Author Topic: Possible false positive?  (Read 8378 times)


Offline twn321

  • Newbie
  • Posts: 7
Re: Possible false positive?
« Reply #15 on: March 08, 2013, 08:36:16 PM »
Well... Ran a boot time scan again today. And the system comes up clean this time around. Without the file ever having had anything done to it. Interesting...

Offline A. User

  • Sr. Member
  • Posts: 394
Re: Possible false positive?
« Reply #16 on: March 09, 2013, 11:23:06 AM »
Quote from: twn321 on March 08, 2013, 08:36:16 PM
Well... Ran a boot time scan again today. And the system comes up clean this time around. Without the file ever having had anything done to it. Interesting...
Maybe it's a false positive. Did you find the file? Are you sure that the file was not deleted when avast! found it? If you find the file, upload it to the avast! virus lab. How to upload files to the lab -> http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07.
« Last Edit: March 11, 2013, 06:43:55 AM by liubomirwm »
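Before a suspected false positive goes to a lab, it is worth recording the file's hashes and basic properties first, so the submission can be correlated with the scanner's report later and so there is proof the file was not altered in between. The script below is an added example, not avast! tooling; the manifest layout, the `demo()` files and the `is_pe` check are assumptions made for the illustration.

```python
"""Record what a virus-lab submission of a suspected false positive needs:
cryptographic hashes, size, and whether the file is a Windows executable.
Added example, not avast! tooling; the manifest layout is an assumption."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large sample is not loaded into RAM


def describe_sample(path: str) -> dict:
    """Hash `path` with MD5, SHA-1 and SHA-256 in a single pass and note its
    size and whether it starts with the 'MZ' marker of a PE executable."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size, head = 0, b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if not head:
                head = chunk[:2]
            size += len(chunk)
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {
        "path": os.path.abspath(path),
        "size": size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "is_pe": head == b"MZ",
    }


def build_manifest(paths: list[str], detection: str) -> str:
    """JSON manifest to send with the files: the detection name the scanner
    reported plus one record per file (field names are an assumption)."""
    records = [describe_sample(p) for p in paths]
    return json.dumps({"detection": detection, "files": records}, indent=2)


def demo() -> list[dict]:
    """Create two constructed files (an empty one and a 4-byte 'MZ' stub) in a
    temporary directory and describe them; returns the two records."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.bin")
        stub = os.path.join(tmp, "stub.exe")
        open(empty, "wb").close()
        with open(stub, "wb") as f:
            f.write(b"MZ\x90\x00")  # constructed header bytes, not a real executable
        return [describe_sample(empty), describe_sample(stub)]


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

Run it against the real path reported by the scanner (or the copy restored from the Chest) and keep the manifest with the submission; the SHA-256 is what lets you check afterwards whether the lab already classified that exact file.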

Offline A. User

  • Sr. Member
  • Posts: 394
Re: Possible false positive?
« Reply #17 on: March 10, 2013, 07:26:16 AM »
Win32:Malware-gen is a detection from the proactive part of avast! (heuristic engine, autosandbox, behaviour shield etc.). If you scanned the "infected" directory again with avast! and Malwarebytes, and they can't find anything, it is likely to be a false positive. You can scan with Hitman Pro to be sure: http://www.surfright.nl/en/hitmanpro/. Hitman Pro is a cloud anti-malware. It runs a behavioural scan and uploads the suspicious files to the Hitman Pro servers.
« Last Edit: March 11, 2013, 06:39:55 AM by liubomirwm »

Offline spywar

  • Malware Hunter
  • Poster
  • Posts: 441
Re: Possible false positive?
« Reply #18 on: March 10, 2013, 09:54:11 AM »
Quote from: A. User on March 10, 2013, 07:26:16 AM
Win32:Malware-gen is a detection from the proactive part of avast! (heuristic engine, autosandbox, behaviour shield etc.). If you scanned the "infected" directory again with avast! and Malwarebytes, and they can't find anything, it is very likely to be a false positive. You can scan with Hitman Pro to be sure: http://www.surfright.nl/en/hitmanpro/. Hitman Pro is a cloud anti-malware. It runs a behavioural scan and uploads the suspicious files to the Hitman Pro servers.
How do you know that? Any source? Win32:Malware-gen is a signature generated by automated analysis systems; ATM the behaviour shield is mostly passive, as it reports all the suspicious binaries to the virus lab (CommunityIQ).

Offline A. User

  • Sr. Member
  • Posts: 394
Re: Possible false positive?
« Reply #19 on: March 10, 2013, 11:10:01 AM »

Offline spywar

  • Malware Hunter
  • Poster
  • Posts: 441
Re: Possible false positive?
« Reply #20 on: March 10, 2013, 11:16:07 AM »
Quote from: A. User on March 10, 2013, 11:10:01 AM
Take a look here: http://www.im-infected.com/trojan/win32malware-gen.html :)
This is not from Avast ... ::)
It's mostly a signature generated by an automated analysis system (like Win32:Rootkit-Gen, Win32:Dropper-Gen or Win32:Trojan-Gen). They are added very quickly; I can submit an undetected sample from a program and 2 hours later it gets detected with one of these signatures.

Offline A. User

  • Sr. Member
  • Posts: 394
Re: Possible false positive?
« Reply #21 on: March 10, 2013, 11:33:15 AM »
OK, then we need to help twn321 get rid of this. He said that he can't find it in the "stdole" directory or in the virus chest. Do you think that avast! has deleted the threat, or is he still infected?

Offline spywar

  • Malware Hunter
  • Poster
  • Posts: 441
Re: Possible false positive?
« Reply #22 on: March 10, 2013, 11:36:47 AM »
Quote from: A. User on March 10, 2013, 11:33:15 AM
OK, then we need to help twn321 get rid of this. He said that he can't find it in the "stdole" directory or in the virus chest. Do you think that avast! has deleted the threat, or is he still infected?
Avast! never deletes a file unless the user chose "Delete" instead of "Move to Chest" or deleted it from the virus Chest ...

Offline Cluster-Lizard

  • Jr. Member
  • Posts: 98
Re: Possible false positive?
« Reply #23 on: March 11, 2013, 04:26:40 AM »
So has this Win32: Malware-gen thing been confirmed as a real threat or a false positive?

I'm still suspicious of it, but I've had three different files being reported as Win32: Malware-gen by Avast, and only using boot time high sensitivity scans. I used Avast's delete option to get rid of the first reported problem, which was a file in my Restore Points folder. A new boot time scan afterwards was clean.

That was last weekend. This weekend I did another boot time scan and very quickly up came another case, this time in my Docs & Settings > All Users > Application Data folder. This time I sent it to the virus chest. Later that day I did another boot time scan and there was another reported Win32: Malware-gen this time again in the Restore Points folder but a different file from the previous deleted case.

As I knew where it was, I found the folder and used both Spybot and then Malwarebytes to scan the folder. They reported nothing. I then tried a Quick Avast scan and that, which like the Full System scan I'd also done had shown up nothing previously with this or the earlier 'infections', was now also reporting the file as a virus.

Again I put it in the virus chest, repeated a boot time scan (clean), Quick scan (clean) and a full system Malwarebytes scan (clean). This morning I did a boot time scan at Normal sensitivity and that came out clean too.

That's where I am at, but now I'm no longer sure what to trust and not looking forward to doing a boot time scan at highest sensitivity in case it throws up another Win32: Malware-gen report somewhere else.

I thought I'd check

Offline A. User

  • Sr. Member
  • Posts: 394
Re: Possible false positive?
« Reply #24 on: March 11, 2013, 07:02:25 AM »
Quote from: spywar on March 10, 2013, 11:16:07 AM
Take a look here: http://www.im-infected.com/trojan/win32malware-gen.html :)
This is not from Avast ... ::)
It's mostly a signature generated by an automated analysis system (like Win32:Rootkit-Gen, Win32:Dropper-Gen or Win32:Trojan-Gen). They are added very quickly; I can submit an undetected sample from a program and 2 hours later it gets detected with one of these signatures.
If it is signature-based then it looks like it's not a false positive. But there is still a minimal chance of it being a false positive.
« Last Edit: March 11, 2013, 07:07:22 AM by liubomirwm »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 84886
  • No support PMs thanks
Re: Possible false positive?
« Reply #25 on: March 11, 2013, 03:28:04 PM »
The Win32:Malware-gen or Win32:Trojan-gen are generic signatures (the -gen at the end), which are designed to detect multiple variants of the same malware type. This is why you see them on different files and variants, so it isn't a single signature detecting a single piece/variant of malware.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
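To make the generic-signature point above concrete, here is an added Python example (not avast!'s detection engine; the hex pattern syntax, the `Toy:Malware-gen` name and every sample byte string are constructed for the illustration): one wildcard byte pattern matches two different "variants" and also a benign file that happens to share the same code prologue, which is how a single `-gen` name shows up on unrelated files and, occasionally, on a false positive.

```python
"""Why one generic ("-gen") signature fires on several different files.
Added example, not avast! code: the hex pattern syntax, the signature name
and every sample below are constructed for the demonstration."""
from __future__ import annotations

import re


def compile_signature(pattern: str) -> re.Pattern[bytes]:
    """Turn a space-separated hex pattern into a bytes regex.
    Fixed bytes must match exactly; '??' matches any single byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' also matches 0x0A


# Hypothetical family signature: CALL with a variable 4-byte offset, then
# POP EBP / SUB EBP, imm32 (a "find my own address" prologue). The call
# target differs per variant, so those four bytes are wildcarded.
SIGNATURES = {
    "Toy:Malware-gen": compile_signature("E8 ?? ?? ?? ?? 5D 81 ED"),
}


def scan(data: bytes) -> list[str]:
    """Names of every generic signature that matches `data` (empty = clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a batch of files and report which signature names hit on each."""
    return {name: scan(data) for name, data in samples.items()}


# Constructed samples (not real files). Two "variants" differ in the
# wildcarded bytes and in their payload; the benign stub reuses the same
# prologue (a false positive); the clean file contains none of it.
VARIANT_A = b"MZ\x90\x90\x90\x90\xE8\x00\x00\x00\x00\x5D\x81\xED\x05\x10\x40\x00" + b"\x00" * 8
VARIANT_B = b"MZ\x90\x90\x90\x90\xE8\x12\x34\x56\x00\x5D\x81\xED\x05\x10\x40\x00" + b"\xCC" * 8
BENIGN_STUB = (b"MZ" + b"This program cannot be run in DOS mode"
               + b"\xE8\x00\x00\x00\x00\x5D\x81\xED\x00\x20\x40\x00")
CLEAN = b"MZ" + b"\x90" * 20

SAMPLES = {
    "variant_a.exe": VARIANT_A,
    "variant_b.exe": VARIANT_B,
    "benign_packer_stub.exe": BENIGN_STUB,
    "clean.dll": CLEAN,
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:24} {hits or 'clean'}")
```

The three hits carry the same name even though the files differ, which is exactly the behaviour the post describes; the benign stub shows why a second engine with its own, different signatures (the re-scan advice earlier in the thread) is a useful cross-check before treating a `-gen` hit as confirmed.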