Antivir Classic Installer False Positive

Discussion in 'ewido anti-spyware forum' started by Londonbeat, Dec 6, 2006.

Thread Status:
Not open for further replies.
  1. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    AVG AS with latest updates is detecting the Antivir Classic installer (antivir_workstation_win7u_en_h.exe) as Trojan.Qhost.dx

    Is this already known?

    Londonbeat
     
    Last edited: Dec 6, 2006
  2. strangequark

    strangequark Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    296
    Location:
    OZ
    I have the same thing. This isn't the first time AVG AS has labeled another security program as a trojan; not long ago it was ProcessGuard and PortExplorer. Their false positive record overall, even with heuristics turned off, is fairly bad. I won't be renewing my license with them next time around but will rely on BOClean, which in my humble opinion is a far superior product.
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  4. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Sorry for this. We will fix this false-positive with the next update.

    We're sorry for the inconvenience.
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Please keep in mind that BOClean scans starting applications only, as there is no file scanner. If you scan only 1% (or less) of all files on a computer, the chances that you hit a false positive are very low, which on the other hand does not automatically mean that there aren't any. Also, every scanner has these problems: AntiVir for example detected Internet Explorer as being infected yesterday, McAfee detected some Windows system files, Symantec had a false positive on the Nullsoft Installer (for many days or even weeks!) and so on...

    That's also the main disadvantage of having a public board like this one, as when a user has a problem (he might be the only one or one of the few users to have this problem) or there is a false positive (could affect many users or only some very old version of a quite unknown program), it's posted here. This makes the program look like there are many problems with it...
     
  6. strangequark

    strangequark Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    296
    Location:
    OZ
    Yes, I agree all scanners will from time to time put out a false positive reading, but a quick look through the ewido forum shows that ewido, sorry AVG AS, has quite a few, more than its fair share - again in my opinion, others may disagree. The thing that worries me is that this can create what could be called The Boy That Cried Wolf Syndrome: the more false positives a program labels can, and probably will, lead to a situation where a person starts not to take much notice of them and possibly starts to ignore them - "It's probably just another false positive, all the rest have been so I needn't worry about this one either" - BANG, infected. This happens; I've had to clean a couple of computers where people have thought just that. I doubt if anyone at these forums would fall for that three card trick, but the average person out there very well might, and in my experience has.

    And yes, you're right, BOClean is not a scanner, but you can drag any file onto the BOClean window and it will be scanned.

    I would have thought having a public board like this one would be of no disadvantage but just the opposite, you have a reasonably large group of security minded individuals continually testing the products of companies who are smart enough to try to have their product listed here, all for no cost to the company.

    As for AntiVir detecting Internet Explorer as being infected who can argue with that ;-)
     
    Last edited: Dec 7, 2006
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Actually the BOClean scanner is hidden/undocumented for a reason.....it's not reliable enough. :)

    I have both BOClean and ewido (I refuse to call it by its other name! ;)) and I have had more false positives with BOClean than with ewido, and I think what you're suggesting regarding "The Boy That Cried Wolf Syndrome" is very theoretical and I think you're wrong. Users are not IME going to say "It's probably just another false positive, all the rest have been so I needn't worry about this one either"; they will always be on alert when something is found or, amazingly enough... I often come across users who have skipped warnings for a while and now can't understand why they cannot clean "it" and why it keeps coming back now!

    BOClean has the advantage of having been around since the Stone Age and therefore perhaps detects things ewido doesn't.

    ewido on the other hand seems to offer much better cleaning when the monitor detects an infection.

    Just my 2 cents.
     
  8. strangequark

    strangequark Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    296
    Location:
    OZ
    I too have both BOClean and ewido (I'm with you on the name, ah the fun of being a recalcitrant), purchased them within a week of each other, within days of TDS going under. In that time I've had one false positive with BOClean, which I posted here; in the same amount of time I have had numerous false positives with ewido. As for TBTCW syndrome, I doubt anybody who is at all computer savvy will fall for it; it's the people who aren't and who don't want to be who are the ones I'm talking about, and as I mentioned before I have had to clean two computers of people, who should have known better, who did fall for it. Remember, people's knowledge or experience bank is made up of past experiences, and if those experiences keep saying 'it's ok, remember last time nothing happened' then there is the potential for trouble.
     