/27a2e9bc09ea17e6b6a6d8b6c648ce4460cdf2ec1609355001ab78425a514e16/analysis/1341607258/

guta89 · « **Reply #6 on:** July 07, 2012, 12:11:34 AM »

from support.kaspersky.com

polonus · « **Reply #7 on:** July 07, 2012, 12:20:58 AM »

Could have been a false packer detect - binayries,
Given clean here: http://vscan.urlvoid.com/analysis/17a04bf49a4c9a8d4d1b316bd45e0ea6/a2F2cmVtb3Zlci1leGU=/
Suspicious here: http://zulu.zscaler.com/submission/show/2d656ab36507c2f407123b779775b435-1341613048
Something here, IDS alerts: http://urlquery.net/report.php?id=84321 Some botnet spoof executable flowbit alert
(possibly bad PCAP) users of Kaspersky Removal Tool don't wanna drop that executable, net admins might (pol)

polonus

!Donovan · « **Reply #8 on:** July 07, 2012, 12:24:06 AM »

Is it Sandbox?

Author Topic: False positive (Read 3512 times)

guta89

False positive

!Donovan

Re: False positive

DavidR

Re: False positive

guta89

Re: False positive

polonus

Re: False positive

!Donovan

Re: False positive

guta89

Re: False positive

polonus

Re: False positive

!Donovan

Re: False positive