Author Topic: False Positive?  (Read 12951 times)

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
False Positive?
« on: July 07, 2006, 02:37:09 PM »
A scan using avast! 4.7.844 Home Edition, VPS version: 0627-3, 07/07/2006, produces a warning screen "A Trojan Horse Was Found", with the following information:

D:\Purrint 23\PurrintInst.exe

Win32:Zapchast-S [Trj]

Trojan Horse

Prior to this scan the last scan was one week ago, Friday 30th June, 2006 and nothing was detected. Scans with ewido anti-malware, Ad-Aware and Spybot do not detect anything.

Purrint is a program to "manage your Print Screen button" and I've been using it for about 3 months.

http://www.snapfiles.com/get/Purrint.html

All things considered I think it highly likely this detection is a false positive.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83348
  • No support PMs thanks
Re: False Positive?
« Reply #1 on: July 07, 2006, 03:24:08 PM »
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.5.2415 (build 20.5.5410.561) UI-1.0.532/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: False Positive?
« Reply #2 on: July 07, 2006, 03:31:38 PM »
Thank you for your reply. I'll carry out your suggestions and see how things go.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83348
  • No support PMs thanks
Re: False Positive?
« Reply #3 on: July 07, 2006, 03:34:54 PM »
You're welcome, let us know what you find.

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: False Positive?
« Reply #4 on: July 08, 2006, 07:22:28 AM »
I uploaded the detected file to Jotti's and to VirusTotal, and D:\Purrint 23\PurrintInst.exe was only detected by avast!

I have also sent the detected file to virus @ avast.com.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83348
  • No support PMs thanks
Re: False Positive?
« Reply #5 on: July 08, 2006, 03:29:42 PM »
You can add the file to the exclusions as I mentioned and restore the file from the chest, this will allow you to continue to use it. Check periodically after VPS updates to see if the FP (if confirmed) has been corrected.

Offline Iso-G

  • Avast translator
  • Full Member
  • ***
  • Posts: 141
  • I'm a llama!
    • Grandpa's Notebook
Re: False Positive?
« Reply #6 on: July 08, 2006, 03:41:36 PM »
I have also sent the detected file to virus @ avast.com.

Hello WDGC, welcome to the forums

No security software detects every malware, 100% of today's malware, as you know.
Your efforts exactly help avast! users.
Thank you very much. ;)

Alwil team will analyze the file you sent, probably.
I hope to see your footprints on avast! VPS ASAP.
(Of course, if it is certainly malware.)
Windows XP Home SP3 / avast! 6.0 Free Antivirus (Japanese) / Microsoft Security  Essentials(v2,Japanese) / COMODO Firewall 5.3 (D+(full),English) / Secunia Personal Software Inspector (v2,English) / Opera / Thunderbird 3 / Open Office 3

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: False Positive?
« Reply #7 on: July 10, 2006, 11:33:45 AM »
A scan using VPS version: 0628-0, 10/07/2006 does not detect D:\Purrint 23\PurrintInst.exe.

However it does make the following detection:

File name: C:\Program Files\Mozilla Firefox\updater.exe
Malware name: Win32:Sality-W
Malware type: Virus/Worm
VPS version: 0628-0, 10/07/2006

When uploaded to Jotti's and VirusTotal, C:\Program Files\Mozilla Firefox\updater.exe is only detected by avast!

I, once again, think it highly unlikely this is a virus or worm and have sent the detected file to virus @ avast.com.



Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: False Positive?
« Reply #8 on: July 10, 2006, 12:00:11 PM »
Need, I think, for a very quick fix on this one - otherwise we will see a whole lot of "me too" posts. 

Very clearly an issue with the latest VPS update ... no problem with the prior VPS release.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: False Positive?
« Reply #9 on: July 10, 2006, 12:17:27 PM »
The same virus message is produced on scanning the updater.exe for Mozilla Thunderbird too.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9336
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: False Positive?
« Reply #10 on: July 10, 2006, 12:44:40 PM »
I've reported the Firefox FP like an hour ago...
Visit my webpage Angry Sheep Blog

Offline lava1

  • Full Member
  • ***
  • Posts: 140
  • I'm a llama!
Re: False Positive?
« Reply #11 on: July 10, 2006, 01:06:03 PM »
Hi. My roommate got the same virus in Firefox and Thunderbird this morning too when he did a scan, and he deleted it this morning and did not move it to the chest. Before he did the update with avast he was surfing and checked his mail, and all his mail came up clean. I hope by deleting this worm win32:sality-w he did not mess up. Maybe I am worrying for nothing. (Just curious: if it is a false one, does that mean I have to reinstall Firefox and Thunderbird? Sorry for asking this question, but we are both older people and still learning things on the computer.) Thanks for the info.

Offline psadi

  • Newbie
  • *
  • Posts: 17
  • Lapsus memoriae
Re: False Positive?
« Reply #12 on: July 10, 2006, 01:27:43 PM »
The program update.exe in the programs from Mozilla (Thunderbird, Firefox and Sunbird) were all affected at work. Though I doubt they are infected.

The updater.exe program is used to update the programs itself and the functionality of the programs is not affected in any other way than that you cannot auto update the program.

If you deleted the update.exe program I think you have to reinstall the program to get back that functionality. Though you don't have to do that until there is a new version out. If you moved it to the chest instead of deleting it you can always restore the file from the chest and should get back the functionality by it.
Aliquando et insanire iucundum est

Offline lava1

  • Full Member
  • ***
  • Posts: 140
  • I'm a llama!
Re: False Positive?
« Reply #13 on: July 10, 2006, 01:41:34 PM »
Thanks for the info. I looked in program files and it still shows that I still have the update file, so maybe I am still safe. Thanks again! Plus when I pushed to check update it shows no updates at this time.
« Last Edit: July 10, 2006, 01:47:12 PM by lava1 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9336
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: False Positive?
« Reply #14 on: July 10, 2006, 01:46:34 PM »
I just got a report from the Alwil virus lab that the Mozilla updater.exe false positive is already fixed in the latest VPS update.