Author Topic: IDP.ARES.Generic - How to find out if false positive?  (Read 13814 times)

0 Members and 1 Guest are viewing this topic.

Offline MRTMN

  • Jr. Member
  • **
  • Posts: 22
IDP.ARES.Generic - How to find out if false positive?
« on: July 18, 2020, 01:21:04 AM »
Hi,

I've had two instances of the same file (Reg-MSI_Inventory.exe) trigger a warning for IDP.ARES.Generic in the last 45 minutes or so (both in different locations within c:\windows\temp).

I've quarantined the files in the virus chest and used the interface from within Avast to submit them for analysis.

How will I know if they're false positives?

Thanks!

Offline Kogoro

  • Newbie
  • *
  • Posts: 4
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #1 on: July 18, 2020, 02:14:21 AM »
Hello,

Same Problem happens to me. It starter after the last night... and the last night, it have installed windows update (Automatic update). I dont think that was a coincidence because message of other user start to poping in the forum with the same problem but i also waiting to have more information about this.

Offline Ntamo Tupinamba

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #2 on: July 18, 2020, 03:17:52 AM »
Hello Same thing here.

Right after the lastest windows update avast has found as a threat the IDP.ARES.Generic.
I was reading on the web and other anti-virus has done the same.

Right now I have the file on the virus chest, but it looks like every time the computer turn on the anti virus catch it the file on a different location.

Offline Marc385

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #3 on: July 18, 2020, 04:27:22 AM »
I've also started seeing this appear on my computer today. It showed up three times already. I did a search online which led me to this forum. I feel like it's a false positive but I'm hoping that Avast will respond to clear this up.

Offline Allie5

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #4 on: July 18, 2020, 08:53:27 AM »
I too have had this happen twice now and it was after a windows update! I have been tempted to create an exception but obviously I could be allowing a virus on to my computer, hope avast can tell us soon what we should do

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #5 on: July 18, 2020, 09:31:22 AM »
Test the file at VT (https://www.virustotal.com) and post the link to the result here.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline chris..

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2918
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #6 on: July 18, 2020, 09:46:33 AM »
Avast has already been informed through AVG support, they must certainly already be in the process of annalising this file (FP?) which is already worrying a large number of users (avast + avg)
« Last Edit: July 18, 2020, 09:48:11 AM by chris.. »

Offline s.e.sikma

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #7 on: July 18, 2020, 11:41:49 AM »
After Avast reported this same error I went in the folders using a (administrative) command-prompt and check what else existed in the folder.

At the lowest levell (C:\Windows\Temp\inv7FD4_tmp\RegMSI) I only found the Reg-MSI_Inventory.exe.
One level up there was a file named icredir.txt. which had a reported size of 0.

After letting Avast put the file in the virus vault, the file contained:

Quote
(GetInventory>> CUSBUpdateMananger::GetInventory): PID = VEN_SYN&DEV_0609
<?xml version="1.0"  encoding="UTF-8"?>
<SVMInventory lang="en">
</SVMInventory>
Failed<?xml version="1.0" encoding="UTF-8"?>
<InventoryError lang="en"><SPStatus result="true" module="icsvc"><Message>Completed successfully</Message></SPStatus></InventoryError>

The VEN_SYN&DEV_0609 suggests it is affiliated with Dell Touchpad software

Offline TranscomTim

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #8 on: July 18, 2020, 01:30:33 PM »
I am also having the same problem.  The Avast pop-up says the threat has been secured and moved to the Virus Chest, but when I open the Virus Chest there's nothing in it.

Offline DellG5guy

  • Newbie
  • *
  • Posts: 1
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #9 on: July 18, 2020, 02:12:36 PM »
Same thing happened to me, 3 times already today. I have all 3 moved to the virus chest.

Offline MRTMN

  • Jr. Member
  • **
  • Posts: 22
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #10 on: July 18, 2020, 03:38:09 PM »
I have found a way to trigger this alert:

1) Restart machine
2) Open Dell Update 3.1.2
3) Run a "check"

Running Dell Update again without restarting will not trigger the alert. On reboot, the first run of Dell Update will trigger it again.

Several notes:

1) Most (all?) of us are using Dell machines
2) Only one of my now multiple quarantined events actually contains the file in question (Reg-MSI_Inventory.exe)
3) Virustotal detects nothing when submitting this file
4) Is there a way to "rescan" the vault after an update?
5) How will avast notify us if this is a false positive?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #11 on: July 18, 2020, 04:01:16 PM »
Quote
4) Is there a way to "rescan" the vault after an update?
There used to be a "rescan file in chest" option, dont know if it is still there (think it was a right click option)
Using the Virus Chest in Avast Antivirus  >>  https://support.avast.com/en-us/article/Use-Antivirus-Virus-Chest/


Quote
5) How will avast notify us if this is a false positive?
Did you report it as possible false positive?  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
I think those who report it will get a reply/mail
« Last Edit: July 18, 2020, 04:09:46 PM by Pondus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #12 on: July 18, 2020, 04:06:24 PM »
@  MRTMN

4)  There used to be, but that has dropped from the list some time ago, why I don't know.
I guess sending it back (Restore) to its original or Extract to a location would trigger a rescan.

5)  You could also send it to Avast for Analysis from the Virus Chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MRTMN

  • Jr. Member
  • **
  • Posts: 22
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #13 on: July 18, 2020, 04:32:06 PM »
@  MRTMN

4)  There used to be, but that has dropped from the list some time ago, why I don't know.
I guess sending it back (Restore) to its original or Extract to a location would trigger a rescan.

5)  You could also send it to Avast for Analysis from the Virus Chest.

Ugh, the lack of rescan within the vault is frustrating.

I did submit it, but from within the vault itself. (Not via the web form)

Offline Ferrara

  • Jr. Member
  • **
  • Posts: 45
Re: IDP.ARES.Generic - How to find out if false positive?
« Reply #14 on: July 18, 2020, 06:22:43 PM »
I started another thread on this problem but I want to move the discussion over here so I will copy paste what I wrote there:

This morning I started my Windows 10 PC and all was normal. Then an authorized Dell Service technician paid a visit to replace the power button LED light which he successfully installed. After that, every time I start or restart my PC I get the same warning, even after removing it to virus chest. So I got on the phone with a Dell support tech for forty minutes and we deleted all the temp files and did a SupportAssist scan, basically cleaning everything up. This was AFTER I did a boot scan with Avast after seeing the first popup. So the Dell tech said it is safe to create an exception for this virus after researching it, and we did that. The boot drive revealed zero threats and yet I got the same popup. I get the same popup after creating the exception. What is going on here?? The Dell rep concluded it is a bug in Avast and was safe to make an exception.