Author Topic: Win32:Swizzor [Trj] possible FP

cubie

  • Guest
Win32:Swizzor [Trj] possible FP
« on: August 25, 2009, 09:32:29 PM »
When performing a screensaver activated scan this Trojan was detected;  Win32:Swizzor [Trj]
The strange part about this is it is in a cleaner program for EA.com [Electronic Arts] gaming website and the program has been in program files since December of 2000. The file has been moved to the Chest where it has been scanned again and detected again. I also check this file named [eanse] at VirusTotal and only two AV programs out of the group detect it; Avast and Gdata. Is it possibly a False Positive?  :-\

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89228
  • No support PMs thanks
Re: Win32:Swizzor [Trj] possible FP
« Reply #1 on: August 25, 2009, 09:40:22 PM »
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

If you have the URL to the VT Results page, you could post that.

If it is indeed a false positive (and it seems so), send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "false positive/undetected malware" in the subject.
 
- Or you can send it from the Infected Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32:Swizzor [Trj] possible FP
« Reply #2 on: August 25, 2009, 09:43:57 PM »
Most probably. The GData detection is due to the avast engine/definitions of GData.
Can you send the file to virus (at) avast (dot) com and post a link to this thread, alerting the false positive?

Oops... David was faster.
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Win32:Swizzor [Trj] possible FP
« Reply #3 on: August 25, 2009, 10:09:24 PM »
The best way (in this case) will be sending it directly from the warning dialog... I'll take care of it tomorrow and the regular VPS update will fix this issue (there's not enough time to include the fix in the VPS that will be released in a few minutes)..

cubie

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #4 on: August 25, 2009, 10:28:04 PM »
That was a quick response  :)
The filename is [eanse.exe] and it resided in C:\Program Files\EACom\eanse\bin\eanse
It apparently means CL eanse at EA.com
The VirusTotal report is: https://www.virustotal.com/analisis/34396380d35c84a828a0d1078833f6716140a8f08d93825c498d56b20a152884-1251217499

Thank you,  ;)  and I will try to send it to you all via the upload technique described above.
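As an added example (not from this thread, and not Avast's or Electronic Arts' code), a small Python helper that pulls the SHA-256 out of the VirusTotal permalink quoted above and compares it with the hash of the file on disk, so the sample sent to the vendor is verifiably the same one the VT report describes. The permalink layout "<sha256>-<unix timestamp>" and all function names are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumption: the old-style VirusTotal permalink ends in "<sha256>-<unix timestamp>".
PERMALINK_RE = re.compile(r"/analisis/([0-9a-f]{64})-(\d+)$")


def parse_vt_permalink(url: str) -> dict:
    """Return the SHA-256 and (assumed) scan time encoded in a VT permalink."""
    m = PERMALINK_RE.search(url.strip())
    if not m:
        raise ValueError("not a recognised VirusTotal permalink")
    digest, ts = m.group(1), int(m.group(2))
    return {"sha256": digest,
            "scanned_at": datetime.fromtimestamp(ts, tz=timezone.utc)}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def same_sample(data: bytes, permalink: str) -> bool:
    """True only when the bytes in hand are exactly the sample VT analysed."""
    return sha256_of_bytes(data) == parse_vt_permalink(permalink)["sha256"]


if __name__ == "__main__":
    # Permalink as posted in the thread above.
    url = ("https://www.virustotal.com/analisis/"
           "34396380d35c84a828a0d1078833f6716140a8f08d93825c498d56b20a152884-1251217499")
    info = parse_vt_permalink(url)
    print("VT sha256:", info["sha256"])
    print("VT scan time (UTC, assumed):", info["scanned_at"].isoformat())
    # Constructed stand-in bytes; on the real machine hash the file with
    # sha256_of_file(r"C:\Program Files\EACom\eanse\bin\eanse\eanse.exe").
    print("same sample:", same_sample(b"constructed placeholder, not eanse.exe", url))
```

If the hashes differ, the file on disk is not the one VT scanned (a different version, as Maxx suspects further down), and the vendor submission should be made from the file that actually triggered the alert.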

cubie

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #5 on: August 28, 2009, 08:29:32 PM »
Hi all,
It has been a few days since I uploaded the suspect file [eanse.exe] from Electronic Arts. I ran another scan from the Chest and this file is still activating the alarm. Is this an FP or not?  ???

micky77

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #6 on: August 28, 2009, 08:42:31 PM »
Is this an FP or not?  ???
Obviously it is.

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Win32:Swizzor [Trj] possible FP
« Reply #7 on: August 30, 2009, 09:25:39 PM »
I'll check it.. I thought that it was already processed.. maybe it was a different version...

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Win32:Swizzor [Trj] possible FP
« Reply #8 on: August 30, 2009, 10:46:28 PM »
The sample did not arrive in our system, that's strange.. can you send it once again?

cubie

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #9 on: August 31, 2009, 05:25:15 PM »
Okay.  ::)

Sorry about that error, I did not have the email feature enabled in Avast. It is now enabled.  :)

cubie

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #10 on: September 02, 2009, 05:07:57 AM »
The file is no longer triggering the alarm.  :)
I was fairly certain that Electronic Arts was a legitimate website and the file was clean. Did you find what was the cause of the FP alert?  ::)
The file was dated December 2000, so it had been in the program files for some time and had been scanned by Avast 4.8 several times before this FP alert without triggering the alarm. ???
Thank you,  8)
« Last Edit: September 02, 2009, 05:09:34 AM by cubie »

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Win32:Swizzor [Trj] possible FP
« Reply #11 on: September 02, 2009, 09:25:21 AM »
The detection for Swizzor is a bit heuristic; false positives are possible in these cases...

cubie

  • Guest
Re: Win32:Swizzor [Trj] possible FP
« Reply #12 on: September 04, 2009, 04:57:05 PM »
Thank you, Maxx, for clarifying that detection issue. :)