Topic: Excessive false positives

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Excessive false positives
« on: May 27, 2013, 05:02:23 AM »
I have been using Avast for over 7 years and have found it to be pretty good compared to other anti-virus solutions out there. I use it on multiple systems daily and even used to pay for it before all the useful stuff became completely free. One thing I have noticed lately that is different from the past 7 years is that the number of false positives seems to be through the roof. It seems that Avast has a fear of just about every zip or self extracting exe, or even just exe files in general. It's starting to get tedious and I fear that it will foster complacency because it is getting to the point that I cannot go a full day without Avast blocking me from doing something legitimate. I wonder if this is where the software is heading (excessive paranoia), or a temporary blip on the radar of smooth sailing.

In the meantime I'll keep filling out the false positive reports and hope that Avast pay attention to them.

Offline Aventador

  • Poster
  • *
  • Posts: 622
Re: Excessive false positives
« Reply #1 on: May 27, 2013, 05:10:41 AM »
Well whatever programs you are using are obviously out of the ordinary. I have ALL of Avast's shields set to high and still have never received one false positive. As a matter of fact Avast has recently scored very well in AV Comparatives' false positive test.

http://chart.av-comparatives.org/chart1.php

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #2 on: May 27, 2013, 05:15:32 AM »
Yeah obviously...  :o  ???

My last Avast virus warning was September 2011, but I have had almost 20 since the start of April this year. So I guess I just started using weird applications 2 months ago... Uh I think not. I'm doing the same stuff I have always been doing.


Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #3 on: May 27, 2013, 05:23:15 AM »
I'll add that most (if not all) of the false positives seem to be reported as "Win32:Evo-gen [Susp]" virus.

Offline Aventador

  • Poster
  • *
  • Posts: 622
Re: Excessive false positives
« Reply #4 on: May 27, 2013, 05:24:40 AM »
So exactly what type of software are you using that generates these false positives? Do you have a Virustotal link to show that these files are not malicious?

http://forum.avast.com/index.php?topic=121661.0

http://www.im-infected.com/virus/win32evo-gen-susp.html

Doesn't seem like a false positive to me. Sounds like you're infected.
« Last Edit: May 27, 2013, 05:35:14 AM by Aventador »

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #5 on: May 27, 2013, 05:44:54 AM »
I'm not sure what a "Virustotal link" is, but I know that in all the cases of recent Avast intervention that the applications/files are safe.

Some of the files flagged recently on my system are nothing more than self-extracting executables. Others are small executable files (either old or new). Most have existed on my machine for years and others are newer.

Here's a mainstream one though. The Java 7 installer.
avast! [ASUSP9X79]: File "C:\Users\<UserName>\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe|>[UPX]" is infected by "Win32:Evo-gen [Susp]" virus.
"File System Shield" task used
Version of current VPS file is 130404-0, 04/04/2013

This was the first false positive in the current series.

As an aside, I work for a software company and the Avast auto-sandbox totally annihilates our installation process (which requires several small executables to run elevated for licensing and other administrative steps), but I usually don't run the auto-sandbox, so that is not what I am writing about here; it's just the same kind of paranoid behavior from the heuristic detection.

I did some googling and am seeing a pattern; it seems that something changed in the last few months to increase the incidence of these false positives (typically all Win32:Evo-gen [Susp]). Now if using one's computer to do more than surf the web, send e-mail and play games is considered different to the mainstream, then I guess I fall into that category (although I do those other three things too).

Offline Aventador

  • Poster
  • *
  • Posts: 622
Re: Excessive false positives
« Reply #6 on: May 27, 2013, 09:22:47 AM »
So you work for a business using Avast Free? You cannot do that. Avast Free is for home users only. Virustotal is a website to verify whether a file is malicious or not.
Java 13 is also out of date. Java 13 is back from February. The current version of Java is 21. There have been HUGE problems and vulnerabilities found in Java. Update to Java 21 and your false positive will cease. Clean out your temp files also.

https://www.virustotal.com/en/

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
« Last Edit: May 27, 2013, 09:50:38 AM by Aventador »

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #7 on: May 27, 2013, 11:24:29 AM »
<soapbox>So you work for a business using Avast Free? You cannot do that. Avast Free is for home users only.</soapbox>

Is it possible to talk about the current topic without being preached at? I always feel like when I come on to a forum like this to discuss something it ends up being a pissing match between the forum's self-proclaimed uber-nerds and real users with real issues. That said, yes I have a job, and yes my work computers have paid A/V software. My home computers, however, run Avast free. Like I said before I used to pay for it when the stuff I needed had a price tag attached, but I'm not inclined to pay for fluff and that is all Avast currently seem to charge for.

>> Virustotal is a website to verify if a file is malicious or not. <<
OK, thanks. In my case I am certain the files are fine; they are either published by well known publishers or they are published by official organizations (US govt) or my own company (the one I work for, not the one I own).

>> Java 13 is also out of date. Java 13 is back from February. The current version of Java is 21. <<
Pretty sure it's Java v7, unless you are talking about the update number. In any case that was the message back in April and it was current at that time since I remember hitting the Avast message at the time I was downloading it directly.

>> The current version of Java is 21. There has been HUGE problems and vulnerabilities found in Java. Update to Java 21 and your false positive will cease. <<
I try to keep the systems that are running Java up to date; this was just a relic from a download a couple of months ago. I pulled that Avast message from e-mail archive. The Avast message/interaction has ceased for that file since it's not on my system anymore. I'm not surprised that Java has huge problems; personally I think it's a mess, but I needed it for a game that my kids run.

Thanks for taking the time to respond to my post. I noticed that Avast responded to one of my false positive reports today saying that it will be fixed, but I have submitted more than one.

Whilst I have your attention, do you know anything about how the heuristics work in Avast? i.e., for a false positive do they just add the specific binary signature/hash/whatever to a white-list, or do they review/modify the heuristic algorithm? It would be nice to know that the Java heuristic trigger and the one I just reported help the overall robustness of the heuristic rather than just building upon a white-list of known safe files. The latter approach will of course be a never ending exercise.
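Two things in this thread lend themselves to a worked example: the avast! alert lines quoted in Reply #5 and Reply #13, and the question just above about whether a false positive is handled by a hash white-list or by tuning the heuristic. The script below is an added example for triaging such alerts on the user's side; it is not avast's code and not code from any poster. It parses the alert line format as quoted in the thread (host, path, the `|>[UPX]` / `|>[Emul]` unpacker tag, detection name), flags generic or heuristic verdicts for review, and checks the file's SHA-256 against a local allowlist, which is exactly the "hash white-list" approach the question describes and which, as the poster notes, has to be maintained forever. The `GENERIC_MARKERS` list, the `BUILDBOX` host name and the stand-in file are assumptions constructed for the demonstration.

```python
import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter

# Pattern for the avast! alert lines quoted in this thread, e.g.
#   avast! [HOST]: File "C:\path\tool.exe|>[UPX]" is infected by "Win32:Evo-gen [Susp]" virus.
# The optional "|>[UPX]" / "|>[Emul]" suffix names the unpacker or emulator
# that produced the verdict, so it is captured separately from the path.
ALERT_RE = re.compile(
    r'avast! \[(?P<host>[^\]]+)\]: File "(?P<path>[^"|]+)'
    r'(?:\|>\[(?P<unpacker>[^\]]+)\])?" is infected by "(?P<detection>[^"]+)" virus\.'
)

# Assumption: substrings that mark a generic/heuristic verdict rather than a named family.
GENERIC_MARKERS = ("-gen", "[Susp]", "[Heur]")


def parse_alert(line):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["generic"] = any(mk in fields["detection"] for mk in GENERIC_MARKERS)
    return fields


def sha256_file(path):
    """SHA-256 of a file, or None when the file is gone (e.g. already quarantined or deleted)."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(lines, allowlist, hasher=sha256_file):
    """Classify each alert as known-good (hash on the allowlist), review (generic verdict,
    file not yet vetted) or named (a specific family verdict, treat as real until proven otherwise)."""
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # task/VPS lines and other noise
        a["sha256"] = hasher(a["path"])
        if a["sha256"] and a["sha256"] in allowlist:
            a["status"] = "known-good"
        elif a["generic"]:
            a["status"] = "review"
        else:
            a["status"] = "named"
        results.append(a)
    return results


def detection_counts(results):
    """Tally verdict names so a sudden spike of one generic name stands out."""
    return Counter(r["detection"] for r in results)


def demo():
    """Constructed demonstration: the two alert lines quoted in the thread plus one for a file we create."""
    tmpdir = tempfile.mkdtemp()
    good_path = os.path.join(tmpdir, "setup_helper.exe")  # constructed stand-in, not a real binary
    with open(good_path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in for a known-good installer helper")
    allowlist = {sha256_file(good_path)}  # the "white-list of known safe files" from the question
    lines = [
        'avast! [ASUSP9X79]: File "C:\\Users\\<UserName>\\AppData\\Local\\Temp\\jre-7u13-windows-i586-iftw.exe|>[UPX]" is infected by "Win32:Evo-gen [Susp]" virus.',
        '"File System Shield" task used',
        'avast! [WHAR-XPS420]: File "c:\\windows\\syswow64\\kernel32.dll|>[Emul]" is infected by "Win32:Cycbot-KI [Trj]" virus.',
        f'avast! [BUILDBOX]: File "{good_path}" is infected by "Win32:Evo-gen [Susp]" virus.',
    ]
    try:
        return triage(lines, allowlist)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    results = demo()
    for r in results:
        print(r["status"], r["detection"], r["path"], r["unpacker"], r["sha256"])
    print(detection_counts(results))
```

The allowlist only recognises a file whose exact bytes were vetted before; the next build of the same installer gets a new hash and is back to "review", which is the never ending exercise the question anticipates. The "review" bucket is where to collect samples before sending them to the vendor with the hash as the reference.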
Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Excessive false positives
« Reply #8 on: May 27, 2013, 12:18:46 PM »
Guys, send the false positive files to virus@avast.com via e-mail with the subject "false positive".

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #9 on: May 27, 2013, 12:28:48 PM »
I have been using http://www.avast.com/contact-form.php or the software itself.

Offline Aventador

  • Poster
  • *
  • Posts: 622
Re: Excessive false positives
« Reply #10 on: May 27, 2013, 12:52:42 PM »
Java 7 Version 21. A link is provided. The version being detected is Java 7 version 13 from your statement. If that's the case then update to Java 7 version 21.

Offline mad dog

  • Newbie
  • *
  • Posts: 1
Re: Excessive false positives
« Reply #11 on: May 27, 2013, 03:59:18 PM »
I have also been using free Avast for many years, always been the perfect answer for me! I've used it on w9x, wXP, and w7, absolutely no problems!

Then recently it's beginning to become a complete pain in the ass! Popping false positives on anything and everything. Even the simplest of known good programs! I suggest that Avast consider looking into their recent revisions/updates because otherwise they are going to lose paying customers!

Quote
It seems that Avast has a fear of just about every zip or self extracting exe, or even just exe files in general. It's starting to get tedious and I fear that it will foster complacency because it is getting to the point that I cannot go a full day without Avast blocking me from doing something legitimate. I wonder if this is where the software is heading (excessive paranoia), or a temporary blip on the radar of smooth sailing.

I agree totally! I've been programming for years in vb, devC, MSVC, MSVC++, Delphi, and ASM, and only once can remember a false positive triggered by one of my programs! But lately I can hardly compile or execute a couple of lines (in various languages) without avast coming up with false positives, and not allowing the exe file to run...

Yes Win32:Evo-gen is the most common warning, and the exe files are clean, I can guarantee it!

Didn't come here to start a war. Either avast gets mended or I'll stop using it, and stop recommending it...

Oh yes, it's NOT the java responsible! Already have the latest installed:
Your Java configuration is as follows:
 Vendor: Oracle Corporation
 Version: Java SE 7 Update 21
 Operating System: Windows 7 6.1
 Java Architecture: 32-bit

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #12 on: May 27, 2013, 04:58:05 PM »
Quote
Java 7 Version 21. A link is provided. The version being detected is Java 7 version 13 from your statement. If that's the case then update to Java 7 version 21.
Thanks, but that Avast message about Java is an old one from the start of April. I was just using it to illustrate the type of false positive I have been seeing.

Offline Abdul69

  • Jr. Member
  • **
  • Posts: 34
Re: Excessive false positives
« Reply #13 on: May 27, 2013, 05:04:21 PM »
Quote
I have also been using free Avast for many years, always been the perfect answer for me! I've used it on w9x, wXP, and w7, absolutely no problems!

Then recently it's beginning to become a complete pain in the ass! Popping false positives on anything and everything. Even the simplest of known good programs!

That's pretty much my experience too. Great for years, now all of a sudden (early this year) getting a number of false positives. The most recent one I had prior to this current batch was in 2011 when Avast pegged kernel32.dll in syswow64 as a virus! That one caused all sorts of problems I am sure people will remember.

avast! [WHAR-XPS420]: File "c:\windows\syswow64\kernel32.dll|>[Emul]" is infected by "Win32:Cycbot-KI [Trj]" virus.
"Full system scan" task used
Version of current VPS file is 110924-1, 09/25/2011

Then after that not a single virus alert until April this year for me, and now almost 20 since then.

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6800
  • volunteer
Re: Excessive false positives
« Reply #14 on: May 27, 2013, 05:17:43 PM »
Quote
I have also been using free Avast for many years, always been the perfect answer for me! I've used it on w9x, wXP, and w7, absolutely no problems!

Then recently it's beginning to become a complete pain in the ass! Popping false positives on anything and everything. Even the simplest of known good programs!

That's pretty much my experience too. Great for years, now all of a sudden (early this year) getting a number of false positives. The most recent one I had prior to this current batch was in 2011 when Avast pegged kernel32.dll in syswow64 as a virus! That one caused all sorts of problems I am sure people will remember.

avast! [WHAR-XPS420]: File "c:\windows\syswow64\kernel32.dll|>[Emul]" is infected by "Win32:Cycbot-KI [Trj]" virus.
"Full system scan" task used
Version of current VPS file is 110924-1, 09/25/2011

Then after that not a single virus alert until April this year for me, and now almost 20 since then.

We need that file.

You can send the file via email to the avast lab:
virus@avast.com
Put "false positive" in the email subject.