Author Topic: False positive on logonui.exe windows file?  (Read 2822 times)

Offline xninjagrrl

  • Newbie
  • *
  • Posts: 3
False positive on logonui.exe windows file?
« on: November 16, 2012, 01:09:32 PM »
Within an hour of installing Avast free, I go to shut down my XP machine and get an Avast pop-up alerting me to a potentially suspicious file named logonui.exe.
The pop-up was saying it could be nothing but due to 'low prevalence' it could be something of concern. I googled it and it appears to be a normal Windows system file as it was in the windows\systems32 folder where it should be. It also seems every Windows computer has this file. I guess it was a false positive but if this file is on every Windows machine, then why is Avast telling me they never heard of this file before and to be cautious? That's not how it was worded but I didn't take a screenshot; Avast used the term "due to the low prevalence" of this file. I went ahead and let logonui.exe do its thing but from my googling I would have been screwed if I quarantined or deleted it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive on logonui.exe windows file?
« Reply #1 on: November 16, 2012, 01:23:05 PM »
Send the file to www.virustotal.com and post back the link of the results.
The best things in life are free.

Offline xninjagrrl

  • Newbie
  • *
  • Posts: 3
Re: False positive on logonui.exe windows file?
« Reply #2 on: November 16, 2012, 02:41:16 PM »
https://www.virustotal.com/file/032b6d1f541f180a2fe619664ef180d3fd748aef7e311ba925fced74e7ed4713/analysis/1353073088/

Thanks. I am convinced it's not a virus but it's weird that Avast wouldn't know this.
« Last Edit: November 16, 2012, 02:47:18 PM by xninjagrrl »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83750
  • No support PMs thanks
Re: False positive on logonui.exe windows file?
« Reply #3 on: November 16, 2012, 02:55:35 PM »
What was the full text of the alert, as 'potentially suspicious file' for me is not a certain infected file (given that avast doesn't detect it in the VT results either)?

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update. A link to this topic wouldn't hurt.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False positive on logonui.exe windows file?
« Reply #4 on: November 16, 2012, 03:03:33 PM »
https://www.virustotal.com/file/032b6d1f541f180a2fe619664ef180d3fd748aef7e311ba925fced74e7ed4713/analysis/1353073088/

Thanks. I am convinced it's not a virus but it's weird that Avast wouldn't know this.
Seems clean. I'll report a possible false positive.
The best things in life are free.
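
Added example, not part of any post in this thread: before restoring a flagged file or excluding it from scanning, it helps to confirm that the copy on disk is byte-for-byte the file the VirusTotal report describes. The sketch below assumes the permalink format seen in this thread (/file/<sha256>/analysis/<time>/); the function names are hypothetical.

```python
import hashlib
import re
import sys

# Permalink shape as posted in this thread: /file/<sha256>/analysis/<unix time>/
VT_PERMALINK = re.compile(r"/file/([0-9a-fA-F]{64})/analysis/(\d+)/?$")


def parse_vt_permalink(url):
    """Return (sha256_hex, scan_time) taken from a permalink of the shape above."""
    match = VT_PERMALINK.search(url.strip())
    if match is None:
        raise ValueError("not a /file/<sha256>/analysis/<time>/ permalink")
    return match.group(1).lower(), int(match.group(2))


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def same_file_as_report(path, url):
    """True only if the local file's SHA-256 equals the hash named in the permalink."""
    expected, _scan_time = parse_vt_permalink(url)
    return sha256_of(path) == expected


if __name__ == "__main__":
    # Usage: python check_vt.py <path to file> <VirusTotal permalink>
    if len(sys.argv) != 3:
        sys.exit("usage: check_vt.py <file> <permalink>")
    if same_file_as_report(sys.argv[1], sys.argv[2]):
        print("match: the report describes this exact file")
    else:
        print("MISMATCH: the report is for a different file; do not rely on it")
        sys.exit(1)
```

A match only shows that the report and the local file are the same bytes; whether the file is clean is still decided by the scan results and the vendor's analysis.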