Topic: False Positive Fix?


lexluthor
False Positive Fix?
« on: July 29, 2009, 12:29:48 AM »
How do I get a false positive fixed?  Over the past 2 weeks, I've used the program interface to report a false positive, and I haven't heard anything back, and the latest definitions are still flagging the file as a virus.

spg SCOTT
Re: False Positive Fix?
« Reply #1 on: July 29, 2009, 01:15:39 AM »
Hi lexluthor,

What is the infected filename and path?
Can you upload it to www.virustotal.com and report the detections/link to see if it is a FP?

-Scott-

lexluthor
Re: False Positive Fix?
« Reply #2 on: July 29, 2009, 01:34:25 AM »
It's an old program called Startbarfader, version 3.31.

I've been using it for years and only a couple of weeks ago did Avast start flagging it and now I can't use it.

Here are the virustotal results.

I don't think the file is actually infected.  The results mostly indicate it's a "generic" virus or that heuristics caught it.

How can I have someone look at this closer and let me know what's really going on?

Antivirus   Version   Last Update   Result
a-squared   4.5.0.24   2009.07.28   Trojan.Generic!IK
AhnLab-V3   5.0.0.2   2009.07.28   Win-Trojan/Xema.variant
AntiVir   7.9.0.234   2009.07.28   TR/Spy.46106
Antiy-AVL   2.0.3.7   2009.07.28   -
Authentium   5.1.2.4   2009.07.28   W32/Heuristic-210!Eldorado
Avast   4.8.1335.0   2009.07.28   Win32:Spyware-gen
AVG   8.5.0.387   2009.07.28   -
BitDefender   7.2   2009.07.29   Trojan.Generic.1777147
CAT-QuickHeal   10.00   2009.07.28   (Suspicious) - DNAScan
ClamAV   0.94.1   2009.07.28   Worm.Mytob.BP
Comodo   1798   2009.07.29   UnclassifiedMalware
DrWeb   5.0.0.12182   2009.07.29   -
eSafe   7.0.17.0   2009.07.28   Suspicious File
eTrust-Vet   31.6.6643   2009.07.28   -
F-Prot   4.4.4.56   2009.07.28   W32/Heuristic-210!Eldorado
F-Secure   8.0.14470.0   2009.07.28   -
Fortinet   3.120.0.0   2009.07.28   -
GData   19   2009.07.29   Trojan.Generic.1777147
Ikarus   T3.1.1.64.0   2009.07.28   Trojan.Generic
Jiangmin   11.0.800   2009.07.28   -
K7AntiVirus   7.10.804   2009.07.28   Trojan.Win32.Malware.1
Kaspersky   7.0.0.125   2009.07.29   -
McAfee   5691   2009.07.28   Generic.dx
McAfee+Artemis   5691   2009.07.28   Generic.dx
McAfee-GW-Edition   6.8.5   2009.07.29   Heuristic.LooksLike.Win32.Suspicious.H!92
Microsoft   1.4903   2009.07.28   -
NOD32   4286   2009.07.28   -
Norman   6.01.09   2009.07.28   W32/Packed_PeDim.A
nProtect   2009.1.8.0   2009.07.28   -
Panda   10.0.0.14   2009.07.28   Malicious Packer
PCTools   4.4.2.0   2009.07.28   Packed/PE-Dim
Prevx   3.0   2009.07.29   -
Rising   21.40.14.00   2009.07.28   -
Sophos   4.44.0   2009.07.29   Mal/Packer
Sunbelt   3.2.1858.2   2009.07.28   -
Symantec   1.4.4.12   2009.07.29   -
TheHacker   6.3.4.3.376   2009.07.28   -
TrendMicro   8.950.0.1094   2009.07.28   -
VBA32   3.12.10.9   2009.07.28   -
ViRobot   2009.7.28.1857   2009.07.28   -
VirusBuster   4.6.5.0   2009.07.28   Packed/PE-Dim
Additional information
File size: 46106 bytes
MD5...: 8fc035dd51cf3da67258dd087c6d64c7
SHA1..: e315ad7ec2ad6874a295b31ecc1db35ce2c15d19
SHA256: 433bdb037c9cb3b245e1562fdcf8773416fca846aba8718c42dd3094578794a6
ssdeep: 768:jEdyNF4qIA6Dxcqygg7pUZuUQOy252lRzVyrXgHCNLI1x:jEd26DGog1guFOz5eRzg0i27
PEiD..: PE Diminisher v0.1 -> Teraphy
TrID..: File type identification
  PE Diminisher v0.1 compressed Win32 Executable (77.1%)
  Win32 Executable Generic (9.6%)
  Win32 Dynamic Link Library (generic) (8.5%)
  Generic Win/DOS Executable (2.2%)
  DOS Executable Generic (2.2%)
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x16000
  timedatestamp.....: 0x3d608e8d (Mon Aug 19 06:22:05 2002)
  machinetype.......: 0x14c (I386)
  ( 4 sections )
  name      viradd   virsiz   rawdsiz  ntrpy  md5
  .text     0x1000   0x10f50  0x6031   7.98   c6e8262dc2584e5166319fe1882f30fb
  .data     0x12000  0x19b8   0x8      3.00   49b75a9959d6d15ae063aba0c3e099e7
  .rsrc     0x14000  0x10c0   0x2000   1.21   9aa4829cee79b2ea01cffc5ac64e9597
  .teraphy  0x16000  0x1000   0x41a    5.69   d69b2b094d9b59caf8b9f6cd271cbfcf
  ( 1 imports )
  > KERNEL32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
  ( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
  -
packers (Kaspersky): PE-Diminisher
packers (F-Prot): PE-Diminisher
packers (Authentium): PE-Diminisher

DavidR
Re: False Positive Fix?
« Reply #3 on: July 29, 2009, 02:32:53 AM »
Seems pretty conclusive to me that it isn't a false positive, with 22 scanners considering there is something wrong with it; surely they can't all be wrong. That may well be why, although you have consistently reported it as a false positive detection, avast thinks not.

Now, the detections: many are reporting generic/heuristic/suspicious detections, which may be more prone to false positives, but in these numbers it is doubtful they could all be wrong.

The Win32:Spyware-gen detection of avast is also a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
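The two points made above, that most of the VirusTotal verdicts are generic or heuristic and that a "-gen" signature is a broad one, can be checked mechanically. The following is an added example, not code from this thread, from avast or from VirusTotal: it parses a constructed subset of the VT rows posted earlier, separates generic/heuristic/packer verdicts from named-family ones, and then looks at the PEInfo section table for the packer fingerprints (PE Diminisher: near-maximal .text entropy, raw size far below virtual size, an import table of little more than GetProcAddress/LoadLibraryA) that typically trigger such detections. The keyword list and the entropy/import thresholds are assumptions of this example, not any vendor's rules.

```python
import re
# Constructed sample: a subset of the VirusTotal rows quoted earlier in this thread.
VT_ROWS = """\
a-squared   4.5.0.24   2009.07.28   Trojan.Generic!IK
Antiy-AVL   2.0.3.7   2009.07.28   -
Avast   4.8.1335.0   2009.07.28   Win32:Spyware-gen
ClamAV   0.94.1   2009.07.28   Worm.Mytob.BP
Norman   6.01.09   2009.07.28   W32/Packed_PeDim.A
"""
# Verdict wording that marks a low-confidence (generic, heuristic or packer) signature (assumed list).
WEAK = re.compile(r"generic|heuristic|suspicious|-gen\b|packed|packer|variant", re.I)
def parse_rows(text):
    """Split whitespace-separated VT rows into dicts; '-' means the engine saw nothing."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 4:
            rows.append(dict(zip(("engine", "version", "updated", "result"), parts)))
    return rows

def classify(result):
    if result == "-":
        return "clean"
    return "weak" if WEAK.search(result) else "named"

def triage(text):
    """Engines seen, detections, and how many verdicts are only generic/heuristic."""
    kinds = [(r["result"], classify(r["result"])) for r in parse_rows(text)]
    named = [res for res, k in kinds if k == "named"]
    weak = sum(k == "weak" for _, k in kinds)
    return {"engines": len(kinds), "detections": weak + len(named), "weak": weak, "named": named}

def packer_signals(sections, imports, entropy_limit=7.5, min_imports=5):
    """Flag packer fingerprints: high entropy, raw size << virtual size, loader-only imports."""
    signals = []
    for name, virsiz, rawsiz, ntrpy in sections:
        if ntrpy >= entropy_limit:
            signals.append(f"{name}: entropy {ntrpy} (compressed or encrypted code)")
        if virsiz > 2 * rawsiz:
            signals.append(f"{name}: raw 0x{rawsiz:x} << virtual 0x{virsiz:x} (unpacks in memory)")
    flat = [f for funcs in imports.values() for f in funcs]
    if len(flat) < min_imports and {"GetProcAddress", "LoadLibraryA"} <= set(flat):
        signals.append("imports: only loader API; real imports are resolved after unpacking")
    return signals

# Constructed from the PEInfo section table and import list quoted in the thread.
SECTIONS = [(".text", 0x10f50, 0x6031, 7.98), (".data", 0x19b8, 0x8, 3.00),
            (".rsrc", 0x10c0, 0x2000, 1.21), (".teraphy", 0x1000, 0x41a, 5.69)]
IMPORTS = {"KERNEL32.dll": ["GetProcAddress", "GetModuleHandleA", "LoadLibraryA"]}
```

Run `triage(VT_ROWS)` and `packer_signals(SECTIONS, IMPORTS)` to see that only one engine names a specific family while the rest key on packing artefacts, which is what to expect when an abandoned utility was shipped through an old packer.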

lexluthor
Re: False Positive Fix?
« Reply #4 on: July 29, 2009, 02:40:06 AM »
Yes, as you said, most of these are borderline detections.  There's a decent chance there's some sort of code in the file that's throwing up a red flag to all these scanners?

Is there any way that someone at Avast could look into this a little closer?

I'd really be surprised if it's infected.  I've been using it for years and I do know what I'm doing around a computer and haven't ever seen anything suspicious on this computer.

I'm sure it's possible, but I don't think so.

Either way, I do have a little older version of the program that works fine, so I can use that, but now I'm more curious and slightly worried.

DavidR
Re: False Positive Fix?
« Reply #5 on: July 29, 2009, 03:02:27 AM »
It has to be the way it acts for so many to consider it worthy of detection.

I didn't say borderline; when 22 out of 40/41 detect it, I just can't see how they can all be wrong.

The nature of anti-virus applications is that they are constantly having new signatures added or generic signatures tweaked. Considering this one (for avast at least) is a generic spyware signature, not a generic virus signature, this could be nothing more than it gathering marketing data, which is considered spying/spyware.

Why it doesn't pick up an older version, I don't know and I would have to ask what did they change in the versions for it to be detected. I simply don't know what this program does or how this program works, so I could speculate all day, which doesn't achieve much.

lexluthor
Re: False Positive Fix?
« Reply #6 on: July 29, 2009, 02:39:05 PM »
Ok.  I guess the result here is that the file must be doing something that looks malicious, but I'm fairly confident, based on my use over years and the fact that most of these AV programs are just catching it with something rather generic, that it's not doing anything too bad.

Still, I'm just going to delete it and use the older version.

Thanks!

spg SCOTT
Re: False Positive Fix?
« Reply #7 on: July 29, 2009, 02:45:54 PM »
You could always contact the developer and try to find out what they have changed, how that affects you (and most likely many others) and let them know of the problem, they may be able to resolve the issue.

lexluthor
Re: False Positive Fix?
« Reply #8 on: July 29, 2009, 03:22:51 PM »
This has long since been abandonware, so there's really no one to ask about that.

DavidR
Re: False Positive Fix?
« Reply #9 on: July 29, 2009, 03:25:37 PM »
It would be interesting to see what the results of a VT scan are on the old version you are using, I suspect some of the other scanners will still detect something.

It is your choice and risk if you wish to exclude the file from avast scans so that you may use the latest version, though I wouldn't for what is an aesthetic application.

Add it to the exclusions lists (full path and file name):
Standard Shield, Customize, Advanced, Add
and
Program Settings, Exclusions (right click the avast ' a ' icon)

lexluthor
Re: False Positive Fix?
« Reply #10 on: July 29, 2009, 04:22:57 PM »
Didn't know I could exclude a file, but no, I won't do that here.  The older version I have suffices.

The old version comes up with a similar result.  Though Avast tags that one as clean, 18/41 flag that file.

DavidR
Re: False Positive Fix?
« Reply #11 on: July 29, 2009, 04:28:46 PM »
Yes that indicates that something in the later version makes avast jumpy.