Too many false positives.

Well, Avast flags 15 programs as various trojans, including some software that I wrote (it’s a Luhn key calculator, not a trojan).

Norton is quite happy with them so I’ll assume they are false.

I’m loath to just kill scanning of these files in case they get infected by a REAL virus (when, of course, they would NOT be detected).

Is there any way to mask specific triggers on specific files??

I suspect not, but one can ask :slight_smile:

Norton is such a resource hog, but at least it works RELIABLY.

Sure, there are actually two exclusion lists: one in program settings, affecting the on-demand scanners, and another one in Standard Shield settings, affecting Standard Shield (i.e. on-access protection) only.

I’m concerned about Avast’s reliability too. :frowning:

I don’t know why Avast has continuously generated too many false positives from time to time, although it has no so-called heuristic detection that may (at least) lead to more false positives.

Once upon a time AVAST32 was promoted as fast and accurate scanning so users were not disturbed by false positives; now it would be good if Avast 4 did it that way again, fast and accurate scanning with overall reliability.

Yes, all these false positives are not a pro for avast! But on the other hand, I had only one false positive on my PC during 6 months…

TAP & Ylap, do you have any file(s) in particular or just chit-chatting?

crossy, please submit the file(s) in question to virus@avast.com . But Norton is not really a good indicator whether it’s really a virus or not - when in doubt, I recommend using an online service like Jotti’s http://virusscan.jotti.org

Thanks
Vlk

Yes, I had, and it was already sent to virus@avast.com from time to time and it was usually fixed. But I’ve noticed too many false positives reported on this forum in the last few weeks.

I’m not saying there is a big problem for me. It’s just that many other users complain about it. I had just one file, I sent it to ALWIL, and everything was fine the next day. No complaints from me. :wink:

I sent an FP to Alwil 2 days ago. Got a VPS update yesterday that fixed it. Also got a personal email from Karel thanking me for letting Alwil know about it.

Great job Alwil. Thanks!

To everyone (just some things to keep in mind)

  • Every av has fp’s from time to time. These things happen.
  • Every av will detect things that another doesn’t.
  • If you don’t let the av vendor know if there is something wrong, they can’t fix it.
  • Not really important, but a nice option. Avast has skins :smiley:
  • If you don’t like the av, its detection or whatever… Get another one you do like. No one is forcing you to use a certain av.

Yeah, every AV has them, but avast! has them far above the average at the moment.
Anywhere you look in the forum you’ll see complaints about false positives, some even repeat (AutoIt/RAR SFX for example; heck, if you have problems with one specific thing several times you should check it each time before VPS release).

Thanks Karel for your hard work. But, maybe Alwil could help you with a junior 8)

Still false positives, not corrected (these are AutoIt files made by myself):

  • Vps: 0534-4

Virus has been detected!
File Name: chkdsk.exe
FileID: 378
Virus Description: Win32:Agent-BM [Trj]

Virus has been detected!
File Name: avast! Program Download.exe
FileID: 382
Virus Description: Win32:Agent-BM [Trj]

Vlk, where are the surprises you’ve promised us? 8)

Tech, I asked you to send the files to me - still didn’t receive anything…

Sorry, I thought you were expecting them from the Chest.
I’ll send them now. I mean, a group of files to be tested. Not all of them are false positives right now.

This is a side issue. I am not even sure if it is appropriate for this board, or exactly where it should be posted. Please move it if it should go elsewhere, or let me know if I should post this on some other forum somewhere else.

I greatly appreciate the link to the virusscan.jotti.org link, and I use it frequently before installing a downloaded file. However, it fairly regularly advises me there are “run-time packers” and that the “sandbox emulation took a longer time than normal to run”. This is even when all scanners report no malicious files. It even happens with some files that I am pretty sure should be clean.

It usually occurs with .exe type files. Are “packers” normally found in .zip files and/or .exe files? How serious should I take the presence of “packers” when all scans say the file seems to be clean?

Again, if this post is inappropriate or in the wrong place please bear with me. No offense is intended. :slight_smile: Thank you.

Packers are used to compress a file to reduce download time, zip is only one compression method there are many others. Many .exe files that are compressed may be executable zip files so on double clicking the file it automatically un zips/packs into pre-set folders. This saves the user having to do a manual installation of a program.

Packers are a common feature that you will bump into regularly and avast caters for many of the mainstream packers so you should have little to worry about. So you could use the right click context scan ashQuick.exe in explorer to scan your downloads.

DavidR, thank you for your response. :slight_smile: I did a search on packers but there is often SO much info on Google that it can be difficult to narrow it down properly. BTW, I ALWAYS right Click/Scan a new file with AVAST! before I install it ;D. That is an excellent feature.

But being on the cautious side I also use the jotti.org multi-scanner on every new program as well. I appreciate Vlk, and I think it was also Bob for pointing out this resource.

I have had very few problems with false positives from AVAST! and I am very grateful for the Free Home Version. ;D

Happy to help, I don’t recall having any false positives with avast! nor any infections either.

Lucky I guess, I don’t think so, practice safe hex, your AV should be a backup to your brain and common sense.

Sorry, but that shouldn’t be an excuse for a bunch of false positives and an average detection rate…

That’s actually a good question - with no satisfactory answer.
You can be quite sure that e.g. Microsoft executables or libraries are not packed by any executable packer. The same would be true for many “big” applications (e.g. Adobe ones?). However, many authors use executable packers as some kind of protection (especially for shareware tools). Some people use rather paranoid packers (so that, for example, the program wouldn’t run in presence of a system debugger) even for freeware stuff, no idea why.
So, you should be really suspicious if you find a DLL, named like a Microsoft one, in your system folder; on the other hand, it’s rather common for shareware application executables. The “suspiciousness” also depends on the particular type of executable packer used.
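A way to check for yourself whether an executable looks packed, added here as an illustration and not taken from any poster, avast! or Jotti: measure the byte entropy of each PE section, since compressed or encrypted data sits near 8 bits per byte. The function names, the 7.0 threshold and the two-section sample image are assumptions made up for this example; a flagged section means "packed", not "malicious".

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, lower for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (section name, entropy of its raw data) for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                         # section table follows the optional header
    for i in range(n_sections):
        entry = table + 40 * i                             # each section header is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])

def likely_packed(image: bytes, threshold: float = 7.0):
    """Names of sections whose contents look compressed (threshold is an assumed cut-off)."""
    return [name for name, h in pe_sections(image) if h >= threshold]

def build_sample() -> bytes:
    """Constructed sample: just enough PE header for the parser, plus two data blobs."""
    code = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 64             # repetitive, code-like bytes
    packed = bytes((i * 167 + 13) % 256 for i in range(512))    # uniform bytes stand in for packed data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    data_off = len(dos) + len(coff) + 2 * 40
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    return (dos + coff + sec(b".text", 512, data_off)
            + sec(b".packed", 512, data_off + 512) + code + packed)

if __name__ == "__main__":
    for name, h in pe_sections(build_sample()):
        print(f"{name:8s} entropy={h:.2f}")
    print("high-entropy sections:", likely_packed(build_sample()))
```
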

Oh, yeah, you’re right.
I’d rather have false positives than a poor detection rate anyway…
Let’s pray for the time when we get the #1 in detection/submission antivirus rate… 8)