False Positive? Penumbra Overture

While Windows (Vista Home Premium SP1, Russian) is loading, avast! antivirus (4.8.1201 Home, English) reports Win32:Trojan-gen in the file …\Новый диск\Пенумбра. Темный Мир\redist\penumbra.exe, which belongs to the Russian edition of the game Penumbra Overture published by Новый диск (http://www.nd.ru/prod.asp?razd=descr&prod=penumbra). I think it is a false positive.

P.S. I love avast! :)

You could also check the offending/suspect file at VirusTotal (the multi-engine on-line virus scanner) and report the findings here. You can't do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.

Create a folder called Suspect on the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, and type (or copy and paste) C:\Suspect*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude the files until the problem is corrected.

Thanks for reporting.
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com. VirusTotal has a file size limit of 10 MB. Please mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable "Hide protected operating system files" and enable "View hidden files and folders" to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at the left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful not to 'exclude' so many files that you leave your system in danger.

We’re becoming tired of false positives… at least, I am…

Thank you for your replies.

I have submitted the suspicious file penumbra.exe to VirusTotal. The file had already been analysed by that service. The results from 06.30.2008 19:59:00 (CET) are the following, 5/33 (15.15%):
AntiVir - - TR/Crypt.XPACK.Gen
F-Secure - - Suspicious:W32/Malware!Gemini
Ikarus - - Trojan.Crypt.XPACK
Prevx1 - - Cloaked Malware
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

I have reanalysed the file. The results from 07.21.2008 12:42:08 (CET) are even worse, 7/34 (20.59%):
AntiVir 7.8.1.11 2008.07.21 TR/Crypt.XPACK.Gen
Avast 4.8.1195.0 2008.07.20 Win32:Trojan-gen {Other}
F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini
GData 2.0.7306.1023 2008.07.21 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.07.21 Trojan.Crypt.XPACK
Prevx1 V2 2008.07.21 Cloaked Malware
Webwasher-Gateway 6.6.2 2008.07.21 Trojan.Crypt.XPACK.Gen
(see http://www.virustotal.com/analisis/5463e1eb09107c035b183782143772b6)

At the same time I still believe there is a high probability that this is a false positive. I installed this game a few months ago and haven't noticed any problems with it. Avast started to consider penumbra.exe as Win32:Trojan-gen {Other} only a few weeks ago. Новый диск is a respected Russian game publisher (http://www.nd.ru/prod.asp?razd=descr&prod=penumbra), and none of the Russian antivirus products (e.g. Kaspersky, DrWeb) consider this file suspicious. But it looks like I cannot report this file as a false positive to virus@avast.com. Can I take any other actions in order to study this file?

Whilst there are enough hits to suggest the detection is good, there are a few generic (-gen) and suspicious (heuristic) signatures, so it is worth at least sending the file for further analysis as a possible false positive.

See the link from my first reply:

http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 explains how to report it to avast! and what to do to exclude the files until the problem is corrected.
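As an added example (not code from the thread, avast or VirusTotal), the script below applies the reasoning in the last reply to the VirusTotal listing the poster pasted: it parses the result rows, counts how many hits are generic ("-gen"), heuristic ("Suspicious", "Cloaked") or packer/crypter-based rather than named-family signatures, collapses identical detection names so re-branded engines are not counted twice, and reproduces the 7/34 (20.59%) ratio quoted above. The sample input is constructed from the 07.21.2008 results in the thread; the marker patterns and the verdict rule are my own triage assumptions, not any vendor's logic.

```python
"""Triage a pasted VirusTotal result listing for false-positive likelihood.

Added example; the input below is constructed from the 07.21.2008 re-scan
quoted in the thread (7 detections, 34 engines).  Rows from the older
"Engine - - Detection" layout parse the same way.
"""
import re
from collections import Counter

# Constructed from the thread's second scan (engine, version, date, result).
SCAN_2008_07_21 = """\
AntiVir 7.8.1.11 2008.07.21 TR/Crypt.XPACK.Gen
Avast 4.8.1195.0 2008.07.20 Win32:Trojan-gen {Other}
F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini
GData 2.0.7306.1023 2008.07.21 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.07.21 Trojan.Crypt.XPACK
Prevx1 V2 2008.07.21 Cloaked Malware
Webwasher-Gateway 6.6.2 2008.07.21 Trojan.Crypt.XPACK.Gen
"""
TOTAL_ENGINES = 34  # the "x/34" denominator quoted in the thread

# Assumed markers for detections that are generic, heuristic or packer-based
# rather than a signature for one known family.  The lookarounds keep "gen"
# from matching inside names such as "Gemini".
GENERIC_MARKERS = [
    re.compile(r"(?<![a-z])gen(?![a-z])", re.I),   # Trojan-gen, XPACK.Gen
    re.compile(r"suspicious|heur|cloaked", re.I),  # heuristic verdicts
    re.compile(r"xpack|packed|crypt", re.I),       # packer/crypter signatures
]


def parse_results(text):
    """Return (engine, version, date, detection) for every row with a hit."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)        # detection names may contain spaces
        if len(parts) < 4:
            continue
        engine, version, date, detection = parts
        if detection in ("-", "nothing found"):
            continue                       # clean verdict, not a hit
        rows.append((engine, version, date, detection))
    return rows


def is_generic(detection):
    """True if the name looks generic/heuristic rather than family-specific."""
    return any(p.search(detection) for p in GENERIC_MARKERS)


def normalize(detection):
    """Strip cosmetic suffixes such as "{Other}" so re-branded engines
    (e.g. two products shipping the same engine) count as one opinion."""
    return re.sub(r"\s*\{.*?\}$", "", detection).strip().lower()


def triage(text, total_engines):
    """Summarise a listing: hit ratio, generic vs specific hits, a verdict."""
    rows = parse_results(text)
    generic = [r for r in rows if is_generic(r[3])]
    specific = [r for r in rows if not is_generic(r[3])]
    families = Counter(normalize(r[3]) for r in rows)
    # Assumed rule: only generic/heuristic hits -> worth submitting as an FP;
    # any named-family hit -> treat as malicious until a human analyses it.
    verdict = (
        "all hits generic/heuristic: likely false positive, submit for analysis"
        if not specific else
        "named-family detections present: treat as malicious until analysed"
    )
    return {
        "hits": len(rows),
        "ratio": round(100.0 * len(rows) / total_engines, 2),
        "generic": len(generic),
        "specific": len(specific),
        "distinct_names": len(families),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_2008_07_21, TOTAL_ENGINES).items():
        print(f"{key}: {value}")
```

Run against the pasted listing it reports 7 hits (20.59%), all seven flagged as generic or heuristic, and only six distinct detection names because Avast and GData return the same Win32:Trojan-gen string. That is the pattern the reply above describes: enough hits to take seriously, but no named-family signature, which is exactly the case worth sending to the vendor rather than deleting.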