Topic: How's *that* for a false positive? And is it? (Avira AV)
tranglos
« on: November 30, 2009, 04:51:38 PM »

My XP doesn't have that much life left in it before I upgrade to 7, so, out of boredom and sheer malice, I re-enabled Windows Update after a long hiatus, to see what gifts it would bring. And lo, I am bored no longer!



I got three such screens in sequence. I am of course assuming it is a false positive, but I still clicked Deny, because (unlike UAC) anti-virus software is often useful and I won't ignore its advice blindly. AV heuristics is off, by the way, so Avira must have seen something it knows to be wicked.

What to do, what to do? Trust that no-one hacked into Windows Update servers and placed a trojan there, or trust Avira knows a trojan when it sees one? It's almost like Russian Roulette, isn't it?







mouser
« Reply #1 on: November 30, 2009, 04:58:05 PM »

What you do is go track down that file, and upload it to a site that will scan it with lots of antivirus programs, like http://www.virustotal.com/
Then you'll have a second and third and fourth opinion.
mouser
« Reply #2 on: November 30, 2009, 05:00:31 PM »

And you also search for information on the reported malware found, in your case "tr_crypt.xpack.gen", and when you do you realize the "gen" stands for generic, which is your first signal that this is probably a false positive.  more info:
http://www.avira.com/en/t...8/tr_crypt.xpack.gen.html

i have written over and over again, and am getting sick of repeating myself, that antivirus companies MUST STOP this ridiculous behavior where they report wild guesses as confident detections.  it is absolutely inexcusable.
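
As an added example (not mouser's code or anything from the thread), the triage steps from the two replies above in one PowerShell function: it flags a generic-looking detection name, checks the file's Authenticode signature, and computes the SHA-256 for a VirusTotal lookup so the file itself need not be uploaded. Assumes Windows PowerShell 4.0 or later (for Get-FileHash); the function name, the placeholder path and the lookup URL form are assumptions, not from the thread.

```powershell
function Get-AvAlertTriage {
    param(
        [Parameter(Mandatory)][string]$Path,       # path shown in the AV alert
        [Parameter(Mandatory)][string]$Detection   # detection name from the alert
    )

    # A name containing gen/generic/heur marks a family or heuristic signature:
    # the scanner matched a pattern, not a known sample, so the verdict deserves
    # less trust than an exact-match detection (-match is case-insensitive).
    $isGeneric = $Detection -match '(^|[./_-])(gen|generic|heur|heuristic)([./_-]|$)'

    $result = [ordered]@{
        File             = $Path
        Detection        = $Detection
        GenericSignature = $isGeneric
        FilePresent      = Test-Path -LiteralPath $Path -PathType Leaf
        SignatureStatus  = $null
        Signer           = $null
        SHA256           = $null
        LookupUrl        = $null
    }

    # Temporary download files are often gone by the time you look (as in the
    # thread); in that case only the detection name can be assessed.
    if ($result.FilePresent) {
        # A genuine Windows Update payload carries a valid Authenticode
        # signature whose chain ends at Microsoft; an unsigned or tampered
        # file does not.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.SignatureStatus = $sig.Status
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Hash the file locally; VirusTotal can be searched by SHA-256, so
        # additional engine opinions are available without uploading the file.
        $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.LookupUrl = "https://www.virustotal.com/gui/file/$($result.SHA256.ToLower())"
    }

    [pscustomobject]$result
}

# Constructed example: the path is a placeholder, the detection name is the one
# Avira reported in the thread.
Get-AvAlertTriage -Path 'C:\WINDOWS\Temp\PLACEHOLDER.tmp' -Detection 'tr_crypt.xpack.gen' | Format-List
```

If the file is still present, a Valid signature from a Microsoft subject plus a clean multi-engine result is the strongest evidence of a false positive; an unsigned file is worth keeping quarantined until the hash lookup is done.
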
tranglos
« Reply #3 on: November 30, 2009, 05:08:26 PM »

The file is no longer there - as you can see from the filename, it was a temporary file. Either it got successfully renamed to who-knows-what, or Avira prevented storing the file, or it was a "system temp" file and got automatically unlinked as soon as the downloader closed it.

i have written over and over again, and am getting sick of repeating myself, that antivirus companies MUST STOP this ridiculous behavior where they report wild guesses as confident detections.  it is absolutely inexcusable.

No, it's all just harmless fun!

mouser
« Reply #4 on: November 30, 2009, 05:09:35 PM »

this is another pet peeve i have, antivirus alert windows that don't show you the full filename of the detected file. these companies seem so damned determined to not let the user figure out what is going on.
rgdot
« Reply #5 on: November 30, 2009, 06:01:55 PM »

Agreed mouser. It is so bad that I don't remember the last time I saw any alert that didn't have gen or generic in it.
f0dder
« Reply #6 on: December 01, 2009, 01:46:12 AM »

At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.

- carpe noctem
tranglos
« Reply #7 on: December 01, 2009, 02:13:29 AM »

At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.

f0dder, it seems there is no way we are ever going to agree on this.

Every UAC notification is a false positive by design, because UAC doesn't know that the application is trying to do anything untoward, so it warns about practically all of them. AV software at least tries to detect actual harm.

I'll take a false positive from AV software once a week or so(*) - though I do agree they are insidious and cause grief to upstanding developers. But so does UAC.

That said, the only actual benefit I got from running AV since I recall has been limited to stopping trojans on other people's pendrives, or my own after I'd taken them to a printing shop. (I have yet to see a printing shop with an uninfected computer.) I disable autorun as a rule, but at least once I've realized it was enabled for USB drives while I wasn't aware of that. Whether this is sufficient pay-off for the performance penalty associated with real-time protection and 60+ MB memory use, I honestly don't know. There should be a better way - like me being still more diligent about disabling autorun for all removable drives.

(*) Though it's more like once a month for me.
« Last Edit: December 01, 2009, 02:15:32 AM by tranglos »
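
An added check for the autorun point in the post above (not tranglos's code or anything from the thread): it reads the NoDriveTypeAutoRun policy value in both hives and reports whether autorun is suppressed for removable drives and for every drive type, with a remediation function that sets the machine-wide policy. Assumes Windows PowerShell; the function names are assumptions, and Disable-AutorunForAllDrives needs an elevated prompt.

```powershell
# Policy key that holds the AutoRun bitmask; HKLM (machine policy) wins over HKCU.
$explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types whose AutoRun is suppressed:
    # 0x04 = removable (USB sticks), 0x08 = fixed, 0x20 = CD/DVD, 0xFF = all.
    # Some USB devices present themselves as fixed disks, so checking only the
    # removable bit is not enough; the safe setting is all bits (0xFF).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$explorerPolicy"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive              = $hive
            Value             = if ($null -eq $v) { '<not set>' } else { '0x{0:X2}' -f $v }
            RemovableDisabled = ($null -ne $v) -and (($v -band 0x04) -ne 0)
            AllDisabled       = ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
        }
    }
}

function Disable-AutorunForAllDrives {
    # Set the machine-wide policy to 0xFF so no drive type autoruns; requires an
    # elevated prompt and takes effect for Explorer at the next logon.
    $key = "HKLM:\$explorerPolicy"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Report the current state; run Disable-AutorunForAllDrives if AllDisabled is False for HKLM.
Get-AutorunPolicy | Format-Table -AutoSize
```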

f0dder
« Reply #8 on: December 01, 2009, 02:20:06 AM »

You don't get UAC prompts from software that's properly programmed

Unfortunately there's still a lot of software that isn't, because MS made the bad decision to make the default NT account administrator (started to become a problem with Win2k which had some mainstream usage, and especially once XP was introduced) - and of course for Win9x being a total p.o.s. without a concept of security.

At least Vista and the UAC popups are now forcing developers to look at their crappy code and do things properly... as well as providing security

- carpe noctem
Innuendo
« Reply #9 on: December 01, 2009, 10:50:58 AM »

I'll take a false positive from AV software once a week or so(*) - though I do agree they are insidious and cause grief to upstanding developers. But so does UAC.

I see a false positive from my AV maybe once a month. However, that's also the frequency I see UAC prompts as well.
tranglos
« Reply #10 on: December 08, 2009, 12:05:14 PM »

Today Avira decided uTorrent.exe was a trojan. Similar reports to be found on uTorrent forum. For my part, I have declared Avira malware and removed it. I really hope Mouser's Superior AV project takes off!

FWIW, Kaspersky is one AV that you can decide not to run at startup, or quit it when it is running, and it won't leave any services behind when you do. This means it can be used in manual-only mode, but with a slight hitch: the right-click menu command to scan a file is inactive if Kaspersky is not running. This means that in order to check a file you must start KAV, then right-click a file and scan, then quit KAV.

On the bad side, Kaspersky is awfully unfriendly to other AV and malware detecting applications. Here's a long list of applications Kaspersky claims are "incompatible" with it: http://support.kaspersky.com/faq/?qid=208280128

The KAV installer detects all these products and uninstalls them (!) for you. Thankfully there is a prompt, but you cannot continue installing KAV as long as it detects any of the listed products. There is a procedure to skip the check, but it's not for the timid:
http://support.kaspersky....010/install?qid=208280398


Deozaan
« Reply #11 on: December 08, 2009, 09:05:25 PM »

At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.

f0dder, it seems there is no way we are ever going to agree on this.

Every UAC notification is a false positive by design, because UAC doesn't know that the application is trying to do anything untoward, so it warns about practically all of them.

I hated UAC on Vista so much that I disabled it. On Windows 7 it doesn't seem that bad. But that might be because I've been using Ubuntu off and on since January (nearly a year now!) and I find Windows 7's UAC prompts to be about the same as Ubuntu's "pop-up protection" (whatever it's called). Only Ubuntu's is "worse" because you have to type in your password every time to grant administrator privileges. At least in UAC you can just click the "Allow" button.

biox
« Reply #12 on: December 09, 2009, 12:56:12 AM »


On the bad side, Kaspersky is awfully unfriendly to other AV and malware detecting applications. Here's a long list of applications Kaspersky claims are "incompatible" with it: http://support.kaspersky.com/faq/?qid=208280128

The KAV installer detects all these products and uninstalls them (!) for you. Thankfully there is a prompt, but you cannot continue installing KAV as long as it detects any of the listed products. There is a procedure to skip the check, but it's not for the timid:
http://support.kaspersky....010/install?qid=208280398

That's one hell of an un!impressive list. What's got an AV to do with a firewall (Outpost in my case)?
kakarukeys
« Reply #13 on: December 09, 2009, 03:29:02 AM »

One month ago, after an update Avira started to brand all my AutoHotKey compiled programs as trojans. I began to think about which part of the code triggered the false alarm: was it the low-level keyboard hook or the program's signature 'AutoHotKey'?

life is short, play hard
Innuendo
« Reply #14 on: December 09, 2009, 05:32:42 PM »

Avira has always been bad about false positives. It's always been good about detecting the bad stuff, but I have never in good conscience been able to recommend it due to the false positives.
Tuxman
« Reply #15 on: December 10, 2009, 05:39:19 AM »

Avira has always been bad about false positives. It's always been good about detecting the bad stuff, but I have never in good conscience been able to recommend it due to the false positives.
Confirmed.

Maybe this one is of interest here. "Many false alarms" is a no-go for a virus scanner IMO.

I bet when Cheetahs race and one of them cheats, the other one goes "Man, you're such a Cheetah!" and they laugh & eat a zebra or whatever.
- @VeryGrumpyCat
DonationCoder.com Forum | Powered by SMF