Author Topic: Possible False positive, or actual malware/dangerous file?  (Read 3571 times)


Offline Maz3

  • Newbie
  • *
  • Posts: 5
Possible False positive, or actual malware/dangerous file?
« on: July 16, 2023, 12:13:48 AM »
As the title says, I boot up my PC and it flags a system32 file with potential danger; I forget if it said malware or not.
The file is in my drivers\iqvw64e.sys and Avast has blocked the driver.

Now, being a tech IDIOT, I instantly turn to panic mode and run a virus scan, as well as Malwarebytes, to find out. However, the scan then reveals no viruses or malware found, and Malwarebytes also doesn't find anything.

How likely is it that I have found a false positive, or two, rather than a pair of false negatives?
Just out of curiosity I have done what others may suggest and uploaded the file to Virustotal, and it has a flag on it, by something/one called Elastic, so I have no idea what to do. Should I report it to Avast?

EDIT: Oh and also here is the link to the virustotal analysis: https://www.virustotal.com/gui/file/4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b?nocache=1
« Last Edit: July 16, 2023, 12:17:10 AM by Maz3 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Possible False positive, or actual malware/dangerous file?
« Reply #1 on: July 16, 2023, 12:29:28 AM »
Quote
Should I report it to Avast?
Yes

According to virustotal it is an old file

Creation Time   
2013-11-14 15:22:43 UTC
First Seen In The Wild   
2013-04-04 20:51:50 UTC
First Submission   
2014-04-01 19:06:08 UTC

Last Submission   
2023-07-15 21:58:43 UTC
Last Analysis   
2023-07-15 22:12:00 UTC

How to report to the Avast lab, see here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438




Offline Maz3

  • Newbie
  • *
  • Posts: 5
Re: Possible False positive, or actual malware/dangerous file?
« Reply #2 on: July 16, 2023, 12:32:14 AM »
Quote
Should I report it to Avast?
Yes

According to virustotal it is an old file

Creation Time   
2013-11-14 15:22:43 UTC
First Seen In The Wild   
2013-04-04 20:51:50 UTC
First Submission   
2014-04-01 19:06:08 UTC

Last Submission   
2023-07-15 21:58:43 UTC
Last Analysis   
2023-07-15 22:12:00 UTC

How to report to the Avast lab, see here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Okay I've uploaded it to them via their "report malicious file" section.
What should I do in the meantime, should I quarantine that file or should I let avast keep blocking it automatically?
Will it ever stop doing so/if it does would it be vulnerable again?

EDIT: I have also uploaded it to their false positive section, just in case.
« Last Edit: July 16, 2023, 12:36:44 AM by Maz3 »

Offline New_Style_xd

  • Sr. Member
  • ****
  • Posts: 397
Re: Possible False positive, or actual malware/dangerous file?
« Reply #3 on: July 16, 2023, 12:50:50 AM »
Quote
Should I report it to Avast?
Yes

According to virustotal it is an old file

Creation Time   
2013-11-14 15:22:43 UTC
First Seen In The Wild   
2013-04-04 20:51:50 UTC
First Submission   
2014-04-01 19:06:08 UTC

Last Submission   
2023-07-15 21:58:43 UTC
Last Analysis   
2023-07-15 22:12:00 UTC

How to report to the Avast lab, see here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Okay I've uploaded it to them via their "report malicious file" section.
What should I do in the meantime, should I quarantine that file or should I let avast keep blocking it automatically?
Will it ever stop doing so/if it does would it be vulnerable again?

EDIT: I have also uploaded it to their false positive section, just in case.
Remember to post the result of what Avast informs you here in the community.
I'm curious about what goes on about it.
OS: Windows 10 PRO / Intel(R) Core(TM) i7-6500U CPU 2.60 GHz.
Real Time: Avast Premium Security: 24.2.6104 (build 24.2.8904.819) UI: 1.0.799
Mobile: Avast Security: 24.3.0-1004091
VPN: Avast SecureLine VPN: 5.29.9498
On Demand: Malwarebytes: 4.6.9.314

Offline Maz3

  • Newbie
  • *
  • Posts: 5
Re: Possible False positive, or actual malware/dangerous file?
« Reply #4 on: July 16, 2023, 01:04:03 AM »
Remember to post the result of what Avast informs you here in the community.
I'm curious about what goes on about it.
I will do.
I think it's probably because my Win10 got stuck on its last update and it's just a file that either never got updated, or I am vulnerable to its lack of protection.

Either that or I just got "lucky" and I was the one who got flagged first.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88997
  • No support PMs thanks
Re: Possible False positive, or actual malware/dangerous file?
« Reply #5 on: July 16, 2023, 01:58:56 AM »
Quote from: Maz3
I boot up my PC and it flags a system32 file with potential danger, I forget if it said malware or not.

When the dark brown stuff hits the fan it is hard to be rational.  So whilst Avast has alerted, it is also preventing it being run.

So taking a screenshot of the Avast Alert window with the Details option enabled gives us valuable information.  Notably the exact wording of the alert 'potential danger' sounds a little iffy for an alert :)

There have been some drivers recently being flagged as at risk of exploit, so given the limited information this may be something like that.
A google search on this file returns a lot of hits - https://www.google.co.uk/search?q=iQVW64.SYS

This is just one of those hits - saying it could be a vulnerable Intel Driver - https://www.reddit.com/r/sysadmin/comments/xx3oya/22h2_vulnerable_intel_nic_driver_iqvw64esys/

See attached image on how to attach an image to a post.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Maz3

  • Newbie
  • *
  • Posts: 5
Re: Possible False positive, or actual malware/dangerous file?
« Reply #6 on: July 16, 2023, 08:41:03 AM »
Quote from: Maz3
I boot up my PC and it flags a system32 file with potential danger, I forget if it said malware or not.

When the dark brown stuff hits the fan it is hard to be rational.  So whilst Avast has alerted, it is also preventing it being run.

So taking a screenshot of the Avast Alert window with the Details option enabled gives us valuable information.  Notably the exact wording of the alert 'potential danger' sounds a little iffy for an alert :)

There have been some drivers recently being flagged as at risk of exploit, so given the limited information this may be something like that.
A google search on this file returns a lot of hits - https://www.google.co.uk/search?q=iQVW64.SYS

This is just one of those hits - saying it could be a vulnerable Intel Driver - https://www.reddit.com/r/sysadmin/comments/xx3oya/22h2_vulnerable_intel_nic_driver_iqvw64esys/

See attached image on how to attach an image to a post.
So it seems to be detecting a vulnerable driver.
So this all might have something to do with my windows 10 having been unable to actually get to the 22H2 update.
In the meantime I'll try finding a way to do that which doesn't nuke my PC and see if that fixes the issue.

EDIT: So, after updating windows it's definitely not solved the issue.
EDIT 2: Okay so I have also updated my Intel Network Connections Drivers to see if that is what it is. Only time, and waiting for Avast to get back to me, will tell.
« Last Edit: July 16, 2023, 10:09:51 AM by Maz3 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88997
  • No support PMs thanks
Re: Possible False positive, or actual malware/dangerous file?
« Reply #7 on: July 16, 2023, 10:41:28 AM »
That looks to be the case.

It isn't only Avast that would be involved in this, as the Operating System is also checking for vulnerable drivers.

Hopefully updating the vulnerable Intel driver does the trick.

I'm not sure; given the results found about this driver being vulnerable, I wouldn't think it is a false positive as such.  Also it isn't a virus/malware as such, but a vulnerability that could be exploited by malware, giving it privileges it wouldn't ordinarily be able to use.
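A defender-side triage script for the driver discussed in this thread, added here as an example and not taken from the thread, from Avast or from Intel: it hashes the local file to compare against the VirusTotal sample linked in the first post, records version and Authenticode signature, checks whether the driver is registered as a kernel service, and reads the Microsoft vulnerable-driver blocklist setting. The registry value name is taken from Microsoft's blocklist documentation and is an assumption for your particular build.

```powershell
# Added triage example (not from the thread). Run in an elevated PowerShell.
# The hash is the SHA-256 from the VirusTotal link in the original post.
$driverPath   = Join-Path $env:SystemRoot 'System32\drivers\iqvw64e.sys'
$reportedHash = '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b'

if (-not (Test-Path -Path $driverPath)) {
    Write-Output "Driver not present at $driverPath"
    return
}

$file = Get-Item -Path $driverPath
$hash = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash.ToLower()
$sig  = Get-AuthenticodeSignature -FilePath $driverPath

# Facts worth pasting into a vendor report: version, timestamps, hash, signer.
[pscustomobject]@{
    Path            = $driverPath
    FileVersion     = $file.VersionInfo.FileVersion
    ProductVersion  = $file.VersionInfo.ProductVersion
    Company         = $file.VersionInfo.CompanyName
    LastWriteUtc    = $file.LastWriteTimeUtc
    SHA256          = $hash
    MatchesVTSample = ($hash -eq $reportedHash)   # same bytes as the VT sample?
    SignatureStatus = $sig.Status                  # Valid / NotSigned / HashMismatch ...
    Signer          = $sig.SignerCertificate.Subject
}

# Is the driver registered as a kernel service, and is it currently running?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*iqvw64e.sys*' } |
    Select-Object Name, State, StartMode, PathName

# Is Microsoft's vulnerable-driver blocklist switched on? (value name per Microsoft
# docs; assumption: present on Windows 10/11 builds that ship the feature)
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$bl = Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
if ($null -eq $bl) {
    Write-Output 'VulnerableDriverBlocklistEnable not set (feature absent or at default)'
} else {
    Write-Output "VulnerableDriverBlocklistEnable = $($bl.VulnerableDriverBlocklistEnable)"
}
```

A MatchesVTSample of True tells you the vendor already has this exact file; a newer FileVersion after the Intel driver update, as in reply #6, is what you would expect to stop the alert.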

Offline Maz3

  • Newbie
  • *
  • Posts: 5
Re: Possible False positive, or actual malware/dangerous file?
« Reply #8 on: July 16, 2023, 10:53:11 AM »
That looks to be the case.

It isn't only Avast that would be involved in this, as the Operating System is also checking for vulnerable drivers.

Hopefully updating the vulnerable Intel driver does the trick.

I'm not sure; given the results found about this driver being vulnerable, I wouldn't think it is a false positive as such.  Also it isn't a virus/malware as such, but a vulnerability that could be exploited by malware, giving it privileges it wouldn't ordinarily be able to use.
Well, after a quick reboot to find out if that has fixed it, Avast hasn't opened/alerted on start-up like it has been doing before.
So I can tentatively say that the solution may have been found and applied.
So I can only imagine that this specific driver is no longer vulnerable. Either that or Avast isn't telling me, lol.

Thank you for pointing me in the right direction, and thank you to everyone else who have helped me along the way!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88997
  • No support PMs thanks
Re: Possible False positive, or actual malware/dangerous file?
« Reply #9 on: July 16, 2023, 01:16:16 PM »
You're welcome.

Yes, it looks like updating the vulnerable driver has done the trick.