False positive

The latest update today (or yesterday) causes AVAST to call a file I’ve had for a long time a virus.

It is called “DCOMbobulator” from GRC.com. ???

It is not a virus. Here is what it says in my event viewer:

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 4/3/2005
Time: 1:05:34 PM
User: N/A
Computer: NONE-GVD8D7QO09
Description:
Sign of “Win32:Trojan-gen. {UPX!}” has been found in “E:\My Documents\programs\Various\DCOMbob.exe” file.

Thanks!!!

Ahhh, from the description of this tool on the (in)famous GRC site it’s apparent that it exercises or tries to test some common DCOM vulnerability. We may call it a false positive, but I view it rather as a very effective heuristic. :stuck_out_tongue: But of course the judgment is on our virus gurus…

Lukas.

Well, GRC does not seem infamous to me. It is a site that tests for open ports, and is a great site to test your Firewall.

And DCOM has vulnerabilities. Sure, a person can disable it manually, but DCOMBOB is simpler to use.

I renamed the file from DCOMBOB.exe to DCOMBOB.old, so Avast would stop finding it and removing it.

Thanks!!! :slight_smile:

This seems to be already discussed and solved…
http://forum.avast.com/index.php?topic=12441.0
Am I wrong?

Hmm, depends if you want to call PING a “patented nano-probe technology”, but otherwise it might be a useful site.

Edit: in fact so-called nano-probes were not pings, but mere SYN packets, as far as I know, but that does not make a difference for me. No flame is intended and the detection problem seems to be already fixed. (technical: you don’t miss a single thread! thanks)

Well, even with the latest update, it still calls DCOMBOBULATOR a virus.

With VPS 0513-2 from the 1st April 2005?

Well, I don’t know, now. I right-clicked the AVAST icon, and chose “Update” or whatever, and the window popped up saying it was up to date.

I switched back to AVG 7 for now. But if AVG doesn’t work out, I’ll go back to AVAST.

I yo-yo between the 2 when one has a problem.

Thanks, and nice forum!!

I’ve just received an IM with this information:

Just downloaded the file on Gibson’s site again, to replace the ones identified by avast. Scanned it, and it passed. Could be the older file was contaminated, or some of that code was causing the identification, which this file does not.

Just because of a false positive? ::slight_smile: ??? :o
Do you have both residents running at the same time?

I only had “Standard Shield” running.

Well, because of a false positive, it kept deleting DCOMBOBULATOR.

I don’t like it when a program removes files that are safe.

Who knows? I might switch back.

Let’s get this right, the program doesn’t remove files that are safe! It alerts you to a virus infection and it gives you a series of options, you chose to delete it, not avast!

Had you used a little medical adage, ‘first do no harm’, you could have moved it to the Chest; here you can investigate and, if it is found to be a false positive, you can restore it from the Chest. If you chose the nuclear option (delete) as your first response you have no further course of action.

False Positives are a fact of life with AV programs, many will try to ignore/deny this, not avast, who when informed investigate it, admit it if true and speedily rectify it.

avast! not to mention having an active Support Forum available to all including the Free version, try getting help from AVG for the free version!

OK, I was not aware, I tried moving it to the chest, but did not know where to access the chest. I tried right clicking both icons, but could not locate the chest.

If the window came up telling me it was a virus, I tried just closing the window by clicking the red X.

Then if I attempted to use DCOMBOB.exe, it said “access denied”.

Either access was denied, or any other choice was to delete it.

But either way, it rendered the application unusable.

AND, if I had DCOMBOB on my other hard drive, as soon as I opened the folder it was in, the “Virus” alert came up.

Could you tell me how to use AVAST and DCOMBOB.exe together? If I went ahead and removed AVG, and reinstalled AVAST, and downloaded all the updates, will it work correctly for sure? I’m on dial-up, and updates take a while.

And this is not the first time it had false positives. But it has been a while since the last ones. And it wasn’t DCOMBOB. (I don’t remember what it was.)

Thanks again.

Right click on the (a) icon, choose About avast, expand the VPS file (virus database) and tell us the version. I have tried it several times on multiple computers but I don’t get any detection with VPS 0513-2 and the current version of DCOMbob.exe available on grc.com.

File version 513-2

Compilation Date: 4/01/05

I used GoBack Deluxe to go back to the time I had Avast installed.

Here is a picture of the alert:

http://home.earthlink.net/~markofkane/falsevirus.jpg

I just tried and also don’t get any warning on the latest version of DCOMbob.exe.
Do you have an older version maybe?

I downloaded the version on the site, also, and as soon as I went to the folder it was in, I got an alert like the one in the picture.

I think I will just let it go for now. Thanks!!!

It’s a real mystery then…
(you put it into a new folder, right?)

If you are asking if I put the new download in the same folder as the old DCOMBOB, no, it was downloaded to a different folder.

I think I might try reinstalling AVAST, and letting it update from the beginning, and seeing if that fixes the problem.

I might try that later, when I have time for the big download of updates.