Possible FP in Trendmicro file

The following file is a stand-alone virus scanner from Trendmicro, used together with their dat file:

http://www.trendmicro.com/ftp/products/tsc/sysclean.com

When run, it creates several files in the directory; one of them, sysclean.exezz, is detected by avast as having the virus VBS:Redlof.

Please, somebody check whether this is a virus or an FP.

Thanks

It’s an FP.

The forum has a search function which will provide more details.

  1. You could also check the offending/suspect file at Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.
    Or at VirusTotal - Multi engine on-line virus scanner.

  2. It may be possible that this is a signature file detection (a false positive, as FWF mentioned), which is one reason you shouldn’t have two resident scanners running at the same time.

David, sysclean.com is not resident, just an on-demand scanner, and won’t conflict with avast. Am I wrong?

When it is running it is in effect resident, extracting and opening files and scanning them, so in effect you have two scanners scanning the same thing at the same time. This is no different from temporarily disabling your resident AV whilst doing an on-line scan (this too is on-demand).

I disable Standard Shield before running ewido, adaware, spybot, etc., if for no other reason than that avast won’t be double-scanning and slowing the process down. Obviously I’m not connected to the internet whilst doing this.

OK, you’re right, I’ve got your point of view. 8)

Hi mif,

Look here for further info:
http://forum.avast.com/index.php?topic=2982.0.
Always update and patch for vulnerabilities.

greets,

polonus

OK guys,
I understand that it is advisable not to use two virus scanners at the same time.
I still think that this is a false positive and the avast people have to fix it.
The last time I ran sysclean with avast running was some 4 weeks ago, so it must be in the last month’s virus definitions.

Thanks to you all

Mif

I’d say it’s simply another case of non-encrypted virus signatures (in the Trendmicro tool).

Anti-virus programs look for and detect virus signatures; unfortunately they can’t really understand the context in which a signature was detected, e.g. whether it was in another AV’s signature files that weren’t encrypted to avoid false positive hits by other AVs. How is it to know what purpose this virus signature is being put to?

So if this is the case, an unencrypted virus signature file causing a false positive, the only way to confirm it is to know the file’s location and name, and whether that location is associated with another AV’s signature files (even if you were to know all the other AVs and the locations where they store their signature files). This would add a lot of processing effort to scanning, slowing scan speed, all because someone doesn’t encrypt their signature files.

So it is not simply a case of excluding it in the next VPS; otherwise genuine viruses with that signature would also be ignored, which is not, I think, what you want. The people who should fix it are those who don’t encrypt their virus signature files.
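The mechanism described in the last post, shown as an added example that is not part of the original thread and not code from avast or Trend Micro: a toy byte-pattern scanner that cannot tell a genuine infected file from another vendor's plaintext signature database, but stays quiet once that database is obfuscated. The signature bytes, file names, XOR key and "data directory" below are all constructed for the demo; none of it is real VBS:Redlof or Trend Micro data.

```python
"""Why an unencrypted signature store trips other scanners (constructed demo)."""

# Constructed stand-in for one engine's byte signature; NOT a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-NOT-REAL-MALWARE"
DB_KEY = 0x5A  # constructed single-byte XOR key for the obfuscated signature store
# Constructed path of the "other vendor's" data directory, used for the exclusion check.
OTHER_AV_DIR = "C:/Tools/OtherAV/"


def obfuscate(data: bytes, key: int = DB_KEY) -> bytes:
    """Single-byte XOR. Hides the literal pattern from a naive byte matcher;
    it is obfuscation, not confidentiality. Applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def naive_scan(content: bytes, signatures: dict) -> list:
    """Flag every signature whose bytes occur anywhere in the file.
    Like a real engine, it has no idea what the containing file is *for*."""
    return [label for label, pattern in signatures.items() if pattern in content]


def build_corpus() -> dict:
    """Three constructed files keyed by path: a genuine sample, a plaintext
    signature database, and the same database stored obfuscated."""
    plaintext_db = b"Redlof.sig=" + SIGNATURE + b"\n"
    return {
        "C:/Temp/infected.htm": b"<script>" + SIGNATURE + b"</script>",
        OTHER_AV_DIR + "plaintext.dat": plaintext_db,
        OTHER_AV_DIR + "obfuscated.dat": obfuscate(plaintext_db),
    }


def scan_corpus(signatures: dict, excluded_dirs: tuple = ()) -> dict:
    """Scan every file; optionally skip paths under known AV data directories,
    which is the location-based check the post says would be needed."""
    results = {}
    for path, data in build_corpus().items():
        if path.startswith(excluded_dirs):
            results[path] = []  # skipped: trusted vendor data directory
        else:
            results[path] = naive_scan(data, signatures)
    return results


def main():
    sigs = {"VBS:Redlof (constructed)": SIGNATURE}
    print("plain scan:")
    for path, hits in scan_corpus(sigs).items():
        print(f"  {path:35} -> {hits or 'clean'}")
    print("dropping the signature from the VPS silences the FP and the real hit:")
    for path, hits in scan_corpus({}).items():
        print(f"  {path:35} -> {hits or 'clean'}")
    print("excluding the other AV's data directory keeps the real hit only:")
    for path, hits in scan_corpus(sigs, (OTHER_AV_DIR,)).items():
        print(f"  {path:35} -> {hits or 'clean'}")


if __name__ == "__main__":
    main()
```

Running it shows the three outcomes the post contrasts: the plaintext database fires alongside the real sample, the obfuscated copy does not, removing the signature loses the genuine detection too, and the only scanner-side fix that keeps the detection is a path exclusion that depends on knowing where every other vendor keeps its data.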