Author Topic: SOLVED - 1290 False Positive - Root-Kit  (Read 16923 times)


Styx

  • Guest
SOLVED - 1290 False Positive - Root-Kit
« on: November 19, 2008, 10:50:40 AM »
This was not an issue prior to 1282 and I could not run 1282 anyway. With 1290 every time I
reboot Avast finds (after a few minutes) a root-kit which is really a file in C:\ which is part of
an anti-theft system I need to keep. I select IGNORE and DO NOT SHOW AGAIN yet it finds
it every time. I have added the file in Avast to IGNORE in every place I could find with no luck.

Vista Home Premium x86 (32 bit) SP1

Any way to make Avast actually ignore this file?
« Last Edit: November 20, 2008, 01:52:05 AM by Styx »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: 1290 False Positive - Root-Kit
« Reply #1 on: November 19, 2008, 11:05:19 AM »
Normally the file needs to be added to the "exclusions" list (R.Click tray icon>Program settings>Exclusions.)
I'm really not sure if adding it to the exclusions list will also exclude it from the antirootkit module (which runs its scan some minutes, 8 I think, after computer start), but it says it affects all parts of Avast, except for the resident protection.
Be interesting to confirm this.
Windows 10,Windows Firewall,Firefox w/Adblock.

Styx
Re: 1290 False Positive - Root-Kit
« Reply #2 on: November 19, 2008, 11:07:21 AM »
I already had it there to no avail. Any other places?

Where is the IGNORE - DON'T SHOW ME THIS AGAIN setting kept? It either is not
being set or is ignored.
« Last Edit: November 19, 2008, 11:08:57 AM by Styx »

Offline Tarq57
Re: 1290 False Positive - Root-Kit
« Reply #3 on: November 19, 2008, 11:26:27 AM »
The only other way I know of that might work - and maybe you've already tried it - is to ring up the "provider settings" by left clicking the tray icon, select Standard Shield> Customise, Advanced, and add the folder the file is in to the list of areas that won't be scanned.
[EDIT] PS, another way would be to actually disable the rootkit scan. Program settings > Troubleshooting.
« Last Edit: November 19, 2008, 11:28:55 AM by Tarq57 »

Styx
Re: 1290 False Positive - Root-Kit
« Reply #4 on: November 19, 2008, 11:28:36 AM »
Yep, it's already there too? :-[

Oh, it is actually in the C:\ root, so I have it as C:\filename.exe
« Last Edit: November 19, 2008, 11:31:44 AM by Styx »

Offline Tarq57
Re: 1290 False Positive - Root-Kit
« Reply #5 on: November 19, 2008, 11:29:42 AM »
See edit above. Not the most desirable state of affairs, however.

Styx
Re: 1290 False Positive - Root-Kit
« Reply #6 on: November 19, 2008, 11:35:59 AM »
Yes, I was hoping to be able to avoid disabling the root scan.

Any ideas where the Ignore - Don't show this again check is kept?
Since it asks when the notification pops up, it has to be, or is supposed
to be, kept as an entry somewhere?

Offline Tarq57
Re: 1290 False Positive - Root-Kit
« Reply #7 on: November 19, 2008, 11:46:04 AM »
No, I don't know. Not sure if it even exists for some types of detection.  :-[

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: 1290 False Positive - Root-Kit
« Reply #8 on: November 19, 2008, 11:55:24 AM »
Please see this thread - the standard exclusion lists do not work with the anti-rootkit function.

Please see Tech's notes on the avast4.ini file for the way to exclude a file from the antirootkit scan.

Also see an example here.
« Last Edit: November 19, 2008, 11:58:10 AM by alanrf »

Styx
Re: 1290 False Positive - Root-Kit
« Reply #9 on: November 19, 2008, 11:56:37 AM »
Well, I figure the setting is supposed to be kept somewhere. If not, why does it have an
IGNORE and DON'T ASK ME THIS AGAIN box?

Thanks for your help, maybe someone else knows.

I will check the other thread too.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: 1290 False Positive - Root-Kit
« Reply #10 on: November 19, 2008, 11:59:21 AM »
Rootkit scan is performed 8 minutes after boot.
If you add the file to both avast exclusion lists, Standard Shield and on-demand scanning, it shouldn't warn you again.
Does the file have an 8+3 character name?
The best things in life are free.
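The advice above (put the file in both exclusion lists, and the question about the 8+3 name) comes down to one thing: the path string the scanner reports has to match the path string you typed. Windows gives one file several spellings (drive-letter path, the `\??\` object-manager prefix, the `\Device\HarddiskVolumeN\` form that kernel-side code sees, any mix of upper and lower case), and an exclusion written in one spelling is easy to miss in another. The following Python checker is an added example for this thread, not Avast's code and not a claim about how its exclusion matcher works; the volume-to-drive mapping, the sample paths and the `*`/`?` wildcard semantics are constructed assumptions for the demo.

```python
"""Check whether an exclusion entry covers every spelling of a detected path.

Added example for illustration; it is not Avast's matcher. The
VOLUME_MAP, the sample paths and the wildcard rules are constructed for
this demo and are assumptions, not facts about any product.
"""
import fnmatch
import re

# Assumed mapping of NT volume device names to drive letters (constructed
# for the demo; on a real machine it comes from `mountvol` / QueryDosDevice).
VOLUME_MAP = {
    r"\Device\HarddiskVolume1": "C:",
    r"\Device\HarddiskVolume2": "D:",
}

# Object-manager prefixes "\??\" and "\\?\" that user-mode APIs may prepend.
_NT_PREFIX = re.compile(r"^\\(\?\?|\\\?)\\")


def normalize(path: str) -> str:
    """Reduce the spellings Windows uses for one file to a single canonical
    form: drive-letter path, backslashes, lower case (NTFS is case-insensitive).

    '\\??\\C:\\FileName.EXE'                  -> 'c:\\filename.exe'
    '\\Device\\HarddiskVolume1\\filename.exe' -> 'c:\\filename.exe'
    """
    p = path.strip().replace("/", "\\")
    p = _NT_PREFIX.sub("", p)
    for device, drive in VOLUME_MAP.items():
        if p.lower().startswith(device.lower() + "\\"):
            p = drive + p[len(device):]
            break
    return p.lower()


def is_excluded(path: str, exclusions) -> bool:
    """True if any exclusion pattern matches the normalised path.

    Demo wildcard rules (an assumption): '*' matches any run of characters,
    including backslashes, so 'C:\\*' covers the whole drive; '?' matches
    one character. Patterns are normalised the same way as paths.
    """
    target = normalize(path)
    return any(fnmatch.fnmatchcase(target, normalize(pat)) for pat in exclusions)


def coverage_report(exclusions, observed_paths):
    """Map each observed spelling of a path to whether the exclusions cover it."""
    return {p: is_excluded(p, exclusions) for p in observed_paths}


# Constructed sample: five spellings a scanner or log might show for files
# on C:. Only the last one lives in a different directory.
SAMPLE_OBSERVED = [
    r"C:\filename.exe",
    r"c:\FILENAME.EXE",
    r"\??\C:\filename.exe",
    r"\Device\HarddiskVolume1\filename.exe",
    r"C:\Windows\filename.exe",
]

if __name__ == "__main__":
    exclusions = [r"C:\filename.exe"]
    for observed, covered in coverage_report(exclusions, SAMPLE_OBSERVED).items():
        print(f"{'covered ' if covered else 'MISSED  '} {observed}")
```

Run it and the first four spellings report as covered by the single entry `C:\filename.exe`, while `C:\Windows\filename.exe` is missed, which is the behaviour you want: an exclusion should cover every alias of one file and nothing else. One alias this offline demo cannot derive is the 8.3 short name (`FILENA~1.EXE` style); that depends on the live filesystem, so if a product logs short names and your file has a long name, add both spellings to the exclusion. In this thread the name is already 8.3, so the short and long forms are identical.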

Offline Lisandro
Re: 1290 False Positive - Root-Kit
« Reply #11 on: November 19, 2008, 12:00:19 PM »
Oh, I forgot...
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10 MB. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable "Hide protected operating system files" and enable "View hidden files and folders" to manage the file(s).

Styx
Re: 1290 False Positive - Root-Kit
« Reply #12 on: November 19, 2008, 12:00:55 PM »
I put the C:\filename.exe in the ini file and will test it now.

Many thanks!

Offline Lisandro
Re: 1290 False Positive - Root-Kit
« Reply #13 on: November 19, 2008, 12:04:43 PM »
Quote from Styx: "I put the C:\filename.exe in the ini file and will test it now."
Where? Which section and value?

Which is the filename?

Styx
Re: 1290 False Positive - Root-Kit
« Reply #14 on: November 19, 2008, 12:05:01 PM »
I have the file in Standard Shield - Customize - Advanced and in
Program Settings - Exclusions. Are there any other places to add it?

Its name is in 8.3 format.