Topic: False Positive Behavioral Quarantine | Detailed Info Provided


Offline JGram

  • Newbie
  • *
  • Posts: 9
False Positive Behavioral Quarantine | Detailed Info Provided
« on: February 23, 2024, 09:13:19 AM »
Reporting a false positive:
2f76cd496950/2024-02-23T07:59:45.453Z
Avast Action Info:
Threat Name: IDP.Generic
File/Process Name: NWXClient-Win64-Shipping.exe
Detected By: Behavior Shield
Status: Moved to Quarantine

Further Information:
This file is related to the newly released game Nightingale. Storage path (for Steam versions) will be in (x86)\Steam\steamapps\common\Nightingale\NWX\Binaries\Win64\
I have had the Steam platform run hash verification on the provided file to ensure this is a legitimate file and matches the file they provide from their repositories.

I have run SHA-256 on my version of the file for your convenience:
Name: NWXClient-Win64-Shipping.exe
Size: 168402432 bytes (160 MiB)
SHA256: 579b5e9796a6d5026c1a921a965c9e1da29aea8a995f52101915678c96f3d566

Regards,
JG

P.S. This is with an installation of Avast Premium Security.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user

Offline JGram

  • Newbie
  • *
  • Posts: 9
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #2 on: February 24, 2024, 12:25:50 AM »
https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Attempted to report the false positive via the report portal from the link; got this response:
Quote
Internal Server Error - Write
The server encountered an internal error or misconfiguration and was unable to complete your request.

Reference #4.492b3417.1708730641.769fdace

So... yeah. I guess do whatever y'all want, that'll teach me to be helpful.
« Last Edit: February 24, 2024, 12:30:54 AM by jgramzinski »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #3 on: February 24, 2024, 01:16:54 AM »
Pondus is not even an Avast User, less that, not an Avast Team member, just someone trying to help you.
Second, I'm an Avast user and not an Avast Team member either.

Presumably this is the link you tried:
Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

I have just tried that link and it was working for me.
See attached screenshot
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JGram

  • Newbie
  • *
  • Posts: 9
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #4 on: February 24, 2024, 02:05:09 AM »
Quote
Pondus is not even an Avast User, less that, not an Avast Team member, just someone trying to help you.
Second, I'm an Avast user and not an Avast Team member either.

Presumably this is the link you tried:
Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

I have just tried that link and it was working for me.
See attached screenshot

EDIT: Yes, I found my dumb. The file is over 50MB, so it cannot be submitted. Still, leaves no path forward. Thanks for the unofficial help.  :)


Yep, that's the link I used. The error I received was after hitting the submit button and going through lots of CAPTCHA (successfully). The page loaded to that error message after submission.

I did appreciate the link, just frustrated that I'm getting errors from the submission portal with no other venues. One would hope that Avast would have some sort of reporting method; by that I mean the flags that say "hey, here's an event ID, send it to our team to help!".

I apologize for coming off as antagonistic. Still, while the form for submission loads, the actual submit errors out.

V/R,
JG
« Last Edit: February 24, 2024, 02:17:54 AM by jgramzinski »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #5 on: February 24, 2024, 03:29:46 AM »
I wasn't aware of an upper limit for submission, though I guess there would be one.  I don't know if it is possible to zip the file to reduce the size or not.  A very long time ago we used to do this to zip the file and also password protect the archive, typically this password was virus.

You could try a submission to https://www.virustotal.com/ this is a multi antivirus scan, I don't know if they too would have a size limit.




Offline JGram

  • Newbie
  • *
  • Posts: 9
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #6 on: February 24, 2024, 03:58:55 AM »
Quote
I wasn't aware of an upper limit for submission, though I guess there would be one.  I don't know if it is possible to zip the file to reduce the size or not.  A very long time ago we used to do this to zip the file and also password protect the archive, typically this password was virus.

You could try a submission to https://www.virustotal.com/ this is a multi antivirus scan, I don't know if they too would have a size limit.

Excellent advice, thank you! I'll see if I can pack it down into something smaller, don't know why I didn't think of that.

As stated in the initial post, I'm 99.5% sure this is a false-positive and is not a malicious file as I've verified the file integrity/hash through Steam (a very popular game distribution platform). Not that it's impossible for it to be bad-actor, but with a known quantity dev that is hosting the live servers (read: money trail / known responsible parties), a few open beta test events, and well clear of 250k sales over a few days on the Steam platform, I'm comfortable in my assumption that it's not malicious.

Edit: I guess my point is I was just trying to pass the info up to the Avast operations team. I've already resolved the issue on my end. Was just trying to pass the info up for their awareness. Anyway, thanks for the help Pondus & DavidR
« Last Edit: February 24, 2024, 04:04:51 AM by jgramzinski »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: False Positive Behavioral Quarantine | Detailed Info Provided
« Reply #7 on: February 24, 2024, 01:27:09 PM »
You're welcome.

Thanks for doing your bit in trying to pass it up the chain.