Topic: old files now have virus ( FP IMHO )


ady4um

  • Guest
old files now have virus ( FP IMHO )
« on: February 09, 2011, 07:29:13 PM »
I have a zip archive which includes, among others, 2 dll's. The zip contains a portable program that I use once in a while.

Suddenly, Avast Free 5.1.889 says the dll's are infected (Threat: Win32:Malware-gen).

I blocked them and agreed to send the dll's to Avast so they could be checked.

That was 2 days ago, and after several Avast antivirus database updates, the dll's are still being identified by Avast as infected.

I wanted to send the whole zip archive to VirusTotal.com, but I can't, apparently because "it contains a virus", according to the dialog window displayed when I try to select the specific zip to be sent.

I still think this is only a case of FP.

Should I keep sending those dll's each time I recheck the zip?

How much time is it normal to expect before any kind of response in the antivirus database for this type of case?

I guess that if/when those dll's are recognized by the Avast team as FP, the antivirus database will be updated and I should see that Avast stops "complaining" about these files. Am I correct?

Is there anything that I can do to help resolve this (whether or not the dll's are infected)?

Suggestions?

TIA.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89377
  • No support PMs thanks
Re: old files now have virus ( FP IMHO )
« Reply #1 on: February 09, 2011, 07:40:53 PM »
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If these files were extracted from the archive (what are the file names and archive location) and placed in the avast chest, then you can Extract from the chest to the suspect folder and upload them to virustotal. It is advisable to have the actual files sent rather than the archive as some of the scanners may not scan or be able to unpack the archive file type.

~~~~
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ady4um

  • Guest
Re: old files now have virus ( FP IMHO )
« Reply #2 on: February 10, 2011, 07:16:56 PM »
DavidR, thank you for your answer.

For those reading your post, you posted instructions for the case when the zip archive was already expanded.

For the case where the zip archive is not yet expanded, the "exclusion rule" should be applied to the current folder where the zip is currently located.

If the folder where the zip archive is located is NOT excluded, then moving files to the chest that are currently inside the zip is probably going to "break" the zip.

Once the specific location is excluded, you can expand the zip archive and send the specific files to VirusTotal.

After sending them to VirusTotal, the exclusion could be reverted back to the previous setting before the addition of the specific location.


Now, about the files that Avast suspects about, Virustotal changed the number of suspicions to about 19/43 on 2011FEB10.

The problematic dll's are French and German versions of the "same" dll. BTW, the English version is not suspected.

For whoever wants to recheck them in VirusTotal, here's their info:

Code:
EMTWINFR.DLL
MD5   : 2baca6e4592e6074f7f2a790f4089c48
SHA1  : b388e414ecacbaefe0d7e6a24012c914940b4ff7
SHA256: 88039ff63d0cd556f9ef20eeffc2de66e012724085cf4311ebe73fbfc6c5ea6b

EMTWINDE.DLL
MD5   : 793472ef8e1b2cdaea655f73b98b5f46
SHA1  : 0d6c467b9603172a58cf697c0b43ad710436e7dc
SHA256: 88caba6dc5aaf083dc4af70bf26f95d3824ea2967ddeb764636817f72dc9c476

and they are part of a program named EMT4WIN 4.38. The current latest version of EMT4WIN is 4.39, and its files are not suspected.

I still think these are FP, but I don't know exactly what to do so the Avast Team can recheck this suspicion. Moreover, I would like to be sure whether those dll's are indeed malware, because I really have no idea how they got infected (again, if indeed they are infected).

Off-Topic: VirusTotal is using 5.0.866, and not the latest Avast version.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89377
  • No support PMs thanks
Re: old files now have virus ( FP IMHO )
« Reply #3 on: February 10, 2011, 07:35:48 PM »
Posting the actual link to the VT results URL is easier and more informative than copying and pasting a limited sub set.

The VT program version is a special build to run in the way it does.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89377
  • No support PMs thanks
Re: old files now have virus ( FP IMHO )
« Reply #5 on: February 10, 2011, 09:22:26 PM »
Whilst this is a high hit ratio, they are all either generic or suspicious/heuristic detections.

There is nothing stopping ady4um sending the sample to avast for analysis.

Send the sample to avast as a possible False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

ady4um

  • Guest
Re: old files now have virus ( FP IMHO )
« Reply #6 on: February 11, 2011, 10:53:57 AM »
Quote from: DavidR
Posting the actual link to the VT results URL is easier and more informative than copying and pasting a limited sub set.
It was not a limited set. Those were the checksums / hash codes to reproduce the results in VT.

Thanks Pondus for taking the time to check those checksums and for pasting the links here before I did.

Quote
Whilst this is a high hit ratio, they are all either generic or suspicious/heuristic detections.

The history of VT's checks on those dll's goes back more than a year, with as few as 3 "positives", and it never got to be positive for all antivirus engines. Actually, the 19/43 result was the one I made yesterday.

Being all "generic" as you say is one of the reasons why I think it is a FP. Of course, in theory there is still the possibility that I was infected.

Quote
There is nothing stopping ady4um sending the sample to avast for analysis.

Well, that's exactly what I thought I did when I gave Avast permission to send the files for recheck when I got the first warning dialog. Since those files are still being identified as viruses after several Avast antivirus database updates, I opened this topic.

Quote
Send the sample to avast as a possible False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

Thank you both. Although I still don't know the difference between what I did before (from the first warning dialog) and what you are suggesting now, I'll do as suggested and I'll come back to report any feedback.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37626
  • Not a avast user
Re: old files now have virus ( FP IMHO )
« Reply #7 on: February 11, 2011, 10:57:14 AM »
Check your message box, see top right corner "MY MESSAGES"

ady4um

  • Guest
Re: old files now have virus ( FP IMHO )
« Reply #8 on: February 14, 2011, 09:43:00 PM »
This is what I did:
Quote
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update
but nothing happened since.

So I added to my exclusions the original folder where the zipped archive is located; then I restored the suspected files from the chest, expanded the zip and wanted to send those suspected files.

My intention was to try a different method, or even the same one. My suspicion was that, since the origin of the files in the chest was a zipped archive (as opposed to files by themselves), maybe there was a problem when sending those dll's for inspection.
To my surprise, the zipped archive was modified by Avast when it sent those dll's to the chest. Avast did not restore the suspected files as I selected to do, and my zip archive doesn't have those suspected dll's anymore  ??? >:( :o

Fortunately, I could get those suspected files from elsewhere; I deleted the exclusions, and I checked the folder again. By this, I got those dll files again in the chest. Now I have the previous files coming from the zip, and the same dll's but coming from a simple folder.
I once again sent the files (actually, one of them) to inspection, using the same method (from the chest).

I received several Avast antivirus database updates since then, but I still can't release those files from the chest.

The whole point of this topic is (for me) to know how to proceed. But now I am waiting for some kind of confirmation of whether those files are indeed FP or not, with no indication how to proceed or how much time to wait.

Moreover, it seems to me that, in case those files are not FP, I will never know. If they are FP, then a new scan would tell me. But if they are not FP, then how would I know? Am I missing something here?

TIA.

ady4um

  • Guest
Re: old files now have virus ( FP IMHO )
« Reply #9 on: February 19, 2011, 04:45:49 PM »
Well, finally I got some kind of answer.

After days of waiting, and after sending the suspected files to Avast (from Avast Chest), the files were identified as FP.

But I can learn several additional things from this experience.

First, the zip archive where the suspected files came from is "broken". Once a file inside the zip was "extracted" by Avast to put it in the chest, the zip was altered. THIS IS VERY VERY BAD.

Moreover, after the files were "cleared" by Avast (in this case, since they were FP), I couldn't restore the files to their original source (inside the zip). THIS IS VERY VERY BAD.

In addition, since the files were finally identified as FP, I have a "kind of answer". I mean, I had no idea if the files were actually received by the Avast Team, or if they were checked. For days, anything was possible. Maybe the files failed to get to Avast's server? Who could know? I had no way to corroborate the status of the process.

If the files were NOT FP's, then I would have *never* seen any change, any response, any kind of knowledge about these files. They would have stayed in the chest with no kind of positive or negative answer/confirmation.

In conclusion, the most basic response I have is somehow random: my files were FP, then I had luck and after several days they were cleared. I am thankful to Avast Team for this and for the program.

The most important conclusion is that the process, the communication, from the point of view of the simple user, is based on luck (although, to be fair, not only on luck). The only way I think is available to the user is to come to the public Avast forum and specifically ask for some kind of response, in hope that someone of Avast Team can answer directly through the forum.

In the middle, I have to keep in mind for the next time not to allow Avast to send anything to the chest that comes from inside a zip or any kind of archive. It is much better to block it, temporarily put the specific location as exclusion, expand the archive, then send the specific files to the chest, and restore the exclusions to the previous state.

I hope this experience can help other users, and especially that it can help to improve Avast for future versions.
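Two things from this thread that a user can script without ever extracting the archive to disk: computing the MD5/SHA1/SHA256 of each zip member in memory (the values reply #2 posted so others could look the files up on VirusTotal without sharing the file), and comparing a before/after member list to see whether a scanner has removed entries from the zip, as happened here. This is an added example, not code from the thread or from Avast; the member names and contents are constructed.

```python
import hashlib
import io
import zipfile

# Constructed sample members for the demo; not the EMT4WIN dlls from the thread.
SAMPLE_MEMBERS = {"sample.dll": b"abc", "empty.bin": b""}


def build_sample_zip(members):
    """Build a zip archive in memory from {name: bytes}; only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def hash_zip_members(zip_bytes, chunk_size=65536):
    """Hash every member in memory: {name: {"md5", "sha1", "sha256", "size"}}.

    Streaming from the archive means nothing is extracted to disk for an
    on-access scanner to quarantine, and the zip itself is never modified.
    """
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(chunk_size), b""):
                    for h in hashes.values():
                        h.update(chunk)
            entry = {alg: h.hexdigest() for alg, h in hashes.items()}
            entry["size"] = info.file_size
            manifest[info.filename] = entry
    return manifest


def removed_members(before, after):
    """Members listed in an earlier manifest that a later one no longer has."""
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    original = hash_zip_members(build_sample_zip(SAMPLE_MEMBERS))
    for name, entry in original.items():
        print(name, entry["size"], entry["sha256"])
    # Simulate the archive after a scanner has pulled one member out of it.
    later = hash_zip_members(build_sample_zip({"empty.bin": b""}))
    print("removed:", removed_members(original, later))
```

Run it once on the untouched archive and keep the printed manifest; after any quarantine action, run it again and `removed_members` tells you exactly which entries the archive has lost.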

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37626
  • Not a avast user
Re: old files now have virus ( FP IMHO )
« Reply #10 on: February 19, 2011, 05:07:26 PM »
Quote
Moreover, after the files were "cleared" by Avast (in this case, since they were FP), I couldn't restore the files to their original source (inside the zip). THIS IS VERY VERY BAD.
I don't think any AV can do that, since they don't have a built-in zip... they will restore it back to the folder created when unpacking... or am I wrong?

ady4um

  • Guest
Re: old files now have virus ( FP IMHO )
« Reply #11 on: February 20, 2011, 09:48:47 AM »
Pondus,

Let's go back for a moment.

Avast scans a zip, identifies files inside the zip as suspicious, I accept to send those files to the chest.

Avast needs, somehow, to extract the suspected files from the zip to put them into the chest. Probably Avast uses some kind of temporary folder to do this.

The suspected files are sent to Avast Team; they are FP. So I want to restore the files to their origin. But I can't!!!

Avast won't restore the files, for whatever reason. Let's assume that Avast "restores" the files to the temporary folder from where it took them to the chest. Is that of any interest to the user? I don't have to care about the internal methods Avast uses to put those files into the chest.

Moreover, Avast simply won't inform me of this temporary folder. And even if I knew, my original zip archive has already been changed, and the suspected files are not inside it anymore.

Yes, I could find some workaround in my particular case. But why? And Avast made a change (to the zip) I was not informed about, hence I couldn't decide if I agree with this change.

If indeed Avast is not able to do the complete whole full process without changing the zip, then:

A_ it could inform so and give a chance to decide; and

B_ it should give an alternative method, like putting the complete zip in the chest without changing it, or maybe having the possibility (after informing) to block the zip instead of sending the files to the chest. Then, there should be some kind of instructions on how to proceed to put the files into the chest without changing the zip (which *is* possible BTW).

The possibility to block *is* there, but not after selecting to send to chest. Generally speaking, after a user decides to send to the chest, no additional question should be needed. But if Avast is going to change something (currently, without permission) that can't be restored to the way it was before, the "block" option (or any alternative method for that matter) should be allowed (after informing about the possible irreversible change and asking if it is acceptable).

The most simple alternative would be to send the entire zip to the chest (if the user won't accept the change that Avast should make if only sending the suspected files alone). This is only ONE alternative, and each possibility has its own pros and cons.

Currently, the only option (with no permission) is changing the zip and no real possibility to restore the files.