Dialupass Reporting Hupigon-DVG Trojan

I just downloaded a zip file from a reputable site and Avast! blocked the download reporting the Win32:Hupigon-DVG trojan.

The download failed and I reattempted the download (interestingly the 2nd download attempt completed). After unzipping the file I found that there was a program named Dialupass.exe that was causing the message.

I ran this file through Kaspersky Lab’s online file scanner and it too reported a virus. But it was titled “not-a-virus:password tool…”.

Should I be concerned? Is this a false positive? Comments and assistance as to whether or not I should be concerned about this file and how to get around avast! blocking it?

The problem with this tool is it is hard for an AV to determine the intention, good or evil.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Thanks for the weblinks for the multi-scanners, very handy tool for this.

I ran the file through both sites and they all either report nothing or indicate the file as a hacker tool, password tool, etc. Only avast! is reporting it as the hupigon trojan.

I think from this and the fact the site I downloaded it from is reputable means that it is definitely being false-positived (sic). Further investigation into the download found that the program also had a help file which even stated that it was likely to be reported as a false-positive.

From this unwarranted scare, there comes 2 points of discussion.

  1. Avast! is reporting it as hupigon, no one else did.

  2. Why are antivirus companies even reporting something that is not actually malware? The program’s designed function is to uncover the dial-up passwords on a system. A utility for recovering passwords. This, in itself, is not bad.

Now, if someone took that program and modified it such that it would, if used, actually put a backdoor on a system (in addition to its designed function), that should be reported and that is what the antivirus companies should be looking for. Is this too difficult to do? Or, am I not understanding something?

In any event, I will endeavour to make it an exception in avast! If I do, does this mean I have to regularly monitor the file to see if avast! has stopped reporting it? Or does avast!'s software have a mechanism built in for telling me automatically? If not, would that be a good thing to build-in?

  1. unfortunately there is no standardisation in naming malware, though this could do with review. So using the information in the how to report to avast, with some information as outlined here, etc. a link to this topic.

  2. as I explained tools can be used for malicious purposes as well as good and an AV can’t make that determination. So a trojan could run said password retrieval tool and possibly use it for other purposes.

  3. to even consider something like you suggest would require avast or any other AV to have detailed knowledge of not only that tool but the many thousands of others to be able to identify if it had changed. It would also have to maintain that database for updates, etc. and that really isn’t realistic. It would also be likely to have an impact on scanning speed and performance as there would also need to be cross referencing to and database against the tool/file.

I say this as an avast user with an idea of what would be required to do this.

  1. You could simply not bother to check if it has been corrected and leave the exclusion set-up. I do regular system maintenance and that would be the time to check, once a week or month isn’t too onerous. If reported as a false positive and avast agrees then it is usually corrected quickly. There is no automatic notification.

However, I would think it may be more likely that the malware name may change as there are a number that have the suffix [Tool] to indicate it could have been installed for a specific purpose and if you installed it and are aware of the purpose, no problem, exclude it from scans. I personally would rather have that than it got waved through if you were totally unaware of it.

I have a folder on my HDD that I keep any such tools in which is excluded from scans so I don’t have to continually add exclusions for individual files.

It’s not that easy to recognize a ‘riskware’ tool. It could be good, it could be dangerous.

Nobody has a false positive on purpose. Generic signatures or heuristic methods could lead to false positive detections. They try not to make any mistakes, but it happens.

I won’t like that my antivirus restores anything automatically to my computer… never… I’ll do it manually, after double checking. I suggest the easiest way to do so, add (or move) the file to Chest and from there, from time to time, test it against the latest virus database version.