False Positive: Realtek audio driver tagged as Win32:Malware-gen

I ran a full scan on my WinXP machine today and Avast (virus definition 100927-0) tagged the file SOUNDMAN.EXE, which is part of my motherboard’s Realtek AC97 audio driver, as Win32:Malware-gen. This file has been on my machine for years and it wasn’t until today that Avast ID’ed it as a virus, so I think it must be a FP generated by the latest virus def. Hope you can fix it soon.

Confirm and submit as required:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

Interestingly no detections on the soundman.exe files on my system, see image, click to expand.

Submitted the file to VirusTotal. 6 scanners detected it as a threat: Avast 5.0, Avast 4.8, GData, AVG, Antiy-AVL, and Jiangmin. Submitted the file to Avast and reported it as a false positive anyway. Searching this forum showed that this isn’t the first time that Realtek’s soundman.exe has been reported as an FP.

It doesn’t matter if this isn’t the first time; what matters is ‘this time’, as neither of the copies I have are detected, so what is different with mine? What was the URL of the results?

Are yours the same as those in my image, e.g. same size as mine and in the same location?

Sorry, but I forgot to jot down the URL of the VirusTotal result. However, my copies of soundman.exe are different from yours. Mine are version 5.1.0.29, 66 kb in size, and located in the WINDOWS and WINDOWS\Temp folders. System Restore also seems to recreate a copy of this file automatically on startup even though the originals are already in the virus chest, so Avast keeps giving a Win32:Malware-gen alert when I do a full scan. Hopefully a fix can come soon.

Well I have no idea why a copy would exist in the windows temp folder, for me that would be suspect in any case. Mine are much older than that, original from when I got this system 18 months ago, but the files are even earlier than that (21/7/2006).

You will have to send the sample to avast as I mentioned for them to analyse and correct the signatures if confirmed as an FP.
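
The thread turns on whether two copies of soundman.exe are really the same file (size, location, version). The sketch below is an added example, not something posted in the thread: it inventories every copy of a file name under the given folders, records size and SHA-256, and flags copies sitting in a temp folder. The function names and the `TEMP_DIR_NAMES` set are assumptions made for illustration, and the demo tree is constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

TEMP_DIR_NAMES = {"temp", "tmp"}  # assumption: folder names treated as temporary locations

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are never fully loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(roots, filename):
    """Return one record per file named `filename` (case-insensitive) under `roots`."""
    records = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in (n for n in files if n.lower() == filename.lower()):
                path = os.path.join(dirpath, name)
                try:
                    records.append({
                        "path": path,
                        "size": os.path.getsize(path),
                        "sha256": sha256_of(path),
                        "in_temp": os.path.basename(dirpath).lower() in TEMP_DIR_NAMES,
                    })
                except OSError:
                    continue  # locked or unreadable: skip instead of aborting the inventory
    return records

def group_by_hash(records):
    """Map each SHA-256 to the paths sharing it; more than one key means the copies differ."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(rec["path"])
    return dict(groups)

if __name__ == "__main__":
    # Constructed sample tree: two identical copies and one different file of the same name.
    with tempfile.TemporaryDirectory() as root:
        for sub, data in (("WINDOWS", b"A" * 64), ("WINDOWS/Temp", b"A" * 64), ("Other", b"B" * 80)):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, "SOUNDMAN.EXE"), "wb") as fh:
                fh.write(data)
        for rec in find_copies([root], "soundman.exe"):
            print(rec["sha256"][:16], rec["size"], "TEMP" if rec["in_temp"] else "    ", rec["path"])
```

Two posters whose copies produce the same SHA-256 have byte-identical files, so a detection on one and not the other would point at the scanner configuration or definitions rather than the file.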