I’ve had the files for a drawing program on my computer for months. Years, even. I’ve never, ever had a problem with this program. I had it open earlier today, in fact. (The program, for anyone curious, is Paint Tool Sai.) However, now, when I try to open it and work on some drawings, Avast starts freaking out and moves the file to the virus chest. I open the chest and it says it’s infected with FileRepMalware. So I scan the file and it says there’s no virus. Thinking that’s the end of it, I try and run my files again and Avast has another freakout and shoves them back into the virus chest. Can someone tell me how to get Avast off my back? I’m not at all worried about viruses, because I know my program isn’t infected, I just want Avast to let me run it! I refuse to reinstall the program, because I’ve got a lot of really particular settings on my brushes and I’ll lose those if I have to download it again.
You can report a possible FP here: https://www.avast.com/contact-us.php?subject=VIRUS-FILE
I’m afraid your only option–unreasonable as it is–is to exclude that folder from Avast.
Everybody has this problem of (not very much older) software being pinged by Avast, which seems to have two separate detection engines.
I’ve had to exclude my ancient IconEdit32 because Avast has taken a dislike to its presence. I’ve had to exclude my FujiXerox 32-bit Document Monitor suite because Avast thinks it’s got Evo-gen [Susp]. I’ve reported both files as False Positives but nobody is going to tell us “OK, thanks for that, we’ve made sure it doesn’t happen again.”
What Avast needs is to have ONLY ONE scanning engine; and–pending the deletion of the #2 engine–an automatic False Positive upload and test if the current #2 engine has any funny ideas, with no action being taken until (IF) the test comes back positive.
I’m not going to make silly comments about looking for a better AV because I think you’ll find they all work the same way. They’re all as bad as each other. I do feel that just maybe if the various AV vendors can’t get a better act into gear then perhaps I won’t see the need for any AV.
Security by its very nature must be intrusive, we can’t get away from that. But if my human/canine security keeps making bad judgements, I always have the option of deleting them.
Gordon.
I've reported both files as False Positives but nobody is going to tell us "OK, thanks for that, we've made sure it doesn't happen again."
depends where/how you reported it ..... and a Zero FP guarantee is not possible to give
report it here https://support.avast.com > avast virus lab
What Avast needs is to have ONLY ONE scanning engine; and--pending the deletion of the #2 engine--an automatic False Positive upload and test if the current #2 engine has any funny ideas, with no action being taken until (IF) the test comes back positive.
hmmm, that is new to me. What is the other engine and where did you find that info?
Good question. I can’t see the second engine, but I must infer its presence when I see the visible main scanner giving a clean bill of health to a file the second (invisible) engine has thrown in the slammer (Vault).
...and a Zero FP guarantee is not possible to give
So that’s what happens to all the files we upload :o
Seriously, I’ve done what I can to limit Avast to its only meaningful task, detecting malware. But how do I stop Avast from rounding up innocent exe’s and dll’s? So I “rope off” certain parts of the city: and decrease the security.
And FWIW, whenever I get a report of possible infection I use the Avast-provided “Report as False Positive”. But somehow, the fix doesn’t seem to arrive…
Gordon.
avast only has one engine…
Win32:Evo-gen [Susp] = Suspicious is not one specific signature. It is several techniques used to detect new malware before any signature is made, and that will give some FP
so avast could remove all these techniques used for catching new malware to lower FP but then you also lower detection rate
this is what they try to save you from https://www.av-test.org/en/statistics/malware/
and to do that without using some automatic tech is not possible, and yes it will also give some FP
So the one engine won’t see an infection on a user-scan, but does see the infection on a routine patrol? So when we spring the innocent file from the slammer, the one engine immediately rounds it up again on the next routine patrol? I don’t think so.
Gordon.
Win32:Evo-gen [Susp] used to be an on-access detection only, it would not happen during a scan, and not seen on Virustotal if you checked a file, but this has been changed
New Toy in the Avast Research Lab https://blog.avast.com/2012/12/03/new-toy-research-lab/
“…used to be…”, “…not…during a scan…”, “…but this has been changed”. And now? That blog is nearly 3 years old: it’s obsolete. The problem is, when automation is allowed search and destroy privileges it can cause massive “collateral damage”, AKA “friendly fire”. Which is why when something beginning to look like AI is put into production, its powers must be limited to verification only. That is, upload the suspect file and associated documentation to a lab where humans can suss it out.
I’m waiting for the devs to buy into this, because destroying good software on suspicion alone is world’s worst practice.
Gordon.
if you want an AV with low FP then Windefender is the one for you
the downside is that it is weeks after the others when it comes to detecting new malware
Look at the bright side: an AV that gives two diametrically opposed results depending on the way the engine was initialised is probably totally unreliable. There really is no way anyone can trust Avast if the one engine bangs up a file on a routine patrol, but can’t see the problem on a targeted scan. Youse may as well have two different engines… I was prepared to accept the bloat-ware in Avast, but given it cannot dependably perform its primary mission, I begin to wonder. Windefender may well prove to be superior so long as it refrains from false alarms.
Gordon.
When Avast does an on-demand scan of an executable, it is comparing the contents of the file to what is in the VPS (and streaming updates) signatures. OTOH, when the executable is executed, Avast resident scanner is looking at the actions that the program is taking. If this is suspicious, then Avast alerts on that.
I suppose that Avast could run all executables scanned via an on-demand scan in a sandbox. In that way, the results would be consistent with each other but that would make an on-demand scan longer.
A-a-a-ahhh, I can understand that. However, when IconEdit32 (c)2000, Ziff-Davis, was pinged, it was not in use, just sitting. When C:\Program Files (x86)\Fuji Xerox\DocumentMonitor\DocMon\CDSDPC2255APPlugin.dll was pinged, it was not during a print, the dll was just sitting there.
Avast seems to have what I call “routine patrols” and “Special Ops” which we can call on-demand scans. And these give different results, but according to many it is the same engine doing the interrogation. Just one engine, rather than the two separate engines which is what I believe. But the argument is not important: the results and the sometimes catastrophic effects speak loudly for themselves.
If two different scans give two opposite results, then there is a problem. The only question is when will people admit the problem exists? In the wise judgement of AA, until that first question is dealt with, no progress can be made.
One way we can test the existence of a problem is a diagnostics mode in Avast, possibly on the lines of the PS3 Media Server which has a debug log built in, which is destroyed after each instance is quitted, so avoids taking up too much space on disk.
Gordon.
The only question is when will people admit the problem exists?
of course it does ... NO security program has 100% detection or zero false positives
i told you above how you can report it so that they can fix it if you still have the problem
here it comes again https://support.avast.com → avast virus lab
Pondus, the problem is not the percent detection or the number of false positives. The problem is how one engine can detect a suspected infection used one way, and give a clean bill of health used another way. The problem is that a file is either clean, or it should be banged up. We note that when these Evo-gen[Susp] files are pinged, we are given the choice of having them “cleaned”, which would result in the removal of just 8 bytes. Of course, removing those 8 bytes may well remove all functionality from an otherwise healthy file.
We also note there is no way of controlling the behaviour of the “routine patrol”. There is no way to set the sensitivity, no way of explicitly telling the engine what to do with the file, for example, telling it to simply log the occurrence but take no other action. The problem is that there appear to be two different separate engines, each with a separate agenda.
Gordon.
If you report it they will adjust the Evo-gen code to avoid it. It is all we users can do, report and leave it to Avast lab