Can´t exclude a directory

Viruses and worms
1

Hi, I was trying to follow directions to deal with a supposedly false positive file and:
Created a folder in C
Commanded Avast to make it an exclusion
Extracted the file from the Virus Chest
but… avast keep sending it to the virus chest again and again.
Am I doing something wrong?
Thank you.

2

What avast version are you using 4.8 or 5.0 ?

Try following these instructions for avast 5.0, as you appear to be missing a step:

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect* That will stop the File System Shield scanning any file you put in that folder.

3

Avast version 5.0.545
I checked it at http://www.virustotal.com/es/analisis/2d3df754529f339e357bba649f17c5dc538e48f02c79c224e4e24abd03308f46-1276438148
and it informed some findings. But I was using it ok until yesterday with nod32.
When I made the c:A Sospechosos folder I then marked it as an exclusion.
You are talking in your post about a → (File System Shield, Expert Settings, Exclusions, Add) sequence, but I can´t find the Expert Settings anywhere.

4

Left click on the avast icon, select Real-Time Shields, File System Shield and you should be able to find it, see image.

Having said that, the virustotal results are pretty clear that at the very least this file is highly suspect, so this I would say is no false positive, which you wouldn’t want to exclude. But it is your system, your acceptance of any risk and can choose what you do on your system.

What makes you think that it is a false positive ?

5

Hi, thank you very much for your unvaluable support. After I received your last post I definetely restrained mysefl to ignore the files.
I reinstalled the program and now is working fine. So I suspect that the files were infecting at some point and were not recognized by nod32 that was my former antivirus program.
What makes me believe that it was a false positive is the fact that it has worked great under nod32, and only after I installed Avast the problems started. But the problem was reflecting something real.
Thank you again!

6

I suppose you’re not using two antivirus at the same time…
Disable is not enough.

7

You’re welcome.

Always best to confirm rather than just exclude.

Though after reinstalling the program (presumably related to the ftpsync.exe file) and it is working without alerts that would also tend to support that the detection was good (along with those others in the VT results).

Another point is that most of the detections in VT are either generic or heuristic or backdoor, given what ftpsync.exe is meant to do synch ftp connections (?). It may be that many of the detections are based on what it does as that ftpsync.exe could possibly be used for evil as well as good.

Interestingly even Nod detects this ion the VT results as “probably a variant of Win32/Agent.”

8

No I am not. I uninstalled nod previous to the avast installation.
Thanks