I’m using Avast! Home 4.6. Today it found a trojan on my HD and the program asked me what to do. The fact is that I AM 100% SURE that it’s a “false positive”. But the alert window didn’t have the “Do Nothing” Action. I’ve pressed the OK button, and as a result, the file is “locked” (it’s an executable, if I try to execute it, Windows says something like: “You haven’t the required privileges to open file”). And now? Is my precious file lost??! I want it back!!! Is there a way to unlock it, I hope…
- What OS are you using?
- What was the virus name, what was the filename, where was it found, example (C:\windows\system32\infected-filename.xxx)?
- What makes you 100% sure it is a false positive?
If you are unsure the best action is first do no harm (e.g. don’t delete) move it to the chest and investigate as you are doing now. Check out this thread - http://forum.avast.com/index.php?topic=14473.msg122170#msg122170 - it may help clear the confusion about the OK button (your file hasn’t been deleted, just avast stopping the file being activated (locked, I believe temporarily) to prevent a virus being run). You may even want to comment on the thread as a user, perhaps a little confused by the OK button!
The do Nothing action is virtually hitting the OK button, but I would say if you hit the cross ‘X’ at the top right of the alert window, it too would do nothing, but you may get the alert again.
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces).
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Note: The file will have to be outside the chest to have it upload and be scanned by Jotti.
I’m using WinXP Home SP2 (updated); and the virus (actually, it’s a trojan) is “Win32:Trojano-1205 [Trj]”. The “infected” file is named WXPro.exe and has been compiled by me. It’s not a virus, it’s not a trojan. 100%. For my privacy, I’d prefer not to send it to anyone. But, at the end, the question is very simple: Can I do absolutely nothing when I find a Virus/Trojan? And… if I’ve already pressed the ill-famed OK button, what can I do to “restore” my file? Help, please!
Put it in the ignored files (standard shield/personalized/advanced settings)
Did you use any “exotic” packers? That could trigger an alarm.
I’m not sure what you mean by restore, get the file to work as before or restore it back to its original folder? - but I would assume permissions based on your original post.
By pressing the OK button the file should be in the folder it last was. Whilst I’m not sure exactly what avast does with the file to stop the virus (suspected or otherwise) from running, but perhaps ‘Hiding’ it and or changing the ‘Permissions’, which you should be able to restore/change as the ‘administrator’?
You could check in the Chest also to see if it may have been moved? but I wouldn’t have thought it would be there unless you chose that action.
Before you attempt any of the above you should add the file to the standard shield exclusions list otherwise when you try to do anything with the file the alert will pop-up again.
Thanks, CVSA! That’s exactly what I was looking for! Now it’s OK!!!
Another problem: Avast! has found another virus/trojan that is 100% false positive (the file has been compiled by me). After pressing OK at the virus alert dialog, Avast! “locks” the file, as I told (simply, makes it inaccessible). But this time, even if I put it (or the entire folder) in the exclusions list, Avast! keeps finding and locking it. Is there a way to continue my work without stopping the Avast! protection provider for my HD, and having the possibility to open my file?
Thanks…
Instead of clicking OK try simply closing the alert window as I mentioned in my first post. Hopefully that won’t trigger the locking and allow you to add it to the exclusions.
I assume that you are using ntfs, perhaps the file is locked using the security in ntfs (I don’t know I don’t have my HDDs on ntfs), so as the administrator you should be able to unlock it.
How did you get around the lock on the first file? Surely that should work for the second.
I know you are reluctant to send the files to avast but there must be something in the way you are compiling them or the program used to compile them to make avast detect something. You still haven’t said what virus avast thinks it is?
This really needs some input from the Alwil team but I would suggest you compile another program (simple not confidential) and see if that too is detected and if so send that to avast as mentioned in my first post.
The trojan found in the second file is the same: “Win32:Trojano-1205 [Trj]” (the file is an executable). But after I put the first file in the Exclusions list, Avast! stopped bugging me… For the second one, this procedure doesn’t work (incredible…). I am not a virus creator, so these files that I compiled can’t be viruses/trojans. They are simple programs I am writing for my university courses (and, yes: I use NTFS). Maybe the heuristic scan thinks that my two files are viruses? Anyway, I don’t want Avast! to continue locking them. Is it possible that the best antivirus program hasn’t the fabulous feature “Do ABSOLUTELY nothing when you find a virus”? I only want this! It’s the simplest thing in the world! What can I do?
