How do I know if this is a false positive if...

Hi, avast! file system shield told me a virus was found:

Object: C:\Program Files(86)\Fashion Toolbox\english.dll

Infection: Wind32:Evo-gen [Susp]

Process: C:\Windows\System32\runddll32.exe

I did “Move to Chest” but it kept popping up every second until I did “Delete”.
It’s strange because it’s from a program I’ve had there for ages, but I haven’t used it in ages! I was using the computer today, left it for a few minutes, came back and avast! told me this.

So I deleted it, does avast! make a log of files detected by real-time scanner?

How can I tell if this was a false positive… even though I’ve never had an issue before and haven’t used this program for ages and I deleted that file?
If it is an infection, how do I know if it’s gone? I’ve done a full scan with Malwarebytes and SUPERAntiSpyware and they don’t detect anything. I am doing a full scan with avast! now…

Wind32:Evo-gen [Susp]
Susp = suspicious... so not a virus yet

Suspicious files can be tested here: www.virustotal.com / www.metascan-online.com / www.jotti.org

So I’m guessing I’ll never know since I deleted it…
But the thing is, I have not used that program in months, then all of a sudden a file from its folder is being flagged as suspicious when I have not touched it…?

Hello,
send the file to virus@avast.com and put “False positive” to email subject.

Milos

There are two possibilities:

  1. It was malware all along but the antivirus tool just got improved and now detects it where it did not before.

  2. It is a false positive.

Unfortunately, it seems like this particular “Infection: Wind32:Evo-gen [Susp]” is happening all too often (you’re not alone), at least some of the time on legitimate files, and it really underscores Avast’s inability to deal with false-positives very well.

As it is, by deleting a module from your Fashion Toolbox application, you may well have broken it.

One possibly better approach to dealing with a false positive on that particular file - if you’re fairly sure it’s legitimate - is to exclude the folder that contains it from Avast scanning. That’s a bit extreme, but it will allow you time to both report the false positive and continue working without further interruptions - and without destroying the viability of your program by deleting a portion of it.

I have been through EXACTLY this scenario with this particular “Win32:Evo-gen [Susp]” detection (though not with Fashion Toolbox). A few weeks after having reported it I found it was no longer being falsely detected in the particular files I use and I could remove the folder exclusion.

It’s also possible turning down one or some of the sensitivity settings would reduce the chances of this particular false positive, but I don’t know which settings that would be.

-Noel

It's also possible turning down one or some of the sensitivity settings would reduce the chances of this particular false positive, but I don't know which settings that would be.
To my knowledge you cannot adjust this. It is an on-access detection only, and it checks for behavioral similarity to known malware.

See blog http://blog.avast.com/2012/12/03/new-toy-research-lab/#more-11102

@ OP See this http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

@ Pondus Thanks I tried to find that article…but couldn’t. Now bookmarked. 8)

Another check is to upload and scan the “infected” file on VirusTotal.com and see what the result is…

https://www.virustotal.com/en/
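The hash-lookup variant of the VirusTotal check suggested above, as an added example that is not part of this thread. Looking a file up by its SHA-256 means no file content leaves the machine; the verdict comes from scans VirusTotal already holds. It assumes the VirusTotal API v3 endpoint `GET /api/v3/files/{sha256}` with an `x-apikey` header (documented by VirusTotal); the `VT_API_KEY` environment variable name and the thresholds in `summarize_stats` are this example's own choices.

```python
"""Check a quarantined or suspect file against VirusTotal by hash.

Added example (not the thread's or Avast's code). The network call runs only
when VT_API_KEY is set; hashing and verdict summarising work offline, so the
file can be inspected without uploading it anywhere.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"  # VirusTotal API v3
VT_GUI_FILE = "https://www.virustotal.com/gui/file/"            # same report in the browser


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory blob (used by the file hasher below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream the file in 1 MiB chunks so a large DLL need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_lookup_url(sha256_hex):
    """API report URL for an existing hash; nothing is uploaded."""
    return VT_FILES_ENDPOINT + sha256_hex


def summarize_stats(stats):
    """Reduce VirusTotal's last_analysis_stats dict to (flagged, total, verdict).

    Generic/heuristic names such as Evo-gen [Susp] usually come from one or two
    engines out of dozens; a file most engines flag is a different situation.
    Thresholds are this example's assumption, not a VirusTotal rule.
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    if total == 0:
        verdict = "no scan data"
    elif flagged == 0:
        verdict = "clean by every engine"
    elif flagged <= 2:
        verdict = "likely false positive: report it and keep the file in quarantine, not deleted"
    else:
        verdict = "treat as malicious"
    return flagged, total, verdict


def fetch_stats(sha256_hex, api_key):
    """GET the report for a hash; None means VirusTotal has never seen the file."""
    req = urllib.request.Request(vt_lookup_url(sha256_hex), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    # Usage: python vt_hash_check.py "C:\path\to\suspect.dll"
    if len(sys.argv) != 2:
        sys.exit("usage: vt_hash_check.py <file>")
    digest = sha256_of_file(sys.argv[1])
    print("sha256:", digest)
    print("report:", VT_GUI_FILE + digest)
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("VT_API_KEY not set; open the report URL above to check the hash manually.")
    else:
        stats = fetch_stats(digest, api_key)
        if stats is None:
            print("hash unknown to VirusTotal; consider uploading from the chest, not a deleted copy")
        else:
            flagged, total, verdict = summarize_stats(stats)
            print(f"{flagged}/{total} engines flagged it: {verdict}")
```

Run it against the copy restored from the chest rather than the live file, and hash before any "Delete": once the file is gone there is no longer anything to look up, which is exactly the situation the original poster ended up in.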

The exact same bug has occurred to me on Windows 8 x64 while I’ve had no such problems with Windows 7 x64. Would be interesting to see whether it might be a specific OS bug or not.
Anyways, I had installed Avast 8 for a little while again, because it had got me rid of the bug and had given at least control over suspicious files, however, since it wouldn’t have helped me against false positives if they had been rated as “virus” and the chest would have been buggy in reporting download URLs, I’ve simply switched to another AV solution.

In my opinion, no AV should ever need to exclude whole folders or even have to be turned (temporarily) off. I don’t know how tolerant others are, but if you’re unsatisfied with a specific program don’t hesitate and search for other options. There’s no better way to tell the developers you don’t agree with their direction of the program than to stop using it.
However, if the majority can deal with it and the forumers will stay as some kind of cult as “Evangelists” (yes, I’m aware it’s just a title reaching for a lot of postings, but that doesn’t make it look less stupid in my eyes) preaching how good Avast is or how well they’re managing with it, then nothing will change.
It’s up to the individual whether you want to give a clear sign to have the developers change their program to your liking or to adapt to every change they make and to deal with it, regardless of how bad you think it has become.

Win32/Evo-gen is a false positive. I’ve seen the same question raised elsewhere in these forums and have had this happen to me as well in V.8 Free. Avast apparently can’t (or won’t) correct it. The best solution IMO is to restore the affected file from quarantine and then exclude it from scanning.

I think it’s in Avast’s best interests to fix this because over time users will come to regard false positives as the norm, and disregard due diligence in evaluating actions taken by the program.