Author Topic: How to report this False positive?  (Read 12023 times)

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
How to report this False positive?
« on: August 15, 2011, 02:43:22 PM »
After having updated the drivers for my Nvidia Geforce G100 to 280.26, Avast believes that the file nvlddmkm.sys shows behavior. A manual scan of the file with Avast and MBAM shows that it is clean.

Also Virus Total shows that the file is clean.

http://www.virustotal.com/file-scan/report.html?id=4ad0556df8a833074b723a15fc3e99314fb457157c91238c44e933b13294bb17-1313410147

So I would like to report it as a false positive, but even packed with 7z set to maximum compression the file is still 3.18 mb. This makes it too big to use the standard way of reporting a false positive, so how can I report/send the virus labs this file to examine?
Windows 10 64bit /MSI Z370 Codex Gaming XE Desktop i5-9600K CPU 3.70GHz /16 GB DDR4 Memory /NVIDIA GeForce RTX 2070 Graphics card /256 GB SSD /1TB HDD/External 5 TB WD Elements 25A3 USB Device

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: How to report this False positive?
« Reply #1 on: August 15, 2011, 02:46:52 PM »
Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject as "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.

If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.
« Last Edit: August 15, 2011, 02:49:02 PM by nmb »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to report this False positive?
« Reply #2 on: August 15, 2011, 02:49:11 PM »
Well the strange thing is that on the VT results avast doesn't detect anything.
Ensure you have the latest virus definitions update.

So what were the details of this detection, what was being reported, I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast) ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #3 on: August 15, 2011, 03:04:36 PM »
> Well the strange thing is that on the VT results avast doesn't detect anything.
> Ensure you have the latest virus definitions update.
>
> So what were the details of this detection, what was being reported, I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast) ?

Avast updated to 110815-0 just after I had rebooted after having installed the latest Nvidia drivers, and shortly after that indeed popped up with a warning about the file I mentioned in the first post.

> Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject as "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.
>
> If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.

That was the method I already tried, it does not seem to allow uploading a packed file of 3.18mb. But for now I will indeed exclude the file. Still, this should be reported as a false positive, because it has to be one I guess. So just to be certain they would need to examine that file at the Virus Labs, just the method I tried does not allow to send a file of that size.

ady4um

  • Guest
Re: How to report this False positive?
« Reply #4 on: August 15, 2011, 04:11:46 PM »
If you have no alternative, you could post here a link to the download location of the drivers, and EXACT information about it.

I can't promise that it would be evaluated using the link here, but it is better than nothing.

In case you post here a link, please replace the http://... of it with hxxp://... so to reduce problems with it.

Anyway, I would tend to agree with DavidR on this one. If Avast is not currently identifying it as a problem with a normal scan, and VT also shows no problems, then maybe it was a "glitch"!? What was the exact message?

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: How to report this False positive?
« Reply #5 on: August 15, 2011, 04:24:02 PM »
> > Well the strange thing is that on the VT results avast doesn't detect anything.
> > Ensure you have the latest virus definitions update.
> >
> > So what were the details of this detection, what was being reported, I suspect this was during the avast anti-rootkit scan 8 minutes after boot (otherwise the VT scan would have a hit for avast) ?
>
> Avast updated to 110815-0 just after I had rebooted after having installed the latest Nvidia drivers, and shortly after that indeed popped up with a warning about the file I mentioned in the first post.
>
> > Go to: http://www.avast.com/contact-form.php?loadStyles and fill in the details, select the subject as "report false alert in file" and browse for the file. Send the file after you have filled in all the remaining fields.
> >
> > If avast blocks the file from being uploaded, you can exclude the file in file system shield settings.
>
> That was the method I already tried, it does not seem to allow uploading a packed file of 3.18mb. But for now I will indeed exclude the file. Still, this should be reported as a false positive, because it has to be one I guess. So just to be certain they would need to examine that file at the Virus Labs, just the method I tried does not allow to send a file of that size.

You can send the FP file via email (virus@avast.com) also. ;) Try it. As far as I know, the latest Nvidia drivers have/had some problems.

Bye


Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #6 on: August 15, 2011, 05:04:54 PM »
> You can send the FP file via email (virus@avast.com) also. ;) Try it. As far as I know, the latest Nvidia drivers have/had some problems.
>
> Bye

Thank you very much JuninhoSlo, through that method I was able to send the False Positive archive to them. Now all I have to do is wait for their answer. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to report this False positive?
« Reply #7 on: August 15, 2011, 05:32:12 PM »
That is why I'm trying to pin down which shield or scan alerted ?
If it is the anti-rootkit scan (image1 example of anti-rootkit detection) there isn't a huge amount that can be done right now, but if it is another shield, like the behavior shield (image2). But the behavior shield example alert only comes up if you have set that shield to Ask and not Auto, the default action.

