Since July 4, I have had four false positives of totally legit programs. This is a new trend for Avast, because I have never encountered so many in such a short amount of time.
It has detected:
SDInfo.sdp from Spyware Doctor
an executable install for a totally legitimate icon editor program. (I double checked with virus total just to make sure)
Two processes in Zone Alarm’s update executable.
The issue here is, I now need to go in and set up exceptions for each path/file, since there is no “ignore” function in avast, only “do nothing”. While I am doing this, avast keeps interrupting me with the same alarm.
I have double checked with virus total for at least one of those files, and only two antiV packages found FPs with it, both based on heuristic analysis, and both flagged them as trojan generics.
I am hesitant to set the standard shield on “normal” instead of “high”, because I have never encountered this problem with avast before, but I may have to.
What the heck has happened to avast? If false positives keep happening, it makes one tend to be complacent and ignore a possible legit positive.
I really don’t want to migrate to another program, since I have always had good luck with avast in the past. I’m almost afraid to run file scans now, since I have a feeling it is going to come up with a huge string of FPs that I will need to investigate one by one.
7/4/2008 10:52:55 AM 1215193975 SYSTEM 1188 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Spyware Doctor\SDInfo.sdp” file.
7/4/2008 11:09:22 AM 1215194962 SYSTEM 1340 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Spyware Doctor\SDInfo.sdp” file.
7/13/2008 5:10:09 PM 1215994209 SYSTEM 1196 Sign of “Win32:Trojan-gen {Other}” has been found in “H:\Ooreka\ooreka_screens\icon-editor.exe” file.
7/13/2008 5:11:16 PM 1215994276 SYSTEM 1196 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Ooreka\ooreka_screens\icon-editor.exe” file.
7/13/2008 5:12:59 PM 1215994379 Jonathan 3820 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Ooreka\ooreka_screens\icon-editor.exe” file.
7/13/2008 7:49:00 PM 1216003740 SYSTEM 1196 Sign of “Win32:Sytro-AB [Wrm]” has been found in “C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==anti_spyware=SpywareDatabase-70-Patch.zip\spyware0.xml” file.
7/13/2008 7:49:21 PM 1216003761 SYSTEM 1196 Sign of “Win32:Sytro-AB [Wrm]” has been found in “C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==anti_spyware=SpywareDatabase-70-Patch.zip\spyware.xml” file.
I’m using the current version, 4.8… virus db 070813-0, updated on the 13th.
Unfortunately, I can’t submit the spyware.xml files to virus total, since they are temporary unpackers, and are now gone from my system since the update.
Oh… and here’s another bit of loveliness. Since the update today, it takes forever to download my email. I use thunderbird. It practically freezes my computer when downloading each message. This was not an issue yesterday, and due to the fact that I am getting almost identical messages (I’m currently subscribed to a few threads in a gaming forum.) I know that it is because of today’s update. I even tried sending myself a few messages from that email address. Same problem. I terminated mail protect to see if it helped… it didn’t. However, when I terminated standard shield, everything was fine. I turned it back on and set it to normal, and email is now flowing normally.
What… the F?
This is really cheesing me off. Standard shield is now (reluctantly) set to normal for the time being.
hehe… that’s my thread… and I agree with Tech… if this keeps up, avast will lose its fan base.
My issue isn’t with any specific FP, especially since I have avast set up to now ignore that file. I was using those as instances of what was a drastic and disturbing increase in FPs. It’s the cry wolf thing, you know? Basically regarding the headache one has to go through when dealing with FPs happening over and over.
I think that heuristics can be a double-edged sword. If they are too sensitive, it can put you just as much at risk, because you are equally as likely to ignore a legitimate threat, because of irritation regarding false positives.
Also, the slowdown with email is really a problem. I had to bump down the level of protection because of it.
I also want to head off at the pass any comments here about it not being a good idea to have several security packages running real time protection at the same time. This has never been a problem in the past, and I personally feel that every user should have an antivirus, antispyware, and some sort of firewall program running resident real-time protection at all times. Preferably these programs should be from different vendors as well. A false positive or conflict is an issue every once in a while, but the increase in frequency with avast is cause for concern on my part, especially since I have been so pleased with Avast so far.
I’m not sure what has been going on since July, but this is the first time I have had such problems with Avast. Have they employed a new detection method in their heuristics signatures, I wonder?
7/13/2008 7:49:00 PM 1216003740 SYSTEM 1196 Sign of “Win32:Sytro-AB [Wrm]” has been found in “C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==anti_spyware=SpywareDatabase-70-Patch.zip\spyware0.xml” file.
7/13/2008 7:49:21 PM 1216003761 SYSTEM 1196 Sign of “Win32:Sytro-AB [Wrm]” has been found in “C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==anti_spyware=SpywareDatabase-70-Patch.zip\spyware.xml” file.
These two files are P2P Worms according to Sunbelt Labs.
Yes, I am aware that it is a specific diagnosis. However, the detection was in the ZoneLabs directory, and that IS a valid location for Zone Alarm. I have just posted on their forum to see if anyone was having problems with it.
In addition, the zone alarm update icon WAS being displayed at the time, which leads me to believe that it was a valid update.
avast does not use heuristic analysis for its resident scanner (real-time protection) and on-demand scanner. That was confirmed by the Avast technical department. It only uses its definition database for detections. So how come there are so many false positives? If an antivirus program doesn’t use heuristics, it shouldn’t have false positives. I hope avast will solve this problem as soon as possible.
Is this really the only thing you are concerned with? It seems to be the only theme of your posts: avast must have heuristics and you hate FPs. Who doesn’t?
FPs are an unfortunate consequence of trying to catch multiple variants, either by the ‘heuristics’ you want or by the use of generic signatures. Detecting these FPs and submitting the samples to avast contributes to the tweaking of these generic or algorithmic signatures; that is how to improve detections and reduce FPs.
With the greatest of respect, the VB100 test is not really that important if you are trying to gauge the effectiveness (detection rate) of an AV, as it is artificial, with only a limited set of malware. The av-comparatives test I would say is a better indicator, but that too isn’t perfect.
Um, if memory serves, I’ve made two posts in recent history. If I made others, it was a long time ago.
A false positive once in a while is not a big deal. This was a string of positives within a short amount of time. Yes, that is an issue. Especially when there is always the possibility that it is not an FP. This is the only post I have made where I have assumed that it is a false positive. In the other one I was concerned that it might not be, which is always a concern of mine, even if it is pointing to an apparently “legitimate” folder such as Spyware Doctor or Zone Alarm.
Besides, it’s helpful for people to know if someone else has gotten the same FP that they did.
I’m assuming the reason you have an issue with this thread is my tone and my frustration, as opposed to me simply talking about false positives, because I certainly hope that just because someone has had previous instances of that and has posted about it in the forum, you feel that they should STFU. In my defense, and if memory serves, this is the first time I’ve been b*tchy about it. The other times I was worried… and my tone was more like “Pleaaaase tell me this is a false positive!” because I get that way with any alert. I’m not always savvy enough to assume one way or the other.
The post was directly below leemar’s, and to see who it was directed at, you only need to check his post history to see what I mean.
If it were directed at you it would have either been posted after one of your posts, quoted your post or been directly addressed to you.
I have absolutely no problem with your frustration or tone (or I would have said so). You haven’t been posting this point (avast must have heuristics and why so many FPs) in multiple topics; leemar has, and I also mentioned his point about VB100.