Topic: DISreboot.exe found to be adware - false positive?

lakrsrool
DISreboot.exe found to be adware - false positive?
« on: September 01, 2008, 09:32:31 PM »
What would appear to be "false positive" - DISreboot.exe is found to be considered "Adware" by Avast on my last on demand scan.

Found Adware by Avast: c:\Program Files\Symantec\LiveUpdate\DISreboot.exe

VirusTotal.com results:
File DISreboot.exe received on 08.28.2008 00:21:04 (CET)
Current status: finished

Result: 7/36 (19.44%)


Jotti's malware scan results:
Two out of twenty scans found the file to be malware. The two scanning programs that found the file were Avast and VBA32.

Result: 2/20 (10.00%)


I did what was recommended and moved the file to the "chest" but in order to run a test on the file using VirusTotal & Jotti I had to restore the file back from the chest.

It would look to me like a "false positive" based on the results and where the file is located.

I am inclined to leave the file alone and ignore the Avast recommendation now that I have restored the file.

Please advise... thank you.  ???
Processor: i3 2.53 GHz 4 GIG RAM, OS: WIN 7, Connection: High Speed, Virus/Malware Protection: Avast-2015, SpywareBlaster, Windows Firewall & Defender. Email: Outlook 2010 w/ POP Peeper Email Notifiers.

lakrsrool
Re: DISreboot.exe found to be adware - false positive?
« Reply #1 on: September 01, 2008, 10:33:30 PM »
At this point I have restored the file from the virus chest and added the file to the exclusions list for scans and emailed the zipped file w/ password to Alwil for verification.

Please advise if I have done anything wrong or should do anything in addition or differently than I have done.

thank you.

wyrmrider

  • Guest
Re: DISreboot.exe found to be adware - false positive?
« Reply #2 on: September 01, 2008, 11:06:26 PM »
what makes you think that this is a false positive?

Panda active scan tags it
Virus:W32/Parite.B Disinfected C:\Program Files\Symantec\LiveUpdate\DISreboot.exe

Kaspersky tags it
C:\Program Files\Symantec\LiveUpdate\DISreboot.exe Infected: not-a-virus:AdWare.Win32.Alibabar.t 1

ComboFix deletes
C:\Program Files\Symantec\LiveUpdate\DISreboot.exe

perhaps submit it to Avast
virus at avast.com

did we not just have another thread with this one?

worm W32/Rbot-AQA also attempts to copy the virus W32/Parite-B into memory so that it can infect files

lakrsrool
Re: DISreboot.exe found to be adware - false positive?
« Reply #3 on: September 01, 2008, 11:12:13 PM »
Okay I'll take it out of the exclusions list and move to chest again.

Lisandro

  • Avast team
Re: DISreboot.exe found to be adware - false positive?
« Reply #4 on: September 01, 2008, 11:49:12 PM »
Do you have Symantec products on your computer?
The Parite virus is not common among the false positives... nowadays, avast detection rates are higher than the 'big' ones many times...
The best things in life are free.

DavidR
Re: DISreboot.exe found to be adware - false positive?
« Reply #5 on: September 02, 2008, 12:28:39 AM »
If you do a forum search for the file name I'm sure this has been covered recently in another topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.10.6086 (build 23.10.8563.800) UI 1.0.784/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

lakrsrool
Re: DISreboot.exe found to be adware - false positive?
« Reply #6 on: September 02, 2008, 02:23:54 AM »
> Do you have Symantec products on your computer?
> The Parite virus is not common among the false positives... nowadays, avast detection rates are higher than the 'big' ones many times...

Yes... thanks

I might as well address the other posts on this topic...

> what makes you think that this is a false positive?

for the following reasons:

1. VirusTotal scan had 80.66% of the virus scans consider the file to NOT be adware.

2. Jotti scan had 90% of the virus scans consider the file to NOT be adware.

3. I do have Symantec Live Update which is where the file is located.

4. The file that Avast considered Adware had a creation date of 6/16/04 which would make me think that the file has been on my system for some time and is a date that would make sense when I installed the Symantec program.

5. I have had Avast protection prior to the 6/16/04 creation date of the file. If the file is really "adware" how did it get there past Avast in the first place? 

6. Avast has not found this file to be "adware" in the past even though it would appear to have been on my system for years.

