UNINSTALL.EXE an FP ?

Hello all,
My last Avast boot time scan detected the UNINSTALL.EXE file from the Microsoft
“Game Age of Empire II” as infected: Win32:Trogen-gen {other}. I bet this is an FP.
I am running Avast4.8 Family Edition Nov [4.8.1290], so this is the last version
compiled and installed yesterday 20/11/2008.
Shall I post this file to ALWIL ?

Confirm the detection.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (post the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Hello, sorry for my late response.
I tried to submit to VT, but I received a “0 byte message”. Indeed the file is about 450Ko.
I had the same problem some months ago, but cannot remember the trick, can you remind me of it, please?

Did you do what David posted? If not, or if you’re trying to send it from within the Chest, the file will be blocked by avast.

Yes, it is what I tried to do, but for some reason, I missed something. I retried this morning,
and VT returned me a listing …

It appears that Avast (4.8.1281.0) does not detect the file as infected any more (only Fortinet
does it : PossibleThreat), so I believe that in the meantime the problem has been solved …

Avast 4.8.1281.0 2008.11.24

Later, I will restore the file in its original location, and run a boot time scan, and see if the
problem is still there, as I hope …

Thanks for the help.

It isn’t unusual to not have avast detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

Since there was only one other and that was suspicious/heuristic which are more prone to FP, then I would suggest sending the sample to avast for analysis, use the link I gave on how to report it to avast and how to exclude from scans…

So I don’t think the problem has been solved, you can confirm that by scanning the file from within the chest, if it alerts then it isn’t resolved.

I have selected the suspicious file from within the chest, and pressed the 6th icon from
the avast “zone de quarantaine” to analyse it, and I had no alert message.

I also tried to analyse it by right clicking on the file that I moved to the C:\suspect
folder, but as this folder is in the avast exclusion list, I suppose this way of doing it will
not work, right ?

I also used the next icon to send the file to avast, for double check. BTW, has this
display's appearance changed recently?

If you didn’t add the suspect folder to the on-demand exclusions (Program Settings, Exclusions) then it should detect it, only the on-access scanner would be excluded by what I suggested.

So if a right click scan in the suspect folder didn’t detect it then it looks like the detection has been corrected, as your scan within the chest basically confirms it was an FP.

I think that it isn’t an issue sending the file to avast as I feel sure the detection has been corrected, so now you can Restore the file to its original location.

  1. Select the file within the Chest, Infected Files section.
  2. Right click the file and select Restore.
  3. That will send a copy of the file back to its original location, avast shouldn’t alert if the detection was corrected.
  4. Check that the file is back in the original location, if so, delete the copy in the chest and the suspect folder.

I don’t believe it has changed recently, I have an image of the chest from July 2008 and it looks the same.

Hello,
I have done all that you suggested, and all works fine: no Avast alert!
Did you finally receive the suspected file?
Anyway, many thanks for the help!

You’re welcome.

I didn’t receive it, I’m just an avast user like yourself, I don’t work for Alwil software ;D

You will not normally receive a reply/confirmation unless they require more information.