Lisandro (Avast team)
False positives
« on: July 30, 2003, 05:16:27 AM »
Neither AVG nor NAV ( >:( ) reports a virus for some ZIP files. The zipped files are .ico, .exe, .rtf and so on...
Although, the avast log shows them...

With WinZip 9.0 Beta, no problems are detected (running the 'test' option).
Is this false positive behavior?  :'(
The best things in life are free.

igor (Avast team)
Re:False positives
« Reply #1 on: July 30, 2003, 09:23:19 AM »
Could you be a little more specific?  :)
What exactly does avast! show in logs?

Lisandro (Avast team)
Re:False positives
« Reply #2 on: July 30, 2003, 05:40:18 PM »
Sorry, here is the avast log:

* avast! Report - This file is generated automatically
* Task 'Simple user interface' used
* Started on Wednesday, July 30, 2003 8:58:52 AM
*
E:\ ... path ... \Fonts.zip\WINDOWS\Fonts\Pala.ttf [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Icons.zip\Arquivos de programas\Iconfilter\Icons\Tools\gun01.ico [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Media.zip\WINDOWS\Media\Download\1\closing.wav [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Notify.zip\Arquivos de programas\Utilitários\Aplicativos\Notify\Family.hlp [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Palm\Hacks\lista de software - palm.zip\PPColl97\Zips\BrainFTr.zip\BrainForest QuickStart.pdb [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Lista de software.zip\PPColl97\Zips\BrainFTr.zip\BrainForest QuickS-tart.pdb [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \NetFilter 2.03W.exe [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Drivers Windows XP.zip\Drivers\Alto-falante do sistema\machine.inf [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \Boot 2\Microsoft Java Virtual Machine 3809.5853.exe [E] ZIP archive is corrupted. (42125)
E:\ ... path ... \07.rtf [E] ZIP archive is corrupted. (42125)

Infected files: 0
Total files: 67616
Total folders: 3736
Total size: 9.8 G

* Task stopped: Wednesday, July 30, 2003 9:40:03 AM
* Run-time was 41 minute(s), 11 second(s)

As we can see, ZIP archive is corrupted but with WinZip 9.0 Beta everything is ok! When I right-click the log file and try to scan it again, the program "cannot found the file". Of course, I can extract (or test) the file in WinZip and everything works.
The best things in life are free.

panfr (Newbie)
Re:False positives
« Reply #3 on: July 30, 2003, 08:41:15 PM »
So - I don't see any "false positives" at all...
Any chance those archives are password protected? And finally - do you happen to know which program created those archives?
« Last Edit: July 30, 2003, 08:43:35 PM by panfr »

Lisandro (Avast team)
Re:False positives
« Reply #4 on: July 31, 2003, 01:33:26 AM »
Any chance those archives are password protected? And finally - do you happen to know which program created those archives?

No chance with password protection... (in avast log, other zip files password protected are ok and listed as protected...).
The program is WinZip (some of files with version 8.0 and others 9.0 Beta, not all of them with Enhanced Deflate, new feature of 9.0 Beta version).
Why does avast report these "errors"?
The best things in life are free.

igor (Avast team)
Re:False positives
« Reply #5 on: July 31, 2003, 10:14:38 AM »
Well, that's rather a question for PK.
I must say, however, that I have supplied him with a number of files that were also reported by avast! as "corrupted", in spite of the fact that other programs (WinRAR, Windows Commander) unpacked them without any problems. He always persuaded me that they really are corrupted :) (e.g. the headers are wrong) - just some programs don't care.
I'm just trying to say that the fact that WinZip doesn't report any errors doesn't necessarily mean that the archives are perfect.
Let's see if PK has any comments...

Lisandro (Avast team)
Re:False positives
« Reply #6 on: July 31, 2003, 02:13:04 PM »
I must say, however, that I have supplied him with a number of files that were also reported by avast! as "corrupted", in spite of the fact that other programs (WinRAR, Windows Commander) unpacked them without any problems. He always persuaded me that they really are corrupted :) (e.g. the headers are wrong) - just some programs don't care.
I'm just trying to say that the fact that WinZip doesn't report any errors doesn't necessarily mean that the archives are perfect.

Not just WinZip, but the files - already unzipped - run smoothly with the associated program: .doc, .rtf, .exe... everything runs and works...  :o
The best things in life are free.

pk (Avast team)
Re:False positives
« Reply #7 on: August 04, 2003, 01:02:05 AM »
I really doubt WinZip would be wrong, I just asked technical to send me some of those ZIP archives - it's probably our fault, I will let you know after deeper analysis.

Lisandro (Avast team)
Re:False positives
« Reply #8 on: August 04, 2003, 02:45:39 AM »
I really doubt WinZip would be wrong, I just asked technical to send me some of those ZIP archives - it's probably our fault, I will let you know after deeper analysis.

Hi, Petr
Some of the ZIP files are too big, others are confidential ones, and on this computer I have a dial-up connection...
Is it interesting to send you just the files that - inside of the ZIP archive - are listed as corrupted?
Best Regards.
The best things in life are free.

pk (Avast team)
Re:False positives
« Reply #9 on: August 04, 2003, 03:16:05 AM »
Sure, you can delete all other files from the archive except the corrupted ones (with WinZip, for instance) - but avast has to detect these files as corrupted in that resulting small ZIP archive.

Lisandro (Avast team)
Re:False positives
« Reply #10 on: August 04, 2003, 03:24:35 PM »
Sure, you can delete all other files from the archive except the corrupted ones (with WinZip, for instance) - but avast has to detect these files as corrupted in that resulting small ZIP archive.

I'll send them with comments... Wait for a while...
The best things in life are free.

Lisandro (Avast team)
Re:False positives
« Reply #11 on: August 05, 2003, 04:58:50 AM »
I just sent to Peter's email some of the ZIP files that avast! cannot handle.
There are no errors when testing with WinZip 9.0 Beta (not all files were "created" by this version, but by earlier ones).
The files continue to be announced by avast! as "Unable to scan: ZIP archive is corrupted".

Can avast tell me anything about it?  >:(
The best things in life are free.

pk (Avast team)
Re:False positives
« Reply #12 on: August 06, 2003, 10:10:20 PM »
Can avast tell me anything about it?  >:(

I was a little busy, so I'm sorry for your waiting. Thanks for your files, technical.

Firstly, I've noticed that the WinZip 6.9 version on my laptop couldn't unpack those files either :o.

E:\ ... path ... \Lista de software.zip\PPColl97\Zips\BrainFTr.zip\BrainForest QuickS-tart.pdb [E] ZIP archive is corrupted. (42125)

is really corrupted; the so-called local header is corrupted.

Other files are packed with method 9: "Enhanced Deflating using Deflate64(tm)" 8) but we don't support all variants of this method. Also, it's not really easy to report an unknown_method error instead of file_is_corrupted in this case.

I will remember this imperfection and I'll try to fix it sometime in my spare time.

Lisandro (Avast team)
Re:False positives
« Reply #13 on: August 07, 2003, 04:02:14 AM »
E:\ ... path ... \Lista de software.zip\PPColl97\Zips\BrainFTr.zip\BrainForest QuickS-tart.pdb [E] ZIP archive is corrupted. (42125)
is really corrupted; the so-called local header is corrupted.

Sorry, I tried with this file and confirm that it is really corrupted:

warning [D:\Transporte\PPColl97\Zips\BrainFTr.zip]:  extra 12802 bytes at beginning or within Zip file (attempting to process anyway)
Error in file #1:  bad Zip file offset (Error local header signature not found):  0
(attempting to re-compensate)
Error:  invalid compressed data to inflate
Error in file #2:  bad Zip file offset (Error local header signature not found):  4054
Severe Error [D:\Transporte\PPColl97\Zips\BrainFTr.zip]:  When testing/extracting WinZip was unable to read file #3 in the Zip file
Your suggestion of changing the error message is welcome...  ;)
The best things in life are free.
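
The two causes identified in Replies #12 and #13 (a missing local header signature versus compression method 9, Deflate64) can be told apart before any decompression is attempted. The following is an added example, not part of the thread and not avast!'s code: a Python triage that reports "unsupported method" separately from "corrupted". The `SUPPORTED` set, the function names and the sample archive are assumptions constructed for illustration.

```python
import io, struct, zipfile, zlib

LOCAL_SIG = b"PK\x03\x04"
SUPPORTED = {0, 8}            # assumption: this toy scanner unpacks stored + deflate only
NAMES = {9: "Deflate64", 12: "bzip2", 14: "LZMA"}   # method IDs from the ZIP APPNOTE

def triage(data: bytes) -> dict:
    """Map each entry name to 'ok', 'unsupported method ...' or 'corrupted: ...'."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:       # reads the central directory
        for info in zf.infolist():
            hdr = data[info.header_offset:info.header_offset + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
                out[info.filename] = "corrupted: local header signature not found"
                continue
            method = struct.unpack_from("<H", hdr, 8)[0]    # method field of local header
            if method != info.compress_type:
                out[info.filename] = "corrupted: local and central headers disagree"
            elif method not in SUPPORTED:
                label = NAMES.get(method, "unknown")
                out[info.filename] = f"unsupported method {method} ({label})"
            else:
                try:
                    zf.read(info)                           # inflates and checks the CRC
                    out[info.filename] = "ok"
                except (zipfile.BadZipFile, zlib.error) as exc:
                    out[info.filename] = f"corrupted: {exc}"
    return out

def make_sample() -> bytes:
    """Constructed archive: one entry relabelled as method 9, one with a wiped signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("d64.bin", "broken.pdb", "ok.txt"):
            zf.writestr(name, b"constructed sample data " * 20)
        offs = {i.filename: i.header_offset for i in zf.infolist()}
    raw = bytearray(buf.getvalue())
    cd = struct.unpack_from("<I", raw, len(raw) - 6)[0]     # central directory offset (EOCD)
    struct.pack_into("<H", raw, offs["d64.bin"] + 8, 9)     # local header method -> 9
    struct.pack_into("<H", raw, cd + 10, 9)                 # first central entry method -> 9
    raw[offs["broken.pdb"]:offs["broken.pdb"] + 4] = b"\0" * 4
    return bytes(raw)

if __name__ == "__main__":
    for name, verdict in triage(make_sample()).items():
        print(f"{name}: {verdict}")
```

For a scanner, the distinction matters operationally: an "unsupported method" entry is content that was not inspected, while a "corrupted" entry may not be extractable at all.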