Wilders Security Forums  

  #1  
Old February 20th, 2010, 01:35 AM
pdr pdr is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 14
Default False Positives

Hi Returnil People:

If the Virus Scan finds a file that it flags as suspicious, is there some way that I can check if that file is a false positive or not?

Thanks,

Peter
  #2  
Old February 20th, 2010, 09:27 AM
cyberdiva cyberdiva is offline
Regular Poster
 
Join Date: May 2007
Posts: 71
Default Re: False Positives

Hi, Peter. You can upload the suspect file to VirusTotal at http://www.virustotal.com/. It runs it by about 40 different antivirus programs, including most of the well-known ones, and reports what each of them finds.

I might add that I found Returnil's Anti-Virus very unreliable. It claimed that I had a number of viruses, trojans, and the like when all other security programs I use said the files were fine. I finally disabled Returnil's AV.
  #3  
Old February 22nd, 2010, 10:12 AM
pdr pdr is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 14
Default Re: False Positives

Hello Cyberdiva:

I wonder if there are others who have similar experiences with the Virus Scan. I did, in fact, use the Virus Total web-site to verify the files in question. The results there made me wonder if the Returnil people are doing some checking for false positives, as do many anti-virus programs.

Anyhow, I am glad that you pointed out the existence of the VirusTotal web-site. It can be used to check any file on your system that you might suspect or wish to verify.

Peter
  #4  
Old February 22nd, 2010, 11:35 AM
Coldmoon Coldmoon is offline
Returnil Moderator
 
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Default Re: False Positives

Hi,
The new build we are testing now includes a feature where the alert messages can be exported to file. The file will be in XML format and can be sent with your false positive detection reports to our support address. Also, please check your VG sensitivity settings to see if the files are also detected using the standard definitions rather than the advanced analysis setting.

Are they detected at the lower setting?

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
  #5  
Old February 22nd, 2010, 11:54 AM
pdr pdr is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 14
Default Re: False Positives

Quote:
Originally Posted by Coldmoon
Hi, ... please check your VG sensitivity settings to see if the files are also detected using the standard definitions rather than the advanced analysis setting.

Are they detected at the lower setting?

Mike


Hi Mike:

Thank you for replying to my questions.

The Virus Guard Preferences are set at (I believe) the default: in the Real-time Advanced Malware Analysis mode:

The filled-in button is "Only proven detection rules (Recommended: This mode will identify only malicious programs)"

The button NOT filled in is: "Do not use advanced rules analysis."


In the section for Data Collection Policy, I have chosen: "Ask me for approval when parts of a malicious program are required for analysis".

Although I would have liked to know if the files identified are, in fact, malicious, I do not recall being asked by the program to send any programs (files?) to Returnil for analysis. So I am still not sure if there is a process for verifying possible False Positives.

Peter
  #6  
Old February 22nd, 2010, 01:27 PM
Coldmoon Coldmoon is offline
Returnil Moderator
 
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Default Re: False Positives

Hi Peter,
The data collection works independently and is sending information about behaviors and/or files of interest for more research. It does not send the files detected as they are...detected.

The new build (check your PM) allows you to export your alert messages so you can send that information to us more easily in false positive detection scenarios. Try the new build and send us a copy of the detection alerts (new green button on the messages when opened) and the files detected (in a password protected ZIP or RAR archive) so our (and Frisk's) team can investigate the issue in more detail.

Thanks
Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
  #7  
Old February 22nd, 2010, 04:18 PM
cyberdiva cyberdiva is offline
Regular Poster
 
Join Date: May 2007
Posts: 71
Default Re: False Positives

Quote:
Originally Posted by pdr
I wonder if there are others who have similar experiences with the Virus Scan.
Hi, Peter. As I recall, when I was having this problem, I encountered others on the forum who were also experiencing what they suspected were false positives. But even if I hadn't found other people, I'd have turned off Virus Guard. It produced more false positives in the few days that I had it active than all my other security software combined had produced in the 3 1/2 years I've used this computer. And I did not have Virus Guard set at a very high level.

I'm glad to hear that Returnil is going to take more active steps to monitor the false-positive problem. However, I have no plans to reinstate Virus Guard. I have very little patience for false positives--they waste my time and raise my anxiety level. And since I feel I have excellent protection from my other security software, I see no reason to use Virus Guard.
  #8  
Old February 22nd, 2010, 05:56 PM
Coldmoon Coldmoon is offline
Returnil Moderator
 
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Default Re: False Positives

Quote:
Originally Posted by cyberdiva
Hi, Peter. As I recall, when I was having this problem, I encountered others on the forum who were also experiencing what they suspected were false positives. But even if I hadn't found other people, I'd have turned off Virus Guard. It produced more false positives in the few days that I had it active than all my other security software combined had produced in the 3 1/2 years I've used this computer. And I did not have Virus Guard set at a very high level.

I'm glad to hear that Returnil is going to take more active steps to monitor the false-positive problem. However, I have no plans to reinstate Virus Guard. I have very little patience for false positives--they waste my time and raise my anxiety level. And since I feel I have excellent protection from my other security software, I see no reason to use Virus Guard.

Hi,
Nor should you feel compelled to use it if it is not useful in your setup. It is there to do what it does, not because we require its use. Further, we have been investigating every FP report we get and will continue to do so...

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
  #9  
Old February 22nd, 2010, 07:48 PM
pdr pdr is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 14
Default Re: False Positives

Hi Cyberdiva:

I understand the stress of having a lot of virus warnings, having had quite a few of them with the Returnil virus scans. However, it seems that Mike's offer will allow me to report some of them, for more direct study than that available via Virus Total or other general analysis.

So I will try that out. I hope that I will be able to get some feedback on the files that I do submit; then I will feel a bit more confident that the positives really are false. And hopefully, that will improve the virus scanning machine that Returnil is using.

But I have to admit that I really hate spending time on this sort of thing. I would wish all kinds of plagues to personally descend on those creeps that invent these insidious malware programs that cause so much distress to others. (End of rant.)

Peter
 

All times are GMT -4.

