Author Topic: Win32:Malware-gen...False Positives?  (Read 39931 times)


Bub12

Win32:Malware-gen...False Positives?
« on: January 30, 2010, 06:18:31 AM »
Hi,

First, I keep a very clean system running multiple AV/AS protections, use a hard & soft firewall & am very careful where I go online.

Tonight, Avast picked up the following after SuperAntiSpyware was clean.

Infection: A0012663.exe
Location: C:\SystemVolumeInformation\_restore{.........}\RP93
Virus: Win32:Malware-gen

Infection: Inchtour.exe
Location: C:\ProgramFiles\MicrosoftWorks\
Virus: Win32:Malware-gen

I have since scanned with Avast again & MBAM & came up clean. The infections are in the chest.

I did need to download some PDF & Word email attachments today from schools. I scanned the files & they came up clean. I also ran 3 different full scans after I downloaded the docs from one school & all was clean. I then downloaded docs from the 2nd school, which is a college, & ran some scans & came up clean. Not sure if I ran Avast at that time. I did run Avast a few hours later & that's when it picked up the infections.
 
Any thoughts?

Thanks!

« Last Edit: January 30, 2010, 06:45:48 AM by Bub12 »

FreewheelinFrank
« Reply #1 on: January 30, 2010, 07:36:20 AM »
Hi,

Please follow the advice on this thread regarding possible false positives.

http://forum.avast.com/index.php?board=2;action=display;threadid=7779

Bub12

« Reply #2 on: January 30, 2010, 07:52:47 AM »
Thanks Frank but I am not a big fan of using such online scans & uploading my files to such services. Like I said, I am extremely cautious online :-)

I was hoping that avast could tell me if it was an fp.

Also, I have in the past sent Avast potential FP's & never received a response. This happened more than once if memory serves me :-(

I am a bit unclear on how such a service would work as well. For example, I believe that inchtour is a normal MS Works file so how would uploading it to an online scanning service let me know if it was infected?

 
« Last Edit: January 30, 2010, 07:56:53 AM by Bub12 »

FreewheelinFrank
« Reply #3 on: January 30, 2010, 07:57:36 AM »
If it's clear in the email that it's a false positive, I believe the sample is given priority and definitions updated if it is confirmed.

But if you want a response, other AV companies are miles better.  ;)

http://analysis.avira.com/samples/index.php

Bub12

« Reply #4 on: January 30, 2010, 08:08:11 AM »
A nice, easy to use form from Avira. But hey, beggars can't be choosers. I use Avast free version.

I hope someone from Avast will let me know in this forum if these are fp's.

I will try to email them as well. The method of sending Avast detections is not clear to me. There is an easy way directly from the logs, I think.

Bub12

« Reply #5 on: January 30, 2010, 08:11:09 AM »
For example ...

"Pack the "infected" file into ZIP archive and lock it with password "virus" "

I have no idea how to lock a zip file or how to safely get potentially infected files into a zip.

FreewheelinFrank
« Reply #6 on: January 30, 2010, 09:29:33 AM »
Even if you manage it, many ISPs won't send .exe's, even zipped.

I think there is a way to send suspected false positives from the chest. That's probably the best way.

jason67

« Reply #7 on: January 30, 2010, 09:59:24 AM »
I'm getting this as well.

inchtour.exe. win32:malware-gen

For some reason Avast won't let me send an email when I right-click on the file in the chest. It's unresponsive.

jason67

« Reply #8 on: January 30, 2010, 10:09:32 AM »
FWIW I downloaded FFDShow from free-codecs.com today just before Avast picked it up, however it was also right after a virus definition update, and during a MBAM scan.

The file was found in C:\ProgramFiles\MicrosoftWorks

spokes

« Reply #9 on: January 30, 2010, 11:22:03 AM »
I got a similar virus alert yesterday regarding Microsoft audioconverter.exe, put the file in the Virus Chest and did a boot scan to make sure everything was clean. This morning after the Avast update I scanned the file again and all is clear, so I've restored the file on the assumption it was a false positive yesterday (especially judging from all similar reports on here in the past 24 hours).

Bub12

« Reply #10 on: January 30, 2010, 05:39:06 PM »
Anybody else experiencing this?

petek

« Reply #11 on: January 30, 2010, 06:16:35 PM »
A win32:malware-gen in msworks.exe was flagged on my PC today. The only thing I've installed recently is Microsoft's converter pack to allow me to open new MS Word .docx documents with an older version of Word. I've moved msworks.exe, which I have never used anyway, to the chest. This does sound like a false positive. Any ideas?

Pete


Bub12

« Reply #12 on: January 30, 2010, 08:05:17 PM »
Well, I tried emailing the infections via the "email Avast" option from the chest & nothing appeared to happen, any suggestions?

I have restored the files & am rescanning but I believe I already had the most current version of Avast when it detected the infections. We'll see what happens...

Bub12

« Reply #13 on: January 30, 2010, 08:12:31 PM »
Bad News!

Like I said, I restored the files & the infection is still being detected.

Anyone from Avast here that can help?

Bub12

« Reply #14 on: January 30, 2010, 09:13:49 PM »
Well....Avast just updated so I figured they may have fixed the possible fp problem. I restored the files & they were still detected as infections. Since I restored the files, I was however able to access them to upload them to Jotti & VT. However, after submitting the files, I was told that the files were empty containing 0 bytes of info.

I went into C/:ProgramFile/MSWorks/Inchtour, clicked properties, looked around & as I closed it by clicking "OK", I was told that I could not make changes as the file was in use or read only so I used "cancel" to escape. When I again went into MSWorks, there was a shortcut icon to "Inchtour" that was created adjacent to the "Inchtour" icon. I did not create a shortcut so I deleted it.

I again put the "Inchtour" file in the chest. Any other suggestions?