Topic: Avast-check: "NO THREAT FOUND" if you run it: VIRUS (FileRepMetagen [Rtk])


Anacunga:
What kind of behaviour is that: go and download the latest FreeDownloadManager 3.9.3 (12.01.2014 - 18:21) from http://files.freedownloadmanager.org/fdminst.exe and then run an avast check after having downloaded it (NO THREAT FOUND), and then run it; and you will get VIRUS FOUND:

Object: fdminst.tmp
Infection: FileRepMetagen [Rtk]
Process: fdminst.exe

The question now is: why is there no virus found at check, but a virus at run ... and how to install FDM without being totally unprotected, as the only solution would be to disable protection during install, and that cannot be the solution!
« Last Edit: March 06, 2014, 10:52:34 PM by Anacunga »

Milos (Avast team):
Hello,
it should be fixed.

Milos

RejZoR:
It is a false positive by itself, but in general, FileRep detections only work On-Execute and not On-Access.

Anacunga:
RejZoR wrote: "It is a false positive by itself, ..."
That was to be assumed ... and that was only one of the problem areas (even if I may have stated that a bit too strongly).

RejZoR wrote: "... but in general, FileRep detections only work On-Execute and not On-Access."
Is that really intended? If that is the case, FileRep might be really questionable, as not only is avast "looking inside archives" (and installers are usually "packed into archives"), but FileRep is mostly a "lookup in a big database" (and not about "preventing something disallowed from happening at runtime"); see also here the description of how FileRep functions. A "lookup protection" should work on any access (and not only on execute), whereas it seems obvious that a "behaviour protection" (one that would prevent disallowed operations) can only react on execute.

RejZoR:
This is by design, to make things difficult for malware writers. To end users it doesn't change all that much, as you'd run the file anyway if needed, and it would get caught then.
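The following is an added example, not code from the original thread and not Avast's FileRep implementation. It models the two points discussed above in a simplified way: a reputation lookup is keyed by the hash of the object that is about to execute, so hashing the outer installer (what an on-demand scan sees) finds nothing, while the payload the installer unpacks at run time (fdminst.tmp in the first post) does match once it exists as its own file. The same extraction logic also answers the first post's question of how to inspect an installer without running it: unpack its members in memory and look them up before execution. The installer layout (a stub followed by a ZIP archive), the payload bytes and the reputation entry are all constructed for this example.

```python
"""Simplified model of on-access vs. on-execute reputation lookups.

Constructed example, not Avast code.  A fake installer is a stub prefix
followed by a ZIP archive carrying the real payload (compare fdminst.exe
unpacking fdminst.tmp at run time).  The reputation list is keyed by the
SHA-256 of the *executed* object, so hashing the outer installer never
matches; the inner payload matches only once it has been unpacked.
"""
import hashlib
import io
import zipfile
from typing import Dict, Optional

# Constructed payload; it is not malware and not the real fdminst.tmp.
PAYLOAD_NAME = "fdminst.tmp"
PAYLOAD = b"MZ" + b"\x00" * 62 + b"payload body: constructed sample\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical reputation database: hash -> verdict string.
REPUTATION = {sha256(PAYLOAD): "FileRepMetagen [Rtk] (constructed entry)"}


def build_installer() -> bytes:
    """Stub bytes followed by a ZIP holding the payload (SFX-style layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(PAYLOAD_NAME, PAYLOAD)
    stub = b"MZ" + b"\x00" * 62 + b"fake installer stub\n"
    return stub + buf.getvalue()


def on_access_check(file_bytes: bytes) -> Optional[str]:
    """Lookup on the object as it sits on disk: the outer installer file."""
    return REPUTATION.get(sha256(file_bytes))


def run_installer(installer: bytes) -> Dict[str, bytes]:
    """Model the installer 'running': it unpacks its members.

    zipfile tolerates data prepended to the archive, so the stub is skipped
    automatically, the same way a self-extracting archive is read.
    """
    with zipfile.ZipFile(io.BytesIO(installer)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def on_execute_check(extracted: Dict[str, bytes]) -> Dict[str, str]:
    """Lookup applied per object at the moment it would execute."""
    hits = {}
    for name, data in extracted.items():
        verdict = REPUTATION.get(sha256(data))
        if verdict:
            hits[name] = verdict
    return hits


def carve_and_check(installer: bytes) -> Dict[str, str]:
    """Inspect embedded members without executing the installer.

    Unpacking in memory and applying the same lookup gives the verdict
    before anything runs, which is the gap the first post asks about.
    """
    return on_execute_check(run_installer(installer))


if __name__ == "__main__":
    inst = build_installer()
    print("on-access verdict for outer file:", on_access_check(inst))
    print("on-execute verdicts after unpack:", on_execute_check(run_installer(inst)))
    print("static carve-and-check:", carve_and_check(inst))
```

Running the block prints no verdict for the outer file and a hit on fdminst.tmp from both the simulated execution and the static carve, which is the behaviour the first post saw and the workaround it was looking for. Real installers use their own container formats rather than a plain ZIP, so for those the unpacking step needs the matching extractor; the lookup logic is unchanged.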