Author Topic: Fixing a false positive  (Read 5244 times)


Mad_Hat

  • Guest
Fixing a false positive
« on: September 10, 2007, 10:08:14 PM »
I have Avast Pro and it keeps getting a false positive when I try to run my program even though I've added it to the exclusion list. I've started just leaving the active protection turned off :\

My question is, is there any way to remove a virus definition with the database so that it won't be detected any more?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Fixing a false positive
« Reply #1 on: September 10, 2007, 10:10:42 PM »
Yes, please submit the file to our virus lab.
Instructions are in our knowledge base: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=199


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Fixing a false positive
« Reply #2 on: September 10, 2007, 10:12:24 PM »
What is the file name and location ?
Have you tested it at other on-line scans, etc. ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

You probably haven't added it to the exclusions in the resident scanner Standard Shield, you have to add it to both areas.
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Mad_Hat

  • Guest
Re: Fixing a false positive
« Reply #3 on: September 10, 2007, 10:31:08 PM »
E:\Program Files\Internet\MIRCs\iroffer1.4.b03-lamm.b01
iroffer.exe
convertxdccfile.exe

they were detected as Win32.Iroffer-011[Trj] and Win32.Iroffer-049[Trj]

I think I figured out the exclusion. I only had one of them added to the exclusion list, but it's working now.
Still, I know they are working properly, as when I downloaded them, and I don't seem to have any type of extraneous outgoing connections.
So why are they listed as trojans?

I think AVG detected it too, but since I bought and have been using avast I thought I'd ask here.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Fixing a false positive
« Reply #4 on: September 10, 2007, 10:46:54 PM »
> I don't seem to have any type of extraneous outgoing connections.
> So why are they listed as trojans?

There are more kinds of malware behavior besides extraneous outgoing connections...
Some trojans use a rootkit to become hidden from antivirus.
Why the error (if it is an error)? Well, false positives are due to incorrect signature files, treating the clean files as being infected.
The best things in life are free.

Mad_Hat

  • Guest
Re: Fixing a false positive
« Reply #5 on: September 10, 2007, 11:31:59 PM »
hmm I see, so the only way to bypass it is to add it to the exclusions list?
I downloaded iroffer from http://iroffer.org/ just now and got this result

Antivirus   Version   Last Update   Result
AhnLab-V3   2007.9.11.0   2007.09.10   Win-AppCare/Iroffer.250600
AntiVir   7.6.0.5   2007.09.10   BDS/Iroffer.AB.14
Authentium   4.93.8   2007.09.09   W32/Backdoor.QHH
Avast   4.7.1043.0   2007.09.10   Win32:Iroffer-072
AVG   7.5.0.485   2007.09.10   BackDoor.Generic2.CUF
BitDefender   7.2   2007.09.10   Backdoor.Iroffer.AB
CAT-QuickHeal   9.00   2007.09.10   Backdoor.Iroffer.ab
ClamAV   0.91.2   2007.09.10   Trojan.Ioffer
DrWeb   4.33   2007.09.10   BackDoor.Iroffer.1235
eSafe   7.0.15.0   2007.09.04   Win32.Iroffer.ab
eTrust-Vet   31.1.5124   2007.09.10   -
Ewido   4.0   2007.09.10   Backdoor.Iroffer.ab
FileAdvisor   1   2007.09.10   High threat detected
Fortinet   3.11.0.0   2007.09.10   Iroffer
F-Prot   4.3.2.48   2007.09.09   W32/Backdoor.QHH
F-Secure   6.70.13030.0   2007.09.10   Backdoor.Win32.Iroffer.ab
Ikarus   T3.1.1.12   2007.09.10   Backdoor.Win32.Iroffer.AB
Kaspersky   4.0.2.24   2007.09.10   Backdoor.Win32.Iroffer.ab
McAfee   5116   2007.09.10   potentially unwanted program Iroffer
Microsoft   1.2803   2007.09.10   -
NOD32v2   2519   2007.09.10   a variant of Win32/Iroffer
Norman   5.80.02   2007.09.10   W32/Iroffer.PP
Panda   9.0.0.4   2007.09.09   Application/Iroffer.BQ
Prevx1   V2   2007.09.10   -
Rising   19.40.02.00   2007.09.10   Backdoor.Iroffer.ab
Sophos   4.21.0   2007.09.10   Iroffer
Sunbelt   2.2.907.0   2007.09.07   Backdoor.Win32.Iroffer.ab
Symantec   10   2007.09.10   -
TheHacker   6.1.10.183   2007.09.10   Backdoor/Iroffer.ab
VBA32   3.12.2.4   2007.09.09   Backdoor.Win32.Iroffer.ab
VirusBuster   4.3.26:9   2007.09.10   Backdoor.Iroffer.BA
Webwasher-Gateway   6.0.1   2007.09.10   Trojan.Iroffer.AB.14

They say it's a virus, but it's a fresh file.
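
An added example, not part of any post in this thread: a small Python parser for a scan table in the format pasted above, counting how many engines flag the file and how their labels split between malware-type names and "unwanted/application" names. The keyword buckets and function names are assumptions of this example; the sample rows are a subset copied from the table in the post.

```python
import re
from collections import Counter

# Subset of rows copied from the scan table in the post above
# (columns: engine, version, last update, result).
SAMPLE = """\
AntiVir   7.6.0.5   2007.09.10   BDS/Iroffer.AB.14
Avast   4.7.1043.0   2007.09.10   Win32:Iroffer-072
AVG   7.5.0.485   2007.09.10   BackDoor.Generic2.CUF
ClamAV   0.91.2   2007.09.10   Trojan.Ioffer
eTrust-Vet   31.1.5124   2007.09.10   -
McAfee   5116   2007.09.10   potentially unwanted program Iroffer
Microsoft   1.2803   2007.09.10   -
Panda   9.0.0.4   2007.09.09   Application/Iroffer.BQ
Sophos   4.21.0   2007.09.10   Iroffer
"""

# Keyword buckets are this example's assumption, not any vendor's taxonomy.
BUCKETS = [
    ("dual-use", re.compile(r"unwanted|application|appcare|riskware", re.I)),
    ("malware", re.compile(r"backdoor|bds/|trojan|trj", re.I)),
]

def parse_rows(text):
    """Yield (engine, result); columns are separated by a tab or 2+ spaces."""
    for line in text.splitlines():
        cols = re.split(r"\s{2,}|\t", line.strip(), maxsplit=3)
        if len(cols) == 4:
            yield cols[0], cols[3].strip()

def classify(result):
    """Map one engine's result string to a coarse label class."""
    if result == "-":
        return "clean"
    for name, pattern in BUCKETS:
        if pattern.search(result):
            return name
    return "family-name-only"

def summarize(text):
    """Return engine count, detection count and a per-class tally."""
    rows = list(parse_rows(text))
    counts = Counter(classify(result) for _, result in rows)
    detected = len(rows) - counts["clean"]
    return {"engines": len(rows), "detected": detected, "by_class": dict(counts)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
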

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Fixing a false positive
« Reply #6 on: September 10, 2007, 11:40:14 PM »
Hi Mad_Hat,

Strange thing about this is that the DrWeb hyperlink av scanner scans the link as you posted it as CLEAN. File size: 9773 bytes

iroffer.org - archive HTML
>iroffer.org/Script.0 - OK
>iroffer.org/Script.1 - OK
iroffer.org - OK

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mad_Hat

  • Guest
Re: Fixing a false positive
« Reply #7 on: September 10, 2007, 11:46:05 PM »
http://iroffer.org/ is just the main page of the website for the program...
the actual download link is on the download page h**p://iroffer.org/archive/v1.3/iroffer_win32bin_1.3.b11.zip
I downloaded that, unzipped the iroffer.exe and submitted just the exe
« Last Edit: September 11, 2007, 12:09:22 AM by Mad_Hat »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Fixing a false positive
« Reply #8 on: September 10, 2007, 11:56:02 PM »
The problem is what it does could be used for good or evil and most AVs can't determine the intention.

http://www.liutilities.com/products/wintaskspro/processlibrary/iroffer/

I would be concerned with any of the malware names listing it as a backdoor which may be able to bypass your firewall. With so many hits I wouldn't care about its origin I would be looking for another application that doesn't rate this kind of attention by AV scanners.

A Google search for iroffer, iroffer.exe and convertxdccfile.exe returns many hits relating to malware.
http://www.google.com/search?q=iroffe
http://www.google.com/search?q=iroffer.exe
http://www.google.com/search?q=convertxdccfile.exe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Fixing a false positive
« Reply #9 on: September 10, 2007, 11:59:21 PM »
> http://iroffer.org/ is just the main page of the website for the program...
> the actual download link is on the download page h**p: // iroffer.org/archive/v1.3/iroffer_win32bin_1.3.b11.zip
> I downloaded that, unzipped the iroffer.exe and submitted just the exe

Please modify your post and break the link (as I have done in the quoted text) so it isn't active to avoid accidental exposure to suspect files.