[5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.


LorenzoC

  • Guest
**** FIXED ****
It seems Avast update: 100121-2 date: today time:21.27 fixed the false positive.
-----------------------------------------------------------------------

My system is Windows 2000 SP4.
Since this night I can't use NOTEPAD any more since Avast 5 detects it as Win32:Malware-gen.

Besides notepad.exe in 3 different positions on the disk, c:\winnt, c:\winnt\system32 and c:\system32\dllcache, no other file is detected as threat by Avast.

I submitted the file to "virustotal" to check and only Avast detects it as a virus.
Submitted also to ALWIL for further analysis.

I am almost sure it is a false positive.
I got a false positive on another system file with two beta versions and at some point it was corrected.
Now it is becoming annoying. You can't use an antivirus that moves your operating system to the "chest" one file at a time...



« Last Edit: January 21, 2010, 10:20:20 PM by LorenzoC »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87429
  • No support PMs thanks
Re: [5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.
« Reply #1 on: January 21, 2010, 08:07:14 PM »
So are you saying it is alerting on all three locations?

If so, are they all identical, e.g. same MD5 hash?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
« Last Edit: January 21, 2010, 08:10:10 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.1.6049 (build 23.1.7883.774) UI 1.0.746/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

LorenzoC

  • Guest
Re: [5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.
« Reply #2 on: January 21, 2010, 08:20:17 PM »
- Yes it is detecting the "threat" in all the three locations.
- I can't check the MD5 for the files
- I've written above about "virus total", I've already submitted the file (the one in "system32") no other findings but Avast. It means no other "engine" detected the "threat" but Avast.

If you want I could extract the original file from the install CDROM but I am sure Avast would detect that the same.
 
I've seen exactly the same behavior with another system file from Windows 2000 with some betas, it was "ieshwiz.exe". Avast kept trying to move it to the chest, I had to choose the option "do nothing" each time until one day Avast stopped detecting it as a "threat".

My guess is at some point today or yesterday I got an automatic update that now makes Avast mark "notepad.exe" as "bad". The chances it is actually a virus are very very little.

« Last Edit: January 21, 2010, 08:22:40 PM by LorenzoC »
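
The hash comparison asked about in Reply #1, as an added example that is not part of any post in this thread: it hashes the three flagged copies of notepad.exe and reports whether they are byte-identical. The `reference` parameter is an assumption, standing for a known-good copy you supply (for instance one taken from the install media mentioned in Reply #2).

```python
import hashlib
from collections import defaultdict

# Locations named in the thread, as the poster wrote them (Windows 2000).
FLAGGED_COPIES = [
    r"C:\winnt\notepad.exe",
    r"C:\winnt\system32\notepad.exe",
    r"C:\system32\dllcache\notepad.exe",
]


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_copies(paths, reference=None):
    """Group copies by content; optionally compare with a known-good file."""
    groups = defaultdict(list)  # (md5, sha256) -> paths with that content
    unreadable = []             # missing, quarantined or locked files
    for path in paths:
        try:
            groups[file_digests(path)].append(path)
        except OSError:
            unreadable.append(path)
    ref = file_digests(reference) if reference else None
    return {
        "groups": dict(groups),
        "unreadable": unreadable,
        "all_identical": len(groups) == 1 and not unreadable,
        # None when no reference was supplied.
        "matches_reference": None if ref is None else set(groups) == {ref},
    }


if __name__ == "__main__":
    report = compare_copies(FLAGGED_COPIES)
    for (md5, sha256), members in report["groups"].items():
        print(f"MD5 {md5}  SHA-256 {sha256}")
        for member in members:
            print("   ", member)
    print("unreadable:", report["unreadable"])
    print("all copies identical:", report["all_identical"])
```

Copies that the antivirus has already moved to the chest show up under `unreadable`; export them to the excluded C:\Suspect folder described in Reply #1 and pass those paths instead.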

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87429
  • No support PMs thanks
Re: [5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.
« Reply #3 on: January 21, 2010, 08:30:07 PM »
OK, missed the virustotal bit completely ;D

I'm using notepad in XP Pro and no detection by avast VPS 100121-0.

If you have a copy in the chest you can submit it as a false positive, see image, complete the form and send it.

- In the meantime, add it to the exclusions lists:
Standard Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

LorenzoC

  • Guest
Re: [5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.
« Reply #4 on: January 21, 2010, 08:37:00 PM »
I've submitted the file.
The other time it took several updates (read weeks) before the issue would be corrected.

BTW, the file (notepad.exe) version is: 5.00.2140.1

The reason why I wrote this post is to alert other Win2K users who could get the same issue and to point out that this rate of false positives from Avast is honestly too high. I haven't met a virus in YEARS. There is a chance that Avast is doing more harm than good to me.
« Last Edit: January 21, 2010, 08:53:16 PM by LorenzoC »

LorenzoC

  • Guest
Re: [5.0.377] ANOTHER false positive? Please somebody from ALWIL read this.
« Reply #5 on: January 21, 2010, 10:21:18 PM »
Last update fixed the problem.
See first post.