If a scan at VT or VirScan only turns out to be flagged by avast and not by GData as well, then here I could smell an FP,
and things that smell like a duck, sound like a duck and walk and swim like a duck in most cases turn out to be a genuine duck.
I don’t think that’s a real false positive - the detection has been there for more than a year, and it looks OK to me.
I’d say something (other product’s virus signatures from memory?) somehow got into these files. Though I admit I have no idea what those .etl files are.
Igor, we need a virus analyst’s answer.
I can imagine that “other product’s virus signatures from memory” can be the issue.
First detection was after KillSwitch had been running. See snapshot.
The detection occurs with the files in the Chest. The files must be “corrupted” then. How?
I’m about to delete those files…
Event Trace Log (ETL) files are binary files created by Microsoft Tracelog, a program that creates logs using the events from the kernel in Microsoft operating systems; contains binary log data at the trace level, such as disk accesses or page faults; used to log high-frequency events while tracking the performance of an operating system. http://www.fileinfo.com/extension/etl
It’s a very weak signature taken from malware which deletes Brazilian banking software.
I see your file in our FP queue. There is 1 submit (yours only, I suppose) and it has 1 point. Because the queue is ordered by points (which are added or removed by various heuristics), it’s very probable that it will be quite a while before such a file gets to the manual inspection of an analyst, if ever.
The main reason for this slowness is the unending flow of FP reports on files which are malware, most of them with helpful comments like
NAM: okjgkirfgj
VER:6.0.00
PUB:kdfjkk fglkprfgk
I can’t suggest any better solution than to put them in exclusions.
We are currently working on some changes which could prevent some of such falses, but they need serious testing before deployment.
Hmmm… I did it, I mean, I inadvertently removed one of the banking software packages as I did not recognize it. The names of the files/folders are “Scopus” and the bank has another name, “Bradesco”.
Could it be?
I see. Sorry for blaming. I always think I’ll get some priority ;D
Have you ever thought about having a priority submission for Evangelists?
I mean, Polonus, Essexboy, Pondus… deserve it and won’t send you such silly comments…
I could do it, but I’ve sent the files to Chest and will try to generate them again without loading KillSwitch.
If it persists, I’ll add them to the exclusion lists.
If it disappears, I’ll test KillSwitch again and if it comes again, I’ll post in Comodo forums.