topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 7:37 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: How's *that* for a false positive? And is it? (Avira AV)  (Read 12720 times)

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
How's *that* for a false positive? And is it? (Avira AV)
« on: November 30, 2009, 04:51 PM »
My XP doesn't have that much life left in it before I upgrade to 7, so, out of boredom and sheer malice, I re-enabled Windows Update after a long hiatus, to see what gifts it would bring. And lo, I am bored no longer!

windowsupdatevirus.png

I got three such screens in sequence. I am of course assuming it is a false positive, but I still clicked Deny, because (unlike UAC :) ) anti-virus software is often useful and I won't ignore its advice blindly. AV heuristics is off, by the way, so Avira must have seen something it knows to be wicked.

What to do, what to do? Trust that no-one hacked into Windows Update servers and placed a trojan there, or trust Avira knows a trojan when it sees one? It's almost like Russian Roulette, isn't it?







mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #1 on: November 30, 2009, 04:58 PM »
What you do is go track down that file, and upload it to a site that will scan it with lots of antivirus programs, like http://www.virustotal.com/
Then you'll have a second and third and fourth opinion.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #2 on: November 30, 2009, 05:00 PM »
And you also search for information on the reported malware found, in your case "tr_crypt.xpack.gen", and when you do you realize the "gen" stands for generic, which is your first signal that this is probably a false positive.  more info:
http://www.avira.com...crypt.xpack.gen.html

i have written over and over again, and am getting sick of repeating myself, that antivirus companies MUST STOP this ridiculous behavior where they report wild guesses as confident detections.  it is absolutely inexcusable.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #3 on: November 30, 2009, 05:08 PM »
The file is no longer there - as you can see from the filename, it was a temporary file. Either it got successfully renamed to who-knows-what, or Avira prevented storing the file, or it was a "system temp" file and got automatically unlinked as soon as the downloader closed it.

i have written over and over again, and am getting sick of repeating myself, that antivirus companies MUST STOP this ridiculous behavior where they report wild guesses as confident detections.  it is absolutely inexcusable.

No, it's all just harmless fun! :)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #4 on: November 30, 2009, 05:09 PM »
this is another pet peeve i have, antivirus alert windows that dont show you the full filename of the detected file. these companies seem so damned determined to not let the user figure out what is going on.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,192
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #5 on: November 30, 2009, 06:01 PM »
Agreed mouser. It is so bad that I don't remember the last time I saw any alert that didn't have gen or generic in it.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #6 on: December 01, 2009, 01:46 AM »
At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.
- carpe noctem

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #7 on: December 01, 2009, 02:13 AM »
At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.

f0dder, it seems there is no way we are ever going to agree on this.

Every UAC notification is a false positive by design, because UAC doesn't know that the application is trying to do anything untoward, so it warns about practically all of them. AV software at least tries to detect actual harm.

I'll take a false positive from AV software once a week or so(*) - though I do agree they are insidious and cause grief to upstanding developers. But so does UAC.

That said, the only actual benefit I got from running AV since I recall has been limited to stopping trojans on other people's pendrives, or my own after I'd taken them to a printing shop. (I have yet to see a printing shop with an uninfected computer.) I disable autorun as a rule, but at least once I've realized it was enabled for USB drives while I wasn't aware of that. Whether this is sufficient pay-off for the performance penalty associated with real-time protection and 60+ MB memory use, I honestly don't know. There should be a better way - like me being still more diligent about disabling autorun for all removable drives.

(*) Though it's more like once a month for me.
« Last Edit: December 01, 2009, 02:15 AM by tranglos »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #8 on: December 01, 2009, 02:20 AM »
You don't get UAC prompts from software that's properly programmed :)

Unfortunately there's still a lot of software that isn't, because MS made the bad decision to make the default NT account administrator (started to become a problem with Win2k which had some mainstream usage, and especially once XP was introduced) - and of course for Win9x being a total p.o.s. without a concept of security.

