False Positives, removeWGA.exe, Another Win32;Trojan-gen {UPX}

AVAST (VPS: current version 071127-0) is reporting the subject trojan on my desktop PC. However, when the file is scanned by AVAST (VPS version 071127-0) on the VIRUSTOTAL web site, along with 29 other AV scan engines, it fails to report a trojan infection.

Question is, why does AVAST (same VPS version) report different infection findings:

  • Positive infection on desktop.
  • Negative infection on VIRUSTOTAL website.

By the way, this exe, Windows-Genuine-Advantage-Remover has resided on my PC for many months, and has not been flagged by AVAST previously. I’ve also used the proggie many months ago, and have noticed no ill effects on my desktop.

Appreciate any insight into AVAST and false positives. They sure are annoying.

Cheers,
Jim

The virus signatures used on VT are frequently older (not updated in real time) than those of a user with auto updates, so that is probably the case this time.

Send the sample to virus@avast.com zipped and password protected with the password in email body and false positive/undetected malware in the subject. A reference to this topic would also be useful.

If it is indeed a false positive, add it to the exclusions lists:

  • Standard Shield, Customize, Advanced, Add
  • Program Settings, Exclusions

Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
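An added check, written for this edit and not something posted in the thread or shipped by avast: before putting a discrepancy like this down to signature age, confirm that the file on disk is byte-identical to the sample VirusTotal scanned (compare the MD5/SHA-1/SHA-256 the report lists against the local digests), and look at whether the file carries UPX's default section names, since the bracketed `{UPX}` in a name such as `Win32:Trojan-gen {UPX}` is the engine's note of the packer it saw on a generic hit. The PE image built in the block is a constructed header-only stub, not removeWGA.exe, and the VirusTotal hash is assumed to be copied from the report by hand.

```python
"""Added example (not from the thread or from avast): hash a sample the way
VirusTotal reports it, and read the PE section table for UPX section names.
The PE image constructed below is a header-only stub, not a real executable."""
import hashlib
import struct


def file_hashes(data: bytes) -> dict:
    """Digests in the three algorithms a VirusTotal report lists for a sample."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def same_sample(local: bytes, vt_sha256: str) -> bool:
    """True if the local bytes are the file VirusTotal scanned (case-insensitive hex)."""
    return file_hashes(local)["sha256"] == vt_sha256.strip().lower()


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE file, or [] if the data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                                       # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its default section names (UPX0, UPX1, and .rsrc or UPX2).
    A packer or user who renames sections defeats this, so treat it as a hint, not proof."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_stub_pe(section_names) -> bytes:
    """Constructed minimal PE32 image with the given section names and no code:
    enough header for the parser above, not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # PE32 magic, rest zero
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    # Constructed samples: one with UPX section names, one with compiler defaults.
    for label, names in (("upx-like", ["UPX0", "UPX1", ".rsrc"]),
                         ("plain", [".text", ".rdata", ".data"])):
        sample = build_stub_pe(names)
        print(label, pe_section_names(sample), "UPX?", looks_upx_packed(sample))
        print("  sha256", file_hashes(sample)["sha256"])
```

Run it against the real file with `open(path, "rb").read()` in place of the stub; if `same_sample` is False for the hash on the VirusTotal page, the two scans were not of the same bytes and no conclusion about signature versions follows.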

Hey David and jimlarkey,

I’m having the same problem and have already done everything David suggested.

Thank you DavidR for your quick response.

Interestingly, I have scanned it in the virus chest (same VPS as what put it into there) and AVAST does not report infection (along with other Sys-Vol-Inf restore files that AVAST previously reported as infected).

Any thoughts?
Cheers,
Jim

You're welcome.

I would normally say that the detection had been corrected by a VPS update, but that doesn’t seem to be the case as you are saying the same VPS is still present. So I’m afraid it is a bit of a mystery.

Are you really sure?

Thanks for your interest Tech,

I’m sure…
http://www.pbase.com/image/89585223.jpg

Soooo…what’s going on with AVAST?

Cheers,
Jim

How did you scan it in the chest ?
If you simply scanned the chest folder from either the on-demand scanner or ashQuick.exe, it won't find anything, as files in the chest are encrypted.
If you opened the chest and right clicked on it and selected scan then that is strange.

Although VT shows "Last Updated 27/11/2007", it doesn't confirm the VPS version number, and there have been occasions when it didn't appear to have the latest version.

Hi DavidR,

You’re beyond me and up in thin air…all I know as a simple user is that I’m getting different results in approx the same time frame, on the same fingerprint file, on 2 different “infected” files. I’ve posted my results, and I can’t offer any more than what I have. The folder was scanned with the usual scanner, not the quick scanner.

I have sent the files to AVAST, as suggested. Do you suppose that I, or the forum, will be advised of what AWIL finds?

Thanks again & Cheers Buddy!
Jim

The first question is crucial to why you might have different results: the avast chest is a protected area and its contents are encrypted, so they can't be scanned from outside the chest. Any scan from outside the chest won't find any infection.

In order to scan files in the chest you need to open the chest, right click the avast ‘a’ icon, select Start avast! Antivirus, Menu, Virus Chest. Or you can open it directly using windows explorer (C:\Program Files\Alwil Software\Avast4\ashChest.exe), once the chest is open go to the Infected Files section, right click on the removeWGA.exe file and select scan.

G’day DavidR, and thanks for your instructions and explanation.

You'll note in the clip below that removeWGA is still indicated as infected, but a rescan of the other Sys-Vol-Info files that I suspected as false positives shows that 2 that were originally indicated as infected and moved to the chest are now not infected. One Sys-Vol-Info file (A…79.exe) still indicates infection.

So, how do files that are supposedly infected and locked in the chest, change to not infected?

Thanks for your support, and Cheers,
Jim

http://www.pbase.com/image/89602379.jpg

It's quite simple: we already removed the related detections. If you've reported the other one (removewga) to our mail, then we can remove it too :)

You're welcome.
If a file has been incorrectly detected as infected and sent to the chest, once that detection has been reported as a possible false positive and analysed, and the signature has been corrected in a VPS update, that file will no longer be detected, no matter where it happens to be.

As Maxx_original said, if you have sent copies of the other detections they should also be analysed and corrected if they are considered FPs. Personally, I would resubmit them and ensure that you have "False Positive" in the subject and body of the email.

This has now been fixed with the latest VPS (71128-0).

Thanks much Marc57, DavidR, and other posters for your interest and support in my problem. I learned a little bit more about AVAST, and the support community. Thanks for being there.

Enjoy the day, and Cheers!
Jim

You're very welcome. Stick around and browse the forums, especially the sticky topics at the top of each of the forums, not to mention the avast file. They provide a wealth of information to help you get the best from avast.