Antivir FPs

For Pete f-in sake, now I'm getting all kinds of FPs from Firefox Cache files with Antivir. I uploaded them and Avira says they're not FPs, but I'm pretty freakin sure they are.

This false positive crap is starting to piss me off with this product. Come on Avira, pull thy heads from thy butt.

It says the files are browser exploits. WTF

 

Hmmm well turn it down to medium don't have it on high. But i don't know why you get so many i use the latest verison of firefox and i have avira set on high and never have gotten a fp period...

 

They are not heuristic detections, so adjusting the heuristic won't help.

The file names are CC988759d01 and AEA54759d01

 

send them to heuristik2 (at) avira.com, i'm certain stefan kurtzhals will give them a look....

 

So these Exp/HTML.Unk detections are detected using the heuristic?

 

I never had so many fp's with avira.With heuristics set to high I did get a few.Turning it down to medium helped.

Not idea why you are getting "all kinds of" Fp's.

 

They're sent!

 

OK, maybe "all kinds" was overstated, just 2 THIS time. However, over the life of using this product (2 years or so), I've gotten "all kinds"!

 

Out of curiosity, what is it that makes you absolutely certain they aren't FPs?

 

Drew: I am not entirely certain, but you'll get a definite answer if you write there. However the naming convention indicates it's not a heuristic detection.

 

Because I scanned my computer with SAS, AVG, A2, KAV online scanner, FSecure online scanner, and I uploaded each file to jotti and virus total, and Avira was the only one to detect them.

 

KAV and F-Secure are practically the same scanner, and the rest aren't too hot at catching exploit files, TBH.

I'm just saying this because Avira was the only scanner to flag a BaoFeng exploit file a few days ago, both on Jotti and VT. Granted, the HTML heuristic is ridiculously prone to FPs (any iframe with height/width=0 sets it off), but I've been taking second looks since then before discounting Avira's HTML detections.

 

What's the deal with these exploit files then? They aren't actually a malacious program running, are they?

I don't know where they are coming from. Do they come from a website? I haven't visited any bad sites (that I know of!!!!).

 

Exploit files are not programs per se, they're data that instructs programs to do things you'd rather them not do, hence the name "exploit". But since you're using Firefox, chances are your browser is hardened against those exploit files, even though they've been downloaded to the cache.

You don't have to go to a bad site to get them. They can just as easily come from a compromised site.

I guess the lesson of this all is to never tell people to "pull thy heads from thy butt" unless you're 100% sure of what you're talking about, and even then it might not be such a good idea.

 

I've seen similar detection from Antivir when browsing the website of the main french ISP. One of them is labelled "Contains detection pattern of the exploits EXP/HTML.Unk" and the second one "Contains suspious code HEUR/Exploit.HTML".

Both of them actually contain obfuscated javascript code, very similar to what is usually used to hide browser exploits. I'm not sure (yet), but it looks like that the second one is coming from a web-based advertisement company (www[DOT]ads-click[DOT]com) and I guess its purpose is to prevent fraud (automatic clicks, etc.) Yet another inefficient attempt at insuring security through obscurity (you can do whatever you want with e.g. perl's WWW::Mechanize).

The first one is very similar to stuff I've seen on fraudulent websites.

In a sense, this is quite similar to the Sony rootkit case.

 

Yes, that was probably a bit harsh on my part.

Could these issues be caused perhaps by noscript? With the cross site scripting protection, a lot of legitimate scripting gets blocked. Could that be creating messed up cache files?

How could this be related to the sony rootkit?

 

DrewGT99, the way I see it is, all Avs have FPs. Relax, you have the best AV on the market protecting you. You have Stefan with Avira tweaking the software and any FPs. You are well protected, so just enjoy the product, and the internet.

 

let me help you jeff,

you have the best AV on the market protecting you

* a very bold comment!



@wdh2313 - please delete your post or the mods might see this thread as a 'policy one', and close it.

 

"I will back that bold comment"

 

That's the same philosophy

In order to protect their business, "good guys" are starting to use techniques initially developped by "bad guys" (rootkits/obfuscated code).

In both cases, the final user (you) has no means to know what is executed on its own computer.

I'm glad there are some antiviruses that detect that kind of nasty stuff. I hope it will help to limit the use of such bad practices by those online advertising companies.

 

Never had a FP with Antivir. Run Firefox all the time.

 

I have both my ondemand and real time heuristics on high and yet get no false positives ever except for an occasional one in the browser cache.

 

Last week on a clients PC, AntiVir detected what it called a system killer virus. It wasn't a heuristic detection. The file was ISRunOnceEXE.exe, part of the support package that's pre-installed on Dell PCs. They did acknowlege this as an FP.

I've had occasional problems with AntiVir and FPs on a couple of my clients PCs. I don't know exactly how many, estimating 4-6 per year total, which covers several clients.
Rick

 

This is what our HTML heuristic developer said about those "false positives":

-------------------

This is NO False Positive

It is an exploit. The heuristics is about 800 percent certain.
The highest score I've ever seen.
Decrypting it and checking the script I get a webviewfoldericon exploit,
AdoDB, XmlHttp, spraying to the heap, whatever you want (or don't want,
if it is your computer).

Short: It downloads and executes stuff.

--------------------

Smells like MPACK? Hm...

 

Thanks Stefan.

I have no clue what website I'm getting these from. Do you guys think it's exploits aimed more at Internet Explorer but still showing up in the Firefox cache?

AVG is now detecting the files on virustotal as an exploit.