Author Topic: Infuriating false positives  (Read 4777 times)


privateofcourse

  • Guest
Infuriating false positives
« on: October 14, 2008, 01:24:26 PM »
I have a number of legitimate tools on my system for home admin password recovery etc. ... Nirsoft and Sysinternals are just a few respectable names. And every time I stupidly move them from one location to another Avast annoys the heck out of me by flagging up an infection as there is no sensible whitelisting feature. Is there any way to permanently flag the file as safe based on say a checksum or something like it? That way it won't matter where the tools are located on my PC and Avast can ignore them.

Thanks

--oops

Forgot to mention: Using Avast 4.8.1229 HE
« Last Edit: February 15, 2010, 09:59:03 PM by Privateofcourse »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89053
  • No support PMs thanks
Re: Infuriating false positives
« Reply #1 on: October 14, 2008, 02:34:03 PM »
The problem with such tools is avast doesn't know if they are used for good or evil.

As for no sensible way of white listing, what have you tried?

The use of the * wildcard should get round your movement to a different folder, e.g. c:\*\suspect_file_name.exe, etc. so that is good for any folder on the c:\ drive for whatever the tool's file name is.

That would need to be entered in the standard shield and program settings, exclusions to cover on-access and on-demand scans.

You could go through the process of confirming at virustotal that it is a false detection (but I suspect others may also flag the tool/s) and reporting it to avast so the signature can be updated assuming they accept it isn't malicious, etc.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Infuriating false positives
« Reply #2 on: October 14, 2008, 03:26:21 PM »
Quote
There is no sensible whitelisting feature. Is there any way to permanently flag the file as safe based on say a checksum or something like it?

They should correct the detection into the virus signature database. If you submit the files to virus (at) avast (dot) com you'll help improve detection and accuracy.

You can use the Exclusion lists but there isn't a MD5/CRC check (or white list). It will take much more resources (to acquire and compare) than the scanning itself.
The best things in life are free.

privateofcourse

  • Guest
Re: Infuriating false positives
« Reply #3 on: October 14, 2008, 03:31:30 PM »
Hi,

Thanks for your reply. Yes, I am aware of the current system of whitelisting, which requires a double entry process. I think a configurable whitelist for all would be much better than the current system.

Also, as far as I can see, you cannot flag a file as safe when it is detected as a threat by Avast. So when all the sirens and lights go off to warn you that you have a possibly dodgy file, you cannot click a button "Whitelist this file" or "Known Safe File" for example. This of course means that when you click on 'do nothing' the file is locked and you cannot move it anywhere until it is whitelisted under both on-access and on-demand scans. And I find that this is annoying.

BTW: I'm definitely not moaning about the Avast product overall, not at all. I think it is a fantastic product with very useful features that many other AV software packages haven't even thought of, let alone give away generously in their free versions. No, I rate the product very highly, it's just this particular feature that bugs me.

Also, let's assume that I'm using the * wildcard and use it like in your example:

Quote
e.g. c:\*\suspect_file_name.exe, etc. so that is good for any folder on the c:\ drive for whatever the tool's file name is.

Does avast then recognise the file by its filename or some other means? Does avast tag that file at all? What I mean is, if a file of the same name were somehow to appear in another folder on my box and that particular file WAS infected, would avast ignore it because it whitelists the name and not the file?

Thanks,
« Last Edit: February 15, 2010, 09:58:49 PM by Privateofcourse »

privateofcourse

  • Guest
Re: Infuriating false positives
« Reply #4 on: October 14, 2008, 03:33:02 PM »
Quote
There is no sensible whitelisting feature. Is there any way to permanently flag the file as safe based on say a checksum or something like it?

They should correct the detection into the virus signature database. If you submit the files to virus (at) avast (dot) com you'll help improve detection and accuracy.

You can use the Exclusion lists but there isn't a MD5/CRC check (or white list). It will take much more resources (to acquire and compare) than the scanning itself.


That's what I thought. Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Infuriating false positives
« Reply #5 on: October 14, 2008, 03:56:22 PM »
Quote
You cannot flag a file as safe when it is detected as a threat by Avast. So when all the sirens and lights go off to warn you that you have a possibly dodgy file, you cannot click a button "Whitelist this file" or "Known Safe File" for example.
Maybe in next version. There will be a beta phase probably starting next week.
I'm not sure you will be able to manage the exclusion list from there (could be dangerous for common users allowing what they shouldn't) or it will be just a submission process dedicated to false positives.

Quote
Does avast then recognise the file by its filename or some other means?
File name and path (short 8.3 and full paths).

Quote
Does avast tag that file at all? What I mean is, if a file of the same name were somehow to appear in another folder on my box and that particular file WAS infected, would avast ignore it because it whitelists the name and not the file?
If you use the file name, wherever it's located it will be excluded from scanning.
The best things in life are free.

privateofcourse

  • Guest
Re: Infuriating false positives
« Reply #6 on: October 14, 2008, 04:18:10 PM »
Quote
Does avast tag that file at all? What I mean is, if a file of the same name were somehow to appear in another folder on my box and that particular file WAS infected, would avast ignore it because it whitelists the name and not the file?

If you use the file name, wherever it's located it will be excluded from scanning.

Somehow I thought that would be the case. So then, it might not be a very good idea to whitelist/exclude a file based only on its filename (using a wildcard IOW) rather than specifically filename and location. Okay, not a massive vulnerability, but it could nonetheless mean that a file of the same name could exist anywhere on the PC and get ignored even if it happened to be infected.

Thanks for your help
« Last Edit: February 15, 2010, 10:03:06 PM by Privateofcourse »
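The point made in the last two posts, that a wildcard exclusion such as c:\*\suspect_file_name.exe keys on the name and location rather than on the file itself, whereas a checksum-based whitelist would key on the exact bytes, can be shown with a small model. The following Python is an added illustration written for this thread; it is not avast code, and it does not reproduce how avast's engine matches exclusions (for example it ignores the short 8.3 path forms Lisandro mentions). The pattern, file names and file contents are all constructed for the example; the "tool" and "impostor" are just byte strings standing in for executables.

```python
"""Name/path-based exclusion vs. hash-based allowlist (constructed example).

Models the two approaches discussed in the thread: a wildcard path exclusion
in the style of c:\\*\\suspect_file_name.exe, and an allowlist keyed on a
SHA-256 of the file contents. Not avast's implementation.
"""
import fnmatch
import hashlib
from pathlib import PureWindowsPath

# Constructed wildcard exclusion, same shape as the thread's example pattern.
NAME_EXCLUSIONS = [r"c:\*\pwrecover.exe"]

# Constructed stand-ins for file contents (real tools would be PE binaries).
LEGIT_TOOL = b"MZ\x90\x00 constructed legitimate password-recovery tool v1"
IMPOSTOR = b"MZ\x90\x00 constructed unrelated file that reuses the same name"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents; this is what a checksum whitelist would store."""
    return hashlib.sha256(data).hexdigest()


# Hash allowlist: only the exact approved bytes are on it.
HASH_ALLOWLIST = {sha256_hex(LEGIT_TOOL)}


def excluded_by_name(path: str, patterns=NAME_EXCLUSIONS) -> bool:
    """True if a wildcard exclusion matches the case-folded Windows path.

    fnmatch's '*' also matches backslashes, so c:\\*\\x.exe covers a file of
    that name at any folder depth under C:, which is the behaviour the thread
    describes for the wildcard exclusion.
    """
    norm = str(PureWindowsPath(path)).lower()
    return any(fnmatch.fnmatchcase(norm, pat.lower()) for pat in patterns)


def allowed_by_hash(data: bytes, allowlist=HASH_ALLOWLIST) -> bool:
    """True only if the contents hash to a value that was explicitly approved."""
    return sha256_hex(data) in allowlist


def decide(path: str, data: bytes) -> dict:
    """Evaluate one file under both schemes."""
    return {
        "name_excluded": excluded_by_name(path),
        "hash_allowed": allowed_by_hash(data),
    }


def demo() -> dict:
    """Four constructed cases: the tool in place, the tool moved, an impostor
    with the same name in another folder, and the tool under another name."""
    cases = {
        "legit_in_tools": (r"C:\Tools\pwrecover.exe", LEGIT_TOOL),
        "legit_moved": (r"C:\Users\me\Desktop\pwrecover.exe", LEGIT_TOOL),
        "impostor_same_name": (r"C:\Temp\pwrecover.exe", IMPOSTOR),
        "legit_renamed": (r"C:\Tools\other.exe", LEGIT_TOOL),
    }
    return {name: decide(path, data) for name, (path, data) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

Running it shows the trade-off: the name-based exclusion keeps matching the tool after it is moved (the convenience the original poster wanted), but it equally matches the impostor placed anywhere under C: with that name, while the hash allowlist accepts only the approved contents regardless of name or folder and rejects the impostor. Lisandro's cost remark also shows up here: the hash check has to read and hash every file it evaluates, whereas the name check only looks at the path string.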

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Infuriating false positives
« Reply #7 on: October 15, 2008, 04:28:19 AM »
Quote
Thanks for your help,
You're welcome. Feel free to come back any time you need help or just to change experiences 8)
The best things in life are free.