Author Topic: Avast scan found two false positives.  (Read 5580 times)


Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Avast scan found two false positives.
« on: January 17, 2009, 09:55:27 PM »
Avast's scan found two false positives on its initial bootscan -

1) I have a "Downloads" file on my Desktop.
On Download is "Sysclean", which is a Trend Micro scanner process which I had downloaded in 2005.
Neither AVG, which I've used the last few years since stopping use of Trend Micro's PC-cillin, nor Ad-Aware, nor Spybot ever found this to be a virus after numerous scans the last 3 1/2 years.

Avast states that "Sysclean.exe is infected by VBS.Redlof".

I'm sure it is simply seeing a mention of this virus in the Sysclean.exe file, but not the virus itself.
I'm sure this is a false positive, both because of the numerous scans by those other 3 scanners, and because common sense says that Trend Micro has not constructed a virus scanner which contains a virus.

2) In "My Documents", I had saved a webpage from a computer help forum. In this thread the poster had run "Hijack this" or a similar program and listed everything on his computer.

Avast listed this as a virus, stating "(the name I put on the file)" is infected by JS.ADODB-BM.

As with #1 above, neither AVG, which I've used the last few years since stopping use of Trend Micro's PC-cillin, nor Ad-Aware, nor Spybot ever found this to be a virus after numerous scans the last few years.
Also, common sense says that a computer anti-virus help forum is not allowing a virus on its webpages.

I'm sure this is a false positive also.

Since the avast scan had stopped for both "infections", and I had no further need of the download, and I copied the info I had wanted to save from the saved webpage, I then deleted both of these so the avast scans wouldn't stop on these in the future.

I just ran a "Thorough" scan, and now avast has found the saved webpage in one of my "System Restore" files (but for some reason NOT in each of my "System Restore" files I've created, although if it's in one it must be in all of them).

My question is:

What can I do to prevent the avast scan from stopping when it encounters this file?
I had set avast to do the thorough scan while I slept, but when I checked it in the morning, the scan had only completed 15% and then was paused on this "Virus Alert" warning.

Also, I hope that the above info will be helpful in developing future versions of Avast's scanner so that it doesn't find these false positives in the future.
« Last Edit: January 17, 2009, 10:02:54 PM by Bosco123456 »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast scan found two false positives.
« Reply #1 on: January 17, 2009, 10:02:48 PM »
1) On Download is "Sysclean", which is a Trend Micro scanner process which I had downloaded in 2005.
Neither AVG, which I've used the last few years since stopping use of Trend Micro's PC-cillin, nor Ad-Aware, nor Spybot ever found this to be a virus after numerous scans the last 3 1/2 years.

Avast states that "Sysclean.exe is infected by VBS.Redlof".

I'm quite sure the detection is due to uncrypted virus signatures in the tool.

2) In "My Documents", I had saved a webpage from a computer help forum. In this thread the poster had run "Hijack this" or a similar program and listed everything on his computer.

Avast listed this as a virus, stating "(the name I put on the file" is infected by JS.ADODB-BM.

I'd say somebody posted an example of the exploit on the forum.

In both cases, they are "kind of" false positives, but not the true false positives... i.e. I don't think the virus guys will do anything about them.
If you wish to keep the files on your disk (and prevent the warnings), I'd suggest to put their paths into the list of avast! exclusions.
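To illustrate igor's point about unencrypted signatures, here is an added example (written for this thread, not code from Avast or Trend Micro, using constructed toy patterns rather than real signatures): a minimal byte-signature scanner flags a clean-up tool that stores its signature table in the clear, and flags a saved page that contains a pasted exploit fragment, but not the same tool once its table is masked on disk.

```python
# Added example, not from the thread or from Avast: a toy byte-signature scanner
# showing why a clean-up tool carrying its signatures in the clear trips a scanner,
# while the same tool with a masked signature table does not.
# All signatures and sample files below are constructed for illustration.

SIGNATURES = {
    "VBS:Redlof": b"Redlof-toy-pattern",          # constructed, not a real signature
    "JS:ADODB-BM": b"ADODB.Stream-toy-pattern",   # constructed, not a real signature
}
MASK = 0x5A  # single-byte XOR mask; keeps plain signature bytes out of the tool on disk


def scan(data: bytes) -> list:
    """Return the names of signatures whose raw bytes occur anywhere in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def mask(sig: bytes) -> bytes:
    """XOR-mask a signature; applying mask() again restores the original."""
    return bytes(b ^ MASK for b in sig)


def build_naive_cleaner() -> bytes:
    """A cleaner whose embedded signature table is stored in the clear."""
    return b"TOYCLEAN v1\n" + b"\n".join(SIGNATURES.values())


def build_masked_cleaner() -> bytes:
    """The same cleaner with every table entry XOR-masked on disk."""
    return b"TOYCLEAN v2\n" + b"\n".join(mask(s) for s in SIGNATURES.values())


def masked_cleaner_scan(cleaner: bytes, data: bytes) -> bool:
    """The masked cleaner unmasks its table in memory and still detects data."""
    table = [mask(line) for line in cleaner.split(b"\n")[1:]]
    return any(sig in data for sig in table)


# A saved forum page where someone pasted a fragment of the exploit itself
# (constructed sample): the raw bytes are present, so a scanner matches it.
SAVED_FORUM_PAGE = (
    b"<html><body><pre>HijackThis log ...</pre>\n"
    b"<pre>var x = ADODB.Stream-toy-pattern;</pre></body></html>"
)

if __name__ == "__main__":
    print("naive cleaner :", scan(build_naive_cleaner()))
    print("masked cleaner:", scan(build_masked_cleaner()))
    print("saved page    :", scan(SAVED_FORUM_PAGE))
```

The naive cleaner and the saved page are "kind of" false positives in exactly igor's sense: the bytes the scanner looks for really are in the file, only the context differs.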

Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Re: Avast scan found two false positives.
« Reply #2 on: January 17, 2009, 10:05:48 PM »
Thanks for the prompt response, Igor.

Igor - "If you wish to keep the files on your disk (and prevent the warnings), I'd suggest to put their paths into the list of avast! exclusions."

How do I do that?
(This is my second day using Avast).

Offline Bluesman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 926
  • Amiga Power!
Re: Avast scan found two false positives.
« Reply #3 on: January 17, 2009, 10:07:33 PM »
Thanks for the prompt response, Igor.

Igor - "If you wish to keep the files on your disk (and prevent the warnings), I'd suggest to put their paths into the list of avast! exclusions."

How do I do that?
(This is my second day using Avast).


See this post from Tech:

http://forum.avast.com/index.php?topic=41858.msg351012#msg351012
"The blues are the roots, everything else is the fruits" -Willie Dixon

Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Re: Avast scan found two false positives.
« Reply #4 on: January 17, 2009, 10:40:21 PM »
Thanks, Bluesman.

This is from the file report:

1/17/2009 11:59:15 AM   Owner   2684   Sign of "VBS:Redlof" has been found in "C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe" file.

Tech's post you linked to states:

"For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button..."


This is what I put in the Exclusions/Add -

"C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe"

Is this correct? I included the quote marks.

Also - from Tech's post you linked to -

"For the Standard Shield provider (on-access scanning):..."

Is that referring to the real time web scanning? In that case I don't need to do anything there, as the file it is stating is infected is in my System Restore file.
Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Re: Avast scan found two false positives.
« Reply #5 on: January 17, 2009, 10:49:36 PM »
Thanks, Bluesman.

This is from the file report:

1/17/2009 11:59:15 AM   Owner   2684   Sign of "VBS:Redlof" has been found in "C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe" file.

Tech's post you linked to states:

"For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button..."


This is what I put in the Exclusions/Add -

"C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe"

Is this correct? I included the quote marks.

Also - from Tech's post you linked to -

"For the Standard Shield provider (on-access scanning):..."

Is that referring to the real time web scanning? In that case I don't need to do anything there, as the file it is stating is infected is in my System Restore file.

(I'm using Avast version 4.8 Home Edition).
Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast scan found two false positives.
« Reply #6 on: January 17, 2009, 11:27:35 PM »
This is what I put in the Exclusions/Add -
"C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe"
I wouldn't exclude a file in the system restore folder... this restore point will be deleted in the future. You can do it now, by disabling and then enabling system restore again.

"For the Standard Shield provider (on-access scanning):.."

Is that referring to the real time web scanning?
No, real time file scanning.
The best things in life are free.

Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Re: Avast scan found two false positives.
« Reply #7 on: January 18, 2009, 03:47:14 AM »
This is what I put in the Exclusions/Add -
"C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe"
I wouldn't exclude a file in the system restore folder... this restore point will be deleted in the future. You can do it now, by disabling and then enabling system restore again.

I would prefer not to lose all of my saved System Restores - I may need them in the future.

1) What is the problem with excluding it? My first post in this thread explains the problem, and why I am excluding it in order to solve the problem.

2) Regardless if it's right or wrong ultimately to exclude it - Did I write the information correctly in "Exclusions/Add"?
As mentioned above, I included quotation marks before and after the file path/name. Is this correct? Will Avast exclude it, given the way I entered the info?

Offline Bosco123456

  • Jr. Member
  • **
  • Posts: 62
Re: Avast scan found two false positives.
« Reply #8 on: January 18, 2009, 08:29:39 AM »
Since my post directly above this one is all in a quote box and it may be difficult to interpret, I'll repost:

Bosco - "This is what I put in the Exclusions/Add -
"C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP785\A0391046.exe"

Tech - "I wouldn't exclude a file in the system restore folder... this restore point will be deleted in the future. You can do it now, by disabling and then enabling system restore again."


I would prefer not to lose all of my saved System Restores - I may need them in the future.

1) What is the problem with excluding it? My first post in this thread explains the problem, and why I am excluding it in order to solve the problem.

2) Regardless if it's right or wrong ultimately to exclude it - Did I write the information correctly in "Exclusions/Add"?

As mentioned above, I included quotation marks before and after the file path/name.
Is this correct?
Will Avast exclude it, given the way I entered the info?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: Avast scan found two false positives.
« Reply #9 on: January 18, 2009, 05:40:59 PM »
Just let avast send the infected restore point to the chest, only that would be moved.

1. There is little worth in excluding a single file in the system volume information folder and it has little to do with actual exclusions as such. If there is any doubt about a restore point then it is best out of the system volume information folder so it doesn't bite you in the rear some time in the future if you use system restore possibly reinfecting your computer.

That I believe is the point Tech was trying to make rather than saying simply don't use exclusions, there is a purpose for them, yes, but not I feel for suspect restore points.

2. Personally I don't know if the " quotes " are needed or not, but one way to check if the exclusion worked would be to scan the system volume information folder and see if avast detects the infected restore point. If it does detect it then the exclusion didn't work; that could mean you entered it in the wrong exclusion list, or the path is wrong, or the quotes aren't required, etc.

But as I said I wouldn't go to that much trouble send the suspect restore point to the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast scan found two false positives.
« Reply #10 on: January 18, 2009, 06:11:08 PM »
I would prefer not to lose all of my saved  System Restores - I may need them in the future.
They're infected, you won't be able to use them. Delete it and make a new clean one.
If you don't want to get rid of it, just wait; Windows will do it automatically in the future...

1) What is the problem with excluding it? My first post in this thread explains the problem, and why I am excluding it in order to solve the problem.
You can use the exclusion, but when the restore point gets deleted, the exclusion won't help you.
Until then, you can't restore (and use) the file in the original place, as you're not adding the original place to the exclusion list (only the system restore one) and because the file is infected.
The best things in life are free.