Author Topic: Pop-Up says Suspicious, Right Click says No Threat?  (Read 4722 times)


Offline Muad'Dib

  • Jr. Member
  • **
  • Posts: 74
    • The underwater sound of the Antarctic Ocean
Pop-Up says Suspicious, Right Click says No Threat?
« on: July 22, 2014, 02:57:25 AM »
I received an alert for the file FilMsg.exe, and I'm 99% sure it's a false positive (and have already submitted the file to Avast Virus Lab). But I'm wondering why Avast gives me two completely different responses for the same file. Here's the text of the submission I sent to the Virus lab:

I get a "Virus Found" alert, being told that the infection is Win32:Evo-gen [Susp]

This is a file from 2006 (from a firewall program FilSecLab), that I've used continuously since that time. I extracted a copy of the same file from a backup made about 4 months ago, and it also generates the same alarm (yet until today, I've never received an alert for this file). I also ran a file comparison program, and my 4 month old version of the file is byte-for-byte identical with the current one.

I submitted the file to Jotti and VirusTotal, with a clean bill of health from both.

Finally (and strangely), if I right-click on the file and scan with Avast, I get a "NO THREAT FOUND" response. I don't understand why some routine of Avast thinks this is a suspicious file, yet explicitly scanning it results in no threat response.


Note the last paragraph in boldface - this is what is confusing me. Any ideas why this happens?

So I've currently included the file in my list of exclusions, but since it is an .exe and could potentially become actually infected in the future, I'd rather not keep it excluded forever. I seem to remember reading that submissions to Virus Labs rarely get a response back to the user, but I would hope that even if they don't respond, they'll fix the false positive. If so, any idea how long it normally takes them to update the definitions to fix this (if it is actually a false positive)?
« Last Edit: July 22, 2014, 04:13:45 AM by Muad'Dib »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #1 on: July 22, 2014, 09:22:33 AM »
Evo-Gen is ONLY detected when you execute some program, but not when doing on-demand scans or right click scans. That's why you see this "inconsistency".

The rest of the procedure is the same as with any false positive. Report it and they will fix it.

Offline Muad'Dib

Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #2 on: July 22, 2014, 10:26:11 AM »
Thanks for the info. Since I won't be able to scan the file to see if the (hopefully) false positive has been fixed, any suggestions on how to determine that it has been fixed? And again, typically how long does it take for false positives to be corrected? Are we talking within a day or two, or might it take weeks or months? And will I get any sort of notification (I did provide my email in the report)?

Normally I could simply not run the suspicious program for a certain period of time, until I know for sure whether or not it is a false positive. But since this file is part of a firewall, it seems that not running it has risks as well.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #3 on: July 22, 2014, 10:35:31 AM »
Looks like it is time for you to get another firewall.
This one is 8(!) years old and Windows 7 isn't even supported.
With all the new threats that are around, I very much doubt this one can handle them.

Offline Muad'Dib

Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #4 on: July 22, 2014, 04:26:04 PM »
The firewall works well on this machine. Its age is irrelevant to my question.

I'm just trying to get a rough estimate of when a reported false positive will be fixed and if I'll be notified of the fix (or if there's another way to detect that it's been fixed, since RejZoR explained that on-demand scanning won't detect Evo-Gen). This would be useful information for anyone making such reports.
« Last Edit: July 22, 2014, 04:36:10 PM by Muad'Dib »

REDACTED

  • Guest
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #5 on: July 22, 2014, 06:17:05 PM »
I got the same or similar thing this morning, but a little late around 11 AM when I booted my PC. First said "Rootkit found". "Svc. ATT MA Host Service >C Rootkit"  Then avast pops up and says, Win32:Evo-gen[susp].  I clicked recommended action to put in vault.  After a boot-time scan, PC came up okay. Then I went to log file and it said this suspicious file was located in "Program Files\ATT\8.3.0.34\MA\BIN". I went there with Explore and those files are from several years ago. I suspect this is a FP, or false positive.

So far everything is working. I have ATT as my internet provider still and no problems... yet.
« Last Edit: July 23, 2014, 03:10:36 PM by Rick F »

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #6 on: July 22, 2014, 07:17:50 PM »
Use this form to report false positives.
Or, if it's in the virus chest, right click and send to the lab.
If it does indeed turn up as a false positive avast will correct it via
a vps update.

REDACTED

  • Guest
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #7 on: July 23, 2014, 03:14:38 PM »
> Use this form to report false positives.
> Or, if it's in the virus chest, right click and send to the lab.
> If it does indeed turn up as a false positive avast will correct it via
> a vps update.

Thanks. I did submit the file to avast as suspected FP. I can't complete the report in your link as it won't go through if I can't submit the file too -  :o.  Since it's in the vault I can't browse to find it.  When submitting the file, I didn't have a copy of this forum thread so tried to give them that info in the report.  Oh well.
« Last Edit: July 23, 2014, 03:16:13 PM by Rick F »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #8 on: July 23, 2014, 03:16:33 PM »
Right click file in chest..... from menu, send to avast

www.avast.com > support > FAQ ..... search for chest ..... see how to use chest


REDACTED

  • Guest
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #9 on: July 23, 2014, 03:22:43 PM »
> Right click file in chest..... from menu, send to avast
>
> www.avast.com > support > FAQ ..... search for chest ..... see how to use chest

I did that already and stated so above.


REDACTED

  • Guest
Re: Pop-Up says Suspicious, Right Click says No Threat?
« Reply #11 on: July 25, 2014, 04:27:45 PM »
Thanks for replies... and thank you to avast for correcting this FP.  I restored "MAHOSTSERVICE.EXE" and all is fine. Also tested the file at VirusTotal and all were green.

File is 314K and is part of AT&T Management service, which helps set up wireless devices. File resides (on XP machine) at: "Program files\ATT\8.3.0.34\MA\BIN".