Fixing a false positive

I have Avast Pro and it keeps getting a false positive when I try to run my program even though I’ve added it to the exclusion list. I’ve started just leaving the active protection turned off :\

My question is, is there any way to remove a virus definition with the database so that it won’t be detected any more?

Yes, please submit the file to our virus lab.
Instructions are in our knowledge base: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=199

Thanks
Vlk

What is the file name and location?
Have you tested it at other on-line scans, etc.?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.

You probably haven’t added it to the exclusions in the resident scanner Standard Shield; you have to add it to both areas.
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

E:\Program Files\Internet\MIRCs\iroffer1.4.b03-lamm.b01
iroffer.exe
convertxdccfile.exe

They were detected as Win32.Iroffer-011[Trj] and Win32.Iroffer-049[Trj]

I think I figured out the exclusion. I only had one of them added to the exclusion list, but it’s working now.
Still, I know they are working properly, as when I downloaded them, and I don’t seem to have any type of extraneous outgoing connections.
So why are they listed as trojans?

I think AVG detected it too, but since I bought and have been using avast I thought I’d ask here.

There are more kinds of malware behavior besides extraneous outgoing connections…
Some trojans use a rootkit to become hidden from antivirus.
Why the error (if it is an error)? Well, false positives are due to incorrect signature files, treating the clean files as being infected.

Hmm, I see, so the only way to bypass it is to add it to the exclusions list?
I downloaded iroffer from http://iroffer.org/ just now and got this result

Antivirus          Version       Last Update  Result
AhnLab-V3          2007.9.11.0   2007.09.10   Win-AppCare/Iroffer.250600
AntiVir            7.6.0.5       2007.09.10   BDS/Iroffer.AB.14
Authentium         4.93.8        2007.09.09   W32/Backdoor.QHH
Avast              4.7.1043.0    2007.09.10   Win32:Iroffer-072
AVG                7.5.0.485     2007.09.10   BackDoor.Generic2.CUF
BitDefender        7.2           2007.09.10   Backdoor.Iroffer.AB
CAT-QuickHeal      9.00          2007.09.10   Backdoor.Iroffer.ab
ClamAV             0.91.2        2007.09.10   Trojan.Ioffer
DrWeb              4.33          2007.09.10   BackDoor.Iroffer.1235
eSafe              7.0.15.0      2007.09.04   Win32.Iroffer.ab
eTrust-Vet         31.1.5124     2007.09.10   -
Ewido              4.0           2007.09.10   Backdoor.Iroffer.ab
FileAdvisor        1             2007.09.10   High threat detected
Fortinet           3.11.0.0      2007.09.10   Iroffer
F-Prot             4.3.2.48      2007.09.09   W32/Backdoor.QHH
F-Secure           6.70.13030.0  2007.09.10   Backdoor.Win32.Iroffer.ab
Ikarus             T3.1.1.12     2007.09.10   Backdoor.Win32.Iroffer.AB
Kaspersky          4.0.2.24      2007.09.10   Backdoor.Win32.Iroffer.ab
McAfee             5116          2007.09.10   potentially unwanted program Iroffer
Microsoft          1.2803        2007.09.10   -
NOD32v2            2519          2007.09.10   a variant of Win32/Iroffer
Norman             5.80.02       2007.09.10   W32/Iroffer.PP
Panda              9.0.0.4       2007.09.09   Application/Iroffer.BQ
Prevx1             V2            2007.09.10   -
Rising             19.40.02.00   2007.09.10   Backdoor.Iroffer.ab
Sophos             4.21.0        2007.09.10   Iroffer
Sunbelt            2.2.907.0     2007.09.07   Backdoor.Win32.Iroffer.ab
Symantec           10            2007.09.10   -
TheHacker          6.1.10.183    2007.09.10   Backdoor/Iroffer.ab
VBA32              3.12.2.4      2007.09.09   Backdoor.Win32.Iroffer.ab
VirusBuster        4.3.26:9      2007.09.10   Backdoor.Iroffer.BA
Webwasher-Gateway  6.0.1         2007.09.10   Trojan.Iroffer.AB.14

They say it’s a virus, but it’s a fresh file.
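
Added example, not part of the original thread: a short Python sketch that tallies a multi-engine report like the one above by the kind of label each engine assigned, so that "backdoor"/"trojan" verdicts can be told apart from "application"/"potentially unwanted" ones when judging a suspected false positive. The rows are a subset copied from the report in this thread; the keyword buckets and function names are this example's assumptions, not any vendor's taxonomy.

```python
import re
from collections import Counter

# Subset of rows copied from the report quoted in the thread:
# engine, engine version, signature date, result label ("-" = no detection).
REPORT = """\
AntiVir 7.6.0.5 2007.09.10 BDS/Iroffer.AB.14
Avast 4.7.1043.0 2007.09.10 Win32:Iroffer-072
AVG 7.5.0.485 2007.09.10 BackDoor.Generic2.CUF
ClamAV 0.91.2 2007.09.10 Trojan.Ioffer
eTrust-Vet 31.1.5124 2007.09.10 -
McAfee 5116 2007.09.10 potentially unwanted program Iroffer
Microsoft 1.2803 2007.09.10 -
Panda 9.0.0.4 2007.09.09 Application/Iroffer.BQ
Sophos 4.21.0 2007.09.10 Iroffer
"""

# Engine and version are single tokens; the label may contain spaces.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Assumed keyword buckets, checked in order (first match wins).
BUCKETS = [
    ("clean", re.compile(r"^-$")),
    ("riskware", re.compile(r"unwanted|application|appcare", re.I)),
    ("backdoor", re.compile(r"backdoor|bds/", re.I)),
    ("trojan", re.compile(r"trojan|\[trj\]", re.I)),
]

def parse(report):
    """Return (engine, version, date, label) tuples; skip malformed lines."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def classify(label):
    for name, pattern in BUCKETS:
        if pattern.search(label):
            return name
    return "family-only"  # names the program family without stating a class

def summarize(report):
    rows = parse(report)
    counts = Counter(classify(label) for _, _, _, label in rows)
    flagged = len(rows) - counts["clean"]
    return {"engines": len(rows), "flagged": flagged, "by_class": dict(counts)}

if __name__ == "__main__":
    print(summarize(REPORT))
```
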

Hi Mad_Hat,

Strange thing about this is that the DrWeb hyperlink av scanner scans the link as you posted it as CLEAN. File size: 9773 bytes

iroffer.org - archive HTML

iroffer.org/Script.0 - OK
iroffer.org/Script.1 - OK
iroffer.org - OK

polonus

http://iroffer.org/ is just the main page of the website for the program…
the actual download link is on the download page h**p://iroffer.org/archive/v1.3/iroffer_win32bin_1.3.b11.zip
I downloaded that, unzipped the iroffer.exe and submitted just the exe

The problem is what it does could be used for good or evil and most AVs can’t determine the intention.

http://www.liutilities.com/products/wintaskspro/processlibrary/iroffer/

I would be concerned with any of the malware names listing it as a backdoor which may be able to bypass your firewall. With so many hits, I wouldn’t care about its origin; I would be looking for another application that doesn’t rate this kind of attention by AV scanners.

A Google search for iroffer, iroffer.exe and convertxdccfile.exe returns many hits relating to malware.
http://www.google.com/search?q=iroffe
http://www.google.com/search?q=iroffer.exe
http://www.google.com/search?q=convertxdccfile.exe

Please modify your post and break the link (as I have done in the quoted text) so it isn’t active to avoid accidental exposure to suspect files.