Author Topic: SOLVED - 1290 False Positive - Root-Kit  (Read 16924 times)

0 Members and 1 Guest are viewing this topic.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: 1290 False Positive - Root-Kit
« Reply #15 on: November 19, 2008, 12:06:30 PM »
Please see the link to the example I posted. 

I regret to say that I believe the advice Tech gave you is ineffective.

You need to edit the avast4.ini file to make this exception as recorded by Tech in the avast4.ini documentation.

Styx

  • Guest
Re: 1290 False Positive - Root-Kit
« Reply #16 on: November 19, 2008, 12:07:02 PM »
passwords.exe and added C:\passwords.exe to

C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini


[AntiRootkit]
Exceptions=C:\passwords.exe
SubmitFiles=0

is this correct?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: 1290 False Positive - Root-Kit
« Reply #17 on: November 19, 2008, 12:10:13 PM »
I have the Files in Standard Shields - Custom - Advanced and in
Program Settings - Exclusions. Are there any other places to add it?
No, you've also used the Antirootkit exception list...
Did you boot after adding them to the exclusion lists?

its name is 8.3 format.
Use passwor~1.exe (it's on 9+3 format).
The best things in life are free.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: 1290 False Positive - Root-Kit
« Reply #18 on: November 19, 2008, 12:15:14 PM »
Tech ....

can you please show us where the avast team has said theses exclusions work for the rootkit?

In the thread I referenced Igor specifically referred to antirootkit exclusions being in the avast4.ini and you have published the information.

Why would there be an antirookit exclusion list if the other exclusions covered it? 

See the title of this thread.
 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: 1290 False Positive - Root-Kit
« Reply #19 on: November 19, 2008, 12:23:08 PM »
can you please show us where the avast team has said theses exclusions work for the rootkit?
Well... I'll need to search the board a lot. Probably Vlk said that... But could be Igor as you've said.

Why would there be an antirookit exclusion list if the other exclusions covered it? 
A specific configuration for this particular scanning? ???
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: 1290 False Positive - Root-Kit
« Reply #20 on: November 19, 2008, 12:25:48 PM »
I've tried to search, but the search feature of the board is very bad... I can't set specifically the word [Antirootkit] or Exceptions=
So tons of hits come back  :(
The best things in life are free.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: 1290 False Positive - Root-Kit
« Reply #21 on: November 19, 2008, 12:33:34 PM »
It is not logical to have an antirootkit exceptions list if the antirootkit module gave attention to the on access or on demand exclusions.  The avast team do not go to the trouble of building new entries in the avast4.ini file for the sheer fun of it. 

Styx

  • Guest
Re: 1290 False Positive - Root-Kit
« Reply #22 on: November 19, 2008, 04:42:23 PM »
Sorry can't count and it was 3:30 AM here. Only 7:30 AM now.

ok so NOW I have passwo~1.exe set in both

1. Settings = Exclusions
2. Standard Shield - Customize - Advanced

as well as in

3. C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini

Seems inside the program it would use the long name format as it allows you
to browse to the file. However with both 1., 2. and 3. set with passwords.exe
it did not stop the Root-kit popup.

Tech thanks for help however you leave out just enough specific info to confuse
me. Please tell me where to put what exactly.

While typing this message the popup re-occurred so placing passwo~1.exe in
areas 1., 2., and 3. did NOT work.

Styx

  • Guest
Re: 1290 False Positive - Root-Kit
« Reply #23 on: November 19, 2008, 11:07:17 PM »
Filed a support ticket. Seems strange so many places to put exclusions and none work. Add to
that the IGNORE and DON"T ASK AGAIN choices seems to do nothing. Has to be an issue with 1290
as was never a problem before although I did have RPC error issues with 1282. Avast was steady
and reliable on this system for 16+ months with the file on this system.

Oh yes, everytime I made a change I rebooted as the Rootkit error happens 8 minutes after a
reboot (time is normal I am told).
« Last Edit: November 19, 2008, 11:21:49 PM by Styx »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: 1290 False Positive - Root-Kit
« Reply #24 on: November 19, 2008, 11:47:57 PM »
Yes the time is normal as it runs 8 minutes after boot by default.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Styx

  • Guest
Re: 1290 False Positive - Root-Kit
« Reply #25 on: November 20, 2008, 12:13:17 AM »
Yes the time is normal as it runs 8 minutes after boot by default.

David appreciate the confirmation however any ideas on why the exclusions are not working?
Or the exact way these should be typed in? C:\passwords.exe or C:\passwo~1.exe or?

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: 1290 False Positive - Root-Kit
« Reply #26 on: November 20, 2008, 12:18:32 AM »
Some tests I have just conducted simply using the filenames that appear in the aswar.log and putting them in the avast4.ini [AntiRootkit] exclusions had no effect.  The files concerned were still included as scanned in the next aswar.log. 

I just used the full names as appeared in the aswar.log.

Styx

  • Guest
Re: 1290 False Positive - Root-Kit
« Reply #27 on: November 20, 2008, 12:43:45 AM »
Maybe we have a solution. I changed the Settings - Exclusions to C:\passwords.exe by using the BROWSE to and click method (seems it would not use browse if it needed to be in 8.3 as C:\passwo~1.exe) - Standard Shield - Customize - Advanced also changed to C:\passwords.exe

In Avast4.ini these ; ; were some how added and now it works or does not show the false positive. I did not put the ; ; in.

[AntiRootkit]
Exceptions=C:\passwo~1.exe;;
SubmitFiles=1

There is a space between the semi-colons.

1290 - 081119-0 - no updates during time of last tests. No clue how the ; ; were added or if
they are the reasons there is no Rootkit Alert Notifications for passwords.exe now.

Styx

  • Guest
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #28 on: November 20, 2008, 01:55:11 AM »
I have rebooted several times now and the Rootkit popup does not come up anymore.
So above solution somehow works.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #29 on: November 21, 2008, 02:20:23 AM »
Some tests I have just conducted simply using the filenames that appear in the aswar.log and putting them in the avast4.ini [AntiRootkit] exclusions had no effect.  The files concerned were still included as scanned in the next aswar.log. 

I just used the full names as appeared in the aswar.log.
I want an official confirmation of this behavior.
Alwil team, should the option (exclusion for antirootkit scanning) be kept into avast4.ini file is this is the situation?

Exceptions=C:\passwo~1.exe;;
This make no sense... but against facts there is no arguments...

We need official help here...
The best things in life are free.