Avast False Positives?


  • Please log in to reply
18 replies to this topic

#1 Bub12


Posted 30 January 2010 - 12:52 AM

Hi,

I did post this in the Avast forum as well.

First, I keep a very clean system running multiple AV/AS protections, use a hard & soft firewall & am very careful where I go online.

Tonight, Avast picked up the following just after SuperAntiSpyware came up clean.

Infection: A0012663.exe
Location: C:\SystemVolumeInformation\_restore{.........}\RP93
Virus: Win32:Malware-gen

Infection: Inchtour.exe
Location: C:\ProgramFiles\MicrosoftWorks\
Virus: Win32:Malware-gen

I have since scanned with Avast again & MBAM & came up clean. The infections are in the chest.

I did need to download some PDF & Word email attachments today from schools. I scanned the files & they came up clean. I also ran 3 different full scans after I downloaded the docs from one school & all was clean. I then downloaded docs from the 2nd school, which is a college, & ran some scans & came up clean. Not sure if I ran Avast at that time. I did run Avast a few hours later & that's when it picked up the infections.

Any thoughts?

Thanks!


#2 quietman7


Posted 30 January 2010 - 10:23 AM

Anytime you suspect a file may be a false positive, get a second opinion. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.

If it is a false detection, then you should contact the anti-virus tech support and advise them as you already have done so they can investigate and make corrections. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Bub12


Posted 30 January 2010 - 11:37 AM

Thanks quietman7!

Two questions for you...

As I am an internet safety freak, I am concerned about uploading my files to such sources as Jotti & VT. Am I being overly concerned in this case?

And, is there any reason that I should not include specific restore/OS numbers in my forum posts?

There were a couple of other people who received similar warnings from Avast. After they updated & scanned again, all was clear. Before I do the same, I would like to hear your response. Thanks!

#4 quietman7


Posted 30 January 2010 - 11:48 AM

You're welcome.

#5 Bub12


Posted 30 January 2010 - 01:20 PM

Anyone care to respond to my two questions above? :thumbsup:

#6 quietman7


Posted 30 January 2010 - 01:40 PM

Am I being overly concerned in this case?

Yes. Both are safe sites or we would not have recommended them.

is there any reason that I should not include specific restore/OS numbers in my forum posts

You will need to clarify what you mean by that.

#7 Bub12


Posted 30 January 2010 - 01:56 PM

Thanks!

You will need to clarify what you mean by that.


Sure...

You said earlier,

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:


My question pertained to my including specific info such as "RP93" & "A0012663.exe"

By including such info, am I in any way making myself more vulnerable? I think not but I thought I would be sure. I hope that makes sense.

#8 quietman7


Posted 30 January 2010 - 02:12 PM

My question pertained to my including specific info such as "RP93" & "A0012663.exe"

By including such info, am I in any way making myself more vulnerable?

No.

#9 Bub12


Posted 30 January 2010 - 02:15 PM

Just 2 more questions....

I don't understand how Jotti's & VT can tell me if a file is considered malware or not when the "inchtour.exe" file actually is a legitimate file, from what I understand anyway.

I also don't understand how to send them the files as they are in the Avast vault.

Thanks in advance :-)


#10 quietman7


Posted 30 January 2010 - 02:27 PM

Doing so will give you a second opinion as to what the other vendors are going to report, and it includes the file in their databases.

Most of the major anti-virus vendors participate in VirusTotal, Jotti's Virus Scan, and a few other similar sites. Malware uploaded to these sites is distributed to antivirus vendors. This is a list of the companies that participate in VirusTotal with their antivirus engines.

Viruses uploaded to VirusTotal and Jotti are distributed to antivirus vendors.

Collection and use of submit samples and personal information
...When you submit a sample file to VirusTotal for scanning, we may store it and share it with anti-malware and security companies (normally the companies participating in VirusTotal receive the samples cataloged as malware that their engines do not detect). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve anti-virus engines...

VirusTotal Privacy Policy

...We (temporarily) store files you send in for scanning and share these with anti-malware companies. We do this for one simple reason: to help anti-malware companies improve detection accuracy in their security products...

Jotti Privacy Policy

...Files uploaded here are shared with anti-virus companies so detection accuracy of their anti-virus products can be improved...

Jotti Malware Scan

RejZoR, avast! Evangelist at the avast forum posted these instructions for suspected FP's.

If you encounter alert for which you think that it's a false positive, do the following:

Check the file with this service:
http://virusscan.jotti.org
http://www.virustotal.com

- if the file is detected by any other antivirus too (like Kaspersky), then it's most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)
- if the scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive, then follow the next step:

Pack the "infected" file into a ZIP archive and lock it with the password "virus" (without quotes) and attach it to an e-mail.
Write the same password inside the mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add the web address of that file (or the webpage of the file/program) if it's on the internet.
Add your own note on why you think that it's a false positive. Every bit of info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail with file info (if it was really a false positive) after some time.
If not, check the file with the Explorer extension when a new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file into exclusions:...

avast forum [Mini Sticky] False Positives
avast forum: Tutorial For False detection

#11 Bub12


Posted 30 January 2010 - 02:41 PM

Thanks again...I read all of that already but I still don't understand how to upload the files to Jotti, etc. as the files are locked in the vault. I also have no idea how to "Pack the "infected" file into ZIP archive and lock it with password".

I tried sending Avast the files via the send email option in the Avast chest but nothing seemed to happen. I have been trying to get an answer from the Avast forum since last night to no avail. I updated Avast, restored the files & scanned again & they are still coming up as infections. I am hoping that they are FP's but...

I will gladly use Jotti & VT once I understand how to get them the files.

#12 Bub12


Posted 30 January 2010 - 03:13 PM

Well....Avast just updated so I figured they may have fixed the possible FP problem. I restored the files & they were still detected as infections. Since I restored the files, I was however able to access them to upload them to Jotti & VT. However, after submitting the files, I was told that the files were empty, containing 0 bytes of info.

I went into C/:ProgramFile/MSWorks/Inchtour, clicked properties, looked around & as I closed it by clicking "OK", I was told that I could not make changes as the file was in use or read only, so I used "cancel" to escape. When I again went into MSWorks, there was a shortcut icon to "Inchtour" that had been created adjacent to the "Inchtour" icon. I did not create a shortcut so I deleted it.

I again put the "Inchtour" file in the chest. Any other suggestions?

#13 quietman7


Posted 30 January 2010 - 04:22 PM

If you restored the file, you can go directly to Jotti or VirusTotal and submit it. If you sent avast the file via the email option in the chest, then you need to be patient as they receive thousands of files and requests every day. As such you need to be patient.

A ZIP file is an archive file that contains one or more files that have been compressed to reduce file size. For more information on compressed files and how to use them, please refer to:

If you need a free third-party utility, download 7zip, ExtractNow or IZArc.

#14 Bub12


Posted 30 January 2010 - 05:07 PM

Forgive me if I wasn't clear...

Let me explain again...

I tried to submit the files to Jotti & VT but when I did, it was indicated that the files were empty & contained 0 bytes. I received no other results from them.

As far as submitting the files to Avast via the chest "email Avast" option, it's not that I did not get a response but rather that the "email Avast" doesn't appear to actually email Avast.

And finally, I do know what a zip file is & how to use one with the exception of password protection, but again, it seems as though the only way to send a file in the chest, would be to release the file back into my system. Also, the file "Inchtour" is a normal MSWorks file & like I said, it is empty.

I did email Avast explaining the situation. We'll see what happens...


#15 quietman7


Posted 30 January 2010 - 06:17 PM

When I submit a file to Eset in the fashion you did, I get the same thing..nothing appears to happen afterwards, so that's probably normal behavior you are describing.

Generally when a file submitted to VirusTotal or Jotti virusscan comes back with "The file you uploaded is 0 bytes", it is very likely a firewall or a piece of malware prohibiting you from uploading this file.

A zero-byte file is a file that does not contain any data and is typically created when a file transfer does not complete successfully. Most files contain a number of bytes or megabytes of information which corresponds to their size. A zero-byte file is essentially empty and contains no (zero) bytes.

I do know what a zip file is & how to use one

That's why I provided links with that information in my previous reply.
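As an added example (not code from this thread, from Avast, or from BleepingComputer), the following Python helper ties together three points made above: quietman7's description of the _restore{GUID}\RP***\A00***** path in post #2, RejZoR's rule of thumb in post #10 for telling a generic avast!-only detection from one corroborated by other engines, and the zero-byte upload symptom from post #15. The report text and the GUID are constructed placeholders, and the function names and verdict labels are assumptions of this example.

```python
import hashlib
import re

# Constructed from the detection lines in post #1; the GUID is a placeholder,
# not a value from the thread.
REPORT = """Infection: A0012663.exe
Location: C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP93
Virus: Win32:Malware-gen

Infection: Inchtour.exe
Location: C:\\Program Files\\Microsoft Works\\
Virus: Win32:Malware-gen"""

# Path shape quietman7 describes: _restore{GUID}\RP<n>\A00<n>.<original extension>
SVI_RE = re.compile(r"_restore\{[^}]*\}\\RP(\d+)\\A00(\d+)\.(\w+)$", re.I)

def parse_report(text):
    """Split Avast's Infection/Location/Virus triples into dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        if ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
        elif cur:
            records.append(cur)
            cur = {}
    return records + ([cur] if cur else [])

def parse_svi_path(location, filename):
    """Restore point and backup sequence if the file sits in a System Restore
    snapshot (only the extension is original), else None."""
    m = SVI_RE.search(location.rstrip("\\") + "\\" + filename)
    return None if not m else {"rp": int(m[1]), "seq": int(m[2]), "ext": m[3].lower()}

def triage(record, other_engines_flagging):
    """RejZoR's rule of thumb: another engine also flags it -> caution;
    avast!-only with a generic '-gen' name -> plausible false positive."""
    if other_engines_flagging:
        verdict = "caution"
    elif record["virus"].lower().endswith("-gen"):
        verdict = "plausible_fp"
    else:
        verdict = "avast_only"
    return {"svi": parse_svi_path(record["location"], record["infection"]), "verdict": verdict}

def prepare_sample(path):
    """Size and SHA-256 before uploading for a second opinion; a local size > 0
    with '0 bytes' reported by the scanner means the upload was blocked."""
    with open(path, "rb") as f:
        data = f.read()
    if not data:
        raise ValueError("zero-byte file: nothing to submit")
    return len(data), hashlib.sha256(data).hexdigest()
```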