At least Vista and the UAC popups are now forcing developers to look at their crappy code and do things properly... as well as providing security ;)
- carpe noctem

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #9 on: December 01, 2009, 10:50 AM »
I'll take a false positive from AV software once a week or so(*) - though I do agree they are insidious and cause grief to upstanding developers. But so does UAC.

I see a false positive from my AV maybe once a month. However, that's also the frequency I see UAC prompts as well.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #10 on: December 08, 2009, 12:05 PM »
Today Avira decided uTorrent.exe was a trojan. Similar reports to be found on uTorrent forum. For my part, I have declared Avira malware and removed it. I really hope Mouser's Superior AV project takes off!

FWIW, Kaspersky is one AV that you can decide not to run at startup, or quit it when it is running, and it won't leave any services behind when you do. This means it can be used in manual-only mode, but with a slight hitch: the right-click menu command to scan a file is inactive if Kaspersky is not running. This means that in order to check a file you must start KAV, then right-click a file and scan, then quit KAV.

On the bad side, Kaspersky is awfully unfriendly to other AV and malware detecting applications. Here's a long list of applications Kaspersky claims are "incompatible" with it: http://support.kaspe...m/faq/?qid=208280128

The KAV installer detects all these products and uninstalls them (!) for you. Thankfully there is a prompt, but you cannot continue installing KAV as long as it detects any of the listed products. There is a procedure to skip the check, but it's not for the timid:
http://support.kaspe...nstall?qid=208280398


Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #11 on: December 08, 2009, 09:05 PM »
At least UAC gives you a clear indication that an application is trying to access locations that most applications shouldn't - with the amount of false positives AV products throw, all bets are off.

f0dder, it seems there is no way we are ever going to agree on this.

Every UAC notification is a false positive by design, because UAC doesn't know that the application is trying to do anything untoward, so it warns about practically all of them.

I hated UAC on Vista so much that I disabled it. On Windows 7 it doesn't seem that bad. But that might be because I've been using Ubuntu off and on since January (nearly a year now!) and I find Windows 7's UAC prompts to be about the same as Ubuntu's "pop-up protection" (whatever it's called). Only Ubuntu's is "worse" because you have to type in your password every time to grant administrator privileges. At least in UAC you can just click the "Allow" button.

biox

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 74
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #12 on: December 09, 2009, 12:56 AM »

On the bad side, Kaspersky is awfully unfriendly to other AV and malware detecting applications. Here's a long list of applications Kaspersky claims are "incompatible" with it: http://support.kaspe...m/faq/?qid=208280128

The KAV installer detects all these products and uninstalls them (!) for you. Thankfully there is a prompt, but you cannot continue installing KAV as long as it detects any of the listed products. There is a procedure to skip the check, but it's not for the timid:
http://support.kaspe...nstall?qid=208280398

That's one hell of an un!impressive list. What's got an AV to do with a firewall (Outpost in my case)?

kakarukeys

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 25
  • Save time play more
    • View Profile
    • Time-saving Guides, Windows and Office Tips to increase your productivity
    • Read more about this member.
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #13 on: December 09, 2009, 03:29 AM »
 ;D One month ago, after an update Avira started to brand all my AutoHotKey compiled programs as trojan. I began to think which part of the code triggered the false alarm, was it the low-level keyboard hook or the program's signature 'AutoHotKey'?
life is short, play hard

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #14 on: December 09, 2009, 05:32 PM »
Avira has always been bad about false positives. It's always been good about detecting the bad stuff, but I have never in good conscience been able to recommend it due to the false positives.

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,466
    • View Profile
    • Donate to Member
Re: How's *that* for a false positive? And is it? (Avira AV)
« Reply #15 on: December 10, 2009, 05:39 AM »
Avira has always been bad about false positives. It's always been good about detecting the bad stuff, but I have never in good conscience been able to recommend it due to the false positives.
Confirmed.

Maybe this one is of any interest here. "Many false alarms" is a no-go for a virus scanner IMO.