Certain embedded files that are part of legitimate programs or specialized fix tools may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, registry fixes, malware strings it contains, and the type of security engine that was used during the scan.
Packed files use a specially compressed (protected) file format that may have been obfuscated or encrypted in order to conceal itself, and they often trigger alerts from anti-virus software using heuristic detection because they are resistant to scanning (difficult to read).
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. When flagged by an anti-virus or security scanner, it is because the program includes features, behavior or files that appear suspicious or that could potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others, or that it was simply detected as suspicious by the security program's heuristic analysis engine, which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".
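The "resistant to scanning" remark above can be made concrete with an entropy check. The following is an added example, not code from the original page or from any anti-virus vendor: it measures bits of entropy per byte over a constructed readable text and over the same text compressed with zlib (standing in for a packer's compressed payload), and flags regions above an assumed 7.0-bit cutoff the way a heuristic engine might flag a packed section.

```python
import math
import random
import zlib
from collections import Counter

# Entropy (bits per byte) above which a region is treated here as packed or
# encrypted. This cutoff is an assumed, illustrative value; vendors tune their own.
PACKED_ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def high_entropy_chunks(data: bytes, chunk_size: int = 1024) -> list:
    """Offsets of full-sized chunks whose entropy exceeds the threshold.

    Scanning region by region mirrors how a heuristic engine notices that the
    bulk of a file is unreadable (compressed/encrypted) rather than plain code.
    """
    return [off for off in range(0, len(data) - chunk_size + 1, chunk_size)
            if shannon_entropy(data[off:off + chunk_size]) > PACKED_ENTROPY_THRESHOLD]

def looks_packed(data: bytes, chunk_size: int = 1024) -> bool:
    """True when more than half of the full chunks are high-entropy (assumed crude rule)."""
    full_chunks = len(data) // chunk_size
    return full_chunks > 0 and len(high_entropy_chunks(data, chunk_size)) > full_chunks // 2

# Constructed sample: readable tool text built from a small vocabulary with a
# seeded RNG so runs are reproducible, and the same bytes compressed with zlib
# to stand in for a packer's compressed payload.
WORDS = ("registry fix tool restores default settings and repairs broken keys "
         "for the user with backup copies written before each change is applied").split()
_rng = random.Random(2024)
PLAIN = " ".join(_rng.choice(WORDS) for _ in range(20000)).encode()
PACKED = zlib.compress(PLAIN, 9)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED)):
        print(f"{name}: {len(blob)} bytes, entropy {shannon_entropy(blob):.2f} bits/byte, "
              f"looks_packed={looks_packed(blob)}")
```

A high-entropy verdict says only that the bytes are unreadable to a scanner, which is exactly why a legitimately packed tool and a packed trojan look alike to a heuristic engine.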
RejZoR, avast! Evangelist at the avast forum, posted these instructions for suspected FP's.
If you encounter an alert for which you think that it's a false positive, do the following:
Check the file with these services:
http://virusscan.jotti.org
http://www.virustotal.com
- if the file is detected by any other antivirus too (like Kaspersky), then it's most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen (this usually happens because of generic detection)
- if the scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive, then follow the next step:
Pack the "infected" file into a ZIP archive and lock it with the password "virus" (without quotes) and attach it to an e-mail.
Write the same password inside the mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add the web address of that file (or the webpage of the file/program) if it's on the internet.
Add your own note on why you think that it's a false positive. Every bit of info helps Alwil staff.
Send the mail to: virus@avast.com
You'll probably get a reply mail with file info (if it was really a false positive) after some time.
If not, check the file with the Explorer extension when a new VPS is released.
This way you'll know if the false positive was fixed.
Until then, you can add the "false positive" file into exclusions:...
avast forum: [Mini Sticky] False Positives
avast forum: Tutorial For False detection