Topic: False positive

Offline Benítez

  • Software Developer
  • Newbie
  • *
  • Posts: 4
  • Hell is so close to heaven
False positive
« on: September 12, 2017, 05:04:29 PM »
Greetings, I am a programmer and I am currently writing my version of a game; however, Avast and the VirusTotal scan detected the game launcher as malicious. I would like you to help me report the false positive and investigate my executable, since it does not alter information or take user input. I don't know how or where to report it.

Scan: https://www.virustotal.com/es/file/175e394b605cc9e6676d053a9163e2db48b5ae6f8639b34c8e4f7e9cc14ad577/analysis/

Game launcher: http://www.returnoftibia.tk/Download

Offline Asyn

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48872
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False positive
« Reply #1 on: September 12, 2017, 05:05:42 PM »
Win 8.1 [x64] - Avast Premier 17.8.2318.BC - CC 5.37 [OD] - MCS [OD] - EEK [OD] - Firefox ESR 52.5 [NS5/uBO] - Thunderbird 52.4 [EM]
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen und Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31492
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False positive
« Reply #2 on: September 12, 2017, 05:08:45 PM »
Looking at the behavior, the application still needs a lot of work.

Offline Benítez

Re: False positive
« Reply #3 on: September 12, 2017, 05:12:27 PM »
> Looking at the behavior, the application still needs a lot of work.
It is only an autoupdater launcher for the original Tibia executable (Cipsoft), it does not have any malicious behavior and yet it detects it as a virus.

Offline Asyn

Re: False positive
« Reply #4 on: September 12, 2017, 05:13:36 PM »
> It is only an autoupdater launcher for the original Tibia executable (Cipsoft), it does not have any malicious behavior and yet it detects it as a virus.
See Reply #1 and/or you can report a suspected FP here: https://www.avast.com/false-positive-file-form.php

Offline Eddy

Re: False positive
« Reply #5 on: September 12, 2017, 05:15:12 PM »
It is not detected as a virus, but as a Trojan.

Offline Asyn

Re: False positive
« Reply #6 on: September 12, 2017, 05:16:47 PM »
> It is not detected as a virus, but as a Trojan.
Yep, and I somehow doubt that this is a FP, but the guys at VL have to decide it.

Offline Benítez

Re: False positive
« Reply #7 on: September 12, 2017, 05:22:05 PM »
>> It is only an autoupdater launcher for the original Tibia executable (Cipsoft), it does not have any malicious behavior and yet it detects it as a virus.
> See Reply #1 and/or you can report a suspected FP here: https://www.avast.com/false-positive-file-form.php
Thanks, I already filed the report, and it should be simple; in fact, I did not protect or obfuscate the code, so anyone can decompile it and verify its behavior. I just encrypted some variants. I could send the .NET project to Avast if required.

Offline Asyn

Re: False positive
« Reply #8 on: September 12, 2017, 05:24:43 PM »
As you reported it, wait for an answer from the VL guys.

Offline Eddy

Re: False positive
« Reply #9 on: September 12, 2017, 05:25:46 PM »
If the people from avast need/want more info, they will contact you.

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29842
  • malware fighter
Re: False positive
« Reply #10 on: September 12, 2017, 05:26:14 PM »
Then you have to consider that every IDS alerts on a so-called tk_domain....
IP blacklisted
Google   Google Diagnostic Page
My WOT   WOT Score Card
hpHosts   hpHosts listing
MalwareDomainList   MDL listing
Re: https://urlquery.net/queue/75feedf9-6fa2-40ae-927c-9699b8a6a057

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Benítez

Re: False positive
« Reply #11 on: September 12, 2017, 05:29:12 PM »
A friend who installed the game yesterday told me that his Avast notified him that my executable would be analyzed in the laboratory, and within a few hours they said it was inoffensive.

Offline Asyn

Re: False positive
« Reply #12 on: September 12, 2017, 05:49:51 PM »
As said, wait for an answer from the VL guys.

Offline savcin

  • Avast team
  • Jr. Member
  • *
  • Posts: 47
Re: False positive
« Reply #13 on: September 12, 2017, 07:51:35 PM »
Clean status has been set.