The update to Avast today resulted in a false positive for Spyware Doctor v5 update.exe. I have forwarded this to support. But I added it to the program exclusions and restored it, only to have Avast block it again. I re-added it and restored it a second time but it wouldn’t even run the second time. Direct running fails to get it to run and it appears to be locked.
Once someone sorts out the problem, how do I get it unblocked?
Have you added it to the standard shield exclusions, as that is what I think is detecting it (on-access, when it is used)? The Program Settings, Exclusions, are for the on-demand scans.
First confirm that it is an FP by further scanning.
- Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Thanks, it was suggested I replace the program and delete it from the vault. This worked; I had replaced it with the program in exclusions before, only to have avast block it again. I have sent the program to avast and hope they will let me know when there is a fix so I can remove it from exclusions.
I have pointed out to PC Tools there is a problem with the update.exe, as a number of the programs were unhappy with it:
AhnLab-V3 2008.6.26.0 2008.06.25 -
AntiVir 7.8.0.59 2008.06.25 -
Authentium 5.1.0.4 2008.06.25 -
Avast 4.8.1195.0 2008.06.26 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.26 -
CAT-QuickHeal 9.50 2008.06.25 -
ClamAV 0.93.1 2008.06.25 -
DrWeb 4.44.0.09170 2008.06.26 -
eSafe 7.0.17.0 2008.06.25 -
eTrust-Vet 31.6.5906 2008.06.26 -
Ewido 4.0 2008.06.25 -
F-Prot 4.4.4.56 2008.06.25 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.26 -
GData 2.0.7306.1023 2008.06.26 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.06.26 -
Kaspersky 7.0.0.125 2008.06.26 -
McAfee 5325 2008.06.25 -
Microsoft 1.3704 2008.06.26 -
NOD32v2 3219 2008.06.26 -
Norman 5.80.02 2008.06.25 -
Panda 9.0.0.4 2008.06.26 Suspicious file
Prevx1 V2 2008.06.26 -
Rising 20.50.30.00 2008.06.26 -
Sophos 4.30.0 2008.06.26 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.26 -
TheHacker 6.2.92.362 2008.06.26 -
TrendMicro 8.700.0.1004 2008.06.26 -
VBA32 3.12.6.8 2008.06.25 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.26 Virus.Win32.FileInfector.gen (suspicious
I think that the problem lies with the detection rather than PC Tools, as:
a) two report it as suspicious (heuristics)
b) GData uses two AVs one of them avast, so that would account for its detection
c) the -gen element of the malware name usually indicates a generic signature, which is attempting to catch many variants of the same type of malware with the one signature, a difficult task.
So I believe it is a false positive and you should send the sample to avast and exclude it from scans, as in the information in the link I gave above (though it looks like you have done that, read it fully as you have to exclude the file in two different locations and I don’t believe you have done that).
avast doesn’t normally contact you unless they need more information, but they are usually quick to rectify any FP.
Welcome to the forums.
Just scan the file that is in the chest periodically (after VPS updates); when it isn’t detected, remove the exclusions.
Pity they don’t let you know as I have already removed the files from avast, only after that did it stop blocking the restored file.
Well, the safest bet is always to quarantine (send to the chest) and investigate, and that I guess is no different in Spyware Doctor.
The move to chest is the default recommended action I believe.
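The triage reasoning in points a) to c) of the reply above, applied to rows copied from the posted VirusTotal report, as an added example that is not part of the original thread. The function names and the `SHARED_ENGINES` mapping are assumptions made for illustration; the mapping encodes only the reply's statement that GData includes the avast engine.

```python
import re

# Rows copied from the VirusTotal report posted in this thread (all detections
# plus three clean engines). Layout: engine, version, last update, result.
REPORT = """\
AntiVir 7.8.0.59 2008.06.25 -
Avast 4.8.1195.0 2008.06.26 Win32:Trojan-gen {Other}
GData 2.0.7306.1023 2008.06.26 Win32:Trojan-gen
Kaspersky 7.0.0.125 2008.06.26 -
Panda 9.0.0.4 2008.06.26 Suspicious file
Prevx1 V2 2008.06.26 -
Webwasher-Gateway 6.6.2 2008.06.26 Virus.Win32.FileInfector.gen (suspicious
"""

# Assumption taken from the reply: GData bundles the avast engine.
SHARED_ENGINES = {"GData": "Avast"}
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse(report):
    """Return {engine: result string, or None when the engine reported '-'}."""
    results = {}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, _version, _date, result = m.groups()
            results[name] = None if result == "-" else result
    return results

def label_of(result):
    """Signature name without trailing annotations such as '{Other}'."""
    return re.split(r"[\s{(]", result)[0]

def triage(results):
    """Sort detections into the categories used in points a) to c)."""
    hits = {e: r for e, r in results.items() if r}
    out = {"heuristic": [], "shared_engine": [], "generic": [], "specific": []}
    for engine, result in hits.items():
        parent = SHARED_ENGINES.get(engine)
        if "suspicious" in result.lower():                  # a) heuristic verdict
            out["heuristic"].append(engine)
        elif parent in hits and label_of(hits[parent]) == label_of(result):
            out["shared_engine"].append(engine)             # b) same engine, same name
        elif re.search(r"[-.]gen\b", result, re.I):         # c) generic signature
            out["generic"].append(engine)
        else:
            out["specific"].append(engine)                  # independent, named detection
    return out
```

An empty `specific` list means no engine independently named the file with a non-generic signature, which supports treating it as a false-positive candidate but does not prove it; the sample still needs to be submitted to the vendor as described in the thread.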