Excessive false positives

I have been using Avast for over 7 years and have found it to be pretty good compared to other anti-virus solutions out there. I use it on multiple systems daily and even used to pay for it before all the useful stuff became completely free. One thing I have noticed lately that is different from the past 7 years is that the number of false positives seems to be through the roof. It seems that Avast has a fear of just about every zip or self extracting exe, or even just exe files in general. It’s starting to get tedious and I fear that it will foster complacency because it is getting to the point that I cannot go a full day without Avast blocking me from doing something legitimate. I wonder if this is where the software is heading (excessive paranoia), or a temporary blip on the radar of smooth sailing.

In the meantime I’ll keep filling out the false positive reports and hope that Avast pay attention to them.

Well whatever programs you are using are obviously out of the ordinary. I have AL of Avast’s shields set to high and still have never received once false positive. As in matter of fact Avast has recently scored very well in AV Comparatives false positive test.

http://chart.av-comparatives.org/chart1.php

Yeah obviously… :o ???

My last Avast virus warning was September 2011, but I have had almost 20 since the start of April this year. So I guess I just started using weird applications 2 months ago… Uh I think not. I’m doing the same stuff I have always been doing.

I’ll add that most (if not all) of the false positives seem to be reported as “Win32:Evo-gen [Susp]” virus.

So exactly what type of software are you using that generates these false positives? Do you have a Virustotal link to show that these files are not malicious?

http://forum.avast.com/index.php?topic=121661.0

http://www.im-infected.com/virus/win32evo-gen-susp.html

Doesn’t seem like a false positive to me. Sounds like your infected.

I’m not sure what a “Virustotal link” is, but I know that in all the cases of recent Avast intervention that the applications/files are safe.

Some of the files flagged recently on my system are nothing more than self-extracting executables. Others are small executable files (either old or new). Most have existed on my machine for years and others are newer.

Here’s a mainstream one though. The Java 7 installer.
avast! [ASUSP9X79]: File “C:\Users<UserName>\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe|>[UPX]” is infected by “Win32:Evo-gen [Susp]” virus.
“File System Shield” task used
Version of current VPS file is 130404-0, 04/04/2013

This was the first false positive in the current series.

As an aside, I work for a software company and the Avast auto-sandbox totally annihilates our installation process (that requires several small executable to run elevated for licensing and other administrative steps), but I usually don’t run the auto-sandbox, so that is not what I am writing about here; it’s just the same kind of paranoid behavior from the heuristic detection.

I did some googling and am seeing a pattern; it seems that something changed in the last few month to increase the incidence of these false positives (typically all Win32:Evo-gen [Susp]) . Now if using one’s computer to do more than surf the web, send e-mail and play games is considered different to the mainstream, then I guess I fall into that category (although I do those other three things too).

So you work for a business using Avast Free? You cannot do that. Avast Free is for home users only. Virustotal is a website to verify if a file is malicious or not.
Java 13 is also out of date. Java 13 is back from February. The current version of Java is 21. There has been HUGE problems and vulnerabilities found in Java. Update to Java 21 and your false positive will cease. Clean out your temp files also.

https://www.virustotal.com/en/

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

So you work for a business using Avast Free? You cannot do that. Avast Free is for home users only.

Is it possible to talk about the current topic without being preached at? I always feel like when I come on to a forum like this to discuss something it ends up being a pissing match between the forum self proclaimed uber-nerds and real users with real issues. That said, yes I have a job, and yes my work computers have paid A/V software. My home computers, however, run Avast free. Like I said before I used to pay for it when the stuff I needed had a price tag attached, but I’m not inclined to pay for fluff and that is all Avast currently seem to charge for.

Virustotal is a website to verify if a file is malicious or not. <<
OK, thanks. In my case I am certain the files are fine; they are either published by well known publishers or they are published by official organizations (US govt) or my own company (the one I work for, not the one I own).

Java 13 is also out of date. Java 13 is back from February. The current version of Java is 21. <<
Pretty sure it’s Java v7, unless you are talking about the update number. In any case that was the message back in April and it was current at that time since I remember hitting the Avast message at the time I was downloading it directly.

