#1
Avast came up with an alert to show that gss.exe has been infected by win32:ircbot_Kl Trojan. I have not yet been able to run the file via jotti or kaspersky online. As this file is more than 1mb, how could I get some independent confirmation?
Could that be a false positive?
Last edited by beethoven : December 19th, 2005 at 04:23 PM.
#2
Not sure why this was moved - I still think it is likely that the alert is a false positive and as such would be interesting to the developer of Ghost Security and the other users there.
#3
Quote:
Of course that would have been my reasoning for moving it if I had seen it first
__________________
Wilders - Terms of Service · Site FAQ · Searching the forum easier · The Art of Quoting in Posts
#4
Install KAV or Bitdefender's online scanner and see if it finds it.
#5
Downloading KAV right now
#6
Jotti works with samples up to 10MB.
Also, is it so hard to verify the source of the program? Google it maybe?
__________________
RejZoR's Little Secrets
#7
KAV is still scanning overall, but looking at the individual files, nothing showed up.
Jotti also did not show anything, including Avast. This brings me back to the original thought that Avast is showing gss.exe as a false positive and perhaps Jason might want to contact Avast?
#8
Quote:
#9
If I were the developer of a software program I would not want to rely on users to act on my behalf. Some of them may be lazy, don't know how to approach the correct people...
Personally I would find it important to ensure that my software is not incorrectly shown as problematic and most likely I have existing contacts in the industry to get things sorted out quicker. But then again, I may be wrong.
#10
If a company adds a false positive into its signature database, the onus is on them to fix it, not every developer they falsely claim is a virus/worm/spyware. Does it make you feel secure knowing your anti-virus company is having problems adding signatures to their database that it incorrectly flags other programs?
__________________
AppDefend - Protect your applications RegDefend - Protect your registry Ghost Security
#11
Jason, I fully agree that the mistake for FP is with the AV program and that they have to fix it. My point was just that not every user will take the steps to let the "faulty" program know that they should do something.
While I did send an email to their address, I don't know when and if they will take any amendment. If I am right and it is a FP, the longer it takes the more people will be unnecessarily alarmed by the innocent software, in this case RD. As for FP in general, I had them a few times. Some progs seem to be better at avoiding them than others, still I guess we have to live with them to a certain degree.
#12
I don't get it, what's the problem? It's a well known thing that FPs are fixed by AV vendor only. So, usually you send the FP report to AV vendor and they'll fix it. There were false positives by several AV vendors on my programs and users reported it to me FIRST. So I dealt with the FP by myself as developer.
So basically there ARE two ways, depends how people react. Honestly, false positives aren't such a big deal imo. They happen to everyone, starting at Norton and going through NOD32, BitDefender, McAfee, Kaspersky, avast!, AVG, AntiVir blablabla etc etc...
#13
Hi Beethoven,
I was experiencing the same problem as you. But it appears that Avast! has taken care of the issue with its latest virus definition update:
VPS file version: 0551-1, Compilation date: 12-20-05
The RegDefend program did not open at startup, however upon manually opening it, the program opened without a virus warning. Hoping Avast!'s technicians will acknowledge this assumption on my part. See my post on Avast! support forum: http://forum.avast.com/index.php?topic=18152.0
#14
Exclude the directory where the app is located or exclude the file itself from scans. I think at this point you can confirm it's a FP. If you still aren't comfy, scan with BitDefender's Online Scanner.
Last edited by tazdevl : December 20th, 2005 at 06:49 PM.
#15
Thanks tazdevl, an avast! support forum moderator has confirmed that this issue has been resolved with their virus database update earlier today.
But, in the future, I'll certainly keep your suggestion in mind, to exclude the file from an AV scan, in an effort to determine if the warning is a false positive one. Your feedback is appreciated.