Author Topic: False Alarm - Or just damn Lies!?  (Read 4524 times)

Hackbridge

  • Guest
False Alarm - Or just damn Lies!?
« on: September 02, 2007, 02:38:57 AM »
I downloaded some software from someone who was doing everyone a favour. But Avast flagged up a Trojan. I have a video showing how it all unfolded. That's the screencast link. But you see below the owner reckons that my settings are too high. What do you think? The quote is my email to the owner of the said software.

Quote
My AV says there's a trojan in the software. I'll have a video for you to share. You'll hear me mumbling in the background, but it's because it is late.

Here's the link and I'll have to go. Speak to you soon.

http://screencast.com/t/nzBmcoxP8aE > Video of the AV announcing a Trojan each time I tried to open the software.

Brian

Reply
There is no virus. Your AV settings are too high.

I could cause a lot of embarrassment with this but how do I know who's telling the truth?

Brian

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
Re: False Alarm - Or just damn Lies!?
« Reply #1 on: September 02, 2007, 03:37:17 AM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Hackbridge

  • Guest
Re: False Alarm - Or just damn Lies!?
« Reply #2 on: September 02, 2007, 09:08:25 AM »
I went to Virustotal and got this result - I've created a video to show the owner. http://screencast.com/t/nkrjSZz7c I can't say I want to use it again. Is there a way to stop the trojan operating? I noticed on the interface of Avast it said that saying no, the virus wouldn't be activated.

If the trojan does bypass an AV scanner, how could you root it out?

What is your advice?

Brian

Online DavidR

Re: False Alarm - Or just damn Lies!?
« Reply #3 on: September 02, 2007, 02:23:51 PM »
I know video might be nice but on dial-up I won't be viewing it. I tried but it takes too long; a simple image or copy and paste of the text results would have been fine.

I did see that only 3 (only saw avast and esafe on the initial image before I quit) out of the 32 scanners thought it infected, so I would say the jury is still out.

Hackbridge

  • Guest
Re: False Alarm - Or just damn Lies!?
« Reply #4 on: September 02, 2007, 10:06:55 PM »
It's a hard call because the software is really good, and I don't want to point a finger at the man (unnecessarily).

I'll hate myself if the PC goes pear shaped.

Brian

Online DavidR

Re: False Alarm - Or just damn Lies!?
« Reply #5 on: September 02, 2007, 10:23:55 PM »
No finger pointing is necessary; as I said, the jury is out because I don't think the VirusTotal result is conclusive (the little bit I saw before aborting the video). But without publishing the results (which doesn't identify the application if you don't post that) on the forum we can't say for sure.

After all you did come here for that information.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: False Alarm - Or just damn Lies!?
« Reply #6 on: September 02, 2007, 10:49:28 PM »
DavidR

Three scanners detect something. Avast-Win32:Bifrose-AGY, esafe-suspicious trojan/worm and ikarus-virus.win32.bifrose.agy

Like you said, nothing definite.

@Hackbridge

You should submit the sample to avast for further analysis. Send it in a password protected zipped email to virus at avast.com. Include in the body of the email the vps, password, and a brief description of the situation. You may also want to include a link to this thread.

mauserme

  • Guest
Re: False Alarm - Or just damn Lies!?
« Reply #7 on: September 03, 2007, 05:19:17 AM »
Saying that "Your AV settings are too high" is really a non-answer, at least with avast.

To me the statement seems predicated on the assumption that heuristics are in use.  Setting heuristic sensitivity too high can lead to false positives for AV's that use it, but avast! does not use heuristics in its standard shield.  Instead, setting the standard shield sensitivity to "high" in avast! simply means more files will be scanned, not that they will be scanned in a different way.

This neither confirms nor denies the presence of a trojan but I would question such a dismissive answer.

« Last Edit: September 03, 2007, 05:23:40 AM by mauserme »

Hackbridge

  • Guest
Re: False Alarm - Or just damn Lies!?
« Reply #8 on: September 03, 2007, 08:48:26 AM »
Quote
Saying that "Your AV settings are too high" is really a non-answer, at least with avast.

To me the statement seems predicated on the assumption that heuristics are in use.  Setting heuristic sensitivity too high can lead to false positives for AV's that use it, but avast! does not use heuristics in its standard shield.  Instead, setting the standard shield sensitivity to "high" in avast! simply means more files will be scanned, not that they will be scanned in a different way.

This neither confirms nor denies the presence of a trojan but I would question such a dismissive answer.

It does raise eyebrows  ???

Brian