False positive - really frustrating

This is really hacking me off!

I’m writing a program in Visual Studio 2012 in VB.Net, nearly every time I compile the program as a release version Avast tells me a suspicious item (Win32:Evo-gen[Susp]) has been detected!

Now there’s an option ‘Add the file to the scan exclusion list’, this does absolutely nothing!

So I go into the virus chest (when I eventually managed to find it!) and restore and add to the exclusion list. Again this doesn’t seem to stick.

Now I’ve got my file back, if I right click and scan with Avast it informs me ‘No threat found’, so I run the program, you’ve guessed it Avast tells me it’s a suspicious item!

As a programmer I can tell you that this is lousy behaviour: on one hand Avast simply says it’s suspicious, and on the other it says no threat found, so which is it?

So I scanned the file at VirusTotal, 47 different antivirus engines (including Avast) say it’s clean!

Guess at this rate I will be changing to one of them, I simply don’t have the time to waste on Avast!

OH, and if anyone is interested I’ve attached the file renamed as a TXT file, it’s actually an exe.

PS. This is not the first time Avast has done this, a few weeks back it kept doing it, then it seemed to go away, guess as I’ve added more to my program Avast takes a dislike!

Running version 2014.9.0.2006, and have noticed there is an update available, so will give that a try.

PPS. Fortunately none of my users have had this problem yet.

Edit. Nope, upgrading to the latest version still doesn’t solve the problem. I’m now going to have to disable Avast every time I wish to run my own program!

Calm down.

Avast! is probably detecting it. What does the program do? Also, just for the safety of the users please take that attachment down. Send the file to Avast! via the chest and say it’s a FP. Depending on the work load it should be fixed inside of a couple days. I will have a look at the file but without FP and new Engine updates Avast! and all other AVs would be literally pointless.

Thank you

Upload the VT results and test the Malware here: malwr.com. That can give me an insight into what’s happening given my Host and VM won’t cooperate today.

Also, can you upload the file here: www.wikisend.com. Then Steven can also have a look…

If I can get the machine to start working I’ll check the file out

I know Avast is detecting, but only when I access the file, not when I scan it.

I have reported it to Avast as a false positive, several weeks ago, when I spent an hour trying to work out why I couldn’t cut and paste out of my virtual machine. I finally realised Avast was intercepting it and moving the file to the chest with no warning whatsoever.

I appreciate we are going to get false positives, what’s so frustrating is that Avast is clearly not adding it to the exception list.

It’s probably easier if I point you to this forum thread rather than explain what it does, it’s late and I need to go to bed.

Oh, how long do I need to put up with the captcha, I have to refresh it about 6 times before I get one I can actually read?

If anybody wants to look at the file then it’s in the first post of the thread linked to above.

Now not only have I got captcha to contend with, the forum software keeps telling me I’ve already submitted this post, but it doesn’t show when I look, good job I copied the text!

Yeah, the forums are having some issues from what I’ve seen the last while. I’d report it http://www.avast.com/contact-form.php?subject=VIRUS-FILE

Say it’s a False Positive and attach them the file. Just in case they didn’t get it

Thanks for the reply, I have submitted it via the link you supplied. Hopefully they can permanently fix the issue (& bugs), I don’t wish to go through this every time I develop my application, or Avast will get un-installed, which would be a shame as I have been a long term user.

Very basically the program checks over the internet for any available program updates, it also monitors a local modem log file, and when the log file is updated it will update the displayed values. It also configures an INI file for the logging program and sets up a scheduled task. It will also download a ping monitoring image from a website.

Avast! is probably detecting the connection to the modem and Internet… More so since it isn’t really known to the world. If it’s proven to be good then Avast! should put it in a Global Exclusion list in the next VPS update

Yes I can agree with that, but then last night another program I’m working on is now continually moved to the chest.

All this one does is make a backup of a file, delete the original and rename another file to replace the original with an updated version. I made some very minor changes last night, and now Avast has taken a dislike to it.

I am seriously considering removing Avast, not because it moves my files, but because it is getting so complicated to find anything, and when I do find the settings Avast takes no notice of those settings!

I’ve tried setting Avast now to ask what to do when it detects suspicious files, but alas it doesn’t ask, it just does its own thing, ignoring everything I’ve told it to do!

What I have to do now when I’m working on my programs is disable Avast, which is not good!

Avast is not even consistent, sometimes it leaves my application alone after I’ve restored it from the chest, sometimes it will just snatch it away again.

Edit:

It seems I’m not the only programmer having these problems, there are two other threads complaining of exactly the same issues!

http://forum.avast.com/index.php?topic=140561.0
http://forum.avast.com/index.php?topic=140551.0

I’m sure if I took the time to look I will find others.

Actually looking in the virus chest, this has been happening since December 2012, it’s littered with my programs and nothing much else.

I don’t believe that it has anything to do with detecting internet access. It would be an odd reaction, unless it was acting as a firewall.

I have three programs that are now useless because users are reporting that Avast has declared “suspicious” a program they’ve been running for several months. The only solution is to exclude the folder, or turn Avast off - both are unacceptable solutions.

In all three cases the programs are actually fairly simple. They just provide an interface to MS databases and have no external access at all.

But in all three cases I can prevent the quarantining by removing some global variable assignments. If I allow 8 assignments they all work fine (well, they run without Avast having problems, but obviously then don’t work properly as several globals are not defined).

But if I add one more, Avast baulks when I run the executable. I can then take out one or more (and it doesn’t matter which) and it runs again.

Clearly there is nothing wrong with the executable, and sending it to Avast is going to be pointless without including the entire software package (which I’m not allowed to do anyway, so it’s academic for me).

I think that Avast needs to look at what they’ve done recently to detect this “virus” and see why it might be causing so many issues with programs when they run.

VB6 and other compilers are known to generate buffer overruns (as shown with Procmon) and I wonder if Avast is overly sensitive to these.

I believe it is deepscreen that is detecting the newly compiled programmes. So whilst you are creating and compiling the programmes I would suggest that you disable deepscreen.

Thanks for the suggestion essexboy, but I turned deepscreen off some time ago, can’t remember why but it was being a PIA.

Just checked and it is still off, found some more settings though and have changed them to ask, so perhaps it will now ask when it takes a dislike to my program.

Hi all,
This is a very delicate issue. Evogen technology is based on similarity of files, and the detections are released automatically. The technology has its very strong point, as it can detect files that have not yet been spotted by any antivirus, and therefore can predict “maliciousness” of new samples. While this technology is VERY successful, it also has rather more false positives. This is, however, not due to the detections being worse, but due to the fact that there are many more of them. We recognize the issue we are currently hearing from our users, and trying by every means to improve the situation. The technology is so advanced, though, that having fewer false positives can now be achieved only by having fewer detections, which is not the path we want to explore. I am sure, however, that Evogens will gradually get even better, as our cleanset is populated with samples that users believe are cleaned.
In the meantime, there are two options:

  1. Submit every false positive sample to our viruslab (by the “report a false positive” button in the warning), or
  2. Turn off Evogen detections completely. (You can do this by setting “DisableEvogen=1” in “[Scanner]” section of avast’s .ini file.) Keep in mind that this action should be taken as a last resort, as you would be effectively cutting some of avast’s means of fighting with malware, and only in situations where you are hindered at work.

That’s it, I hope I explained myself a bit :-)!
Honza