False positive with avast! v5 ?

[fredbloggs]

Hello all, first post from a long time happy user who just upgraded to V5 free edition.  V5 has disabled my WLAN USB adapter by deleting WLTRYSVC.EXE reporting it as malware.  I cannot believe this is a genuine positive, but avast! v5 insists it is dangerous.  I have had to dsisable avast! in order to make this post.  Can anyone help with this problem please?  Thank you.

Regards.

Fred.

[PhilR]

A temporary workaround would be to add an exclusion in the File System Shield.

Open the Avast console, select the REAL-TIME SHIELDS, click on File System Shield, then on that page go to Advanced Settings.

There's an Exclusions setting which will let you add that file name as a file to be excluded from scanning.

[fredbloggs]

Thanks PhilR, I'll try that.

[DavidR]

Before exclusion you should confirm an FP.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

- avast5 - Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.

[Rednose]

- avast5 - Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.

Good tip my friend

Greetz, Red.

[Gourbish]

Hi everybody from France !

Firstly I want to congratulate all the persons who worked very hard to give us this great antivirus which is Avast. Thank you so much !

I answer to this subject because I think I found another FP. I sent a report yesterday using the function in Avast.
The problem is on the Windows Audio Converter executable file (AudioConverter.exe) in "C:\Program Files\Windows Plus\Audio Converter".
Version 5.1.2600.2180.
It's a tool of Windows XP Media Center Edition 2005.
I've just formated my PC 1 week ago, and didn't do dangerous things since this time.
Avast finds the same virus (Win32:Malware-gen) in another file too... AudioConverter.exe from one of the .cab archives of Media Center ! Coincidence ?...

So I tested the file with the Kaspersky online file scanner which said "no problem".
I tested it, like DavidR said, at VirusTotal.
Result : http://www.virustotal.com/fr/reanalisis.html?fa10563e5ba132a2484e45b0ea858703ad7c3c0b6fb761036ac8e64b7458d1aa-1264809129
Details : http://www.virustotal.com/fr/analisis/fa10563e5ba132a2484e45b0ea858703ad7c3c0b6fb761036ac8e64b7458d1aa-1264807420

It seems that the problem is not new with this version as the test at VT.com is done on Avast 4.8.1351.0 and it gives the same result only with Avast and GData. I know that with the version of Avast in 2007 there was no probem on that file. But I don't know with recent versions as I've just reinstalled XP MCE2005 last week.

I hope it will help you finding a solution. Thank's.

If necessary, I can upload the file.

Best regards.

[DavidR]

GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the limited risk to regain functionality), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

[Gourbish]

Thank you for the answer DavidR.

Like I tried to say, I submited it to virus lab yesterday using the context menu in avast's quaratine report but without Virus Total results.
So do I have to re-send a new FP including the VT results ?

[DavidR]

It depends on how much information you gave, normally when I submit a file (normally as a result of checking out something in the forums) I give a link to the topic and a link to the VT results page (the one that works).

Though this isn't necessary I feel it might make their job easier to filter submissions into those that appear to know what they are doing and have investigated before submitting. So technically if you have sent it that should be enough.

[fredbloggs]

Thanks all for the help.

[spokes]

I had audioconverter.exe flagged yesterday, too, and placed it in the Virus Chest. But Virus Total report said it was clean (apart from Avast and Gdata) and following this morning's Avast update it scanned as clear, suggesting that most - if not all - of the Win32:Malware-gen reports of the past 24 hours are/were false positives. I have restored the file.

[Gourbish]

Same results for me too. The problem is solved.

[fredbloggs]

Thanks for the comments and help, folks.

[Shiw Liang]

I have a question
If avast has a more powerful detection rate does that means that there will be more False Positve Detections?

[DavidR]

Thanks for the comments and help, folks.

You're welcome.