Topic: False/positive Office 10 (XP) ...help?

tinto101

  • Guest
False/positive Office 10 (XP) ...help?
« on: November 28, 2009, 11:03:50 PM »
For the last 2-3 days AVAST 4.8 has been telling me that a file in an old OFFICE-10 (Office for XP) is infected!?

later NEVER say this !

False positive or?

How do I post the log and the name of this file or files here?



help me ::)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89104
  • No support PMs thanks
Re: False/positive Office 10 (XP) ...help?
« Reply #1 on: November 28, 2009, 11:14:30 PM »
That is possible as if it was a false positive and someone reported and submitted a sample of the file, then it would be analysed and the signatures adjusted if confirmed as a false positive.

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

That is why it is important never to delete, but to send detections to the avast chest.

Then if you think something may be a false positive then you need to confirm that detection:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tinto101

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #2 on: November 29, 2009, 10:23:48 AM »
Hi, it came with the new version of AVAST... in the last 2-3 days!

The strange thing is that with VIRUS TOTAL it is not possible to upload to scan... why????

Hi, avast team

With the new update of avast... in these 2-3 days

avast says this file is infected:


* Operazione 'Protezione residente' usata
* Avviato venerdì 27 novembre 2009 18.37.56
* VPS: 091126-1, 26/11/2009
*

C:\Programmi\Microsoft Office\OFFICE10-Silvano\OFFICE 10 -Silvano\SHAREPT\SQL\X86\BINN\DTSWIZ.EXE [L] Win32:Malware-gen (0)

*
* Operazione fermata: sabato 28 novembre 2009 4.34.00
* Utilizzato da 9 ora(e), 56 minuto(i), 4 secondo(i)
*

*
* Rapporto avast!
* Questo file è generato automaticamente
*
* Operazione 'Protezione residente' usata
* Avviato sabato 28 novembre 2009 12.13.30
* VPS: 091127-1, 27/11/2009


Is this file really infected or?

OFFICE 10\SHAREPT\SQL\X86\BINN\DTSWIZ.EXE [L] Win32:Malware-gen


I tried with the VIRUS TOTAL online scanner but it says no upload!!!!

Help me?

tinto101

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #3 on: November 29, 2009, 11:27:19 AM »

The correct syntax of the folder in the avast shield is:

C: \suspect \

or

C: \suspect \ (and the little star)

????

tinto101

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #4 on: November 29, 2009, 01:26:49 PM »
I did not find in avast the MENU to insert this "suspect" folder!

Where is it in the avast 4.8 program?

spg SCOTT

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #5 on: November 29, 2009, 01:30:51 PM »
Left click the avast! tray icon --> click 'more detail' if necessary -->scroll to and click on standard shield --> click customise --> click advanced tab --> click add --> type C:\Suspect\*

The * means that all files inside that folder will not be scanned by the standard shield and you can upload the file to VirusTotal.

Once you are done with this issue, you can delete the folder and remove the exclusion if you wish.

tinto101

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #6 on: November 29, 2009, 08:20:33 PM »
shield   and customized

I have avast in Italian language....

help ? ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89104
  • No support PMs thanks
Re: False/positive Office 10 (XP) ...help?
« Reply #7 on: November 29, 2009, 09:03:55 PM »
Whilst these images show English the position of the various Shields (avast Providers) and tabs/buttons should be the same.

majoMo

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #8 on: November 29, 2009, 09:54:49 PM »
It seems to be a False Positive.

File is from MS, Office 2000 CD install.

VirusTotal report.

Please see this topic.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89104
  • No support PMs thanks
Re: False/positive Office 10 (XP) ...help?
« Reply #9 on: November 29, 2009, 10:46:36 PM »
Yes it looks like it in your case, but that is no guarantee for another user who may have a different version, is MS Office-10 the same as MS Office 2000 ?

You should send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

majoMo

  • Guest
Re: False/positive Office 10 (XP) ...help?
« Reply #10 on: November 29, 2009, 11:14:14 PM »
Yes it looks like it in your case, but that is no guarantee for another user who may have a different version, is MS Office-10 the same as MS Office 2000 ?

Please see the VirusTotal report quoted above; at the bottom in "( Microsoft )". You can see there a lot of MS apps about that file (including MS Office-10/Office XP).

You should send the sample to ( ... )

It was already done through the Avast warning to send False Positive.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False/positive Office 10 (XP) ...help?
« Reply #11 on: November 30, 2009, 06:27:54 AM »
Yes it looks like it in your case, but that is no guarantee for another user who may have a different version, is MS Office-10 the same as MS Office 2000 ?

I think the -10 denotes XP Office as in post above. So 2002. And maybe also for some later versions. Unfortunately I don't have an earlier one running any more. But I don't think -10 for the 2000 versions.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline RZPogi

  • Sr. Member
  • ****
  • Posts: 237
Re: False/positive Office 10 (XP) ...help?
« Reply #12 on: November 30, 2009, 06:52:08 AM »
This is no isolated case. I tried to install Office XP on my friend's netbook, and avast detected dtswiz.exe as malware on the CD.

I had to exempt this file from scanning.

BTW: Office XP is Office 10
DESKTOP: Win 10, Avast 20 Free, Windows firewall, Malwarebytes free

LAPTOP: Win 10, Windows Defender, Malwarebytes free, Windows Firewall, Mcshield

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False/positive Office 10 (XP) ...help?
« Reply #13 on: November 30, 2009, 07:15:55 AM »
on the cd  :o :o :o

I could only test the Office XP 10 that I have (see below)

Could not find dtswiz.exe on the disk


Edit - I scanned disk with current 4.8 definitions and no detection. Only means my disk is okay really. Sorry can't help any more, may run a test by installing on computer running avast if I get the chance.
« Last Edit: November 30, 2009, 07:41:46 AM by mkis »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: False/positive Office 10 (XP) ...help?
« Reply #14 on: November 30, 2009, 08:57:41 AM »
Hi,
thank you for the notice. The false positive will be fixed in the next (091130-0) VPS update.


Milos
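
Added example (not part of the thread, and not Avast code): a small parser for the report pasted in Reply #2 that pulls out each detection in the "malware name, path" form requested in Reply #1 and checks whether it was made with a VPS older than the 091130-0 update announced in Reply #14. The line layouts are assumptions inferred only from the lines shown in this thread, and all function names are hypothetical.

```python
import re

# Constructed sample: report lines as pasted in Reply #2 (trimmed).
SAMPLE_REPORT = r"""* Operazione 'Protezione residente' usata
* Avviato venerdì 27 novembre 2009 18.37.56
* VPS: 091126-1, 26/11/2009
*
C:\Programmi\Microsoft Office\OFFICE10-Silvano\OFFICE 10 -Silvano\SHAREPT\SQL\X86\BINN\DTSWIZ.EXE [L] Win32:Malware-gen (0)
*
* Operazione 'Protezione residente' usata
* Avviato sabato 28 novembre 2009 12.13.30
* VPS: 091127-1, 27/11/2009
"""

# Assumed layouts, inferred only from the lines shown in this thread.
VPS_RE = re.compile(r"^\*\s*VPS:\s*(\d{6}-\d+)")
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+\[(?P<flag>\w)\]\s+(?P<name>\S+)(?:\s+\(\d+\))?$"
)

def vps_key(vps_id):
    """Sort key for a VPS id such as '091126-1': (YYMMDD, build number)."""
    date, build = vps_id.split("-")
    return (date, int(build))

def parse_report(text):
    """Return each detection with the VPS that was loaded when it fired."""
    current_vps, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := VPS_RE.match(line)):
            current_vps = m.group(1)
        elif (m := HIT_RE.match(line)):
            hits.append({"vps": current_vps, **m.groupdict()})
    return hits

def predates_fix(hit, fixed_in):
    """True when the detection was made with a VPS older than the fixed one."""
    return hit["vps"] is None or vps_key(hit["vps"]) < vps_key(fixed_in)

def forum_line(hit):
    """Format a hit the way Reply #1 asks for it: malware name, then path."""
    return f"{hit['name']}, {hit['path']} (VPS {hit['vps']})"

if __name__ == "__main__":
    for hit in parse_report(SAMPLE_REPORT):
        print(forum_line(hit), "| older than 091130-0:", predates_fix(hit, "091130-0"))
```

A detection that predates the fixed VPS is worth re-checking after the update; one that still fires on or after it should be reported again with the new VPS id.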