Topic: False positives - what to do?


Offline mkis

False positives - what to do?
« on: June 11, 2009, 08:15:43 AM »
I have carried the questions from another thread across to this new thread. I think the topic is relevant considering the FPs issue comes up quite often.

Quote
One thing... if I fiddle around with a possible false positive file, e.g. in removing it from the vault, posting it on the site you mentioned etc., is there any chance of it causing infection, or is it that only clicking on a file can lead to infection?


I'm still a bit unsure what to do myself.  :-\  

For starters the whole idea of moving anything out of a virus chest once it has been there doesn't appeal to me (scared fool  ::) ).  How am I to know if a quarantined item has been declared if it doesn't say so right in front of me so I know (lazy boffo  :-[ ). Restoring a once suspect file to my Windows directories may leave me riddled with doubt  ???

I am sure there are more questions. Or perhaps some links to posts in the forum that deal with the FPs issue.

Regards to avast Forum.
Previous thread: http://forum.avast.com/index.php?topic=45663.msg386201#msg386201
« Last Edit: June 11, 2009, 08:24:43 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Lisandro

Re: False positives - what to do?
« Reply #1 on: June 11, 2009, 03:44:39 PM »
Quote
For starters the whole idea of moving anything out of a virus chest once it has been there doesn't appeal to me (scared fool  ::) ).

For everybody, it's safer to send the file from within the Chest (right clicking it) and not extracting/sending.
The best things in life are free.

Offline DavidR

Re: False positives - what to do?
« Reply #2 on: June 11, 2009, 04:24:19 PM »
Quote
For starters the whole idea of moving anything out of a virus chest once it has been there doesn't appeal to me (scared fool  ::) ).
For everybody, it's safer to send the file within Chest (right clicking it) and not extracting/sending.

The point in question here (from the other topic) is sending the files to virustotal (not avast) and you can't upload to VT from the chest.

@ mkis
There really is little risk in extracting files from the chest as you place them in a temporary folder (see ### below) so they aren't in the original location so as such they are inert, unless you would be stupid enough to actually execute them (double click).

Don't use the Restore function from within the chest, as that sends them back to the 'original' location and as such they could become active again: any registry entry to run them, or program which might run them, would have the link restored because the file is in the original location.

So I hope you can see the difference between using extract rather than restore, and why I also mentioned moving them to a temp folder (not the original).

###
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

So in this folder they aren't active, as effectively the registry entry isn't pointing there and no program knows they are there. All in all relatively safe.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
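As an added example (not from this thread or from avast), a PowerShell snippet that sets up the C:\Suspect triage folder DavidR describes and lists the SHA-256 of anything extracted there, so a file can be looked up on VirusTotal by hash before (or instead of) uploading it. It assumes PowerShell 4 or later for Get-FileHash; the avast exclusion for C:\Suspect\* is still added in the Standard Shield GUI as described above, and the VirusTotal search URL format is an assumption.

```powershell
# Added example: prepare the triage folder and hash its contents.
# The folder path is the one named in the thread; the exclusion itself
# must still be added in avast (Standard Shield > Customize > Advanced > Add).
$suspect = 'C:\Suspect'
if (-not (Test-Path -LiteralPath $suspect)) {
    New-Item -ItemType Directory -Path $suspect | Out-Null
}

# Hash every file extracted (not restored) into the folder. Nothing here
# opens or runs the files; reading bytes for a hash is all that happens.
Get-ChildItem -LiteralPath $suspect -File -Recurse | ForEach-Object {
    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    [pscustomobject]@{
        File   = $_.FullName
        Bytes  = $_.Length
        SHA256 = $h.Hash
        # Assumed URL shape for a hash search; paste the hash into the site
        # search box if it changes.
        Lookup = "https://www.virustotal.com/gui/search/$($h.Hash)"
    }
} | Format-Table -AutoSize
```

If the hash is already known to VirusTotal, the existing report answers the FP question without the file leaving the machine; only an unknown hash needs the upload.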

Offline mkis

Re: False positives - what to do?
« Reply #3 on: June 11, 2009, 04:48:45 PM »
Thanks guys for contributing your knowledge.

@DavidR - That's good policy so I will set and keep that routine in my 'knowhow / cando' list of procedures.  :)

Now, I guess I can query a file at virustotal or elsewhere to have the status of the file returned, so that I know it to be a false positive and not a malware danger. That's okay.  :)

However, say a file is doing its normal job from within the virus chest, where it was moved because of the possibility of danger it could have posed, but now has been confirmed as a false positive by virustotal. (I know I am likely talking about a rare occurrence. Or not? Perhaps only for me so far?). So what if I wanted that file back where it originally was, because I was afraid that I might forget it was in there and do something stupid? I guess just Restore, is that correct?
 

Offline DavidR

Re: False positives - what to do?
« Reply #4 on: June 11, 2009, 05:03:03 PM »
I'm not entirely sure what you mean by this, "However, say file is doing normal job from within virus chest"; the file can do nothing within the chest. The chest is a protected area, all files are encrypted, and from outside the chest the file name is also changed, so nothing can see that file or run it from outside the chest.

Yes, when confirmed as an FP, clicking Restore from the chest sends a copy back to the original location. Confirm it is there, and then delete the copy in the chest, and the one in the suspect folder if you had one.

cimmind

Re: False positives - what to do?
« Reply #5 on: June 11, 2009, 05:09:09 PM »
Wow, same as mkis, got to learn new things by following this post.
If I may add a question to mkis' poser: suppose virustotal does show that the file is a false positive, is there a mechanism of feedback to tell avast about this? So that the file is not flagged as FalseP for other users.

Also, I gather that virustotal is the current holy grail regarding virus status? Their site states "Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file."
But I think by subjecting the file to 39 AV programs, we are increasing the chances of getting nearer a true classification of the file as a virus or harmless entity.

Offline DavidR

Re: False positives - what to do?
« Reply #6 on: June 11, 2009, 05:19:35 PM »
The correct mechanism is to submit the file to avast for analysis as a suspect false positive.

When you right click on a file in the Infected Files section the context menu has lots of options, one is email to Alwil Software - A form will pop-up for you to complete (see image1) and you then click Submit - It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done, see image2.

Offline mkis

Re: False positives - what to do?
« Reply #7 on: June 11, 2009, 11:48:12 PM »
The point here of course is to provide scope for you to pass on your knowledge about issues that may arise when the random user is running the avast antivirus program and other things relevant to that program. Main thing then is that you may speak your knowhow, no matter what empty head curve ball the newb may have pitched you.

So I say this being a bit cheeky but not intending to be nasty: so what about kernel32.dll, winsock.dll, and winsock32.dll in the chest, are they not doing their job? They can do nothing within the chest?

I said my example would be the rare occurrence. I was talking about a situation where an important file for the running of the computer had mistakenly been marked as a risk because, say by chance, some wrong combo of words and numbers had matched too closely some ID and detection prescript in the vpu stamp of the time. Say it happened in a boot scan, so I wasn't there at the time. I expect that the file would continue doing its job (this is what I meant) and so the computer would still be running smoothly. And you answered my question about whether to click Restore with an affirmative. All good.

Rare occurrence, true, or perhaps this would not happen at all. It's just that people have posted in about good system files being sent to the chest, and what if you delete them, and so on. So I was just raising a query about a potential random scenario that would in time require the user to click Restore.

Silly of me, lol.
« Last Edit: June 12, 2009, 01:35:42 AM by mkis »

Offline DavidR

Re: False positives - what to do?
« Reply #8 on: June 11, 2009, 11:59:34 PM »
The chest is in three sections:
  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
  • The All Chest Files is a collation of the three sections.

So as you can see, kernel32.dll, winsock.dll, and winsock32.dll in the chest (they aren't infected, unless in the Infected Files section) are doing their job as intended: providing a back-up copy in case the original copy becomes infected. Only avast can do anything with these; the user can't restore them, as Windows would have a whinge when attempting to replace a file in use.

If the user deletes these back-up copies, guess what, avast will replace them ;D

Offline mkis

Re: False positives - what to do?
« Reply #9 on: June 12, 2009, 01:42:42 AM »
Your advice is always well received DavidR.

Did I forget or did I not know that the system files in the chest were actually copies? I am not sure, but good refresher in that respect, and in the other details that you posted.

Oh, and great to hear that avast will replace the back-up copies if the user does somehow manage to delete them.

I guess it does just keep getting better.  :)