False Positives in antivirus-programs


98 replies to this topic

#31 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 06 December 2011 - 07:25 AM

avast detecting sfloppy.sys as hidden rootkit.

There have been numerous reports of this detection since early this morning.

As reported in this topic: Rootkit hidden filefloppy sys, the detection appears to be a false positive as of the last database update. Since many of our members use avast, I wanted to post the information so everyone is aware.

I received the same notification after booting up an hour ago and the database was updated. I submitted the file to VirusTotal and it came back clean, so I chose to ignore it. No official confirmation from avast yet, but users should monitor the topic for further replies.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#32 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 07 December 2011 - 08:49 AM

Reply #67 from Milos: Yesterday at 02:58:10 PM

Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos



#33 archer12 (Member)

Posted 13 January 2012 - 09:06 AM

Had a problem with Avast this morning:

Version: 6.0.1367 FREE
Virus Definition: 12112-1

Downloading Combofix...

From Web Log:
1/13/2012 7:54:59 AM
http://download.bleepingcomputer.com/sUBs/ComboFix.exe|>$0\pev.3XE|>[PECompact]
[L] Win32:Rootkit-gen [Rtk] (0)

FYI

Archer12

#34 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 13 January 2012 - 09:30 AM

avast! has been reporting it as Win32:Rootkit-gen for the past three days now. See here.

Read my reply to another user as to why.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer, but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database, but avast is taking longer this time.

#35 archer12 (Member)

Posted 13 January 2012 - 09:37 AM

The problem has been rectified:

Avast Update

Definition update: 120113-0

Thanks

archer12

#36 dev00790 (Bleeping Chocoholic)

Posted 11 March 2012 - 08:32 AM

Antivirus: Avast
Version: 7.0.1426 Free
Virus Definition: 120310-2

Scan Log:
11/03/2012 12:00:00

Infected files: 1

Process 888 [rapportmgmtservice.exe], memoryblock 0x0000000000400000, block size 937984 (RapportMgmtService.exe)
Severity: High
Threat: Win32:MalOb-JN[Cryp]

Screenshot of avast log


Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#37 dev00790 (Bleeping Chocoholic)

Posted 29 April 2012 - 06:34 AM

Antivirus: Avast
Version: 7.0.1426 Free
Virus Definition: 120429-0

Web Shield Log:
29/04/2012

URL: http//oldtimer.geekstogo.com/OTL.exe
Severity: High
Threat: Win32:Rootkit-gen [Rtk]
Action: Blocked

Screenshot of popup

edit: typo

Edited by dev00790, 29 April 2012 - 06:35 AM.

Regards, dev00790

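The avast records quoted in posts #33, #36 and #37 come in three layouts: a Web Log chain in which "|>" separates the container, the embedded file and a bracketed packer layer; an in-memory process hit; and a Web Shield URL block. quietman7's reply #34 explains that the ComboFix hits come from its packed embedded tools being matched by generic signatures. The script below is an added example, not code from this thread or from avast: it parses those three record shapes and lists the signals (a generic "-gen" family, a "[Cryp]" tag, a packer layer, a nested object, a memory-only hit) that mean a detection should be verified with a hash lookup or a vendor FP report before the object is deleted. The sample records are constructed from the excerpts above, plus one made-up specific detection (invoice_2012.exe, Win32:Agent-ABC) for contrast; the triage rules are this example's own heuristics and do not prove a false positive.

```python
"""Triage avast-style detection records for possible false positives.

Added example: not code posted in this thread or shipped by avast. It parses
the three record shapes quoted above (Web Log "container|>inner|>[Packer]"
chains, in-memory process hits, Web Shield URL blocks) and applies this
example's own triage heuristics. The sample records are constructed from the
posted excerpts, not copied from a real log.
"""
import re
from typing import Dict, List, Optional, Tuple

# "Win32:Rootkit-gen [Rtk]" / "Win32:MalOb-JN[Cryp]": platform, family, optional [tag].
THREAT_RE = re.compile(
    r"(?P<platform>[A-Za-z0-9]+):(?P<family>[A-Za-z0-9_.-]+)\s*(?:\[(?P<tag>[^\]]+)\])?"
)
# avast separates nested objects with "|>" and names a packer layer in brackets.
PACKER_RE = re.compile(r"^\[(?P<packer>[^\]]+)\]$")
# "Process 888 [rapportmgmtservice.exe], memoryblock 0x0000000000400000, ..."
MEMORY_RE = re.compile(
    r"^Process (?P<pid>\d+) \[(?P<image>[^\]]+)\], memoryblock (?P<addr>0x[0-9A-Fa-f]+)"
)


def parse_object(obj: str) -> Tuple[str, List[str], Optional[str]]:
    """Split 'outer|>inner|>[Packer]' into (outer, [inner, ...], packer or None)."""
    parts = [p.strip() for p in obj.split("|>")]
    outer, inner = parts[0], parts[1:]
    packer = None
    if inner:
        m = PACKER_RE.match(inner[-1])
        if m:
            packer = m.group("packer")
            inner = inner[:-1]
    return outer, inner, packer


def parse_threat(text: str) -> Tuple[str, str, Optional[str]]:
    """Extract (platform, family, tag), skipping Web Log noise such as the
    leading '[L]' flag and the trailing '(0)' counter."""
    m = THREAT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised threat name: {text!r}")
    return m.group("platform"), m.group("family"), m.group("tag")


def triage(obj: str, threat: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Each reason is a signal that the hit should be
    verified (file hash lookup, vendor FP report) before the object is removed;
    none of them proves a false positive on its own."""
    reasons: List[str] = []
    mem = MEMORY_RE.match(obj)
    if mem:
        outer, inner, packer = mem.group("image"), [], None
        reasons.append("memory-block detection: no file on disk to hash or submit")
    else:
        outer, inner, packer = parse_object(obj)
    platform, family, tag = parse_threat(threat)

    if family.lower().endswith("-gen"):
        reasons.append(f"generic signature {platform}:{family}")
    if tag == "Cryp":
        reasons.append("flagged as crypted/obfuscated code rather than a known sample")
    if packer:
        reasons.append(f"hit is on a {packer}-packed component, a common generic trigger")
    if inner:
        reasons.append(f"object is nested inside {outer}: submit {inner[-1]}, not the container")

    verdict = "verify before acting" if reasons else "specific detection: treat as real"
    return verdict, reasons


# Constructed records modelled on the excerpts in posts #33, #36 and #37, plus one
# made-up specific (non-generic) file hit for contrast.
SAMPLE_RECORDS = [
    (r"http://download.bleepingcomputer.com/sUBs/ComboFix.exe|>$0\pev.3XE|>[PECompact]",
     "[L] Win32:Rootkit-gen [Rtk] (0)"),
    ("Process 888 [rapportmgmtservice.exe], memoryblock 0x0000000000400000, "
     "block size 937984 (RapportMgmtService.exe)", "Win32:MalOb-JN[Cryp]"),
    ("http//oldtimer.geekstogo.com/OTL.exe", "Win32:Rootkit-gen [Rtk]"),
    (r"C:\Users\alice\Downloads\invoice_2012.exe", "Win32:Agent-ABC [Trj]"),
]


def triage_all(records=SAMPLE_RECORDS) -> Dict[str, str]:
    """Map each record's outermost object to its verdict."""
    return {obj.split("|>")[0]: triage(obj, threat)[0] for obj, threat in records}


if __name__ == "__main__":
    for obj, threat in SAMPLE_RECORDS:
        verdict, reasons = triage(obj, threat)
        print(f"{verdict}: {threat}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it directly to print one verdict per record. The point of the split is the one quietman7 makes: a generic or packed-component hit belongs in a verification queue (hash the inner object, check it with the vendor) rather than being either deleted on sight or dismissed as an FP.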


#38 candigram (Member)

Posted 07 February 2013 - 07:45 PM

Is AVG popping false positives of Trojan downloaders? I hope so, otherwise I am seriously infected, even though Malwarebytes and ESET show nothing.



#39 Elise (Bleepin' Blonde, Malware Study Hall Admin)

Posted 13 February 2013 - 03:58 AM

Candigram, there is no way to be sure without knowing what it detects (filenames). However, just because other scanners don't see it doesn't automatically mean it is a false positive.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#40 Gedeonmateo (Member)

Posted 14 February 2013 - 06:09 PM

Is AVG popping false positives of Trojan downloaders? I hope so, otherwise I am seriously infected, even though Malwarebytes and ESET show nothing.

I think so. I know I used AVG to remove a "virus" and got the blue screen of death.

Given the nature, Superone click and zerge are showing up as Trojan horses.

Supposedly AVG is the best free antivirus. I'd just suggest, if you find something questionable, typing "is filename.etc legit" into Google and seeing what folks have to say.


Edited by Gedeonmateo, 14 February 2013 - 06:10 PM.


#41 Elise (Bleepin' Blonde, Malware Study Hall Admin)

Posted 15 February 2013 - 03:05 AM

Detection-wise, AVG is definitely not the best free AV in my opinion. As far as free goes, you're much better off with MS Security Essentials. It makes no sense to speculate on whether or not AVG's detections are FPs without having a copy of the file or seeing the location.


regards, Elise




#42 Winterland (Member)

Posted 15 February 2013 - 06:09 AM

Greetings everyone.

Just wanted to let you know that I received two (!) possible False Positives this morning (5 AM here on the Eastern Seaboard, U.S.A.) when I fired up my computer.

Both Trojans were quarantined by my Malwarebytes (Pro version) upon start up.

I wasn't real concerned about it as I downloaded one of these programs from here at BC and these exe files have been on my computer for a couple of weeks now.

Both programs (the .exe files were for PC Decrapifier and the other was the .exe file for ImgBurn) were/are being reported as Trojan.Backdoor.MRX files.

A quick look over at the Malwarebytes Forum seems to indicate that this is a known FP and is being addressed, but I wanted to let everyone here know as well.

Will let you know if/when a resolution is reached/discovered and pushed out.

onward,

Winterland


Photobucket removed my cool flag - idiots!

Every calculation based on experience elsewhere fails in New Mexico.


#43 Elise (Bleepin' Blonde, Malware Study Hall Admin)

Posted 15 February 2013 - 06:18 AM

Only MBAM can tell you when the FP will be fixed. :)

Generally speaking though, every security vendor will have FPs now and then; with the amount of detections that are added each day, that is almost unavoidable. Usually such FPs are fixed pretty fast when reported (though this may differ from vendor to vendor).


regards, Elise




#44 Winterland (Member)

Posted 15 February 2013 - 06:18 AM

Also, just as an aside...this forum showed/shows that it's Pinned, so I wasn't even sure I could post here.

Part of the bugs with the new roll out perhaps?

Thought you should know.

onward,

Winterland




#45 Elise (Bleepin' Blonde, Malware Study Hall Admin)

Posted 15 February 2013 - 06:20 AM

This topic has always been pinned, see the first post (which is quite some years ago :)). It's not used very often though, which may have confused you.


regards, Elise






