Avast false positive for Truecrypt.exe (v5.1a) as Win32:Swizzor-N [Trj]

Hi,
New avast update detects C:\Program Files\TrueCrypt\TrueCrypt.exe as a Trojan.

Avast v4.8 Home Edition
Avast VPS file: date 11/25/2008
file ver 081125-1

Avast team, please urgently update your database. It brakes the system (WinXP SP3).

I’ve already submitted the file to you as a false positive.

The original TrueCrypt v5.1a for Windows available at http://www.truecrypt.org/pastversions.php
Download it, run, select extract files and Avast says Win32:Swizzor-N [trj] detected.

Thanks.

I too had the same problem. I installed the latest version of TrueCrypt 6.1 and do not have any problems now.

http://www.truecrypt.org/downloads.php

I had the same problem as well. I had to let Avast rename the file (TrueCrypt.exe) so that I could install ver 6.

Same Problem after having Avast bugging me to renew a lot because of a soon expiring license, I’m sort of suspicious. I’m using TrueCrypt 6.0. I disabled AVAST, installed other AV which found nothing, checked the old truecrypt.exe file with an online scanner (http://virusscan.jotti.org/). Only Avast and Gdata reporting. So most likely a false alarm. Finally installed TrueCrypt 6.1 anyway, but I’m not sure if I will continue using AVAST.

It a false positive. There is no need to further verify that. The fix will be out in 30 minutes. Truly it is really unfortunate, however it does happen with every AV from time to time.

Just exclude the truecrypt directory from scanning and wait until a fix from avast is available. You don’t need to stop avast.
Happens now and then to every virus scanner…

Sorry, had to investigate and proceed with my work. Avast did not let me even copy it for alternate AV testing. So I switched it off. I agree too, no action should mean no action at all or else it should be notified, that the file is locked by Avast.


Avast VPS file: date 11/26/2008
file ver 081126-0

Problem is fixed.
That was fast, well done.

Thanks to Avast team.

Thanks for the false positive correction.

No action in this case means none of the actions listed in the alert, but it won’t let you run what it considers an infected file on the single click of a button.
It would be too easy for accidental running of a truly infected file, that is why the exclusions processes are there so you can run it if you are sure it isn’t infected and accept the risk of running it.

How to add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add (on-access exclusion) and
Program Settings, Exclusions (right click the avast ’ a ’ icon)

When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions. This would also allow you to send it to somewhere like virustotal a multi-engine scanner.

I’ve got the same problem with DESLOCK+ 3.2.7 in the c:\windows\system32\dpalsrv.exe file. Definitely a false positive.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.