False Positive Win32:Trojan-gen {Other}

Hello, first of all,
I'm new here, I hope my post is in the right place…

I sometimes get a false positive alert on DT-Pro cryptapi.dll; I wonder why it doesn't come up every time I start my computer…

How can I stop Avast from scanning this single file… and giving a false positive?
If someone could answer in German this would be great… if not, English is OK…
Thanks for your help

OK, found the way to avoid scanning… now I will try the other online scan…

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10 MB. Please mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the blue ‘a’ icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button…
You can use wildcards like * and ?. But be careful: you shouldn't ‘exclude’ so many files that you leave your system in danger.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

Don’t exclude a file that you’re not sure is clean…

Ok, here is the answer:


File cryptapi.dll received 2008.10.05 03:49:18 (CET)
Status: Finished
Result: 8/36 (22.22%)

Antivirus	Version	Last update	Result
AhnLab-V3	2008.10.3.2	2008.10.03	-
AntiVir	7.8.1.34	2008.10.04	-
Authentium	5.1.0.4	2008.10.04	-
Avast	4.8.1248.0	2008.10.04	Win32:Trojan-gen {Other}
AVG	8.0.0.161	2008.10.04	Win32/PEPatch.AR
BitDefender	7.2	2008.10.05	-
CAT-QuickHeal	9.50	2008.10.04	-
ClamAV	0.93.1	2008.10.04	-
DrWeb	4.44.0.09170	2008.10.05	-
eSafe	7.0.17.0	2008.10.02	-
eTrust-Vet	31.6.6129	2008.10.04	-
Ewido	4.0	2008.10.04	-
F-Prot	4.4.4.56	2008.10.04	-
F-Secure	8.0.14332.0	2008.10.05	-
Fortinet	3.113.0.0	2008.10.04	-
GData	19	2008.10.05	Win32:Trojan-gen {Other}
Ikarus	T3.1.1.34.0	2008.10.05	Virus.Win32.Trojan
K7AntiVirus	7.10.484	2008.10.04	Trojan.Win32.Malware.1
Kaspersky	7.0.0.125	2008.10.05	-
McAfee	5398	2008.10.04	-
Microsoft	1.4005	2008.10.05	-
NOD32	3495	2008.10.04	-
Norman	5.80.02	2008.10.03	-
Panda	9.0.0.4	2008.10.04	-
PCTools	4.4.2.0	2008.10.04	-
Prevx1	V2	2008.10.05	-
Rising	20.63.62.00	2008.09.28	-
SecureWeb-Gateway	6.7.6	2008.10.04	Virus.Win32.FileInfector.gen!88 (suspicious)
Sophos	4.34.0	2008.10.04	Mal/EncPk-CR
Sunbelt	3.1.1675.1	2008.09.27	-
Symantec	10	2008.10.05	-
TheHacker	6.3.1.0.101	2008.10.04	-
TrendMicro	8.700.0.1004	2008.10.03	-
VBA32	3.12.8.6	2008.10.04	suspected of Malware-Cryptor.Win32.General.3
ViRobot	2008.10.4.1406	2008.10.04	-
VirusBuster	4.5.11.0	2008.10.04	-

Additional information
File size: 94208 bytes
MD5...: f93b1ff147d967f6ccf15e13488bcd20
SHA1..: 148831d0a9f2650396c2432886ec93d703916bf1
SHA256: a62735ffc8ef0d555e4b3737d47441fa23a4b621c00faed667097a20b63bc269
SHA512: 5518906330c44eb59739cb508dd619f438480eea3f1203f73e658ab246f9b69e2ca27dcdff33d90e7b90a8466e4106a90dd3407bac38c76661c93703f3b2f41e
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

So what now, positive or FP?
I mean, a 22% detection rate on this file is really not funny…, and why does it only come up once in a while?
If it is a threat, why isn't it detected on every scan?

The file could be a replicant or using rootkit (hidden malware) techniques…

Maybe avast can only detect some variants of it?
I’m not sure, but can you send the file DT-Pro cryptapi.dll for analysis to virus(at)avast(dot)com ? Maybe they could check.

I would say there is a possibility it is an FP as the majority of those detections are by generic (-gen or .gen) or heuristic detection (suspicious) and are more prone to FP.

So send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Also see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

As to why it only happens once in a while and not detected every time, I really don’t know, it might be that it doesn’t run all the time.
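Two of the checks suggested in this thread can be done offline before mailing anything: confirm that the file on your disk is the same sample the VirusTotal report describes (its MD5/SHA1/SHA256 are printed in the report above), and look at how many of the 8 verdicts are generic or heuristic names rather than specific signatures. The script below is an added example, not code from the thread or from avast; it parses the tab-separated verdict table exactly as pasted above and flags a verdict as generic/heuristic when it contains `-gen`, `.gen` or `suspicious` (the markers named in the reply above) or, as this example's own assumption, `generic`, `heur`, `suspected`, `malware` or the Sophos `Mal/` prefix.

```python
"""Offline triage of a VirusTotal text report (added example, not from the thread)."""
import hashlib
import re

# The verdict table from this thread, tab-separated as VirusTotal printed it.
VT_REPORT = """\
Antivirus\tVersion\tLast update\tResult
AhnLab-V3\t2008.10.3.2\t2008.10.03\t-
AntiVir\t7.8.1.34\t2008.10.04\t-
Authentium\t5.1.0.4\t2008.10.04\t-
Avast\t4.8.1248.0\t2008.10.04\tWin32:Trojan-gen {Other}
AVG\t8.0.0.161\t2008.10.04\tWin32/PEPatch.AR
BitDefender\t7.2\t2008.10.05\t-
CAT-QuickHeal\t9.50\t2008.10.04\t-
ClamAV\t0.93.1\t2008.10.04\t-
DrWeb\t4.44.0.09170\t2008.10.05\t-
eSafe\t7.0.17.0\t2008.10.02\t-
eTrust-Vet\t31.6.6129\t2008.10.04\t-
Ewido\t4.0\t2008.10.04\t-
F-Prot\t4.4.4.56\t2008.10.04\t-
F-Secure\t8.0.14332.0\t2008.10.05\t-
Fortinet\t3.113.0.0\t2008.10.04\t-
GData\t19\t2008.10.05\tWin32:Trojan-gen {Other}
Ikarus\tT3.1.1.34.0\t2008.10.05\tVirus.Win32.Trojan
K7AntiVirus\t7.10.484\t2008.10.04\tTrojan.Win32.Malware.1
Kaspersky\t7.0.0.125\t2008.10.05\t-
McAfee\t5398\t2008.10.04\t-
Microsoft\t1.4005\t2008.10.05\t-
NOD32\t3495\t2008.10.04\t-
Norman\t5.80.02\t2008.10.03\t-
Panda\t9.0.0.4\t2008.10.04\t-
PCTools\t4.4.2.0\t2008.10.04\t-
Prevx1\tV2\t2008.10.05\t-
Rising\t20.63.62.00\t2008.09.28\t-
SecureWeb-Gateway\t6.7.6\t2008.10.04\tVirus.Win32.FileInfector.gen!88 (suspicious)
Sophos\t4.34.0\t2008.10.04\tMal/EncPk-CR
Sunbelt\t3.1.1675.1\t2008.09.27\t-
Symantec\t10\t2008.10.05\t-
TheHacker\t6.3.1.0.101\t2008.10.04\t-
TrendMicro\t8.700.0.1004\t2008.10.03\t-
VBA32\t3.12.8.6\t2008.10.04\tsuspected of Malware-Cryptor.Win32.General.3
ViRobot\t2008.10.4.1406\t2008.10.04\t-
VirusBuster\t4.5.11.0\t2008.10.04\t-
"""

# Hashes VirusTotal printed for the sample in this thread.
REPORT_HASHES = {
    "md5": "f93b1ff147d967f6ccf15e13488bcd20",
    "sha1": "148831d0a9f2650396c2432886ec93d703916bf1",
    "sha256": "a62735ffc8ef0d555e4b3737d47441fa23a4b621c00faed667097a20b63bc269",
}

# "-gen", ".gen" and "suspicious" are the markers named in the thread; the rest
# are this example's assumption about what counts as a generic/heuristic name.
GENERIC_RE = re.compile(r"-gen\b|\.gen\b|generic|heur|suspicious|suspected|\bmal/|malware", re.I)


def parse_report(text):
    """Return (engine, verdict) pairs; a verdict of '-' means no detection."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header row
        engine, _version, _updated, verdict = line.split("\t", 3)
        rows.append((engine, verdict.strip()))
    return rows


def triage(text):
    """Summarise how much of the detection is generic/heuristic vs. specific."""
    rows = parse_report(text)
    hits = [(e, v) for e, v in rows if v != "-"]
    generic = [(e, v) for e, v in hits if GENERIC_RE.search(v)]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "percent": round(100.0 * len(hits) / len(rows), 2),
        "generic_or_heuristic": len(generic),
        "specific": [e for e, v in hits if not GENERIC_RE.search(v)],
    }


def file_hashes(data):
    """MD5/SHA1/SHA256 of the bytes, as VirusTotal lists them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_same_sample(data, expected=REPORT_HASHES):
    """True only if every listed hash matches; an MD5 match alone is not enough."""
    actual = file_hashes(data)
    return all(actual[k] == expected[k] for k in expected)


if __name__ == "__main__":
    print(triage(VT_REPORT))
    # Real use: is_same_sample(open("cryptapi.dll", "rb").read())
```

On the table above this reports 8 detections out of 36 engines (22.22%), of which 6 carry a generic or heuristic name under the markers listed; only AVG (Win32/PEPatch.AR) and Ikarus (Virus.Win32.Trojan) use a name without one. Run `is_same_sample` on the bytes you are about to zip and mail so the sample you send is the one the report, and the thread, is about.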

All of my computers, 2 Vista Ultimate SP1 (one 32 and one 64 bit) and 2 XP Home SP3, detected this Win32:Trojan-gen this morning. This follows a virus database update last night. I think that with the update some heuristic changes are either undone or modified in a way that creates false positives. That might explain why it sometimes detects them and other times not.

Today the FP was in a World of Warcraft directory. The file was reported as clean by some online single-file scanner.

You need to take the actions suggested above, e.g. the VirusTotal multi-scanner, to confirm whether the detection is good or bad, and if bad, report it.