If I close the window clicking on the classic “x” on the top right corner, the result is the same. Like when I choose OK, the file is “locked”. The only way I’ve found to get around this is to stop the local scan provider…
What is the full path of the “infected” file, and what exactly did you put into the list of Standard Shield exclusions?
Could/did you send us the file for analysis, please? (so that we could fix the false alarm)
Thanks.
I think you don’t need to fix the false positive, 'cause I’m the only guy in the world that has this EXACT file. It’s a little application written and compiled by me… and, as I told, I’d prefer not to send it to anyone. But the matter is another: why does Avast!, even if it doesn’t delete or move the “suspect” file, absolutely want to prevent access to it? Why can’t I say to the antivirus: “Don’t touch that file!!!”?
The full path is D:\Archivio\Compiled\RSH.exe (drive D:\ has NTFS file system, and isn’t the system drive).
I’ve tried to put in the exclusion list the file alone, and the entire folder (string “D:\Archivio\Compiled*”).
But, in any case, when I open the folder from the Windows Explorer, the alert window appears and (doesn’t matter if I press OK or I simply close the Window) the file is locked by Avast!, I suppose to “prevent access to dangerous file” or something like it.
The only thing I want to do is to configure Avast! to ignore that file.
Sorry, avast! will not let an infected file be started (unless you stop the Standard Shield provider, of course). That would be too dangerous option. If a false alarm appears, we will fix it (if we have the file).
When you set the exclusion and avast! detects the file anyway - what is the exact path displayed in the Virus dialog?
If it’s really impossible for you to send us the file, can you at least give us some more info about it? In particular,
- what virus is detected in the file?
- did you use any executable packers to pack the file?
- what compiler did you use to build it?
“Sorry, avast! will not let an infected file be started (unless you stop the Standard Shield provider, of course).”
You are right, Igor, but my file is NOT infected, and this is exactly the problem… My little app is a simple command-line program to resolve a mathematical problem (it was created by the standard compiler of Visual Studio 6, and without using other packers). I’m not a virus creator, and the file doesn’t contain viruses/trojans/worms/other dangerous stuff. That’s all. I don’t want to know why Avast! thinks that there is a trojan. I only want it to stop bugging me without a valid reason.
Ok… it doesn’t matter. I give up. When I’ll have finished with my “homework”, I’ll delete the file.
Roccobot, I understand that your file is not infected - but avast! thinks so for some reason. To fix the false positive, we simply need to have the file. (I don’t exactly understand why you feel uncomfortable about submitting the file - we would check it, fix the false positive in our database and delete the file; but of course, that’s up to you).
Putting the folder to the list of avast! exclusions should work, however. What is the virus reported in the file, and what is the exact (full) path reported in the virus dialog?
D:\Archivio\Compiled\RSH.exe
Win32:Trojano-1205 [Trj]
Thanks, I’ll check the corresponding signature.
So, you put
D:\Archivio\Compiled*
into the list of Standard Shield exclusions, but the “Virus found!” dialog still appears, showing
D:\Archivio\Compiled\RSH.exe
as the infected file path?
That’s really strange… could you please check whether you don’t have a typo in the excluded path? It certainly should work this way… Besides, you said it did work for you for one file - was it in the same folder?
Yes, I’ve tried to put the single file in the exclusions list (D:\Archivio\Compiled\RSH.exe), but it doesn’t work. After that, I’ve tried to put the whole folder (D:\Archivio\Compiled*)… but it still doesn’t work.
My English is not so good, so I’m not sure what you mean with “please check whether you don’t have a typo in the excluded path”… if you mean I must check for mistakes in the string, I’ve already checked it, and it is all correct.
In this topic called “Big Fat Trouble”, I’ve mentioned two different files (located in two different paths) considered as infected by Avast! (the trojan is the same, “Win32:Trojano-1205 [Trj]”). I know that the trojan identification is a false positive for both files. After the suggestion given by cvsa, I inserted the FIRST file in the exclusions list, and it was OK. But with the SECOND one, no way.