Author Topic: False Positives  (Read 6241 times)


Joe S

  • Guest
False Positives
« on: November 05, 2007, 10:33:15 PM »
I believe the latest updates to Avast Home have produced false positives. Yesterday's scan was fine, but today's shows the following in the log file:

11/5/2007 10:27:26 AM   Joe_1   6428   Sign of "Win32:Auprit [trj]" has been found in "H:\My Documents\Backups\Siginet\CreateurAddon.exe" file. 
11/5/2007 10:48:59 AM   Joe_1   6428   Sign of "Win32:Auprit [trj]" has been found in "J:\Backups\Siginet\CreateurAddon.exe" file. 
11/5/2007 11:01:58 AM   Joe_1   408   Sign of "Win32:Auprit [trj]" has been found in "H:\My Documents\Backups\Siginet\CreateurAddon.exe" file. 
11/5/2007 11:02:08 AM   Joe_1   408   Sign of "Win32:Auprit [trj]" has been found in "H:\RECYCLER\S-1-5-21-1935655697-2025429265-839522115-1004\Dh1.exe" file. 
11/5/2007 2:41:21 PM   Joe_1   3452   Sign of "Win32:Auprit [trj]" has been found in "H:\System Volume Information\_restore{BAC570EC-A4E1-41CC-9CF6-BFED2D0AF7D7}\RP246\A0083438.exe" file. 
11/5/2007 3:05:34 PM   Joe_1   3452   Sign of "Win32:Auprit [trj]" has been found in "J:\System Volume Information\_restore{BAC570EC-A4E1-41CC-9CF6-BFED2D0AF7D7}\RP246\A0083436.exe" file. 

Attached is a screenshot of the Virus Chest. Notice the change date is over a year ago.


Thanks
Joe
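
A way to triage report lines like the ones in the post above, as an added example that is not part of the original thread: it parses each line, de-duplicates repeated hits, and separates live files from copies held in System Restore and the Recycle Bin. The line layout is inferred from the six posted lines, and the category names and function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The six report lines from the post above, copied as posted.
SAMPLE_LOG = r'''
11/5/2007 10:27:26 AM   Joe_1   6428   Sign of "Win32:Auprit [trj]" has been found in "H:\My Documents\Backups\Siginet\CreateurAddon.exe" file.
11/5/2007 10:48:59 AM   Joe_1   6428   Sign of "Win32:Auprit [trj]" has been found in "J:\Backups\Siginet\CreateurAddon.exe" file.
11/5/2007 11:01:58 AM   Joe_1   408   Sign of "Win32:Auprit [trj]" has been found in "H:\My Documents\Backups\Siginet\CreateurAddon.exe" file.
11/5/2007 11:02:08 AM   Joe_1   408   Sign of "Win32:Auprit [trj]" has been found in "H:\RECYCLER\S-1-5-21-1935655697-2025429265-839522115-1004\Dh1.exe" file.
11/5/2007 2:41:21 PM   Joe_1   3452   Sign of "Win32:Auprit [trj]" has been found in "H:\System Volume Information\_restore{BAC570EC-A4E1-41CC-9CF6-BFED2D0AF7D7}\RP246\A0083438.exe" file.
11/5/2007 3:05:34 PM   Joe_1   3452   Sign of "Win32:Auprit [trj]" has been found in "J:\System Volume Information\_restore{BAC570EC-A4E1-41CC-9CF6-BFED2D0AF7D7}\RP246\A0083436.exe" file.
'''

# Layout inferred from those lines: timestamp, user, a numeric column whose
# meaning the post does not state, then the signature and the file path.
LINE_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<user>\S+)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)


def classify(path: str) -> str:
    """Label a hit by where the file lives (labels are this example's own)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "system volume information" in parts and any(
        p.startswith("_restore") for p in parts
    ):
        return "system-restore copy"   # Windows XP restore-point store
    if "recycler" in parts:
        return "recycle-bin copy"      # per-user Recycle Bin folder on XP
    return "live file"


def triage(log_text: str) -> dict:
    """Return {signature: {category: sorted unique paths}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the layout are skipped
            hits[m["sig"]][classify(m["path"])].add(m["path"])
    return {s: {c: sorted(p) for c, p in cats.items()} for s, cats in hits.items()}


if __name__ == "__main__":
    for sig, cats in triage(SAMPLE_LOG).items():
        print(sig)
        for cat, paths in sorted(cats.items()):
            print(f"  {cat}: {len(paths)} unique file(s)")
            for p in paths:
                print(f"    {p}")
```
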

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positives
« Reply #1 on: November 05, 2007, 11:12:19 PM »
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits 10 and 15MB each.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
The best things in life are free.

Joe S

  • Guest
Re: False Positives
« Reply #2 on: November 06, 2007, 06:52:58 AM »
Thanks for the help. I tried the 2 sites and Avast is the only one showing up positive. I zipped and emailed off the files. I think they are all related. One is an exe program to make addons to slipstream into windows. I used to use AGV but it locked up my system when it encountered The XP SP2 file, even just running the mouse over the row the file was in. So I know these are not files normally encountered! I found Avast and have been very pleased with it.
Joe

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positives
« Reply #3 on: November 06, 2007, 11:59:08 AM »
> Thanks for the help. I tried the 2 sites and Avast is the only one showing up positive.
> I found Avast and have been very pleased with it.
Indeed seems a false positive. I hope they correct it soon.
Welcome to avast forums.

Joe S

  • Guest
Re: False Positives
« Reply #4 on: November 06, 2007, 09:45:50 PM »
Today's scan turned up one more file related to CreateurAddon that was in the files I sent yesterday. Something else I did notice is that the scan time has increased noticeably since Monday's update. From about 42 min to 1 hour 12 min. This is a Dell dimensions 8200 2G Pent 4 and 1G ram. This file also only showed positive for Avast when checked on Jotti's malware scan. This file had a modified date over a year ago.
Joe
 

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #5 on: November 06, 2007, 09:51:44 PM »
problem with the misdetection should be solved with next VPS hopefully.. ;)

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #6 on: November 06, 2007, 09:53:59 PM »
and about the scan time penalty: i don't know what type of data are you scanning (exe, dll, zip, rar, jpeg, pdf) and how big the tested area is..

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #7 on: November 07, 2007, 12:52:35 PM »
btw: still can't find any file at virus-avast-com.. did you send them from the same e-mail as the one given to your profile at this forums?

Joe S

  • Guest
Re: False Positives
« Reply #8 on: November 08, 2007, 04:09:10 AM »
Max
I believe I did send it from that email address. It didn't bounce back. Would you like me to resend it?
I think the slowdown may be caused by Webroot Spysweeper. When I did this morning's Avast sweep the time was back down to normal with Spysweeper shut down. I'm about sick of it and am ready to ditch it at the end of year when it expires. Got to be a pain with too many problems I went back to version 4.5.9.709.
Joe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: False Positives
« Reply #9 on: November 08, 2007, 02:56:29 PM »
With a resident anti-spyware like spysweeper, it too will be scanning files during boot. When it opens a file to scan it, depending on the file type, avast will intercept that and first scan the file before allowing the other application to open it. This can cause duplication of scanning and greatly increase the boot duration.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #10 on: November 08, 2007, 03:10:37 PM »
ooh.. can you resend the files, pls? we can't find them ???

Joe S

  • Guest
Re: False Positives
« Reply #11 on: November 08, 2007, 09:33:13 PM »
Max I resent the files a while ago.
Thanks
Joe

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #12 on: November 09, 2007, 11:11:47 AM »
i can't help myself, but i can't see any files sent from your e-mail address.. i recently downloaded the current version of CreateurAddOn and we don't mark it as infected... what is your version of CreateurAddOn? it is some autoit stuff, so there's a possibility of FP, but we need the file before we can remove the detection...

Joe S

  • Guest
Re: False Positives
« Reply #13 on: November 09, 2007, 05:11:26 PM »
Max
I think it may be Lycos mail and the password protected file. I just did a test from hotmail and there is a popup about that. I'll try sending it from there hsp15_72  hotmail  com
Thanks for the help and interest.
Joe

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: False Positives
« Reply #14 on: November 09, 2007, 05:18:20 PM »
ook.. i'll tell it to someone from our analysts team ;)