Author Topic: Did I catch a false positive?  (Read 4291 times)


drahnier

  • Guest
Did I catch a false positive?
« on: September 10, 2006, 07:01:21 PM »
For several months now I have had a small program on my system which I use to learn the pronunciation of Chinese tones (PinYin).

Today avast picked up the file I downloaded from http://www.eztechinc.com/product_list.php?id=4, claiming it has Win32:Troja-gen {UPX!}.

Previous versions of avast did not bark on this file. But the latest Beta version 4.7.881 (running on XP.Pro.SP2) with up to date 0636-3 VPS does. The file has been sitting on my hard drive for several months and until today avast never picked it up during a full scan.

When trying to re-download the file, avast resets the connection to the server and claims the very same trojan is in the file.

It appears I cannot send the file to avast for testing from the virus chest: "The following file cannot be sent by email: npinyin.exe (FileID: 5). The file is bigger than the limit: 1024 kB"

« Last Edit: September 10, 2006, 07:33:48 PM by drahnier »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Did I catch a false positive?
« Reply #1 on: September 10, 2006, 07:36:28 PM »
It is possible that updates to the VPS and especially the -gen (generic) signatures might detect something on your system that wasn't detected before. You need to confirm if the detection was correct.

You can check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan; it will need to be temporarily removed from the standard shield exclusions, otherwise it won't be scanned). When it is no longer detected, you can also remove it from the program settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

drahnier

  • Guest
Re: Did I catch a false positive?
« Reply #2 on: September 10, 2006, 07:43:28 PM »
It is possible that updates to the VPS and especially the -gen (generic) signatures might detect something on your system that wasn't detected before. You need to confirm if the detection was correct.

You can check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan; it will need to be temporarily removed from the standard shield exclusions, otherwise it won't be scanned). When it is no longer detected, you can also remove it from the program settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.


Thanks for your kind recommendations. I'll start with Windows Live online virus scanner ...


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Did I catch a false positive?
« Reply #3 on: September 10, 2006, 07:49:39 PM »
I downloaded from http://www.eztechinc.com/product_list.php?id=4
Site seems ok...
Quote
Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211) Copyright © Igor Daniloff, 1992-2005
Last update time: 2006-09-10,19:28:44 File size: 37450 bytes

product_list.php?id=4 - archive HTML
>product_list.php?id=4/JavaScript.0 - OK
>product_list.php?id=4/JavaScript.1 - OK
>product_list.php?id=4/JavaScript.2 - OK
>product_list.php?id=4/JavaScript.3 - OK
product_list.php?id=4 - OK
 

I give up on trying to submit the file to Virus Total... it's very slow just to get access to the service nowadays.
On-line scanners are 'loaded' and 'flooded'...  :P

It appears I cannot send the file to avast for testing from the virus chest: "The following file cannot be sent by email: npinyin.exe (FileID: 5). The file is bigger than the limit: 1024 kB"
You can make this limit higher... Chest settings of avast.
The best things in life are free.

drahnier

  • Guest
Re: Did I catch a false positive?
« Reply #4 on: September 10, 2006, 08:09:39 PM »
Thanks, Tech.


Neither Windows Defender nor Windows Live AV scanner report the file as infected.
« Last Edit: September 10, 2006, 09:09:43 PM by drahnier »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Did I catch a false positive?
« Reply #5 on: September 10, 2006, 09:19:56 PM »
The blue text in my post is links to multi-engine scanners (27 in the case of VirusTotal), better than any single scan for confirmation one way or another.