Avast Support is *very* bad

I’ve detected a false positive in an old Medal of Honor patch (Breakthrough_patch_2.40b.exe).

This file hasn’t been modified in 10 years (same md5, I repeat SAME MD5, for 10 years), I never had any issue with it, and it was previously scanned by many other AVs without issues …

Therefore I’ve raised a ticket to support to flag this as a false positive, and an update of the definition file was eventually released to fix this.
However, 2 weeks later the file was marked as a threat again by an update.

So I’ve reopened the ticket and it is going nowhere:

  • first the support guy tells me the file is infected, then that it is a false positive that will be fixed in an update (there have been at least a couple of updates but it is still not fixed).
  • I’ve asked for technical details about why this was flagged as a virus and what actions will be taken to keep this from happening, but I can’t get any answers … The only thing I got is that my ticket was moved to the “private” status. Outrageous!

I’m really disappointed with the unprofessional attitude Avast support has in general. This is not the first time I’ve had to deal with them and they are completely useless and random. I’m wondering why bother to pay a premium for support when you get this poor treatment :frowning:

In addition, I’m very worried to see how badly the Avast team seems to tackle virus identification; it looks like a big bullshit with very poor tests.
Looks like this has become a standard in the industry, unfortunately; have a read here: http://pid.gamecopyworld.com/

Hi zfil :slight_smile:

Can you post your Ticket ID?
Then I will try to get some attention to this.

Greetz, Red.

I think that the support ticket route isn’t as effective as it should be for FPs.
It would/should have been much quicker to submit it from avastUI - presumably it was added to the virus chest - in which case it can be submitted directly from there.

If you didn’t allow it to be added to the chest, you can add it manually and then submit (image1).
Open the virus chest - avastUI > Settings > Scan > Scan for Viruses - at the bottom of that page is ‘Quarantine (Virus Chest)’ clicking that opens the chest.

You can make that less long winded by changing the home page of the AvastUI, image2.

detected as suspicious
https://www.virustotal.com/en/file/8a700bfbba0298590fd515d6e99f9760abc182161bbefec4d890fca97207d52d/analysis/

First submission 2013-12-09 21:44:31 UTC ( 1 year, 8 months ago )

Yeah, only by this crappy Avast. BTW I would really want to know what makes the Avast engine think this is suspicious :slight_smile:
As with the other example I’ve given of ProtectionID, which is flagged as a virus, this is completely FUD; just disassemble the thing and give me the problematic code :confused: this is ridiculous.

Well, I tried that before and nothing happened :slight_smile: at least with the ticket this file was whitelisted for a couple of weeks :slight_smile:
Frankly this is sad and ridiculous :frowning:

If you would post your Ticket ID like I asked ::slight_smile:

Greetz, Red.

Thank you so much!

The ticket id is : #KMF-493-36836

Cheers
Fil

I have put it forward :slight_smile:

Greetz, Red.

more info on this detection
Win32:WrongInf-D [Susp] / Wrongly infected file means it may have been infected by a file infector or not properly cleaned and contains remnants of infection

So I’ve received an “answer” from the support: apparently updating my definitions will solve the issue. Unfortunately this is still not true with tonight’s 150814-6 version (the support message was sent in the morning).
Of course I’ve not received any technical answers about the root cause of this false positive, nor info about what they will do to prevent this, as I requested (this is beyond me; if I was treating my customers the same way I would have lost my job a long time ago …)
No explanation either of why my ticket was put to private status …

Still, in this case this is completely ridiculous. I’ve even compared the file with the one from the original EA servers (which hasn’t changed since 2003) and the hash is the same …

The file contains a binary (ikernel.exe) with Parite leftover. It’s not dangerous, but it is not clean. It’s completely ok to detect it at the highest heur level.

ikernel.exe is InstallShield. Not sure what you mean by “Parite leftover” … But yes, actually now it is only detected at the highest heuristic lvl …

And BTW, if it is not dangerous, why is it marked as a threat? Shouldn’t it be flagged as a warning?

“Not sure what you mean by ‘Parite leftover’”
Parite is a file infector virus

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Win32%2FParite

https://blog.avast.com/2011/05/27/friendship-and-an-immortal-virus/#more-2722

Ok so thanks @Pontus and @Maxx_original now I understand the root cause of Avast reporting a problem at highest heuristic lvl, but:

  • I feel sad that even after many exchanges with support I didn’t get any useful answers; it is fortunate to have Avast guys answering here (many thanks !!)
  • please consider reporting this class of detection as warnings instead of threats

Now, for my education, why does VirusTotal still detect the issue as of today? Do they run Avast at high heuristic sensitivity?

“please consider reporting this class of detection as warnings instead of threats”
well in a way it is Win32:WrongInf-D [Susp] = suspicious
“Now for my education why Virus Total still detect the issue as today, do they run avast in high heuristic sensitivity ?”
VT FAQ https://www.virustotal.com/en/faq/ About https://www.virustotal.com/en/about/

yes, VT runs avast engine with highest heuristics…

WrongInf (= wrongly infected) [Susp] (= suspicious) says it all, it’s self-describing, so you don’t have to worry about it even though it’s a regular threat warning :wink:

sorry for the support lag

Alright :slight_smile: thanks for the info.
But frankly, now that you say it I understand the output, but without your insight it is not so clear :P.

For instance, I find it quite frustrating that when a threat is detected there is no way to get more information about why Avast detected it (even in the report file there is no more information).
It is especially important for the generic stuff (where there is a good chance of having false positives …)
BTW is there a place where all the different threat types are described?

Now the ticket has moved to the [Private] status whatever that means … Oh well :slight_smile:

Maxx: “It’s not dangerous, but it is not clean.”

I think that is “self-describing” :slight_smile:

On the contrary, “WrongInf (= wrongly infected) [Susp] (= suspicious)”
might be confusing for average PC users.

I have to admit that things obvious to me can be confusing for others, because I’m an insider.

It’s not a complete list, but an insight to our naming convention https://blog.avast.com/2009/07/29/what-to-imagine-behind-win32malob-cryp/