FP for database engine

I think since Monday avast! has decided that BDB_Pro.exe has a virus. I took my original CD with the zip file from 2 years ago to another machine and unzipped it. avast! on that machine flagged it too. So, either it’s had a trojan nobody picked up for years, or it’s a false positive. I submitted it to VirusTotal too and 5 of them flagged it. Seems too weird to me. So, is there a way to tell avast to ignore a file?

File BDB_Pro.exe received on 07.23.2008 18:18:54 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.24.0 2008.07.23 -
AntiVir 7.8.1.11 2008.07.23 -
Authentium 5.1.0.4 2008.07.23 -
Avast 4.8.1195.0 2008.07.23 Win32:Trojan-gen {Other}
AVG 8.0.0.130 2008.07.23 Generic9.AURO
BitDefender 7.2 2008.07.23 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.23 -
DrWeb 4.44.0.09170 2008.07.23 -
eSafe 7.0.17.0 2008.07.23 -
eTrust-Vet 31.6.5976 2008.07.23 -
Ewido 4.0 2008.07.23 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.23 Suspicious:W32/Guap!Gemini
Fortinet 3.14.0.0 2008.07.23 -
GData 2.0.7306.1023 2008.07.23 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.07.23 -
Kaspersky 7.0.0.125 2008.07.23 -
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.23 -
NOD32v2 3292 2008.07.23 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.23 -
Prevx1 V2 2008.07.23 -
Rising 20.54.22.00 2008.07.23 -
Sophos 4.31.0 2008.07.23 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.23 -
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.23 -
VBA32 3.12.8.1 2008.07.23 -
VIRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.23 -
Additional information
File size: 4681728 bytes
MD5…: b7a7c6ab4b1cd26a682102d64daed3aa
SHA1…: 0ebdf3e43031d0e81bd7bbe073dc9bb25207d5aa
SHA256: b6c9c61dc38f68fb23cfe70bf04741a60aea9825a12521ff19680ed6516b06f0
SHA512: b1cc21a02a034c9d0aeb2fe349aff4feef85a5bb2f980a81d1d3b7e8f27de84b
d2ed82b395a9a6d8dfc1d0a99186f2f3ce0102486bc2ebfed61e5fcdf8f83dc3
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40f7fc
timedatestamp…: 0x46976cd0 (Fri Jul 13 12:15:12 2007)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x470f00 0x471000 5.96 e4edb10cd14fd17a2b489047189e3591
.data 0x472000 0x21d2c 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x494000 0x307c 0x4000 3.21 ad773ac29024db9b3e6b9353ed684d6b

( 1 imports )
> MSVBVM60.DLL

( 0 exports )

If you really want to take that risk… strange detection, I’m not sure it’s a false positive, but indeed it could be…
You need to use the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful, you should ‘exclude’ that many files that let your system in danger.

Too strange. Why doesn’t my post show up in the list for the forum?

Anyway, I’ve tried to use the exclude and it doesn’t work. I can exclude the directory where the file is in both standard shield and on demand, but when I try to run it, avast gets angry again.

If the file is bad, then it’s had a trojan in it for 2 years and we’ve been using it. I need to get this FP fixed!

Then post exactly what the text string is that you are entering and we can check if it is correct.

C:\Program Files\Brilliant Database 5.1 Pro\BDB_Pro.exe
In quotes in standard and I just explore and click on it in the on demand (program settings) exclude.
I’ve tried with excluding the whole directory but that doesn’t work either.

Yay! I got it to exclude it so I can run my database.

BUT, the FP should be taken care of.

You need to submit the sample so they can analyse it.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and “possible false positive” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
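
Before excluding the file or submitting it as a false positive, it is worth confirming that the installed BDB_Pro.exe is byte-identical to the copy unzipped from the original CD and to the file the VirusTotal report in the first post describes. The following is an added example, not part of the original thread; the function names are hypothetical, and the expected values are copied from that report.

```python
import hashlib
import sys

# Size and hashes as listed in the VirusTotal report quoted in the first post.
REPORTED = {
    "size": 4681728,
    "md5": "b7a7c6ab4b1cd26a682102d64daed3aa",
    "sha1": "0ebdf3e43031d0e81bd7bbe073dc9bb25207d5aa",
    "sha256": "b6c9c61dc38f68fb23cfe70bf04741a60aea9825a12521ff19680ed6516b06f0",
}


def fingerprint(path, chunk_size=1 << 20):
    """Return size plus MD5/SHA-1/SHA-256 of a file, reading it once in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for digest in digests.values():
                digest.update(chunk)
    result = {name: digest.hexdigest() for name, digest in digests.items()}
    result["size"] = size
    return result


def mismatches(actual, expected):
    """List the fields where a fingerprint differs from the expected values."""
    return sorted(
        field for field, want in expected.items()
        if str(actual.get(field)).lower() != str(want).lower()
    )


def same_file(path_a, path_b):
    """True only if both files have the same size and SHA-256."""
    a, b = fingerprint(path_a), fingerprint(path_b)
    return a["size"] == b["size"] and a["sha256"] == b["sha256"]


if __name__ == "__main__":
    # Usage: python check_sample.py <installed exe> <copy from original CD>
    installed, original = sys.argv[1], sys.argv[2]
    print("installed == original copy:", same_file(installed, original))
    diff = mismatches(fingerprint(installed), REPORTED)
    print("matches scanned sample" if not diff else f"differs from report in: {diff}")
```

If the installed file differs from the original copy, the detection may be reacting to a later modification, and that is the file to quarantine and submit rather than exclude.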