7. Historically for me Avast has had a 75% rate of finding "false positives".

8. I have had other program files that have been "false positives" that were functions of software I have on my computer i.e. Balloontip.pyd was a function of Clamwin and also had a PDF file that was considered a "virus" both of which I had been excluding on scans and then later removed from the exclusions file which Avast then no longer found them to be malware or viruses.

9. Assuming this file has been on my system prior to this it has never been found to be adware up until now and I make very few changes or updates or new installs because my computer is so old and has such limited resources.

10. Adware is "spyware" which is relatively new to Avast scanning.

But just to be safe as you suggest I have moved the file back to the chest as a precaution.

> perhaps submit it to Avast
> virus at avast.com

Thanks... I did... as I had posted (see below).

> At this point I have restored the file from the virus chest and added the file to the exclusions list for scans and emailed the zipped file w/ password to Alwil for verification....


> If you do a forum search for the file name I'm sure this has been covered recently in another topic.

Thanks David... I did not find it on recent pages but have now done a search including the name of the adware file and found nothing other than my post.
« Last Edit: September 02, 2008, 02:34:40 AM by lakrsrool »

lakrsrool
Re: DISreboot.exe found to be adware - false positive?
« Reply #7 on: September 02, 2008, 02:44:05 AM »
In the past on other "false positive" i.e. Balloontip.pyd which I had emailed to Alwil like I did with this file I never did get a reply...

Does Alwil reply to emails sent about possible "false positives"...

As it is it was just a matter of taking the Balloontip.pyd out of the exclusions and then putting it back in until eventually it was not considered a virus or malware on scans.

In this case I have moved the file to the virus chest where it will remain.

I really need to know if this file is really "malware" because it is in the chest.

Is there any way to find out when Alwil will change and take "false positives" out of the virus signature file so that it can be removed from the exclusions list or in this case restored from the chest?

DavidR
Re: DISreboot.exe found to be adware - false positive?
« Reply #8 on: September 02, 2008, 03:01:20 AM »
Well strangely enough I did a search in the 'viruses and worms' forum and found two hits.

This being the most recent http://forum.avast.com/index.php?topic=38324.0.

You don't normally get a reply unless they need more information. Periodically scan the copy in the chest (won't work in original location if you have excluded it) and when it is no longer detected you can remove the exclusion.

lakrsrool
Re: DISreboot.exe found to be adware - false positive?
« Reply #9 on: September 02, 2008, 03:16:15 AM »
> Well strangely enough I did a search in the 'viruses and worms' forum and found two hits.
>
> This being the most recent http://forum.avast.com/index.php?topic=38324.0.
>
> You don't normally get a reply unless they need more information. Periodically scan the copy in the chest (won't work in original location if you have excluded it) and when it is no longer detected you can remove the exclusion.


I guess my search problem was because I was searching in "Avast! support forums"... I assumed it would search the tree structure of files.

As far as scanning the chest is concerned how do you scan the chest?... the files are renamed to numbers?

Do you use the context menu scan? (right click on each file in the chest)?

Thanks for the link, I'll check it out.  :)

PapaSmurf

  • Guest
Re: DISreboot.exe found to be adware - false positive?
« Reply #10 on: September 02, 2008, 05:07:12 AM »
This topic also seems to be discussed here: http://forum.avast.com/index.php?topic=38324.0

and here: http://forum.avast.com/index.php?topic=38365.0

Just trying to help lakrsrool, but it looks as though you have a bit more experience in this realm than me.  ;)


tuttle

  • Guest
Re: DISreboot.exe found to be adware - false positive?
« Reply #11 on: September 02, 2008, 02:32:52 PM »
> Does Alwil reply to emails sent about possible "false positives"...

No. I sent in details of a false positive, as suggested by a long-time forum member. I did not receive a reply.

DavidR
Re: DISreboot.exe found to be adware - false positive?
« Reply #12 on: September 02, 2008, 04:08:30 PM »
<snip>
> As far as scanning the chest is concerned how do you scan the chest?... the files are renamed to numbers?
>
> Do you use the context menu scan? (right click on each file in the chest)?

Because it is a protected location you can't scan from outside, as you have found in explorer all you will see are file names generated by avast and the files are also encrypted. So you have to first open the chest, locate the file (it will be in the Infected Files section if detected by avast or User Files if you added it manually) and right click on it and select scan.

Or highlight the file and use the menu at the top of the window, File, then Scan, this is much slower as having selected the file, right click is very quick.