Author Topic: Question about a game file  (Read 5313 times)


celeste

  • Guest
Question about a game file
« on: June 05, 2009, 02:45:30 AM »
I use this program for an online game I play. When I download it, avast says it's clean [no virus], but a few days later the same file shows up as a virus. I pay to use this program and the programmer says that it's clean; they say that it shows up as a false positive because of the security they use to prevent their code from being stolen for use in cracked versions. I was wondering if anyone could test the file and see what comes up?

The program is called s-bot and here's the link http://www.bot-cave.net/
There is only one download and it's on the homepage.

Thanks,
Leah

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Question about a game file
« Reply #1 on: June 05, 2009, 02:59:16 AM »
It may be because of the packing method, etc. used but the info asked for below may point to that.

What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude it until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

John2009

  • Guest
Re: Question about a game file
« Reply #2 on: June 05, 2009, 05:07:59 AM »
Avast very rarely has FPs so probably not.

celeste

  • Guest
Re: Question about a game file
« Reply #3 on: June 05, 2009, 06:43:01 AM »
On the forum, which you have to have a paid account to access, they say other antiviruses picked this up too because of the security. Those antiviruses included AVG and NOD32; they said those were false positives too, but I think it's weird because at first avast doesn't recognize it as a virus, then one day when I try to start it up it does.

Here's the virustotal results:
http://www.virustotal.com/analisis/34497105193125b3637d46bbea8e0d552149d2891ecf633c0c32d59dd1ed8253-1244148927

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1777
  • Thinking with Portals
Re: Question about a game file
« Reply #4 on: June 05, 2009, 07:07:34 AM »
-= Maybe it was run on startup, so the avast resident scanner was alerted about its existence..?
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

celeste

  • Guest
Re: Question about a game file
« Reply #5 on: June 05, 2009, 07:35:41 AM »
I haven't restarted my computer, plus it only detected it when I opened the folder the file was contained in. I've been using this program for around 6 months with no problems until recently, but it is updated at least once a week with new versions.



Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1777
  • Thinking with Portals
Re: Question about a game file
« Reply #6 on: June 05, 2009, 09:52:49 AM »
-= The new version must've probably been infected..

cinchez

  • Guest
Re: Question about a game file
« Reply #7 on: June 05, 2009, 09:57:04 AM »
Probably, IMO it's the only possible statement that we can get from your latest statement^^

-AnimeLover^^

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Question about a game file
« Reply #8 on: June 05, 2009, 04:32:41 PM »
> On the forum, which you have to have a paid account to access, they say other antiviruses picked this up too because of the security. Those antiviruses included AVG and NOD32; they said those were false positives too, but I think it's weird because at first avast doesn't recognize it as a virus, then one day when I try to start it up it does.
>
> Here's the virustotal results:
> http://www.virustotal.com/analisis/34497105193125b3637d46bbea8e0d552149d2891ecf633c0c32d59dd1ed8253-1244148927


New signatures are constantly added, and some signatures and the generic signatures are also modified to increase detections, or new unpackers are included, etc., so it isn't unusual to find that something that previously wasn't detected is now detected.

The VT results show 13/39 detections, which is high, one third of all the scanners. This would normally be conclusive; however, many of those detections are generic, some detecting on the encryption or packing methods (some commonly used by malware), and also heuristic detection. So there is no clear signature detection.

I have no problem with an author trying to protect their work, but when that is detected by one third of scanners I feel they should investigate other methods. Perhaps you should show him the VirusTotal results link, as that is, I would imagine, a greater number of detections than he thinks.

You can submit the detected file to avast for further analysis as a possible false positive, but if avast aren't able to unpack/decrypt it to do any analysis, there will always be an area of suspicion about the file.
« Last Edit: June 05, 2009, 04:47:55 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
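
The reasoning in Reply #8 above (a high detection count made up of generic, packer and heuristic names is not the same as a clear signature hit), as an added example that is not part of the original thread. The marker list, the engine names and the detection labels are all constructed for illustration and are not the actual results linked in the thread.

```python
import re
from collections import Counter

# Token prefixes that usually mark a non-specific verdict. Assumed list for
# illustration; every real engine has its own naming scheme.
WEAK_MARKERS = {
    "packer": ("pack", "crypt", "obfus"),
    "heuristic": ("heur", "suspicious", "behaveslike"),
    "generic": ("gen",),
}

def classify(label):
    """Return 'packer', 'heuristic', 'generic' or 'named' for one label."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    for kind, prefixes in WEAK_MARKERS.items():
        if any(tok.startswith(prefixes) for tok in tokens):
            return kind
    return "named"  # no weak marker: treated as a specific family signature

def triage(report):
    """report maps engine name -> detection label, or None when clean."""
    kinds = Counter(classify(lbl) for lbl in report.values() if lbl)
    detections = sum(kinds.values())
    return {
        "engines": len(report),
        "detections": detections,
        "by_kind": dict(kinds),
        # Hits but no specific family name: the count alone is not
        # conclusive, so the file should be submitted for analysis.
        "needs_analysis": detections > 0 and kinds["named"] == 0,
    }

# Constructed sample: 39 hypothetical engines, 13 of them detecting.
LABELS = [
    "Win32:Trojan-gen", "Trojan.Generic", "Generic.Malware.X",
    "Gen:Variant.Sample", "Malware.Gen",
    "HEUR/Malware", "Suspicious.File", "Heuristic.LooksLike.Trojan",
    "BehavesLike.Win32.Sample",
    "Packed.Protector.A", "Packer.Unknown", "Crypt.XPACK", "Obfuscated.Sample",
]
SAMPLE = {f"engine{i:02d}": None for i in range(39)}
SAMPLE.update({f"engine{i:02d}": lbl for i, lbl in enumerate(LABELS)})

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `needs_analysis` set corresponds to the situation described in the reply: many engines flag the file, but none names a specific family, so vendor analysis is what settles it.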

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Question about a game file
« Reply #9 on: June 05, 2009, 05:12:28 PM »
I think it's conclusive: malware!
At least, the one in your computer, maybe the infection changed the original game file.
The best things in life are free.

celeste

  • Guest
Re: Question about a game file
« Reply #10 on: June 06, 2009, 06:07:59 AM »
Update: after avast updated today, the same game file that was detected no longer is. Don't know what this means..

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1777
  • Thinking with Portals
Re: Question about a game file
« Reply #11 on: June 06, 2009, 09:25:56 AM »
> Update: after avast updated today, the same game file that was detected no longer is. Don't know what this means..

-= Huh..? Why not try sending a sample to ALWIL so they could act on it..?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Question about a game file
« Reply #12 on: June 06, 2009, 01:59:15 PM »
> Update: after avast updated today, the same game file that was detected no longer is. Don't know what this means..

Well, I can't believe that all other antivirus are just detecting this file as a false positive, but if you said so (that avast is no longer detecting it).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Question about a game file
« Reply #13 on: June 06, 2009, 04:34:49 PM »
> Update: after avast updated today, the same game file that was detected no longer is. Don't know what this means..


What it means is that you or someone else submitted the file (as suggested above) and it has been further analysed and confirmed as a false positive and a correction made. This is then added to the next VPS Update to correct the detection.

That is why we suggest a) confirmation via virustotal and b) submission to avast if considered a false positive.