When you execute sysclean.com it extracts several files for scanning (temporarily) and sysclean.exe is one of the files that gets extracted and is tagged by avast! as a virus, when in fact it is just a false positive. This has nothing to do with Trend Micro’s signatures either because at this point they have not yet been loaded.
Can this please be corrected?
From Jotti’s:
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found VBS:Redlof
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
You are incorrect. The tool does not use unencrypted signatures. The signatures are encrypted. I ran a scan with avast! on the signature file lpt$vpn.521 and it came up clean. I ran a scan with McAfee Command Line scanner on that same file with the /analyze /mime /unzip options and it came up clean.
It is the 84kb sysclean.exe file that avast! is claiming to be a virus. I run a scan with avast! on that file and it shows as a virus. That is the same file I uploaded to Jotti’s.
If I am wrong, I apologize. But I am 99.9% sure that I am right on this one.
The signatures are clearly visible in the executable (if you know what to look for) - so no, they are not encrypted.
The fact that McAfee, or other antiviruses, doesn’t report anything means only that the signatures don’t collide with theirs for this particular malware and they do collide with avast!'s.
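Editor's added example (not code from avast!, Trend Micro, Jotti or anyone in this thread) showing the kind of check behind the exchange above: whether a file carries detection strings in the clear, which is what makes another scanner's signature collide with it. It searches a buffer for literal indicator strings and measures Shannon entropy, since encrypted or packed data sits near 8 bits per byte while plaintext signature fragments do not. The indicator strings, the sample buffers and the entropy threshold are constructed for illustration, not taken from the real sysclean.exe.

```python
"""Triage helper: are signature fragments present in a binary as plain bytes?

Added example for this thread; assumptions (constructed, not from the posts):
the INDICATORS list, both sample buffers and the 7.0 bits/byte threshold.
"""
import math
import random
from collections import Counter


def find_indicator_strings(data: bytes, indicators):
    """Return {indicator: [offsets]} for every literal occurrence in data."""
    hits = {}
    for ind in indicators:
        offsets, start = [], 0
        while True:
            i = data.find(ind, start)
            if i < 0:
                break
            offsets.append(i)
            start = i + 1  # overlapping matches are reported too
        if offsets:
            hits[ind] = offsets
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for
    text, sparse code or zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Offsets of fixed-size windows whose entropy suggests encrypted or packed
    content; a signature blob stored encrypted would show up here."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def assess(data: bytes, indicators):
    """Combine both checks into a small triage report."""
    hits = find_indicator_strings(data, indicators)
    return {
        "hits": hits,
        "high_entropy_windows": high_entropy_regions(data),
        "verdict": ("plaintext signature fragments present" if hits
                    else "no literal indicators found"),
    }


# Constructed stand-in for a tool whose detection data is compiled in as-is:
# an MZ header, zero padding and two copies of a worm name in the clear.
PLAIN_SAMPLE = (b"MZ" + b"\x00" * 62 + b"VBS:Redlof"
                + b"\x00" * 54 + b"Redlof" + b"\x00" * 66)

# Constructed stand-in for an encrypted/packed data file: deterministic PRNG bytes.
_rng = random.Random(1234)
OPAQUE_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

# Constructed indicator strings (the worm name quoted in the thread).
INDICATORS = [b"Redlof", b"VBS:Redlof"]

if __name__ == "__main__":
    print("plain :", assess(PLAIN_SAMPLE, INDICATORS))
    print("opaque:", assess(OPAQUE_SAMPLE, INDICATORS))
```

On the plain sample the report lists the offsets of both worm-name copies and no high-entropy windows; on the opaque sample it finds no literal strings and flags every window, which is what one would expect from a signature file that really is encrypted. The real test of the claim is simply running such a search on the extracted executable versus the separate signature file.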
All signatures aside here, it is the executable file of 84kb that is being detected as a virus. This is prior to the loading of any signatures. This has absolutely nothing to do with Trend Micro’s signatures in this case.
If I were to send you just this one simple executable file (84kb) without any of the Trend Micro signatures, you would then understand what I mean. It has nothing to do with the signatures.
I am only pursuing this for the benefit of avast! removing this false positive. I only intend on helping avast! get better and better.
May I send you this one file (84kb) so that you can see?
I have attached a screenshot from VIRUSTOTAL showing only avast! detecting this. As I already said, this executable does not contain any signatures. Please view the attached image.
And you say this is not a false positive?
And you try to pass the blame onto Trend Micro?
I certainly hope you change your mind and admit that it is a false positive.
Yes, that’s exactly what I’m saying, and no, I won’t change my mind.
Sorry, but I know what I’m talking about - the mentioned executable does contain pieces of VLS_Redlof worm. There’s also the name for this worm there - which should be rather easy to find. Don’t know why exactly this one is compiled directly into the executable (and the others are probably in some of the additional files), but that’s how it is.
While I do admit that I find it odd that avast! is the only anti-virus program in the world that detects this file as a virus.
However, I am certainly not an expert. I admit that I have no knowledge whatsoever at determining if a file is malicious or not.
I respect your explanation and I appreciate you taking your time with me on this. I apologize if it sounds as though I was telling you that you didn’t really know what you were talking about, or anything like that.