Author Topic: How do I know if this is a false positive if...

rhyme-time

  • Guest
How do I know if this is a false positive if...
« on: December 30, 2013, 12:58:49 PM »
Hi, avast! file system shield told me a virus was found:

Object: C:\Program Files(86)\Fashion Toolbox\english.dll

Infection: Wind32:Evo-gen [Susp]

Process: C:\Windows\System32\runddll32.exe

I did "Move to Chest" but it kept popping up every second until I did "Delete".
It's strange because it's from a program I've had there for ages but I haven't used it in ages! I was using the computer today, left it for a few minutes, came back and avast! told me this.

So I deleted it, does avast! make a log of files detected by real-time scanner?

How can I tell if this was a false positive... even though I've never had an issue before and haven't used this program for ages and I deleted that file?
If it is an infection, how do I know if it's gone? I've done a full scan with Malwarebytes and SUPERAntiSpyware and they don't detect anything. I am doing a full scan with avast! now...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: How do I know if this is a false positive if...
« Reply #1 on: December 30, 2013, 01:24:10 PM »
Quote
Wind32:Evo-gen [Susp] 
Susp = suspicious... so not a virus yet

Suspicious files can be tested here: www.virustotal.com / www.metascan-online.com / www.jotti.org


rhyme-time

  • Guest
Re: How do I know if this is a false positive if...
« Reply #2 on: December 30, 2013, 02:04:44 PM »
So I'm guessing I'll never know since I deleted it...
But the thing is, I have not used that program in months, then all of a sudden a file from its folder is being flagged as suspicious when I have not touched it...?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: How do I know if this is a false positive if...
« Reply #3 on: December 30, 2013, 02:25:52 PM »
Hello,
send the file to virus@avast.com and put "False positive" in the email subject.

Milos

NoelC

  • Guest
Re: How do I know if this is a false positive if...
« Reply #4 on: December 30, 2013, 05:38:02 PM »
So I'm guessing I'll never know since I deleted it...
But the thing is, I have not used that program in months, then all of a sudden a file from its folder is being flagged as suspicious when I have not touched it...?

There are two possibilities:

1.  It was malware all along but the antivirus tool just got improved and now detects it where it did not before.

2.  It is a false positive.

Unfortunately, it seems like this particular "Infection: Wind32:Evo-gen [Susp]" is happening all too often (you're not alone), at least some of the time on legitimate files, and it really underscores Avast's inability to deal with false-positives very well.

As it is, by deleting a module from your Fashion Toolbox application, you may well have broken it.

One possibly better approach to dealing with a false positive on that particular file - if you're fairly sure it's legitimate - is to exclude the folder that contains it from Avast scanning.  That's a bit extreme, but it will allow you time to both report the false positive and continue working without further interruptions - and without destroying the viability of your program by deleting a portion of it. 

I have been through EXACTLY this scenario with this particular "Win32:Evo-gen [Susp]" detection (though not with Fashion Toolbox).  A few weeks after having reported it I found it was no longer being falsely detected in the particular files I use and I could remove the folder exclusion.

It's also possible turning down one or some of the sensitivity settings would reduce the chances of this particular false positive, but I don't know which settings that would be.

-Noel

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: How do I know if this is a false positive if...
« Reply #5 on: December 30, 2013, 06:08:12 PM »
Quote
It's also possible turning down one or some of the sensitivity settings would reduce the chances of this particular false positive, but I don't know which settings that would be. 
To my knowledge you can not adjust this...
It is an on-access detection only and it checks for similarity in behavior to known malware

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: How do I know if this is a false positive if...
« Reply #7 on: December 30, 2013, 06:31:21 PM »
@ OP  See this http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

@ Pondus  Thanks I tried to find that article...but couldn't. Now bookmarked.  8)
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

jwoods301

  • Guest
Re: How do I know if this is a false positive if...
« Reply #8 on: December 30, 2013, 08:23:35 PM »
Hi, avast! file system shield told me a virus was found:

Object: C:\Program Files(86)\Fashion Toolbox\english.dll

Infection: Wind32:Evo-gen [Susp]

Process: C:\Windows\System32\runddll32.exe

I did "Move to Chest" but it kept popping up every second until I did "Delete".
It's strange because it's from a program I've had there for ages but I haven't used it in ages! I was using the computer today, left it for a few minutes, came back and avast! told me this.

So I deleted it, does avast! make a log of files detected by real-time scanner?

How can I tell if this was a false positive... even though I've never had an issue before and haven't used this program for ages and I deleted that file?
If it is an infection, how do I know if it's gone? I've done a full scan with Malwarebytes and SUPERAntiSpyware and they don't detect anything. I am doing a full scan with avast! now...

Another check is to upload and scan the "infected" file on VirusTotal.com and see what the result is...

https://www.virustotal.com/en/
« Last Edit: December 30, 2013, 08:25:22 PM by jwoods301 »
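
The VirusTotal check recommended in Reply #1 and Reply #8, as an added example that is not part of this thread or of Avast: it hashes the suspect file and looks the SHA-256 up in VirusTotal's v3 `/files/{hash}` endpoint (which needs a free API key, assumed here in the `VT_API_KEY` environment variable) before resorting to an upload, then reads the `last_analysis_stats` counts to separate a lone heuristic "Susp" hit from a real consensus. The verdict thresholds and the sample report are this example's own constructions.

```python
import hashlib, json, os, sys, urllib.request, urllib.error

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_chunks(chunks):
    """Hash an iterable of byte chunks so large DLLs can be streamed."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(1 << 20), b""))


def summarize_report(report):
    """Return (malicious, suspicious, total engines) from a v3 file report."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    keys = ("malicious", "suspicious", "undetected", "harmless")
    total = sum(stats.get(k, 0) for k in keys)
    return stats.get("malicious", 0), stats.get("suspicious", 0), total


def verdict(malicious, suspicious, total):
    """Plain-language reading of the ratio; thresholds are assumptions."""
    if total == 0:
        return "no engine results"
    if malicious == 0 and suspicious <= 2:  # one heuristic hit, rest clean
        return "likely false positive: report it, keep it quarantined until confirmed"
    if malicious >= 5:  # several independent engines agree
        return "likely malicious: leave it in quarantine"
    return "inconclusive: upload for a full scan or get a second opinion"


def lookup(sha256, api_key):
    """Query by hash; None means VirusTotal has never seen this file."""
    req = urllib.request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed sample: one engine flags the file as suspicious, 52 call it clean.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats":
                 {"malicious": 0, "suspicious": 1, "undetected": 52, "harmless": 0}}}}

if __name__ == "__main__":
    digest = sha256_of_file(sys.argv[1])
    rep = lookup(digest, os.environ["VT_API_KEY"])
    print(digest, "unknown to VirusTotal" if rep is None else verdict(*summarize_report(rep)))
```

Run it as `python vtcheck.py <restored-file>`; a 404 is the signal that only an upload (and the vendor report Milos asked for) can answer the question.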

Randissimo

  • Guest
Re: How do I know if this is a false positive if...
« Reply #9 on: January 01, 2014, 04:13:04 PM »
I did "Move to Chest" but it kept popping up every second until I did "Delete"
The exact same bug has occurred to me on Windows 8 x64 while I've had no such problems with Windows 7 x64. Would be interesting to see whether it might be a specific OS bug or not.
Anyways, I had installed Avast 8 for a little while again, because it had got me rid of the bug and had given at least control over suspicious files, however, since it wouldn't have helped me against false positives if they had been rated as "virus" and the chest would have been buggy in reporting download URLs, I've simply switched to another AV solution.

In my opinion, no AV should ever need to exclude whole folders or even have to be turned (temporarily) off. I don't know how tolerant others are, but if you're unsatisfied with a specific program don't hesitate and search for other options. There's no better way to tell the developers you don't agree with their direction of the program than to stop using it.
However, if the majority can deal with it and the forumers will stay as some kind of cult as "Evangelists" (yes, I'm aware it's just a title reaching for a lot of postings, but that doesn't make it look less stupid in my eyes) preaching how good Avast is or how well they're managing with it, then nothing will change.
It's up to the individual whether you want to give a clear sign to have the developers change their program to your liking or to adapt to every change they make and to deal with it, regardless of how bad you think it has become.

« Last Edit: January 01, 2014, 04:46:02 PM by Randissimo »

RF

  • Guest
Re: How do I know if this is a false positive if...
« Reply #10 on: January 02, 2014, 02:48:45 AM »
Win32/Evo-gen is a false positive. I've seen the same question raised elsewhere in these forums and have had this happen to me as well in V.8 Free. Avast apparently can't (or won't) correct it. The best solution IMO is to restore the affected file from quarantine and then exclude it from scanning.

I think it's in Avast's best interests to fix this because over time users will come to regard false positives as the norm, and disregard due diligence in evaluating actions taken by the program.