Hi,
I'm not sure if this is the right forum, but it's a bit difficult to know where this belongs.
While looking through the "Am I infected" forums I noticed that a BC Advisor had recommended the use of a program called flash disinfector.exe, and had left a link. I thought it would be useful so I tried to download it, but my AV program said it contained a worm so I blocked it.
The problem may be at my end as I am already having problems with my Avira AV as can be seen here, www.bleepingcomputer.com/forums/topic209597.html.
This is the article in which I found the problem, www.bleepingcomputer.com/forums/topic206874.html.
Would someone be able to put a link for flash disinfector here so that I can try to download it and see what happens?
Thanks.
possible infection in bleeping forum
#2
Posted 10 March 2009 - 04:41 AM
Apparently Avira has a high rate of false positives, and according to another forum Avira is flagging the flash disinfector as bad. They are saying it is a false positive. I cannot say for sure that is the case in your situation, but here is a portion of a thread about this on the eldergeek forum:
Certain embedded files that are part of legitimate programs or specialized fix tools such as FlashDisinfector may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus, it's because the program includes some features or additional files that can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".
Here is a link to the thread....
http://www.theeldergeek.com/forum/index.php?showtopic=34512
Btw, I just looked through the thread you posted a link for that you got the link for the flash disinfector from and saw two links posted for it. If you used the link that DaChew posted, I would say what you got from your av program was a false positive, if you used the link posted by someone else, I cannot say for sure. This is nothing personal against the other poster who posted a link for it, just saying that the one DaChew posted can certainly be trusted.
This post has been edited by Stang777: 10 March 2009 - 04:52 AM
#3
Posted 10 March 2009 - 05:02 AM
Hi,
Yes, it was the link from DaChew that I clicked on, and Avira said it was infected (just did it again), so I guess that it must be a false positive.
Thanks.
#4
Posted 10 March 2009 - 05:09 AM
I would think it is a false positive then, especially with what I have been reading about this program and Avira, and you are welcome.
#5
Posted 10 March 2009 - 12:45 PM
Hi silon and garfunkel,
You can rest assured that Flash Disinfector is not a malicious program--it's a false positive by AntiVir. As much as I like AntiVir, it is rather distressing that there are so many false positives and many of those are for security tools.
To prevent this from happening anymore I have downloaded FD and then submitted the file as a sample to Avira as a "possible" false positive. First, I can confirm that AntiVir flags this file--wouldn't even let me download it while the guard was active. It calls it WORM/Generic.4084. "Generic" or "heuristic" is always a red flag for me that a detection could be a FP.
I have submitted the file to this page: http://analysis.avira.com/samples/index.php
Anyone could--and should--do this as well any time a false positive is suspected, just be sure to indicate that it is a suspected FP.
Usually Avira will take 24 hours or less to notify you of whether the file is a false positive or not. This one must have been submitted already because the results were given as soon as the file upload was complete:
"The file 'Flash_Disinfector.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will not be removed due to the fact that the file contains unencrypted malicious patterns. This is an indicator that a legitimate detection or removal program did not encrypt parts that are used to identify malicious content. Please contact the manufacturer of this file."
I was going to post that, once the file is verified to be a FP, the definitions would be updated shortly and this wouldn't be a problem any longer. But that is contradicted by the last part of the above message. They aren't going to change their definitions.
Probably the easiest way to work around this is to go offline--if you are on Broadband, physically disconnect--and just before you run Flash_Disinfector, disable AntiVir guard (you can also disable the guard while online just long enough to download the file). Then insert any Flash drive or other removable drives and run Flash_Disinfector. You can then delete Flash_Disinfector--it shouldn't be needed again because it "inoculates" each drive by creating an autorun.inf file/folder in the drive's root folder--don't delete those.
Alternatively, you can tell AntiVir to not scan the file. The only problem with this is that the guard can make exceptions for the processes too for when you run it, but I am not sure which process should be excluded--there may be more than one.
To exclude a file from future detections, do the following:
1. Open AntiVir.
2. Click the Extras menu (top) and choose Configuration.
3. Click in the box next to Expert mode to put a checkmark there--this is important since the Exclusion option won't show up unless Expert mode is checked.
4. If there is a plus sign to the left of Scanner, click it to expand and if one is next to Scan do the same.
5. Click Exception.
6. Click the box with the three periods and browse to the file you want to exclude.
7. Click the Add>> button. The filepath should now appear in the text field to the right of the Add>> button.
To do the same for the Guard the instructions are the same, except at step 4 substitute Guard for Scan. The instructions are the same for excluding files. For the process, try entering Flash_Disinfector.exe. Strike that--I just tried to enter the file name and see it is limited to 15 characters. So you can't exclude this process. I would still exclude the file in the scanner and guard, but when you run the file you are going to have to disable AntiVir Guard first.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon
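The post above describes Flash Disinfector's inoculation as an autorun.inf entry it leaves in each drive's root folder. The following is an added example, not code from the thread or from the Flash Disinfector tool, that surveys drive roots and tells apart an inoculated root (assumed here to be an autorun.inf directory, as the post describes), a root carrying a plain autorun.inf file (worth a look, since that is what an autorun worm drops), and a root with nothing. The function and directory names are my own, and the three sample "drive roots" are constructed in a temporary directory so the script runs offline on any platform; point classify_drive_root at a real root such as E:\ to use it on a mounted drive.

```python
import os
import tempfile

# Keys in an autorun.inf file that name something to launch (assumption:
# these are the two keys a defender cares about when triaging a drive).
LAUNCH_KEYS = ("open", "shellexecute")


def classify_drive_root(root):
    """Return 'inoculated', 'autorun-file' or 'none' for a drive root.

    An autorun.inf *directory* is treated as the inoculation marker the post
    describes (a directory is not parsed as an autorun script, and a worm
    cannot simply create a file of the same name over it).  A plain
    autorun.inf *file* is the case to inspect.
    """
    entry = os.path.join(root, "autorun.inf")
    if os.path.isdir(entry):
        return "inoculated"
    if os.path.isfile(entry):
        return "autorun-file"
    return "none"


def autorun_launch_targets(root):
    """Return the values of open=/shellexecute= in an autorun.inf file.

    Returns [] when the root has no autorun.inf file.  Keys are matched
    case-insensitively; comment and section lines are skipped.
    """
    entry = os.path.join(root, "autorun.inf")
    if not os.path.isfile(entry):
        return []
    targets = []
    with open(entry, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if "=" not in line or line.startswith((";", "[")):
                continue
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip())
    return targets


def build_sample_roots(base):
    """Create three constructed drive roots under base (sample data, not real drives)."""
    clean = os.path.join(base, "E_clean")
    inoc = os.path.join(base, "F_inoculated")
    susp = os.path.join(base, "G_autorun_file")
    os.makedirs(clean)
    os.makedirs(os.path.join(inoc, "autorun.inf"))  # directory marker, as the post describes
    os.makedirs(susp)
    with open(os.path.join(susp, "autorun.inf"), "w", encoding="utf-8") as fh:
        # Constructed autorun.inf content for the demo.
        fh.write("[autorun]\nOPEN=setup.exe\nshellexecute = recovery\\start.exe\nicon=drive.ico\n")
    return {"clean": clean, "inoculated": inoc, "autorun_file": susp}


def survey(roots):
    """Map each named root to (classification, launch targets)."""
    return {name: (classify_drive_root(path), autorun_launch_targets(path))
            for name, path in roots.items()}


def demo():
    """Run the survey over the constructed sample roots and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return survey(build_sample_roots(tmp))


if __name__ == "__main__":
    for name, (kind, targets) in demo().items():
        print(f"{name}: {kind} {targets}")
```

On a real machine you would call survey() over the roots of the removable drives actually plugged in; a root that comes back "autorun-file" with an open= or shellexecute= target is the one to scan before trusting the drive, while "inoculated" roots are the marker the post says not to delete.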
#6
Posted 11 March 2009 - 01:51 AM
Hi Papakid,
Thanks for the help, that pretty much clears it up. I'll give it a try and see what happens.