Author Topic: False Positive? Win32:Dropper-gen [Drp]  (Read 48779 times)

dave118

  • Guest
False Positive? Win32:Dropper-gen [Drp]
« on: April 24, 2014, 02:59:20 PM »
Avast has started reporting Win32:Dropper-gen [Drp] on a file c:\hp\documentation\OPS_Shortcut.exe on my system.

I ran it through Virustotal, results are below. Only GData and Avast are reporting a problem.
https://www.virustotal.com/en/file/2f156c703e4ef1048b48f83bd2d9abdf3df23c9f8505c5ad486c7f0a51e1ec3a/analysis/1398318561/

This behavior started with a recent Avast update (4/22/14).

False Positive? How can I tell?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #1 on: April 24, 2014, 03:05:52 PM »
I'd say FP...

First Submission 2010-06-19 01:57:08 UTC ( 3 years, 10 months ago )
Last submission 2014-04-24 05:49:21 UTC ( 7 hours, 14 minutes ago )


Copyright
© 2010 Hewlett-Packard Development Company, L.P.

If you want a quick check for viruses/malware:

Go Here

Download and Run: OTL, Malwarebytes Anti-Malware & aswMBR

Attach the following log files in your next reply.

    -OTL.txt
    -Extras.txt
    -aswMBR.txt
    -Malwarebytes.txt
« Last Edit: April 24, 2014, 03:07:24 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #2 on: April 24, 2014, 03:08:11 PM »
Process : Operationing Specifications
Company : undefined company name
Part Of: Operationing Specifications
Size: 469346 Bytes
Product Version: NA
Path: c:\hp\documentation\ops_shortcut.exe
MD5 (click to check anti virus scan result):  4f97bc6cce41355f3e7b9143a2d65fe2

If that is the file, it is safe and a FP.
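
Added example (not part of any post in this thread): a Python sketch for checking whether a local copy of the flagged file is byte-identical to the one discussed here, using the size and MD5 quoted in Reply #2 and the SHA-256 from the VirusTotal URL in the first post. The function names and the temporary stand-in file are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Reference values quoted in this thread (size and MD5: Reply #2; SHA-256:
# VirusTotal URL). The thread does not say both describe the same build.
THREAD_REFERENCE = {
    "size": 469346,
    "md5": "4f97bc6cce41355f3e7b9143a2d65fe2",
    "sha256": "2f156c703e4ef1048b48f83bd2d9abdf3df23c9f8505c5ad486c7f0a51e1ec3a",
}


def fingerprint(path, chunk_size=1 << 20):
    """Return size, MD5 and SHA-256 of a file, read in chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def compare(path, reference):
    """Compare a file with a reference record; report each field separately."""
    actual = fingerprint(path)
    fields = {}
    for key, expected in reference.items():
        if isinstance(expected, str):
            expected = expected.strip().lower()
        fields[key] = (actual[key] == expected)
    # SHA-256 decides identity; MD5 and size are only supporting evidence,
    # since MD5 collisions can be constructed.
    return {"actual": actual, "fields": fields, "same_file": fields.get("sha256", False)}


def demo():
    """Constructed sample: a temp file stands in for the flagged executable."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"MZ" + b"\x00" * 62)  # constructed bytes, not a real PE
    try:
        return compare(tmp.name, THREAD_REFERENCE)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```

A match only shows that the local file is the same one other people scanned; a mismatch means the scan results and comments in this thread do not apply to that copy.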

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #3 on: April 24, 2014, 03:10:40 PM »
We have recently seen some Win32:Dropper-gen [Drp] false positives appear for compressed packer files, here INNO.
Gen meaning it is a generic find, and therefore also meaning more false positive prone.
This apparently is caused by the «runtime packed» a.k.a. «execution compression» feature of the compiler (or linker?).
A kind of similar INNO_set.up false positive issue was also flagged in June 2007.
If it is solved with a coming update, you will be certain it has been a false positive, which is rather likely i.m.o.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #4 on: April 25, 2014, 08:30:55 AM »
Hello,
it will be fixed in next stream update.

Milos

Lazer

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #5 on: April 25, 2014, 04:58:44 PM »
Avast put the file in the virus chest. Can I restore it back on my computer?

Lazer

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #6 on: April 25, 2014, 05:03:49 PM »
Yes you can, right click and restore. ;)
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37585
  • Not a avast user
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #7 on: April 25, 2014, 05:04:34 PM »
Avast put the file in the virus chest. Can I restore it back on my computer?

Lazer
right click file in chest and rescan..... when not detected anymore you can restore

avast! 2014: Using the Virus Chest  http://www.avast.com/en-eu/faq.php?article=AVKB21#artTitle


Lazer

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #8 on: April 25, 2014, 05:35:18 PM »
Thank you

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #9 on: April 25, 2014, 05:35:38 PM »
Or right click + add to exclusions

Offline herojig

  • Newbie
  • *
  • Posts: 4
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #10 on: August 03, 2014, 05:51:27 AM »
Avast put the file in the virus chest. Can I restore it back on my computer?

Lazer

Does not work here. I restore it and the next time I run it, it's put back in the chest. Arg.

REDACTED

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #11 on: August 03, 2014, 10:50:11 AM »
Did you scan it first while in the Chest as Pondus said?

REDACTED

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #12 on: October 23, 2014, 06:49:21 PM »
Avast put the file in the virus chest. Can I restore it back on my computer?

Lazer
right click file in chest and rescan..... when not detected anymore you can restore

avast! 2014: Using the Virus Chest  http://www.avast.com/en-eu/faq.php?article=AVKB21#artTitle



Thank you, Pondus. I just got FPs on a couple of uninstall files for legitimate purchased software. I followed your instructions, and they both came back with "no virus" messages and were removed from the chest.

This definitely got my heart rate up - does it count as aerobic exercise?  :o

REDACTED

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #13 on: February 18, 2015, 02:37:18 AM »
Hello,
it will be fixed in next stream update.

Milos

I've just installed Avast and ran a boot-time scan and it's saying doubleTwistSetup.exe contains Win32:Dropper-gen... is this an Avast false positive or not?

http://www.malwareremovalguides.info/win32dropper-gen-drp-removal-instructions/

REDACTED

  • Guest
Re: False Positive? Win32:Dropper-gen [Drp]
« Reply #14 on: February 18, 2015, 03:06:22 AM »
Hello,
it will be fixed in next stream update.

Milos

This isn't fixed yet (by either you, doubleTwist, or OpenCandy which owns the "dropper" software), but here is what doubleTwist said:

Henry Kwan
6:36 PM
Hello,

I'm sorry that you are experiencing problems with downloading and installing our application.

This detection is erroneous or a "false positive" as OpenCandy is not adware. OpenCandy is partners with some of the largest anti-virus and anti-malware companies. Here is their statement on these false positives.

http://www.opencandy.com/learn-more-about-opencandy-and-false-adware-detections/

We are working with OpenCandy and the major anti-virus companies to remove any false positive detections from their databases. In the meanwhile, please temporarily disable your anti-virus software to install doubleTwist.

To disable installation of any OpenCandy suggested applications, please carefully review the choices available and choose the appropriate option so that it does not install. You do not need to install any of the OpenCandy suggested applications in order to install the doubleTwist application.

http://www.doubletwist.com/help/question/how-do-i-opt-out-of-installing-the-opencandy-suggested-application/

Thanks,
Henry

---
XP/Vista