Author Topic: Is Win32:Ircbot-KL FALSE POSITIVE?  (Read 3987 times)


Offline jbarr

  • Newbie
  • *
  • Posts: 4
Is Win32:Ircbot-KL FALSE POSITIVE?
« on: December 20, 2005, 04:29:12 AM »
Re: avast! v. 4.6 Home Edition, Build: Dec2005 (4.6.739)
      VPS file version: 0551-0, Compilation date: 12-19-05

Received an infected virus warning this evening when I started up my computer.  The supposed infected file is gss.exe from the Ghost Security Suite program.  The virus name within this file is Win32:Ircbot-KL.

Ran a quick virus scan using ewido and AntiVir AV programs on the supposed infected file.  Neither detected a virus in the gss.exe file.  Tested the same file within Avast's "chest" folder from the Jotti-Multi engine on-line scanner website and none of the virus scanners, not even Avast!, detected a virus.

I was unable to send a zipped copy of the infected file to virus@avast.com because it was restricted.  So I'm unable to allow Avast! to test this file as a false positive.

My RegDefend security program is currently disabled until this issue is resolved.  Any comments or suggestions to remedy this issue are appreciated.

I noticed that someone else was experiencing a similar problem as posted on Wilders Security forums:

http://www.wilderssecurity.com/showthread.php?t=111818&highlight=avast
« Last Edit: December 20, 2005, 04:36:03 AM by jbarr »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #1 on: December 20, 2005, 11:58:56 AM »
> Tested the same file within Avast's "chest" folder from the Jotti-Multi engine on-line scanner website and none of the virus scanners, not even Avast!, detected a virus.
Files in the Chest are protected. They can't be scanned except by your own local avast installation.
You'll need to extract the file to a floppy or usb drive and submit it to Jotti to know.

> I was unable to send a zipped copy of the infected file to virus@avast.com because it was restricted.  So I'm unable to allow Avast! to test this file as a false positive.
Which was restricted? Isn't the file inside of avast Chest? Can't you right click it and send from there to Alwil? (you should choose between two methods of sending, imap or smtp. With smtp you need to configure the settings: right click the 'a' blue icon > Program settings > smtp tab).
The best things in life are free.

Offline jbarr

  • Newbie
  • *
  • Posts: 4
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #2 on: December 20, 2005, 12:55:01 PM »
Hi Tech,

Thanks for your reply to my issue.  As to the gss.exe file being scanned by Jotti, I restored the file to its original location and Jotti indicated that the file was too large to upload. 

The same problem arises when I attempt to send this file via Avast! email.  The following message occurs:

The following file cannot be sent by email:
gss.exe (FileID: 4)
The file is bigger than the limit: 1024 kB

Any suggestions are appreciated.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #3 on: December 20, 2005, 01:10:28 PM »
> As to the gss.exe file being scanned by Jotti, I restored the file to its original location and Jotti indicated that the file was too large to upload.
I see...

> The same problem arises when I attempt to send this file via Avast! email.  The following message occurs:
> The file is bigger than the limit: 1024 kB
You can use the FTP server to transfer big files.
ftp://ftp.asw.cz/incoming
or
ftp://www2.asw.cz/incoming

It won't hurt if you can zip it...
The best things in life are free.

Offline jbarr

  • Newbie
  • *
  • Posts: 4
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #4 on: December 20, 2005, 01:12:44 PM »
It appears that Avast! has taken care of the issue with its latest virus definition update:
VPS file version: 0551-1, Compilation date: 12-20-05

The RegDefend program did not open at startup, however upon manually opening it, the program opened without a virus warning. 

Would be nice if the Avast! technicians would acknowledge this assumption on my part.  Thanks!


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11745
    • AVAST Software
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #5 on: December 20, 2005, 01:13:30 PM »
Yes, the problem should be already fixed.

Offline jbarr

  • Newbie
  • *
  • Posts: 4
Re: Is Win32:Ircbot-KL FALSE POSITIVE?
« Reply #6 on: December 20, 2005, 01:43:22 PM »
Thanks Avast! for addressing this issue promptly. 

Knock on wood this was my first AV virus warning.  So, if there's an upside to this experience, it's a relief to know Avast! will promptly deal with any known virus in the future.

Thanks are also in order for those who provided and continue to maintain this fine, free AV product.  Continued success to the Avast! staff :)