[5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.

[LorenzoC]

**** FIXED ****
It seems Avast update: 100121-2 date: today time:21.27 fixed the false positive.
-----------------------------------------------------------------------

My system is Windows 2000 SP4.
Since this night I can't use NOTEPAD any more since Avast 5 detects it as Win32:Malware-gen.

Besides notepad.exe in 3 different positions on the disk, c:\winnt, c:\winnt\system32 and c:\system32\dllcache, no other file is detected as threat by Avast.

I submitted the file to "virustotal" to check and only Avast detects it as a virus.
Submitted also to ALWIL for further analysis.

I am almost sure it is a false positive.
I got a false positive on another system file with two beta versions and at some point it was corrected.
Now it is becoming annoying. You can't use an antivirus that moves to the "chest" your operating system one file a time...

[DavidR]

So are you saying it is alerting on all three locations ?

If so are they all identical, e.g. same MD5 hash ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

[LorenzoC]

- Yes it is detecting the "threat" in all the three locations.
- I can't check the MD5 for the files
- I've written above about "virus total", I've already submitted the file (the one in "system32") no other findings but Avast. It means no other "engine" detected the "threat" but Avast.

If you want I could extract the original file from the install CDROM but I am sure Avast would detect that the same.
 
I've seen exactly the same behavior with another system file from Windows 2000 with some betas, it was "ieshwiz.exe". Avast kept trying to move it to the chest, I had to option "do nothing" each time until one day Avast stopped detecting it as "threat".

My guess is at some point today or yesterday I got an automatic update that now makes Avast mark "notepad.exe" as "bad". The chances it is actually a virus are very very little.

[DavidR]

OK, missed the virustotal bit completely

I'm using notepad in XP Pro and no detection by avast VPS 100121-0.

If you have a copy in the chest you can submit it as a false positive, see image, complete the form and send it.

- In the meantime, add it to the exclusions lists:
Standard Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

[LorenzoC]

I've submitted the file.
The other time it took several updates (read weeks) before the issue would be corrected.

BTW, the file (notepad.exe) version is: 5.00.2140.1

Th reason why I wrote this post is to alert other Win2K users who could get the same issue and to point out that this rate of false positives from Avast is honestly too high. I haven't met a virus in YEARS. There is a chance that Avast is doing more harm than good to me.

[LorenzoC]

Last udate fixed the problem.
See first post.