Author Topic: Do I have to configure a false positive THREE TIMES?  (Read 5325 times)


VanguardLH

  • Guest
Do I have to configure a false positive THREE TIMES?
« on: September 15, 2011, 09:18:59 PM »
Windows XP Pro SP-3
Avast 6.0.1289

Got another false positive from Avast (this time for the UPHClean utility from Microsoft; see http://www.microsoft.com/download/en/details.aspx?id=6676).  Already submitted the FP report.  The popup doesn't let me choose to trust the program/file, just to block, delete, or move to chest.  The least corruptive action is move to chest, where I can then restore the file (but then Avast complains again with another false positive until I realize that I have to exclude before I restore).  I added the file to the File Shield's exclusion list, but Avast issued another false positive from the Behavior Shield when the program was run.

So do I have to record an exclusion on the file/program in 3 different places in Avast?
  • File Shield: Exclusions list (using the poorly designed browser dialog where I can only select a folder, not a file, so I have to manually enter the filename).
  • Behavior Shield: Trusted Program list (much better browser dialog since it uses the one from Windows, not its own).
  • General settings: Exclusions list (using their same crappy browser dialog).  Applies only to on-demand scans.

Users of amateurish accounting programs don't like having to do double or triple entries, which causes synchronization problems and errors.  They'll get a more professional single-entry accounting program.  Why would Avast users want to have to remember to add an exclusion, especially for a false positive, in 3 different places in Avast?  They don't want to.  They're forced to.  If I'm excluding a file under any one of these places, why wouldn't I also be excluding it in the other two?  It makes no sense to be excluding a program's file in the Behavior Shield if it weren't also excluded in the File Shield and for on-demand scans.  You're either going to trust it or you're not.

Will an exclusion in the Behavior Shield also exclude that program and its file from issuing a false positive by the File Shield and during manual scans?  Can I exclude the [false positive] file in just ONE place in Avast?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Do I have to configure a false positive THREE TIMES?
« Reply #1 on: September 15, 2011, 09:30:23 PM »
There are already two other topics about this.

Personally I have only set it in the file system shield as the behavior shield didn't get a look in before the FSS alerted and I have no intention of running an on-demand scan before my usual Sunday 00:15am schedule, by which time this should be cleared up. Even then I would just ignore the entry in the scan results window.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

VanguardLH

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #2 on: September 15, 2011, 09:51:12 PM »
I already had added the false positive file to the exclusions list in the File Shield.  When the program loaded, the Behavior Shield threw out another alert/action window.  So I had excluded it under one shield but another shield still alerted on the same file.  I really don't want to have to remember which files flagged in a manual or scheduled scan were the ones that I had to exclude in their shields so I also update the exclusion list in the general settings.

Whether you choose to omit an exclusion in the general settings is your choice but that does not obviate that Avast maintains THREE separate exclusion lists: File, Behavior, general (on-demand).  When might a user want a file excluded under one but not the other two?  If I'm going to trust the program, I don't want the File Shield complaining about the same file.  If I'm excluding the file in the File Shield, obviously I've chosen to trust the file so why wouldn't I want the Behavior Shield to also exclude this same file?  If I'm excluding the file from the on-access (realtime) File Shield scanner, why would I want it not excluded in an on-demand scan?

If it's been discussed before, apparently Avast didn't listen then, either.  We're still stuck with 3 disjoint exclusion lists.  So it's been discussed before.  The deficiency still exists.  (By the way, considering how the search works here, don't figure that anyone can find those specific prior threads, especially considering the words in the search criteria will match on several contexts, resulting in far too many hits for any sane user to bother reading them all.)

naren17

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #3 on: September 15, 2011, 09:53:41 PM »
I just downloaded the file from the link provided, but it's not being detected here by the latest version of Avast.

Win XP SP3
Avast latest & Windows FW
No other realtime security

Thanxx
Naren

VanguardLH

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #4 on: September 15, 2011, 10:17:02 PM »
Are you testing on the downloaded .msi file or the uphclean.exe that it ends up installing?

I downloaded the .msi file.  Opened it with 7-zip.  It contains no archived file named uphclean.exe.  Instead the executable looks to be listed under its GUID (DBD3F...B35E9).  Its size is significantly smaller, so its byte image differs from the uphclean.exe that gets extracted from the .msi file.  So did you test on the uphclean-setup.msi file or the uphclean.exe that it creates?

I installed UPHClean a long time ago, probably soon after it got released.  It's possible the download page is for a new version.  The download page says it is for version 1.6g.  When I right-click on the uphclean.exe file that was installed many months ago (and never flagged by Avast until today), it reports as version 1.6.30.0.  One could be the version for the .msi installer file and the other is the version of the extracted file.  When you checked against uphclean.exe (and not against the .msi file), and when right-clicking on the uphclean.exe file, Properties, Version tab, what version does it report there?  My uphclean.exe is 241,725 bytes (in the Size field in Properties -> General tab).  How big is yours?

I've updated Avast.  I can't update it again because it reports there are no new updates.  It still alerts (false positive) on this file on my host.  Sorry, but it's my host on which I have to address the false positive that Avast is generating so I still have to deal with it.  Can't tell you why Avast doesn't alert on uphclean.exe that you installed on your host.  Do you have the same version of uphclean.exe on your host as on mine?  Is the byte count for your copy the same as mine?  Are you fully up to date in Avast?  It could be the latest signature database now alerts on uphclean.exe whereas an old signature database would not.

My instance of Avast reports its current version of its signature database as:
  current version: 110915-0
  date updated: 9/15/2011 @ 4:36:47AM

The date may be when my Avast got the update and not a timestamp on the signature database itself.  Does your signatures version match mine?

ady4um

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #5 on: September 15, 2011, 10:30:04 PM »

naren17

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #6 on: September 15, 2011, 10:45:08 PM »
I downloaded from the link you have mentioned & now I have installed it & also went into the Programs folder, UPHC.exe, but it's not being detected here.

Avast Database - 110915-0
UPHC version - 1.6.36.0

Thanxx
Naren

VanguardLH

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #7 on: September 15, 2011, 10:52:43 PM »
JFYI,

Latest database info:
http://www.avast.com/virus-update-history
Which shows that I have the latest update, plus I tried updating Avast after the false positive but it reported that I had the latest version.  It wasn't until today's update that the false alert appeared.  UPHClean was installed a long time ago.  The signatures database that I had yesterday didn't alert.  The signatures that I got today resulted in the alert.  So the new update contains a signature that falsely triggers on the uphclean.exe file.  False positives don't just get weeded out of the signatures database.  They can also get introduced in a new signatures database.

I don't know exactly how the "signatures" are computed or how they get tested against the files.  If the signatures are merely a hash code, those are NOT unique across all possible combinations of bytes in all possible files.  The hash code cannot be the size of the file; else, the signatures would be huge (as large as each file).  That means it is possible for two different files to end up with the same hash code.  Anyone that has programmed using hash codes to identify an object knows that hashes do not absolutely guarantee uniqueness.  So Avast might've added a new signature for some known malware but that signature also happens to match against uphclean.exe from Microsoft, which *many* Windows users have installed.

Sometime after a future signatures update, and assuming that I remember to do this, I'll have to remove the exclusion from all 3 lists in Avast and retest to see if they got around to eradicating the new false positive.  I've already sent in the FP report.
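The collision mechanism speculated about in the post above, as an added illustration that is not part of the thread and not Avast's actual detection logic: a detection "signature" that is only a short fingerprint of a file's bytes will eventually match two different files, so a benign file can be flagged by an entry meant for something else. The file contents, the 16-bit fingerprint size and the detection name "Hypothetical-Malware" are all constructed for the example.

```python
import hashlib

# Added illustration, not Avast's detection logic: a "signature" that is a
# short fingerprint of a file's bytes can match two different files, which
# is one way a benign file ends up flagged. All file contents here are
# constructed synthetic byte strings.


def fingerprint(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(data), interpreted as an integer.

    bits=256 is the full digest; a small value stands in for a short,
    space-saving signature.
    """
    if not 1 <= bits <= 256:
        raise ValueError("bits must be in 1..256")
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, limit: int = 1_000_000):
    """Generate distinct synthetic files until two share a `bits`-bit fingerprint.

    Returns the colliding pair (a, b), or None if `limit` files were not enough.
    For bits=16 the birthday bound says a collision appears after a few
    hundred files; for bits=256 none will be found in any practical limit.
    """
    seen = {}
    for i in range(limit):
        blob = b"synthetic file #%d" % i  # constructed content, all distinct
        fp = fingerprint(blob, bits)
        if fp in seen:
            return seen[fp], blob
        seen[fp] = blob
    return None


def build_signature_db(samples: dict, bits: int) -> dict:
    """Map each known-bad sample's fingerprint to its (hypothetical) detection name."""
    return {fingerprint(data, bits): name for name, data in samples.items()}


def scan(signature_db: dict, data: bytes, bits: int):
    """Return the detection name whose fingerprint matches `data`, or None."""
    return signature_db.get(fingerprint(data, bits))


def demo():
    """A false positive under a 16-bit signature that disappears with the full digest."""
    bad, benign = find_collision(16)
    db16 = build_signature_db({"Hypothetical-Malware": bad}, 16)
    db256 = build_signature_db({"Hypothetical-Malware": bad}, 256)
    return scan(db16, benign, 16), scan(db256, benign, 256)


if __name__ == "__main__":
    print(demo())  # ('Hypothetical-Malware', None)
```

Real scanners use byte patterns, heuristics and full-length hashes rather than a 16-bit fingerprint, but the trade-off is the same: the smaller the signature relative to the file, the more unrelated files share it, and every new signature is a new chance for such a match.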

VanguardLH

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #8 on: September 15, 2011, 11:13:34 PM »
I downloaded from the link you have mentioned & now I have installed it & also went into the rograms folder UPHC.exe but its not detecting here.

Avast Database - 110915-0
UPHC version - 1.6.36.0

Thanxx
Naren
My version for uphclean.exe: 1.6.30.0

So the download page has a newer version.   Newer doesn't mean better, and I refrain from fiddling with an otherwise stable system.  If I update, it'll be when I have time to save a partition image and then update lots of programs, including this one.  Also, this is a sub-minor version change, which means little was changed and probably nothing to do with functionality but more likely with bug fixes (and probably when employed on later hardware platforms than I have).  From reading the readme.txt file that lists the changes in each version, there are some bug fixes that have not yet occurred in my setup but are probably good to have.

Yet Avast should not be alerting that the old version is malware.  That is a false positive caused by their latest signature update.  False positives are for both old and new versions of non-malware files.  1.6.36.0 was released a year ago.  UPHClean was introduced a lot longer back.  Avast should not be generating a false positive on any of the old versions.

Apparently there is an even newer version 2 (http://blogs.technet.com/b/uphclean/archive/2008/02/28/uphclean-v2-0.aspx).  Yet that still means that Avast should not alert on the older 1.6 versions (and their sub-minor versions).  Alas, the article doesn't provide a download page and a search at microsoft.com/downloads on "uphclean" finds only the 1.6g (1.6.36.0) version.  Maybe it's still beta so it hasn't been released yet.  However, I don't update because something new showed up.  I update when it benefits me.  I'm still using the ATI Catalyst 9.6 video drivers because they provide better compatibility for my old apps and games than does the latest version.  Fixing something that ain't broke (in your setup) too often results in breaking it.

So I'll have to remember to update to the latest version of UPHclean just to eliminate the false positive in Avast's latest signature update on the old version of UPHclean, or leave alone my currently stable setup and wait until Avast updates their signatures to remove the FP against the old version of UHPclean.

Thanks for the heads up on the new version.

Offline DavidR

Re: Do I have to configure a false positive THREE TIMES?
« Reply #9 on: September 16, 2011, 12:10:45 AM »
The UPHClean v2.0 is a beta build and has been abandoned, so I guess that is why there is no download link.

I actually tried the newer build 1.6g and the uphclean-setup.msi installation failed with error can't find uphcleanhlp.sys file. This was after lots of fun trying to uninstall the existing uphclean installation, system freeze during uninstall.

So guys, I would advise exclusion and wait until resolved, which going on past performance shouldn't be too long. I don't know if any others might have the installation problem on the updated 1.6.36.0 version

I have been using this for more years than I care to remember, I reported this as a false positive. Only avast (and GData, uses avast as one of its two scanners) detect it, http://www.virustotal.com/file-scan/report.html?id=ed2a0acb135f85606d22035ba324c95de58c9564ed7b4340d2acb1f4f57abfb3-1316088422.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that.  Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.

Offline DavidR

Re: Do I have to configure a false positive THREE TIMES?
« Reply #10 on: September 16, 2011, 12:30:01 AM »
As I said they are normally quick to resolve and VPS 110915-1 resolves this false positive on uphclean.exe.

VanguardLH

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #11 on: September 16, 2011, 01:47:30 AM »
As I said they are normally quick to resolve and VPS 110915-1 resolves this false positive on uphclean.exe.
Yep, that was thankfully quick.  I got the 110915-0 update today (this morning) and that's when the false positive started.  I just did a manually instigated update (rather than wait for the scheduled one) and now I have the 110915-1 update.

I removed all 3 entries for uphclean.exe: File Shield exclusions, Behavior Shield exclusions, and general settings (on-demand scan) exclusions.  When I copy the file, no more alert.  When the program runs, no more alert.  So this particular false positive got resolved very quickly.  Thanks for the heads up on the very recent and fast update that eliminated this particular false positive.

However, there still remains the issue regarding the topic of this thread (not the particular example) of having to exclude a file in 3 different lists inside of Avast.  I gave an example (using uphclean.exe) because that's what instigated me on finding out that the exclusion had to get entered in 3 disjoint exclusion lists.  There should only be one exclusion list that gets referenced during on-demand scans or by any shield currently installed and enabled within Avast.

Can you think of a reason why you would exclude a file from one shield but not also exclude it from other shields?  Why would I trust a file under the File Shield but not under the Behavior Shield, or vice versa?  I'm missing what the rationale is in having to maintain and keep in sync 3 different exclusion lists versus them all referencing one exclusion list.  Maybe it was easier to code that way (by keeping each list compartmentalized within each module), but that doesn't necessarily lead to coherent behavior, contravenes ease-of-use precepts, and doesn't help to eliminate errors due to lack of sync between the disjoint lists.

When I hit this (as a consequence of a particular false positive), I couldn't figure why Avast would maintain 3 disjoint lists that are all about defining exclusions.  If it's excluded here then it should be excluded everywhere.
« Last Edit: September 16, 2011, 01:51:35 AM by VanguardLH »

ady4um

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #12 on: September 16, 2011, 09:47:36 AM »
SUGGESTION FOR FUTURE AVAST 7.

A possibility, for the future Avast 7, that would leave available the multiple configuration options and at the same time would make building exclusion / exception lists much more comfortable for the user would be to make an exclusion list with additional columns to check.

Currently, you add the exclusion to a certain list, according to the shield or function the user needs to take care about.

For Avast 7, "simply" :) change the list to be instead a table with columns. Each entry would be, as now, an exclusion. The last column would be the path, and additional columns would be each shield or area where the exclusion would be selectable by a checkbox, just as the Read / Write / eXecute of current shields exclusions.

You could even try to make 3 checkboxes (R/W/X) for *each* shield column on this list, so to give maximum configurability, while still maintaining a one-place-altogether for exclusions.

Moreover, the same exclusion data could be accessed by more than one "form" table. One concentrated table as I just described, and the data could be accessed also by an additional "form" inside each "expert settings" of each shield and also by the general settings, as it is now. I wouldn't care to find the complete table (for all shields and areas altogether) in each "form" in each shield, so to minimize possible conflicts about the real data being corrupted if each "form" were to be different.

A general example, using only 2 shields:

    SS   -   BS   -  PATH
   RWX   -  RWX
   100   -  111   -  C:\example.exe
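The single table proposed above, worked through as an added example that is not Avast code and not part of the thread: every shield consults one exclusion table, and each row carries one R/W/X triple per shield column in the "100-111" notation of the post. The column order (SS, BS, plus an assumed OD column for on-demand scans), the install path used for uphclean.exe, and the folder-level "folder\*" convention from DavidR's note are all assumptions made for the example.

```python
# Added example, not Avast code: one exclusion table shared by all shields,
# one RWX triple per shield column, as proposed in the post above.
from typing import Dict, List, Set, Tuple

# Column order is an assumption for this example:
#   SS = file system shield, BS = behavior shield, OD = on-demand scan.
SHIELDS = ("SS", "BS", "OD")


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare everything in one case and one separator."""
    return path.replace("/", "\\").lower()


def _matches(pattern: str, path: str) -> bool:
    """'folder\\*' (what the Browse button produces) covers everything under that folder;
    anything else must match the full path exactly."""
    if pattern.endswith("\\*"):
        return path.startswith(pattern[:-1])
    return pattern == path


class ExclusionTable:
    def __init__(self, shields: Tuple[str, ...] = SHIELDS) -> None:
        self.shields = shields
        # Each row: (normalised path pattern, {shield: set of allowed ops})
        self.rows: List[Tuple[str, Dict[str, Set[str]]]] = []

    def add_row(self, flags: str, path: str) -> None:
        """flags is one RWX triple per shield column, e.g. '100-111-100'.

        A '1' means the corresponding operation on the path is excluded
        from that shield's scanning.
        """
        triples = flags.split("-")
        if len(triples) != len(self.shields):
            raise ValueError("expected %d RWX triples, got %d" % (len(self.shields), len(triples)))
        perms: Dict[str, Set[str]] = {}
        for shield, bits in zip(self.shields, triples):
            if len(bits) != 3 or set(bits) - {"0", "1"}:
                raise ValueError("bad RWX triple: %r" % bits)
            perms[shield] = {op for op, bit in zip("RWX", bits) if bit == "1"}
        self.rows.append((_norm(path), perms))

    def is_excluded(self, path: str, shield: str, op: str) -> bool:
        """The one check every shield would call before alerting on `path`."""
        if shield not in self.shields:
            raise ValueError("unknown shield %r" % shield)
        if op not in ("R", "W", "X"):
            raise ValueError("op must be R, W or X")
        p = _norm(path)
        return any(_matches(pattern, p) and op in perms[shield] for pattern, perms in self.rows)


def demo() -> Dict[str, bool]:
    """One row for uphclean.exe serves the file shield (read), behavior shield (execute)
    and on-demand scan (read) at once; the path is an assumed install location."""
    table = ExclusionTable()
    table.add_row("100-111-100", r"C:\Program Files\UPHClean\uphclean.exe")
    exe = r"c:\program files\uphclean\UPHCLEAN.EXE"  # case differs: still the same file
    return {
        "file_shield_read": table.is_excluded(exe, "SS", "R"),
        "file_shield_write": table.is_excluded(exe, "SS", "W"),
        "behavior_shield_exec": table.is_excluded(exe, "BS", "X"),
        "on_demand_read": table.is_excluded(exe, "OD", "R"),
        "other_file_same_folder": table.is_excluded(r"C:\Program Files\UPHClean\other.exe", "BS", "X"),
    }


if __name__ == "__main__":
    for name, excluded in demo().items():
        print("%-24s %s" % (name, excluded))
```

The point of the single table is the last line of the demo: an exclusion for one file does not quietly cover its neighbours, and a row that says "trust this file's execution in the behavior shield" does not have to be re-entered in the file shield or the on-demand list to be honoured there.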

YoKenny

  • Guest
Re: Do I have to configure a false positive THREE TIMES?
« Reply #13 on: September 16, 2011, 03:39:56 PM »
There are already two other topics about this.

Personally I have only set it in the file system shield as the behavior shield didn't get a look in before the FSS alerted and I have no intention of running an on-demand scan before my usual Sunday 00:15am schedule, by which time this should be cleared up. Even then I would just ignore the entry in the scan results window.

It was reported by me and solved:
http://forum.avast.com/index.php?topic=84742.0