What other AVs did you test it on? Did you try VirusTotal?
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
VirusTotal was mostly inconclusive: a few pointers that yielded nothing specific on Google:
[ scan result ]
AhnLab-V3 2008.10.15.0/20081014 found nothing
AntiVir 7.8.1.34/20081014 found [HEUR/Malware]
Authentium 5.1.0.4/20081014 found nothing
Avast 4.8.1248.0/20081014 found [Win32:Notre]
AVG 8.0.0.161/20081014 found nothing
BitDefender 7.2/20081015 found nothing
CAT-QuickHeal 9.50/20081014 found nothing
ClamAV 0.93.1/20081015 found nothing
DrWeb 4.44.0.09170/20081015 found nothing
eSafe 7.0.17.0/20081012 found nothing
eTrust-Vet 31.6.6148/20081014 found nothing
Ewido 4.0/20081014 found nothing
F-Prot 4.4.4.56/20081014 found nothing
F-Secure 8.0.14332.0/20081015 found nothing
Fortinet 3.113.0.0/20081014 found nothing
GData 19/20081015 found [Win32:Notre]
Ikarus T3.1.1.34.0/20081014 found nothing
K7AntiVirus 7.10.493/20081014 found nothing
Kaspersky 7.0.0.125/20081015 found nothing
McAfee 5405/20081014 found nothing
Microsoft 1.4005/20081015 found nothing
NOD32 3522/20081014 found nothing
Norman 5.80.02/20081014 found nothing
Panda 9.0.0.4/20081014 found nothing
PCTools 4.4.2.0/20081014 found nothing
Prevx1 V2/20081015 found nothing
Rising 20.66.12.00/20081014 found nothing
SecureWeb-Gateway 6.7.6/20081015 found [Heuristic.Malware]
Sophos 4.34.0/20081015 found nothing
Sunbelt 3.1.1722.1/20081014 found [VIPRE.Suspicious]
Symantec 10/20081015 found nothing
TheHacker 6.3.1.0.110/20081014 found nothing
TrendMicro 8.700.0.1004/20081014 found nothing
VBA32 3.12.8.6/20081014 found nothing
ViRobot 2008.10.14.1419/20081014 found nothing
VirusBuster 4.5.11.0/20081014 found nothing
I think the VT results are fairly conclusive in their own right, aside from not seeing a hit on avast (not unusual with VT as they seem to be behind the user's version of VPS), however the other 2 detections are heuristic which are more prone to FP.
You should, a) ensure you have the latest VPS and b) if still detected, submit the file for further analysis.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
I’m not entirely sure if files ‘outside’ the system folders are checked in this way and I’m also not sure if the default option is to skip this check.
@ orenf
Can you check the Program Settings, Troubleshooting section and report what this setting is: is ‘Skip checking of digital signatures of infected files’ checked or unchecked (see image)?
Note that I can no longer easily manipulate the file…
I can rename it (say PROJWIZ.EXEa), and then I can copy it and move - no alert from Avast. But if I leave it as PROJWIZ.EXE, then Avast triggers. If I try to copy/upload/move the file, I get a pop up from Windows - “Cannot Copy PROJWIZ.EXE: Access Is Denied”. So I cannot even upload the file without renaming it (which does work - odd).
Also, right-click->properties on the file no longer shows the various tabs and entries (listing file version, etc.) - see image.
Thanks for the information on the Skip digital signature check.
Normally you won’t be contacted unless they need more information.
Hopefully it will be corrected quickly (normally is), periodically scan the copy in the chest to see if it is still detected. When it is no longer detected you can restore it and remove any exclusions.
I’ve deleted the offending file (PROJWIZ.EXE), which is part of Office 2000. So far so good. But now MS Word crashes whenever I shut it down. Annoying.
So I’m on the Microsoft Office website, downloading MS Office SP 3 update, hoping it may solve the issue. Sure enough, as part of the download/install process, AVAST comes to life, alerting me that… PROJWIZ.EXE is infected. Since I deleted the file, it can only have come from the Microsoft update package, which is downloaded directly from their Office update website.
Since other AVs don’t find anything wrong with this file, I’m just ignoring it.
Why does it ‘have’ to be a false positive, it doesn’t ‘have’ to be anything, that is why we gave a link so you can confirm the detection one way or another. Deletion is never a good option (IMHO) that is what the chest is for, it can do no harm there.
The results basically confirm there is a high likelihood it is a false positive, and avast are usually very quick to correct when it is confirmed. You could have rescanned the file in the chest if you had it there and didn’t delete it. If it was no longer detected then you could also have restored it from the chest.
I would have sent the sample again if after this time it was still detected.
Hey, I’m just a humble user. I did my part - scanned, uploaded, emailed, even posted. I’m moving on.
IMHO it HAS to be a FP (note, just MHO) as it is “unlikely” (which I only use to avoid saying “impossible”) that MSFT have a virus embedded in their download (which has been available for a couple of years now) without anyone (except AVAST) noticing it.
Well I too am just a humble avast user trying to help other avast users and if by submitting the sample the VPS is corrected then ‘other’ avast users also benefit.
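Added example, not part of any post in this thread: a small parser for the "[ scan result ]" text format pasted above, which counts detections and separates heuristic or generic labels from named ones, the distinction the thread uses when weighing a possible false positive. The sample is a constructed subset of the posted lines, and the `HEURISTIC_MARKERS` substrings are an assumption about how engines name such detections.

```python
import re

# Constructed sample: a subset of the "[ scan result ]" lines posted in the thread.
SAMPLE = """\
AntiVir 7.8.1.34/20081014 found [HEUR/Malware]
Avast 4.8.1248.0/20081014 found [Win32:Notre]
AVG 8.0.0.161/20081014 found nothing
GData 19/20081015 found [Win32:Notre]
Kaspersky 7.0.0.125/20081015 found nothing
SecureWeb-Gateway 6.7.6/20081015 found [Heuristic.Malware]
Sunbelt 3.1.1722.1/20081014 found [VIPRE.Suspicious]
Symantec 10/20081015 found nothing
"""

# engine, engine version, signature date (YYYYMMDD), then "nothing" or "[label]"
LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>[^\s/]+)/(?P<date>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<label>[^\]]+)\])$"
)

# Assumption: these substrings mark a generic/heuristic label, not a named family.
HEURISTIC_MARKERS = ("heur", "suspicious", "generic")


def parse_report(text):
    """Return one dict per well-formed result line; skip headers and blanks."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Split detections into heuristic labels and named ones grouped by label."""
    heuristic, named = [], {}
    for row in rows:
        label = row["label"]
        if label is None:
            continue
        if any(marker in label.lower() for marker in HEURISTIC_MARKERS):
            heuristic.append(row["engine"])
        else:
            named.setdefault(label, []).append(row["engine"])
    return {"engines": len(rows), "detections": len(heuristic) + sum(map(len, named.values())),
            "heuristic": heuristic, "named": named}


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)))
```

Grouping named detections by label makes it visible when several engines report the identical name, which is worth checking before counting them as independent confirmations.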