[Solved] False positives reported but not corrected

Seems clearly false positives. I’ve reported before but the detection remains :cry:
Are you the only right antivirus in the yard?

ShutdownCKCL.etl
http://www.virustotal.com/file-scan/report.html?id=62eaf94f76c6e19be43b02f7c414f3093487a9626e1dea392482e294d12b0ca6-1305920608

ReadyBoot.etl
http://www.virustotal.com/file-scan/report.html?id=d213d65f6f62ca3175a5f87d8dbf774eaeb2d67cd901a14dcd2dd239be3c66fe-1305921109

BootCKCL.etl
http://www.virustotal.com/file-scan/report.html?id=8e29fbc926d8377045952647143c000fe0d81485fe69359303ea5a0242b542d7-1305922367

Hi Tech,

Similar result at VirScan.org: http://7.www.virscan.org/report/c2f5b5d4263af65a97f87b3962a383cf.html
and here: http://virscan.org/report/5fb102ebcad92e3b83d2461cca3749bd.html

polonus

Thanks Polonus, but what do you think? False positives or not?

Still being detected with 110521-1 :cry:

I think these detections are FPs.
Where did you report them…??
Here…?? http://www.avast.com/contact-form.php?loadStyles

From Chest.
They always said that these files, reported from Chest, have high priority.

No.
Did not lose time to that… and won’t.
Why don’t they correct the false positive? >:(

Hi Tech,

If a scan at VT or VirScan only turns out to be flagged by avast and not by GData as well, then here I could smell a FP,
and things that smell like a duck, sound like a duck and walk and swim like a duck in most cases turn out to be a genuine duck,

polonus

Thanks Polonus.
What more can I do? :cry:

Do you have similar files .etl in your computer?
Are they being flagged?

Hi Tech,

This issue is one year old: http://forum.avast.com/index.php?topic=60305.0

polonus

Try using virus@avast.com. Maybe you will get a reply. Try posting in the Avast subforum, that is more read than this.

They always advocate the opposite for false positives.

Well, false positives were always posted here.

The problem is that they do not say anything about…
Why does this happen to me?

The false positive continues… 110522-1

I had sent false positives there and had personal replies and in the forum. You will not lose if you try both.

I don’t think that’s a real false positive - the detection has been for more than a year, and it looks OK to me.
I’d say something (other product’s virus signatures from memory?) somehow got into these files. Though I admit I have no idea what those .etl files are.

It does…??
Did you look at the VT results in Tech’s original post…?
I think we need a reply from the viruslab guys here…!! :wink:

Igor, we need a virus analyst’s answer.
I can imagine that “other product’s virus signatures from memory” can be the issue.
First detection was after KillSwitch had been running. See snapshot.

The detection occurs with the files in the Chest. The files must be “corrupted” then. How?

I’m about to delete those files…
Event Trace Log (ETL) files are binary files created by Microsoft Tracelog, a program that creates logs using the events from the kernel in Microsoft operating systems; contains binary log data at the trace level, such as disk accesses or page faults; used to log high-frequency events while tracking the performance of an operating system.
http://www.fileinfo.com/extension/etl

These files could be converted to text files: http://msdn.microsoft.com/en-us/library/bb801253(v=office.12).aspx

Since it is just a log file you can delete it (http://forums.cnet.com/7726-12546_102-5069671.html).
I suppose the virus analyst can check the file I’ve sent by Chest, can’t they?

It’s a very weak signature taken from malware which deletes Brazilian banking software.

I see your file in our fp queue. There is 1 submit (yours only, I suppose) and it has 1 point. Because the queue is ordered by points (which are added or removed by various heuristics), it’s very probable that there will be quite a while before such a file will get to the manual inspection of an analyst, if ever.
The main reason for this slowness is the unending flow of FP reports on files which are malware, most of them with helpful comments like
NAM: okjgkirfgj
VER:6.0.00
PUB:kdfjkk fglkprfgk

I can’t suggest any better solution than to put them in exclusions.
We are currently working on some changes which could prevent some of such falses, but they need serious testing before deployment.

Hmmm… I did it, I mean, I’ve inadvertently removed one of the banking software as I did not recognize it. The names of the files/folders are “Scopus” and the bank has another name, “Bradesco”.
Could it be?

I see. Sorry for blaming. I always think I’ll get some priority ;D

Have you ever thought of having a priority submission for Evangelists?
I mean, Polonus, Essexboy, Pondus… deserve it and won’t send you such silly comments…

I could do it, but I’ve sent the files to Chest and will try to generate them again without loading KillSwitch.
If it persists, I’ll add to the exclusion lists.
If it disappears, I’ll test KillSwitch again and if it comes again, I’ll post in Comodo forums.

Thanks. I’m glad to help.

I have those etl files on my 7 system. I am running a scan now to see if they alert.

No alert on my etl files - latest vps 110522-1

Could Avast be alerting on the way KillSwitch was changing the attributes on the files prior to deletion?