Author Topic: Avast Support is *very* bad  (Read 8225 times)

REDACTED

  • Guest
Avast Support is *very* bad
« on: August 13, 2015, 07:51:45 PM »
I've detected a false positive in an old Medal of Honor patch (Breakthrough_patch_2.40b.exe).

This file hasn't been modified in 10 years (same MD5, I repeat, SAME MD5 for 10 years), I never had any issue with it, and it was previously scanned by many other AVs without issues ...

Therefore I've raised a ticket with support to flag this as a false positive, and an update of the definition file was eventually released to fix this.
However, 2 weeks later the file was marked *again* as a threat by an update.

So I've reopened the ticket and it is going nowhere:

- first the support guy tells me the file is infected, then that it is a false positive that will be fixed in an update (there have been at least a couple of updates but it is still not fixed).
- I've asked for technical details about why this was flagged as a virus and what actions will be taken to keep this from happening, but I can't get any answers ... The only thing I got is that my ticket was moved to the "private" status. Outrageous!

I'm really disappointed with the unprofessional attitude Avast support has in general. This is not the first time I've had to deal with them, and they are completely useless and random. I'm wondering why bother paying a premium for support when you get this poor treatment :(

In addition, I'm very worried to see how badly the Avast team seems to tackle virus identification; it looks like a big bullshit with very poor tests.
It looks like this has become a standard in the industry, unfortunately; have a read here: http://pid.gamecopyworld.com/


Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Avast Support is *very* bad
« Reply #1 on: August 13, 2015, 08:22:49 PM »
Hi zfil :)

Can you post your Ticket ID?
Then I will try to get some attention to this.

Greetz, Red.

OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: Avast Support is *very* bad
« Reply #2 on: August 13, 2015, 08:33:50 PM »
I think that the support ticket route isn't as effective as it should be for FPs.
It would/should have been much quicker to submit it from avastUI - presumably it was added to the virus chest - in which case it can be submitted directly from there.

If you didn't allow it to be added to the chest, you can add it manually and then submit (image1).
Open the virus chest - avastUI > Settings > Scan > Scan for Viruses - at the bottom of that page is 'Quarantine (Virus Chest)' clicking that opens the chest.

You can make that less long winded by changing the home page of the AvastUI, image2.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast Support is *very* bad
« Reply #3 on: August 13, 2015, 08:39:43 PM »
detected as suspicious
https://www.virustotal.com/en/file/8a700bfbba0298590fd515d6e99f9760abc182161bbefec4d890fca97207d52d/analysis/

First submission 2013-12-09 21:44:31 UTC ( 1 year, 8 months ago )



« Last Edit: August 13, 2015, 08:41:14 PM by Pondus »

REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #4 on: August 14, 2015, 12:43:49 AM »
> detected as suspicious
> https://www.virustotal.com/en/file/8a700bfbba0298590fd515d6e99f9760abc182161bbefec4d890fca97207d52d/analysis/
>
> First submission 2013-12-09 21:44:31 UTC ( 1 year, 8 months ago )

Yeah, only by this crappy Avast. BTW I would really want to know what makes the Avast engine think this is suspicious :)
As I've given the other example of ProtectionID that is flagged as a virus, this is completely FUD; just disassemble the thing and give me the problematic code :/ this is ridiculous.

REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #5 on: August 14, 2015, 12:45:39 AM »
> I think that the support ticket route isn't as effective as it should be for FPs.
> It would/should have been much quicker to submit it from avastUI - presumably it was added to the virus chest - in which case it can be submitted directly from there.
>
> If you didn't allow it to be added to the chest, you can add it manually and then submit (image1).
> Open the virus chest - avastUI > Settings > Scan > Scan for Viruses - at the bottom of that page is 'Quarantine (Virus Chest)' clicking that opens the chest.
>
> You can make that less long winded by changing the home page of the AvastUI, image2.

Well, I tried that before and nothing happened :) at least with the ticket this file was whitelisted for a couple of weeks :) ...
Frankly this is sad and ridiculous :(

Offline Rednose

Re: Avast Support is *very* bad
« Reply #6 on: August 14, 2015, 12:46:26 AM »
If you would post your Ticket ID like I asked  ::)

Greetz, Red.

REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #7 on: August 14, 2015, 12:48:25 AM »
> Can you post your Ticket ID?
> Then I will try to get some attention to this.

Thank you so much!

The ticket id is : #KMF-493-36836

Cheers
Fil

Offline Rednose

Re: Avast Support is *very* bad
« Reply #8 on: August 14, 2015, 12:55:45 AM »
I have put it forward :)

Greetz, Red.

Offline Pondus

Re: Avast Support is *very* bad
« Reply #9 on: August 14, 2015, 08:36:10 AM »
More info on this detection:
Win32:WrongInf-D [Susp] / Wrongly infected file means it may have been infected by a file infector or not properly cleaned and contains remnants of infection


REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #10 on: August 15, 2015, 03:25:05 AM »

So I've received an "answer" from the support: apparently updating my definitions will solve the issue. Unfortunately this is still not true with tonight's 150814-6 version (the support message was sent in the morning).
Of course I've not received any technical answers about the root cause of this false positive, nor info about what they will do to prevent this, as I requested (this is beyond me; if I were treating my customers the same way I would have lost my job a long time ago ...)
No explanation either of why my ticket was put to private status ...


> more info on this detection
> Win32:WrongInf-D [Susp] / Wrongly infected file means it may have been infected by a file infector or not properly cleaned and contains remnants of infection

Still, in this case this is completely ridiculous. I've even compared the file from the original EA servers (which hasn't changed since 2003) and the hash is the same ...

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Avast Support is *very* bad
« Reply #11 on: August 19, 2015, 02:11:46 PM »
The file contains a binary (ikernel.exe) with Parite leftover. It's not dangerous, but it is not clean. It's completely ok to detect it at the highest heur level.

REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #12 on: August 23, 2015, 11:57:27 PM »
> The file contains a binary (ikernel.exe) with Parite leftover. It's not dangerous, but it is not clean. It's completely ok to detect it at the highest heur level.

ikernel.exe is InstallShield. Not sure what you mean by "Parite leftover" ... But yes, actually now it is only detected at the highest heuristic lvl ...

And BTW, if it is not dangerous, why is it marked as a threat? Shouldn't it be flagged as a warning?
« Last Edit: August 24, 2015, 12:02:21 AM by zfil »

Offline Pondus

« Last Edit: August 24, 2015, 12:28:36 AM by Pondus »

REDACTED

  • Guest
Re: Avast Support is *very* bad
« Reply #14 on: August 24, 2015, 12:27:54 AM »

Ok, so thanks @Pondus and @Maxx_original, now I understand the root cause of Avast reporting a problem at the highest heuristic lvl, but:
- I feel sad that even after many exchanges with support I didn't get any useful answers; it is fortunate to have Avast guys answering here (many thanks !!)
- please consider reporting this class of detection as warnings instead of threats

Now, for my education, why does VirusTotal still detect the issue as of today? Do they run Avast in high heuristic sensitivity?