Topic: Reprise of false positive from 2004 WinRAR/Default.SFX

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Reprise of false positive from 2004 WinRAR/Default.SFX
« on: May 10, 2008, 07:16:01 AM »
Back in 2004 avast incorrectly detected Default.SFX of WinRAR as infected.

In my scan tonight avast reported Default.SFX of WinRAR as infected (Win32: Trojan-gen (Other)) with VPS 080509-0.

My version of this file precedes the 2004 date and was not detected as an error in my last scan a week ago. I just extracted the file from last month's backup and avast is now reporting that copy infected as well. Looks like the same false positive has come back.

In the online scanners only eSafe reports the file as "Suspicious".  Everything else reports it clean. 

Do you need the file?       

Offline psw

  • Sr. Member
  • ****
  • Posts: 286
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #1 on: May 10, 2008, 12:31:51 PM »
What is your RAR version? I checked with the same VPS 080509 WinRar 3.71 - no problems, no FP.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11754
    • AVAST Software
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #2 on: May 10, 2008, 12:34:49 PM »
I think I know what's the problem... I'll let some people know to do something about it.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #3 on: May 12, 2008, 04:26:51 AM »
Fixed with VPS 080511-0.

Thanks Igor.

Offline DaveParsons

  • Newbie
  • *
  • Posts: 3
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #4 on: June 05, 2008, 03:54:12 PM »
Just started getting this today on my PC creating SFX Winrar files. I double checked with 2 other virus checkers and did not get a result from them. VPS is 0806-5-0.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11754
    • AVAST Software
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #5 on: June 05, 2008, 04:27:00 PM »
What build of avast! (not VPS) do you have?
Can you please pack one of those files into a password-protected ZIP or RAR and send it to virus@avast.com?
Thanks!

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9343
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #6 on: June 05, 2008, 05:46:12 PM »
Erm, considering all the FP issues with WinRAR, shouldn't you guys include these (and update/add them regularly) in the clean set so they're tested before VPS release? This is happening way too often now...
Visit my webpage Angry Sheep Blog

Offline Chads

  • Newbie
  • *
  • Posts: 1
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #7 on: June 05, 2008, 06:12:02 PM »
I had two false positives yesterday for the first time: Poker setup.exe and one for a C application I had linked?! No idea what caused the second one, it was only some OpenGL code... maybe the DLL link had a common signature... Maybe one day every signature will say everything is a virus, there will be no filtering?! :-\

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11754
    • AVAST Software
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #8 on: June 05, 2008, 06:30:20 PM »
Erm, considering all the FP issues with WinRAR, shouldn't you guys include these (and update/add them regularly) in the clean set so they're tested before VPS release? This is happening way too often now...

Now? It hasn't happened for quite a long time already, except for the one for alanrf, which was actually caused by changes in UPX unpacker.
And yes, there's a huge amount of WinRARs on our clean set - all we could find. Of course, we'd be interested in any other...


DaveParsons: What WinRAR version exactly is that?
Also, what malware was reported there?

Chads: as I said previously - can you please pack the files into a password-protected ZIP or RAR and send them to virus@avast.com, with "False alarm" in subject and the password mentioned in the e-mail body?
Thanks.
(What malware was reported in your files?)
« Last Edit: June 05, 2008, 06:32:56 PM by igor »

Offline DaveParsons

  • Newbie
  • *
  • Posts: 3
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #9 on: June 06, 2008, 03:04:30 PM »
Hi

I'm not at my machine right now to give you details. Will be later today or tomorrow. Sorry for the delay, away on business.

Dave

Offline DaveParsons

  • Newbie
  • *
  • Posts: 3
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #10 on: June 06, 2008, 05:54:54 PM »
Build of Avast is 4.8.1201.
Build of Winrar is 3.70
Detection is Win32:Trojan-gen {other}

I have sent a copy of a test executable to the email address.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #11 on: June 06, 2008, 09:47:24 PM »
I have sent a copy of a test executable to the email address.
Thanks for helping to correct this false detection.
The best things in life are free.

Offline misak

  • Avast team
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Reprise of false positive from 2004 WinRAR/Default.SFX
« Reply #12 on: June 07, 2008, 12:46:17 AM »
Thank you for your cooperation. The false positive will be solved in a few hours in the next VPS update, 080607-0.