False Positive on a file?

This one seems ‘odd’ to me.

I’ve got a beta test DLL that was installed with a program I am testing. I downloaded the ZIP, unzipped it, and AVAST! didn’t complain. ashQuick is set for downloads, and the install would be covered under the main program, I assume.

Another tester asked me for a specific DLL that I got from the author as an update. The author was traveling and asked me to provide it to that person. OK, I’ll attach it to an e-mail as a binary DLL file. I use Thunderbird 3 as my e-mail client. During the send, AVAST tells me the file is infected and it stopped the send. OK, I’ll rename the file… to an extension of TXT; same error. OK, I’ll ZIP it and not have AVAST look at archive files. No error message, but the e-mail never got to the other person? Either the file is truly infected and some ISP stopped it, or AVAST just didn’t warn me about the file and stopped the e-mail from ever going out?

I opened PDExplorer, my Explorer substitute, RMB’ed on both the DLL and the ZIP I made, and had them scanned: NO VIRUS found? I enabled full logging including DEBUG and tried again to scan the specific 2 files. Nothing but 2 lines in debug showing?

So, there are a few questions I have.

  • Is there a way to KNOW which files were actually scanned and the results? Can’t seem to find how to do this?
  • Is there a way to KNOW if I’m getting a FALSE POSITIVE? How could I install it, check it individually and not get a report of a virus, yet sending it by e-mail tells me it is a virus?

Color me confused?

I checked the file under the AVAST on-line scanner, no problem…

=============
Tested file      Status
UpdateDll.dll/   unknown - [+]
UpdateDll.dll    clear

* VPS version: VPS 080809-0 09.08.2008
* Scaner version: 3.0.1
* Scanned files: 2
* Scanned directories: 0
* Archives count: 1
* Infected files:
* Errors: 0
* File count: 955.0 kB
* Scan time: 0s 110ms
* Scanned speed: 8.4 MB

===============

Interestingly enough, I went to VirusTotal and scanned the file…

===========================
File UpdateDll.dll received on 08.10.2008 17:49:34 (CET)
Result: 2/35 (5.72%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.10 Suspicious File
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 PAK_Generic.001
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.10 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 334848 bytes
MD5…: 98df774bff434aff235fb38dd2631eb3
SHA1…: ae02874c70e35d5ea3d11480a5a440fdf4c71048
SHA256: 6ddffa3ea650d504f2fcc50e0b4e972f80cce407dc21d1a47957b829bfdee5e0
SHA512: 83b55a3f0fe868f4c45889dd98f992e1ddf87b71f8c24ff5a4baf69d4ba7605bb01a7e87e37ece320bec898c0192e7d5632bd29acf57d4feca8aadb07514c943
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4ac670
timedatestamp…: 0x487c93f7 (Tue Jul 15 12:11:35 2008)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x5b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x5c000 0x51000 0x50800 7.89 8f99ac4d03db24e969b88580a8e74dff
.rsrc 0xad000 0x1000 0x1000 3.48 8b93c75573b1e43fd97e132f742cdfba

( 10 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress
advapi32.dll: RegCloseKey
comctl32.dll: ImageList_Add
gdi32.dll: SaveDC
ole32.dll: CoTaskMemFree
oleaut32.dll: VariantCopy
shell32.dll: ShellExecuteA
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: InternetOpenA

( 1 exports )
CheckAndUpdate
packers (Kaspersky): UPX
packers (F-Prot): UPX


So, AVAST itself thinks the file is OK, but the scanner for the mail sender doesn’t seem to?

Confused, but at least 2 other AV programs think the file is infected as well? Odd?
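Added example, not code from the thread or from avast/VirusTotal: a small Python triage script that reads a PE’s section table and computes per-section entropy, which is enough to show why the UPX0/UPX1 layout and the 7.89 entropy in the PEInfo block above trip a generic packer heuristic of the kind behind the PAK_Generic verdict. The sample image it builds is constructed in-line with the same three-section layout (it is not the poster’s DLL), and the 7.0 bits/byte threshold is an assumption.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty data, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, entropy) for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20; the section table follows the optional header
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII16x", image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, shannon_entropy(raw)

def packer_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Reasons a generic packer heuristic (the kind behind a PAK_Generic verdict) would fire; threshold is assumed."""
    reasons = []
    for name, vsize, vaddr, rsize, ent in pe_sections(image):
        if name.upper().startswith("UPX"):
            reasons.append(f"{name}: UPX section name")
        if rsize == 0 and vsize:
            reasons.append(f"{name}: no raw data but {vsize:#x} bytes reserved at RVA {vaddr:#x} (unpack target)")
        if ent >= entropy_threshold:
            reasons.append(f"{name}: entropy {ent:.2f} bits/byte, compressed or encrypted content")
    return reasons

def build_sample_image() -> bytes:
    """Constructed stand-in (not the thread's DLL) with the same UPX0/UPX1/.rsrc layout as the PEInfo block."""
    rng = random.Random(1)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    rsrc = bytes([0x41, 0x42, 0x43, 0x44] * 64)             # low-entropy resource bytes
    hdr_end = 0x200
    secs = [(b"UPX0", 0x5B000, 0x1000, 0, 0), (b"UPX1", 0x51000, 0x5C000, len(upx1), hdr_end),
            (b".rsrc", 0x1000, 0xAD000, len(rsrc), hdr_end + len(upx1))]
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x487C93F7, 0, 0, 0xE0, 0x2102) + bytes(0xE0)
    for sec in secs:
        hdr += struct.pack("<8sIIII16x", *sec)
    return hdr.ljust(hdr_end, b"\0") + upx1 + rsrc
```

Run `packer_indicators(open("file.dll", "rb").read())` against a real file to get the same kind of indicator list; an unpacked build of the same DLL should produce none of them, which is the quickest way to confirm the detection is about the packer rather than the code.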

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “false positive” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

You can add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions (right click the avast ‘a’ icon)
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

David,

The file IS NOT removed or sent to the chest. It only fails during the e-mail send and WILL not allow the file to go out…

See the attached screenshot of what happens when I try to send the file.

You need to zip and password protect any attachment or avast can scan it and detect it, this effectively stops the send, resulting in the error you are seeing. At least that is what I believe is happening.

I’m aware it isn’t detected by avast, but you can manually add it to the chest as outlined in the second paragraph of my post. Here it can do no harm (the original would still be in place so you would then have to delete it) and you can send from the chest without having to zip and password protect it.

It’s very strange that WebShield is monitoring an outbound connection (seems so)…
But, can you disable WebShield while trying to send the email?
Did you try to send right clicking it within Chest?

David, I don’t have it in the chest. It seems the e-mail check doesn’t put it there? I looked at your message again and I’m not trying to send it to AVAST to check.

Anyway, I was able to get it to the other person by ZIP’ing it up. He is a COMCAST ISP user and it seems that COMCAST had deleted my message. He gave me a YAHOO ID to send it to, and it got there OK.

So, it seems the e-mail AV protection will stop the file from going out unless I ZIP it. Even then, when it does get to the Internet mail, some ISPs must also think it is a virus? Odd to say the least.

Tech, as I’ve said, the file is not in Chest. The AVAST scans of the system do NOT consider the file infected. Only the On-Access Internet Mail protection has caught this file. Since I’ve now discovered that Comcast also will block this message from getting to the recipient, pausing or changing the settings for sending this file isn’t going to help at all.

I guess my only surprise is that the system scan and incoming scan didn’t detect the file as a virus, but the outgoing Internet mail scan does? You’d think they’d all be using the same set of signatures and detection schemes and all come to the same conclusion?

I did the on-line Avast! scan from the web page and it doesn’t detect a virus, so the file has not been altered after I got it? Odd…

Oh well, I got it to the other person, and I’m not sure this is worth worrying about now.

Thanks for all the help.