False Positive - how long until update?

Hi everyone,

I’m having a problem with what I believe is a false positive being found in Counterspy files. I’ve had this problem before and posted here about it, and sent the file to Avast Support, who solved the problem with an update.

I’ve sent the index of the found files to Support twice now (the actual files are 96MB even after zipping them, and OE failed to send them), and have received no reply (which I did get before), and despite numerous updates since the Trojan (Win32:QQPass-FV) was found, it’s still being found.

How long does it usually take until Avast put out an update for an FP, and would they tell me, if it isn’t an FP?

Many thanks for any info.

Regards,

Graham.

What is the file name and location? I’m concerned about the size; I would find it strange if the complete CounterSpy program folder came close to 96MB, much less 96MB after being zipped.

avast is usually very quick in correcting any false positive once identified, as you mention at this kind of size they may not have got it.

You can use the ftp server to upload big files. Upload them to ftp://ftp.avast.com/incoming

Hi DavidR

The original file name is SBTEDef.idx. That’s what the index says.

The Counterspy program file is 112MB, so the amount that is being removed to the chest is a big percentage of that. I have to restore the files in the chest to get Counterspy to work.

Well looking at the file name I would hazard a guess that it is a definition file and that is absolutely huge for signature definitions.

A google search for sbtedef.idx, confirms this is a definitions file http://www.google.com/search?q=SBTEDef.idx, so I would suggest you include this in the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

http://www.wilderssecurity.com/showthread.php?t=154821

The large installation size is due to the definition database SBTEDef.idx, which is 168MB for Definition #449.

Also see a response about the size of counterspy, in the same topic, I was at one point considering CounterSpy, not any more, that is absolutely huge http://www.wilderssecurity.com/showpost.php?p=885864&postcount=9

So to the problem in hand, I hope you are able to get the file to avast, but what they are likely to do with it I haven’t a clue as signatures really should be encrypted to avoid other security software detecting some signature that it too detects. Perhaps a word to the counterspy or their forum about unencrypted signatures being detected by other security software.

When I tried to send the file to Support, I did as instructed, and zipped it, and then encrypted it so that Avast Mailscanner wouldn’t stop it. This produced the 96MB zip file. I’ve just checked the size of the file in the Avast Data/Chest file in C, and the size of the chest is under 2MB. Would encrypting it do this, and if so should I turn the mailscanner off temporarily before sending this 2MB file, or will it cause problems at the Avast end? I clicked on the link you gave in your first reply, about sending large files by the way, but IE wouldn’t display the page.

Incidentally, Counterspy V2 has just been released (it uses the same definitions, and the Trojan was found with the old and new versions, so it’s not the new version causing the problem) which updates incrementally, if that’s the right word, so is far faster than the old version. It also uses very little resources, compared to the old version. I have contacted them about this issue, and they said there was nothing they could do, passing the buck back to Avast!!

Me again! Could you also please tell me exactly what I should type into the Exclusion List? Is it “SBTEDef.idx”, or something else?

Thanks.

I would say if you managed to get the infected file into the chest if it were 96MB it should have given an error as the chest is restricted in both file and over all size (Program Settings, Chest) and you would have to have adjusted the defaults, but you didn’t mention that.

It isn’t so much the avast mail server that might stop it but other email servers in the route that may stop it. I wouldn’t think that encryption would reduce the size by that much at all.

You can email the file from the chest without having to zip it as the attachments sent from the chest are encrypted by avast. Right click on the file and select Email to Alwil Software.

You can use wildcards (? for a single character or * for anything); *\sbtedef.idx should do it (no need for the “”). If you wanted, you could enter the full path, tedious though.

The Chest shows 256MB. I haven’t altered it - I have never had a reason to. My previous message is boll***s, I’m afraid. I’ve scanned again, having removed everything from the Chest first. It obviously found the offending item again, and it is 98.2MB in the Program Files\Avast..\Chest file. Christ knows why it said 2MB before. Once encrypted and zipped, it comes down to 96.1MB.

The first thing I did was to send the file using the link in Avast, and I detailed the fact that I suspected it was an FP. Because nothing happened, I’ve since sent the index of the chest twice to support@avast.com. That was really the reason I came on here asking how long it usually took, since it was very fast when I had an FP with Counterspy a while ago. I also received quite a number of replies from someone at Avast, asking for HijackThis files, more details, etc.

I’ll try sending it again now, using the link in the program. Thank you.

Talk about thick!! I don’t know how I did it before. I had to increase the size of the file that can be sent by Avast, which I did last time, in the same window where it tells you the size of the chest, and it sent it. This time I’ve increased the allowed size, but it’s obviously sending it at the same rate as OE would send it, which is SLOW! And it’s being sent by OE, so it would be, wouldn’t it. I don’t know how I did it before.

Please could you elaborate on how to send a large file, mentioned in your earlier reply. While I have tried to convey the impression that I know what I’m doing, please bear in mind that I don’t, and so the more words of one syllable, the better!

Thanks again.

By way of an update, OE wouldn’t send the whole thing - exceeded server limit. I’ve sent the index to support@avast.com and to virus@avast.com again in the hope that they can do something. The lack of any response always makes me unsure as to whether they’ve got it though.

If you do have time to elaborate on how to send a larger file to them, I’d be very grateful.

Thanks.

Well I couldn’t get the link to work in firefox as the forum mangles the link if it is wrapped up in a url tag.

But copy and paste it into IE or Maxthon (IE clone) and establish a connection; once established, drag the file into the right side window and drop it, and this should upload the file. You have no read permissions in the incoming folder.

Ignore the file name in the image that was just a test to confirm.

Thanks for that, it’s uploading now - 1hr+, but hopefully they’ll get it and be able to help.

Thanks again,

Graham.

Finished uploading, so I’ll wait and see.

MANY thanks again for your time and patience, DavidR, your help has been very much appreciated.

Graham.

You’re welcome.

Don’t forget that what you have been doing could help others also, many would have given up, so thank you for your efforts.

I’ve had a reply from virus@avast.com, and it is indeed an FP. There’s nothing they can do, since, as you inferred in an earlier reply, the problem is with unencrypted signatures. They referred me to:

http://www.avast.com/eng/virus_detection_and.html#idt_1554

where there is information about a similar problem with Panda Antivirus.

Basically then, I’ll do what you suggested a few posts ago, and stick it in the exclusion list.

Many thanks again for all your efforts.

All the best,

Graham.

You’re welcome, I thought that was the likely outcome, but at least they contacted you.

Perhaps it is now time to contact CounterSpy about the unencrypted signature file being detected by other security software. I can’t understand why it isn’t encrypted; it is strange. I guess they don’t want to make what is a really unwieldy 100MB+ file possibly more unwieldy by encrypting it.

Yeah, I’ve contacted them. I’ll come back and add to this thread if they reply with anything other than a shrug! Thanks again.

Hi again.

Sunbelt Software (Counterspy) said the problem would be sent to their technical department. What they’ve done, I don’t know, but Avast is no longer finding the FP, so I guess they’ve done something!

Many thanks again, DavidR, for all of the help and advice.

Graham.

You’re welcome.

Perhaps the reason why avast isn’t detecting it is because you have the file excluded?

I know I said that I don’t know what I’m doing, but… ;D

No, I’ve just undertaken a complete format and reinstall, and did a thorough scan, and nothing was found. When I did this a week ago, Avast was still finding the ‘Trojan’. The only conclusion I can come to is that Sunbelt have done something in their recent updates.