So which shield, scan is it ?

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #8 on: August 15, 2011, 07:00:14 PM »
> That is why I'm trying to pin down which shield or scan alerted ?
> If it is the anti-rootkit scan (image1 example of anti-rootkit detection) there isn't a huge amount that can be done right now, but if it is another shield, like the behavior shield (image2). But the behavior shield example alert only comes up if you have set that shield to Ask and not Auto, the default action.
>
> So which shield, scan is it ?

That would be the first one, the one in the anti-rootkit_alert_actions.png. So would that mean that sending the file to the Virus labs will not achieve the result I am hoping for?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to report this False positive?
« Reply #9 on: August 15, 2011, 07:27:24 PM »
If they don't realise that the detection is from the anti-rootkit scan the normal signatures have no effect, as you found in the VT results.

So when the alert comes up, I take it that is the Suspicious Files found rather than Rootkit found, etc. ?

If so, you have two options and the default Ignore is the one you should select, don't check the 'Don't tell me about these files in the future' (as you would never know if this is resolved and I don't know if you can reverse this decision). Whilst this will mean it will come up in future boots, telling avast to Ignore should trigger the CommunityIQ to report this back to avast and should get analysed and hopefully corrected soon.

That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, Graphics card and the driver version, etc. A link to this topic wouldn't hurt.

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #10 on: August 15, 2011, 09:01:35 PM »
> If they don't realise that the detection is from the anti-rootkit scan the normal signatures have no effect, as you found in the VT results.
>
> So when the alert comes up, I take it that is the Suspicious Files found rather than Rootkit found, etc. ?
>
> If so, you have two options and the default Ignore is the one you should select, don't check the 'Don't tell me about these files in the future' (as you would never know if this is resolved and I don't know if you can reverse this decision). Whilst this will mean it will come up in future boots, telling avast to Ignore should trigger the CommunityIQ to report this back to avast and should get analysed and hopefully corrected soon.
>
> That doesn't stop you sending the sample file to avast with as much information as possible about the alert being the anti-rootkit scan 8 minutes after boot, your OS, Graphics card and the driver version, etc. A link to this topic wouldn't hurt.

Well, I just rebooted again and Avast warns that a suspicious file (rootkit) is found and that it could point to a malware infection? I have told it to ignore for the moment. Before I installed the new Nvidia drivers today Avast did not warn me with that message, it did so right after I had installed those new drivers and had rebooted my computer. Also I downloaded the new drivers from here...

hxxp://www.nvidia.co.uk/page/home.html

which is the Official UK Nvidia website so they should be trustworthy should they not?  

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to report this False positive?
« Reply #11 on: August 15, 2011, 10:01:16 PM »
It isn't saying it isn't trustworthy or infected or the regular avast signatures would be doing the detection. It is just the method of checking is different to the conventional signatures, and I don't know why this graphics driver (if that is what it is) needs to be hidden. Rootkits try to hide from conventional scans, so it is this which is found to be suspicious.

Your image is different Rootkit Found, as that is saying suspicious hidden object (rootkit) found rather than the one I posted.

As the old avast5 one when expanded had an option to submit the file for further analysis. Does the Advanced Option open up when clicked ?

If it does you should elect to submit it each time that it is detected.

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #12 on: August 16, 2011, 12:48:33 PM »
> It isn't saying it isn't trustworthy or infected or the regular avast signatures would be doing the detection. It is just the method of checking is different to the conventional signatures, and I don't know why this graphics driver (if that is what it is) needs to be hidden. Rootkits try to hide from conventional scans, so it is this which is found to be suspicious.
>
> Your image is different Rootkit Found, as that is saying suspicious hidden object (rootkit) found rather than the one I posted.
>
> As the old avast5 one when expanded had an option to submit the file for further analysis. Does the Advanced Option open up when clicked ?
>
> If it does you should elect to submit it each time that it is detected.

That would have been handy if I could, but that option is not present anymore. In the picture in my previous post you can already see the "advanced" mode. Makes me wonder why they took that option out?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to report this False positive?
« Reply #13 on: August 16, 2011, 01:18:20 PM »
It does me too, so my only reasoning is what I mentioned about the CommunityIQ feature passing anonymous data back about the detection. If you are selecting Ignore, I would say that would by implication mean you feel it is an FP.

Offline Morro41

  • Jr. Member
  • **
  • Posts: 83
Re: How to report this False positive?
« Reply #14 on: August 16, 2011, 01:22:21 PM »
Yeah, have done that 3 times since yesterday plus having sent the file, and I sent them the link to this thread. Now I will just have to wait and see when I get an answer.  :)