STEAM false positive

[jcollake]

Being both an ex-security researcher and member of current security matters (since I author PECompact, and must work with security vendors to ensure interoperability), last year I founded a site dedicated to False Positive Reporting and Resolution. I was grateful to see many vendors willingly monitor it, as they have the best of intentions. Many of their automated submission forms and such aren't always so responsible.

The goal of the site is simple transparency. Who has the biggest problems with false positives - something that can now quickly turn into a whole web site being rated 'BAD'? Who has the fewest problems? Who has the fastest resolution? Etc... It is at http://falsepositivereport.org and I encourage participation if this site is to 'take off'.

Some security vendors did dub it the 'shame and name' project, and I must admit - I kind of like that idea. After all, being a software publisher, you can imagine when the unthinkable happens and your software is called a virus or other malware by error. When it keeps happening (there are lots of vendors, after all), or when there is a delay in fixing the false positive, then it starts to become more than just an annoyance.

NONE of us envy the jobs of the security vendors, and that site is NOT about crucifying them. Keeping up with malware that is regenerated daily is near impossible. Whitelists would work, except they tend to become exclusionary programs that you must pay for. Thus, we're left where we are now. Again, user education is the best defense, as most 0-day malware will slip through most security products (else we wouldn't have much of an issue). Once malware gets installed on your PC, it is often not detectable or removable while the OS is booted. Microsoft issues patches to clean some of it up from time to time. For whatever reason, only a handful of security vendors offer 'offline scans' (not off the network, an unbooted PC). I hope more offer such in the future.

[st.John]

After Steam automatic client update process, Avast 120805-0 detects FileSystem_Steam.dll as a Win32:Malware-gen.

So ... this seems to me as a recurring problem with Steam service and Avast. Hope you can fix this since I have been happy with Avast this far... 

[Raigara]

i seem to have the same problem since i started my PC this morning. looks like im not the only one having troubles with this luckely

[SpeedyPC]

You're not the only person had the same problem I myself are on the same boat and I can tell it false positive, don't delete the file from avast chest until avast solved the issue it may take 24 hrs or less to fix the problem.

STEAM false positive: filesystem_steam.dll   File location is *:\Program Files\Steam\bin

Virus Definitions Update Version: 120805-0 already submitted the sample file to Avast through the chest section half an hour ago.

Edit: WOW! That was bloody quick the problem has been fixed just run the virus definitions update to fix the issue

[leftisthominid]

I got this message. I know it is Steam, not sure what specific file

It is running a boot scan.

Should I just update once the scan is done? Is there anything I should be worried about

[beezleb0b]

Virus Definitions Update Version: 120806-0 is reporting false positive on steam again. *sigh*

This time for Steam\tier0_s.dll , i run the steam beta client, Avast! does not play well with steam.

[DavidR]

There have been several stream updates this afternoon (4), whilst I don't know if these may be related to a fix for the detections, I would suggest that you scan those files again and see if they are still detected.

I'm not a gamer so I can't check if this corrects the detection/s.

[Simmsy]

i scanned Steam it said no threat found but when i try to open it avast blocks claiming it as a virus with the new avast update it seems avast blocks steam every time it updates

[DavidR]

The on-demand scan may not be scanning the file as it may not be present until you start the game - I don't know as I'm not a gamer, so if these files are created at the game start, then it would be the file system shield alerting.

What file is it alerting on ?

[Simmsy]

it does it on steam up or if steam is updated it comes up saying Win32.malware-gen right now steam is working but what happens when avast updates

[DavidR]

I can't answer that as I'm an avast user like yourself.

[Simmsy]

i updated avast it seems fine for now but what i think it might be is that when steam updates avast has not done a update that has the new steam update added to it data base if it happens again after avast updates it self then it something to do with the avast data base

[DavidR]

The avast database will be on signature information, now when steam updates there is a possibility that the changed file could be pinged again.

The reason for this is that no AV whitelists on file name alone as that could be absolutely anything in a malicious file of the same name. So it scans on content rather than simply on file name.

Now there is nothing to stop Steam users from adding the file name to their (avastUI > Settings > Exclusions & File System Shield > Expert Settings > Exclusions) exclusions lists. There would obviously be a limited risk in doing that as should that file become infected it wouldn't have been scanned.

Having seen some exclude the whole steam folder by using the * at the end of the path, this makes a larger hole in your security, so I believe any exclusion should be on the full path and file name not using the * wildcard.

That said, I don't know if Steam digitally sign those files or not, but if they were digitally signed I believe it would probably go a long way to their not being pinged.