The current version of Java is 21. There has been HUGE problems and vulnerabilities found in Java. Update to Java 21 and your false positive will cease. <<
I try to keep the systems that are running Java up to date; this was just a relic from a download a couple of months ago. I pulled that Avast message from e-mail archive. The Avast message/interaction has ceased for that file since it’s not on my system anymore. I’m not surprised that Java has huge problems; personally I think it’s a mess, but I needed it for a game that my kids run.

Thanks for taking the time to respond to my post. I noticed that Avast responded to one of my false positive reports today saying that it will be fixed, but I have submitted more than one.

Whilst I have your attention do you know anything about how the heuristics work in Avast? i.e., for a false positive do they just add the specific binary signature/hash/whatever to a white-list or do they review/modify the heuristic algorithm? It would be nice to know that if the Java heuristic trigger and the one I just reported help the overall robustness of the heuristic rather than just building upon a white-list of known safe files. The latter approach will of course be a never ending exercise.

Guys,send the false positive files to virus@avast.com via e-mail with subject false positive.

I have been using http://www.avast.com/contact-form.php or the software itself.

Java 7 Version 21. A link is provided. The version being detected is Java 7 version 13 from your statement. If that’s the case then update to Java 7 version 21.

I have also been using free Avast for many years, always been the perfect answer for me! I’ve used it on w9x, wXP, and w7, absolutely no problems!

Then recently it’s beginning to become a complete pain in the ass! Popping false positives on anything and everything. Even the simplest of known good programs! I suggest that Avast consider looking into their recent revisions/updates because they are going to lose paying customers else!

It seems that Avast has a fear of just about every zip or self extracting exe, or even just exe files in general. It's starting to get tedious and I fear that it will foster complacency because it is getting to the point that I cannot go a full day without Avast blocking me from doing something legitimate. I wonder if this is where the software is heading (excessive paranoia), or a temporary blip on the radar of smooth sailing.

I agree totally! I’ve been programming for years in vb, devC MSVC, MSVC++, Delphi, and ASM, and only once can remember a false positive triggered by one of my programs! But lately I can’t hardly compile or execute a couple of lines (in various languages) without avast coming up with false positives, and not allowing the exe file to run…

Yes Win32:Evo-gen is the most common warning, and the exe files are clean, I can guarantee it!

Didn’t come here to start a war, Either avast gets mended or I’ll stop using it, and stop recommending it…

Oh yes, it’s NOT the java responsible! Already have the latest installed:
Your Java configuration is as follows:
Vendor: Oracle Corporation
Version: Java SE 7 Update 21
Operating System: Windows 7
6.1 Java Architecture: 32-bit

Thanks, but that Avast message about Java is an old one from the start of April. I was just using it to illustrate the type of false positive I have been seeing.

That’s pretty much my experience too. Great for years, now all of a sudden (early this year) getting a number of false positives. The most recent one I had prior to this current batch was in 2011 when Avast pegged kernel32.dll in syswow64 as a virus! That one caused all sorts of problems I am sure people will remember.

avast! [WHAR-XPS420]: File “c:\windows\syswow64\kernel32.dll|>[Emul]” is infected by “Win32:Cycbot-KI [Trj]” virus.
“Full system scan” task used
Version of current VPS file is 110924-1, 09/25/2011

Then after that not a single virus alert until April this year for me, and now almost 20 since then.

we need that file

You can send the file via email to avast lab
virus@avast.com
put “false positive” to email subject

All my software is currently up to date. My shields are set to high in Avast. Still ZERO false positives.

check update 130527-1 fixes the problem

New victim using avast professional (paid). Had set or not set (default) shields or behavior to delete suspicious files. Had 2 .exe files that were deleted on full scheduled weekend scans. One was qbw32.exe (Quickbooks). The other exe was a shop software which ran the whole shop. Massive problems for me as I maintain their systems. Avast reported win32:tenga was the virus. ran several removal tools and then replaced the files from a clean system or setup cd. Bingo all good on scan and hitman pro and scheduled weekend scan dumped them again. Okay that’s enough. Switched to Microsoft Security essentials and scanned affected areas. All came back clean. Honestly don’t know what to think other than some update to avast that got me. Reasoning based on fact that all was good for 6 months with same setup. Last 2 months problem occurred. We will see what happens from this point on with security essentials.

Tenga is a nasty fileinfector

http://www.f-secure.com/v-descs/tenga_a.shtml
http://www.eset.com/us/threat-center/encyclopedia/threats/win32tengaa/

I do that and continue to get the same false positive later.