Author Topic: Win95SK False Positive - FIXED! :-)  (Read 14429 times)


wallyweb

  • Guest
Win95SK False Positive - FIXED! :-)
« on: May 05, 2005, 12:39:21 AM »
I am running Windows 98SE and Avast 4.6 Home
 Vps: Already up to date
  (current version 0518-3)

I recently downloaded an update of a file that is known to be virus free. The file was created on a Linux system. It is the 49th update of a patch for a popular game. The game was originally designed for Windows 95 but it runs natively on Windows98 with or without the patch. The previous patch versions have never been an issue. These patches are used by a large group of fans of the game. The only antivirus program that finds a problem with patch 49 is Avast.

I believe this to be a false positive and have set the file to be excluded from scans. I have sent a copy of the file in to Avast to be checked.

My question is if Avast confirms that the file is virus free, how long before it will be reflected in a Vps update? Or would this be addressed by a program update? Or will it never be addressed and I'll have to keep the file excluded? If by some slim chance the file does prove to be infected with Win95 SK, will Avast let me know so that I might relay the information to the author of the patch?

« Last Edit: June 06, 2005, 11:09:22 PM by wallyweb »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win95SK
« Reply #1 on: May 05, 2005, 12:52:20 AM »
Quote from: wallyweb
My question is if Avast confirms that the file is virus free, how long before it will be reflected in a Vps update? Or would this be addressed by a program update? Or will it never be addressed and I'll have to keep the file excluded? If by some slim chance the file does prove to be infected with Win95 SK, will Avast let me know so that I might relay the information to the author of the patch?

In fact, avast! does not confirm the status of submitted files, as the number is huge and an automatic answer won't help that much.
Posting here is a good way to get answers.
The speed of response (the VPS update) varies depending on whether the virus is in-the-wild or not, the availability of the virus analyst team, etc.
False positives, if any, are not addressed by program updates but only by VPS updates.
If it is really an infected one (which does not seem so...) you can submit the file to Jotti and let us know the results, i.e., whether or not it is a false positive.
The best things in life are free.

wallyweb

  • Guest
Re: Win95SK
« Reply #2 on: May 05, 2005, 01:00:57 PM »
Quote from: Lisandro
If it is really an infected one (which does not seem so...) you can submit the file to Jotti and let us know the results, i.e., whether or not it is a false positive.
Results:
File: ttdpatchw.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning (Not on their system, but my Avast still warns!), the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 879cc92dedc4179b471a703904eee4ab
Packers detected: UPX
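
The two facts the report above turns on, the file's digest and the presence of a runtime packer, can be checked locally. The following is an added example, not part of any post in this thread: it reads the PE section table and flags UPX's default section names. The function names and the header-only sample built by `make_sample` are constructed for illustration.

```python
import hashlib
import struct

def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        raise ValueError("no PE header (plain DOS program or truncated file)")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                      # first section header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                              # 40 bytes per header
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(data: bytes) -> dict:
    """Collect the digest and packer hints a multi-scanner report shows."""
    names = pe_section_names(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),       # same digest type Jotti prints
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": names,
        # UPX0/UPX1 are UPX's default section names; they can be renamed, so
        # False here does not prove the file is unpacked.
        "upx_sections": any(n.startswith("UPX") for n in names),
    }

def make_sample(section_names) -> bytes:
    """Constructed header-only stub for the demo; not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    body = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + body

if __name__ == "__main__":
    for label, stub in (("packed", make_sample(["UPX0", "UPX1", ".rsrc"])),
                        ("plain", make_sample([".text", ".data", ".rsrc"]))):
        print(label, triage(stub))
```

Running `triage` over a flagged build and an earlier unflagged one shows whether the section layout changed between them or only the contents did.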

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Win95SK
« Reply #3 on: May 05, 2005, 01:12:02 PM »
May I ask what version of TTDpatchw.exe it is?
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11850
    • AVAST Software
Re: Win95SK
« Reply #4 on: May 05, 2005, 04:13:36 PM »
I believe it is a false alarm.
I'm afraid this one will be hard to fix, though :(

wallyweb

  • Guest
Re: Win95SK
« Reply #5 on: May 06, 2005, 12:25:22 AM »
Quote from: Dwarden
May I ask what version of TTDpatchw.exe it is?
49 ... and like all the previous patches (which don't provoke an alarm) it has UPX 1.24. But 49 was the first one to be compiled on a Linux box. The author is going to upgrade to UPX 1.25 in patch 50, so I'll keep it on my exclusions list until then.

Quote from: Igor
I believe it is a false alarm.
I'm afraid this one will be hard to fix, though

It's no longer critical. We know the file is safe. We have Avast's excellent Exclusions to use. I'm just surprised that it hasn't come up before because this can't be the only time a program with UPX 1.24 was compiled on a Linux box, can it?

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Win95SK
« Reply #6 on: May 06, 2005, 11:35:28 PM »
Quote from: wallyweb
Quote from: Dwarden
May I ask what version of TTDpatchw.exe it is?
49 ... and like all the previous patches (which don't provoke an alarm) it has UPX 1.24. But 49 was the first one to be compiled on a Linux box. The author is going to upgrade to UPX 1.25 in patch 50, so I'll keep it on my exclusions list until then.

Quote from: Igor
I believe it is a false alarm.
I'm afraid this one will be hard to fix, though

It's no longer critical. We know the file is safe. We have Avast's excellent Exclusions to use. I'm just surprised that it hasn't come up before because this can't be the only time a program with UPX 1.24 was compiled on a Linux box, can it?

You lost me, as my version is 2.0.7.80 and none of the older ones produced an alarm either ... lol
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

wallyweb

  • Guest
Re: Win95SK
« Reply #7 on: May 07, 2005, 07:47:05 AM »
Quote from: Dwarden
You lost me, as my version is 2.0.7.80 and none of the older ones produced an alarm either ... lol

Hmm ... Are we talking about the same TTDpatchw.exe? The only one I'm familiar with is the one found here and the current version is 2.0.1 alpha 49 (Windows)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Win95SK
« Reply #8 on: May 09, 2005, 04:32:00 AM »
Quote from: wallyweb
Quote from: Dwarden
You lost me, as my version is 2.0.7.80 and none of the older ones produced an alarm either ... lol

Hmm ... Are we talking about the same TTDpatchw.exe? The only one I'm familiar with is the one found here and the current version is 2.0.1 alpha 49 (Windows)

http://www.ttdpatch.net/

The files I downloaded from there ... in the file information the version says 2.0.7.80 ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

wallyweb

  • Guest
Re: Win95SK
« Reply #9 on: May 11, 2005, 12:59:43 AM »
Quote from: Dwarden
The files I downloaded from there ... in the file information the version says 2.0.7.80 ...
Ah yes ... that is the current stable version.
The one that is causing the issue is an Alpha for Windows (The DOS one is clean).
Click on "Source Code" in the menu on the left or
here is the link to the page:
http://www.ttdpatch.net/src/
The zip is "latestw.zip for Windows TTD"

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Win95SK False Positive
« Reply #10 on: May 12, 2005, 05:29:22 PM »
Ahm ... very interesting ... I see it now, and even more interesting is that only

Avast under Windows reports this infection, the Linux version does NOT!!!

I assume some sort of bug / false positive ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

wallyweb

  • Guest
Re: Win95SK False Positive
« Reply #11 on: May 12, 2005, 11:14:35 PM »
Hopefully Patch 50 is not too far away. It will be interesting to see if the issue follows.

btw ... does the Linux version use the same Vps as the Windows version?

Is it possible to scan these files with a Vps that predates May 1, 2005?

Thanks :)

Modify: Patch 50 ... same file name ... just released.
I scanned the latestw.zip using Avast 4.6 for Windows and got the same Win95: SK warning.

Anybody know what Avast 4.6 for Windows would be looking for re Win95: SK?
« Last Edit: May 13, 2005, 02:04:06 AM by wallyweb »

wallyweb

  • Guest
Re: Win95SK False Positive needs fixing
« Reply #12 on: May 15, 2005, 04:23:00 AM »
Sorry for the double post but this question really does need answering ...
It's not so much a critical issue ... just a mild headache ...

ttdpatchw.exe is a popular adjunct to the game Transport Tycoon. The patch has been available for several years and it has pretty much taken on a life of its own. It is currently into its 50th Alpha and shows no sign of stopping, with new users discovering it daily. I have been using Avast Home edition for Windows for several years and it has lived happily with all the versions of the patch that I have downloaded ... until patch 49 that is. Several other players with Avast have had the same problem ... a Win95: SK warning. Nobody has reported any issues with any other antivirus program ... As may be seen in the previous posts I have been in communication with the coder of the patch. Other than some coding changes when going to patch 49, the only difference is that for the first time, the patch was compiled on a Linux box. It was released on May 1, 2005. On the Avast side, Vps upgrades occur often. I don't remember whether there was a new one that day. Perhaps there was. Could a change in the Vps cause this issue? It has been determined that this is a false positive. The question is why as of May 1? What's different? If somebody has any suggestions, they would be greatly appreciated. Wherever the problem may lie, if it could be determined what it is, the patch's code could be revised to accommodate it and all would rest easier with no false alarms sounding. Even just a hint would be helpful.

Thank you.

MFB

  • Guest
Re: Win95SK False Positive needs fixing
« Reply #13 on: May 15, 2005, 05:25:04 AM »
Quote from: wallyweb
I am running Windows 98SE and Avast 4.6 Home
 Vps: Already up to date
  (current version 0518-3)

First, I would recommend that you update your avast! to VPS: 0519-2 ;)

wallyweb

  • Guest
Re: Win95SK False Positive needs fixing
« Reply #14 on: May 15, 2005, 12:41:26 PM »
Thanks MFB.
Thanks to Avast's excellent and seamless updating I'm already there :)

 Vps: Already up to date
  (current version 0519-2)

... and the warning still happens. :(