If viruses are detected by FILE NAME only then I would have to say that Avast has found a FALSE POSITIVE because the file is an executable file of an application program that I have had on my computer for many years.
The name of what I believe to be a possible false positive is AsteriskPassword.exe.
The kind of virus that Avast finds it to be: Win32:Malware-gen
The program path on my computer was: c:\Program Files\Thegrideon Software\Asterisk Password\AsteriskPassword.exe
Scanning with Jotti on-line scanner the following virus programs found the file to be a virus of some kind:
Avast - Win32:Malware-gen
AntiVir - SPR/PassView.N
G Data - Win32:Malware-gen
Quick Heal - Trojan.Agent.ATV
The other sixteen virus program scans FOUND NOTHING. Thus Avast was one of the 20% that considered the file a virus.
Scanning with Virus Total on-line scanner found the following: Result: 5/41 (12.2%) found positive.
What is odd is that I have had this program on my computer for many years and it has never been scanned as a threat of any kind up until now.
I emailed the zipped file to the Alwil Analysts with this same information I’ve posted here.
So again my question about how potential viruses are found by Anti-Virus programs: Are viruses found by FILE NAME or does the Anti-virus program actually check the code inside of files (including executables) and determine whether code within the file is considered to be a possible threat?
I don’t think any good antivirus is detecting malware based on filename. Maybe Mail Shield that checks parameters like file extension and a few other parameters, but the scan engine itself, I don’t think so. Because this is a very inefficient way of detecting malware if you ask me or anyone else. Besides, you can test it yourself. Rename the file and you’ll see if that evades detection. But I doubt you’ll have any success…
I renamed the file to a program name that scans without any problem and Avast still found the file to have a VIRUS.
So it is NOT the name that is at issue here but the executable file itself.
I re-installed the Asterisk program at another location and scanned the new installed program and Avast scanned that new installed executable file as OK - NO VIRUS found.
What I found as well is that the executable file that Avast found to be infected with a VIRUS had a date of 2/21/08 6:12AM assigned to it and the file size was 756KB.
The newly installed program file that according to Avast was not infected with a VIRUS had the older date of 4/25/07 4:38AM assigned to it and the file size was smaller at 632KB. (which makes more sense because I had downloaded the install on 10/14/07.)
So it would appear clearly that the executable file had been altered and more code added based on the more recent assigned date and larger file size on the “infected” file.
I HAVE DELETED ALL FILES RELATED TO THE OLD INSTALLED PROGRAM.
So then I have the following questions:
The assigned date on the “infected” file was 2/21/08. I would have to conclude that the change to this program was done as of that date. So it would appear that whatever change occurred that resulted in a VIRUS was way back on 2/21/08.
If the answer to this question is “YES” then my next question would be:
Why had this VIRUS not been detected prior to now? Could it be that this VIRUS was not known until now?
I am certain I have used the “infected” program many times since the new assigned date of 2/21/08 and done so as recently as the past month. I am assuming that the VIRUS does not act unless the program is used. If my assumption is correct then my next question is:
How do I know what damage if any that the VIRUS has done from the date of 2/21/08 until now?
Could the assigned date not necessarily be when the program was altered? From what I know the Operating System will assign the date when the file is altered so I would think that this would be the date that the code was changed. Am I correct on this?
This is interesting stuff. I will say that I’m thankful that something was at least found that certainly looks like a change to an application program on my computer. The issue of course is when did this occur and what has the change done at all.
I HAVE NOTICED THAT MY COMPUTER WILL HANG QUITE OFTEN AND THIS HAS BEEN GOING ON FOR MAYBE THE PAST 1 TO 1 1/2 YEARS.
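As an added example (not from any poster in this thread, and not the vendor's tooling) of how one would check whether two copies of an executable really differ, rather than reading only the date stamp and size as the posts above do: the file names and contents below are constructed stand-ins, and the script shows that a modification time can be set independently of the content, so the hash is the value to compare.

```python
import hashlib
import os
import tempfile
import time


def file_fingerprint(path):
    """Return (sha256 hex digest, size in bytes, mtime) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, st.st_mtime


def compare_copies(path_a, path_b):
    """Compare two copies of a binary; the hash decides whether content differs."""
    ha, sa, ma = file_fingerprint(path_a)
    hb, sb, mb = file_fingerprint(path_b)
    return {
        "same_content": ha == hb,
        "size_delta": sb - sa,
        "mtime_delta_seconds": mb - ma,
    }


def demo():
    """Constructed sample: two copies with identical bytes, then one altered."""
    d = tempfile.mkdtemp()
    a = os.path.join(d, "AsteriskPassword_old.exe")  # constructed name
    b = os.path.join(d, "AsteriskPassword_new.exe")  # constructed name
    payload = b"MZ" + b"\x00" * 100  # constructed stand-in, not a real executable
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(payload)
    # Any process with write access can set the timestamp: push b's mtime a day
    # ahead without touching its bytes, so the date alone proves nothing.
    future = time.time() + 86400
    os.utime(b, (future, future))
    same = compare_copies(a, b)
    # Now alter the content of b and restore the old timestamp; the hash and
    # size still reveal the change even though the dates now match.
    with open(b, "ab") as f:
        f.write(b"\x90" * 16)
    old_mtime = os.stat(a).st_mtime
    os.utime(b, (old_mtime, old_mtime))
    changed = compare_copies(a, b)
    return same, changed
```
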