Antivir FPs

Discussion in 'other anti-virus software' started by Drew99GT, Sep 24, 2007.

Thread Status:
Not open for further replies.
  1. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    For Pete f-in sake, now I'm getting all kinds of FPs from Firefox Cache files with Antivir. I uploaded them and Avira says they're not FPs, but I'm pretty freakin sure they are.

    This false positive crap is starting to piss me off with this product. Come on Avira, pull thy heads from thy butt.

    It says the files are browser exploits. WTFo_O :mad:
     
  2. wdh2313

    wdh2313 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    18
    Hmmm well turn it down to medium, don't have it on high. But I don't know why you get so many; I use the latest version of Firefox and I have Avira set on high and never have gotten an FP, period...
     
  3. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    They are not heuristic detections, so adjusting the heuristic won't help.

    The file names are CC988759d01 and AEA54759d01
     
  4. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Send them to heuristik2 (at) avira.com, I'm certain Stefan Kurtzhals will give them a look....
     
    Last edited: Sep 24, 2007
  5. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    So these Exp/HTML.Unk detections are detected using the heuristic?
     
  6. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    I never had so many FPs with Avira. With heuristics set to high I did get a few. Turning it down to medium helped.

    No idea why you are getting "all kinds of" FPs.
     
  7. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs

    They're sent!
     
  8. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    OK, maybe "all kinds" was overstated, just 2 THIS time. However, over the life of using this product (2 years or so), I've gotten "all kinds"!
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Out of curiosity, what is it that makes you absolutely certain they aren't FPs?
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Drew: I am not entirely certain, but you'll get a definite answer if you write there. However the naming convention indicates it's not a heuristic detection.
     
  11. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs

    Because I scanned my computer with SAS, AVG, A2, KAV online scanner, FSecure online scanner, and I uploaded each file to jotti and virus total, and Avira was the only one to detect them.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    KAV and F-Secure are practically the same scanner, and the rest aren't too hot at catching exploit files, TBH.

    I'm just saying this because Avira was the only scanner to flag a BaoFeng exploit file a few days ago, both on Jotti and VT. Granted, the HTML heuristic is ridiculously prone to FPs (any iframe with height/width=0 sets it off), but I've been taking second looks since then before discounting Avira's HTML detections.
     
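A small illustration of the kind of static HTML heuristic solcroft describes, and of why a rule that fires on any zero-size iframe by itself is FP-prone. This is added example code, not Avira's heuristic; both HTML snippets are constructed, and the escaped string in the second one is meaningless filler whose shape alone matters.

```python
import re

# Constructed sample: a hidden iframe on its own, as an ad or analytics page might use one.
BENIGN_HTML = """<html><body>
<p>Article text</p>
<iframe src="/pixel.html" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

# Constructed sample: hidden iframe plus the obfuscation markers an HTML heuristic weighs.
# The escaped string decodes to "ABCDEFGHIJKLMNOP"; it is filler, not a payload.
SUSPICIOUS_HTML = """<html><body>
<iframe src="http://example.invalid/x" style="width:0;height:0;display:none"></iframe>
<script>var s="%41%42%43%44%45%46%47%48%49%4a%4b%4c%4d%4e%4f%50";eval(unescape(s));</script>
</body></html>"""

# An iframe whose attribute or inline style collapses it to zero size or hides it.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*?(?:width\s*[:=]\s*["\']?0|height\s*[:=]\s*["\']?0|display\s*:\s*none)',
    re.I)
# Script constructs that decode and run data at runtime.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# Long runs of percent- or hex-escaped bytes, typical of an encoded script body.
LONG_ESCAPED = re.compile(r'(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}', re.I)


def score_html(html):
    """Return (score, indicators) for one HTML document.

    A hidden iframe alone scores 1; that single signal is exactly the case
    that produces false positives on tracking pixels and ad frames, so the
    verdict requires corroborating indicators.
    """
    indicators = []
    if HIDDEN_IFRAME.search(html):
        indicators.append("hidden_iframe")
    hits = [t for t in OBFUSCATION_TOKENS if t in html]
    if hits:
        indicators.append("obfuscation:" + ",".join(hits))
    if LONG_ESCAPED.search(html):
        indicators.append("long_escaped_string")
    return len(indicators), indicators


def is_suspicious(html):
    """Flag only when at least two independent indicators are present."""
    return score_html(html)[0] >= 2
```

Run over a browser cache directory, the same function gives a second opinion on which flagged files carry more than a lone hidden iframe.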
  13. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    What's the deal with these exploit files then? They aren't actually a malicious program running, are they?

    I don't know where they are coming from. Do they come from a website? I haven't visited any bad sites (that I know of!!!!).
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exploit files are not programs per se, they're data that instructs programs to do things you'd rather them not do, hence the name "exploit". But since you're using Firefox, chances are your browser is hardened against those exploit files, even though they've been downloaded to the cache.

    You don't have to go to a bad site to get them. They can just as easily come from a compromised site.

    I guess the lesson of this all is to never tell people to "pull thy heads from thy butt" unless you're 100% sure of what you're talking about, and even then it might not be such a good idea.
     
  15. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    I've seen similar detections from Antivir when browsing the website of the main French ISP. One of them is labelled "Contains detection pattern of the exploits EXP/HTML.Unk" and the second one "Contains suspicious code HEUR/Exploit.HTML".

    Both of them actually contain obfuscated JavaScript code, very similar to what is usually used to hide browser exploits. I'm not sure (yet), but it looks like the second one is coming from a web-based advertisement company (www[DOT]ads-click[DOT]com) and I guess its purpose is to prevent fraud (automatic clicks, etc.). Yet another inefficient attempt at ensuring security through obscurity (you can do whatever you want with e.g. Perl's WWW::Mechanize).

    The first one is very similar to stuff I've seen on fraudulent websites.

    In a sense, this is quite similar to the Sony rootkit case.
     
  16. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    Yes, that was probably a bit harsh on my part.

    Could these issues perhaps be caused by NoScript? With the cross-site scripting protection, a lot of legitimate scripting gets blocked. Could that be creating messed-up cache files?

    How could this be related to the sony rootkit?
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    DrewGT99, the way I see it is, all Avs have FPs. Relax, you have the best AV on the market protecting you. You have Stefan with Avira tweaking the software and any FPs. You are well protected, so just enjoy the product, and the internet.;)
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Let me help you Jeff,

    you have the best AV on the market protecting you

    * a very bold comment!

    :D

    @wdh2313 - please delete your post or the mods might see this thread as a 'policy one', and close it.
     
    Last edited: Sep 24, 2007
  19. wdh2313

    wdh2313 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    18
    "I will back that bold comment"
     
  20. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    That's the same philosophy ;)

    In order to protect their business, "good guys" are starting to use techniques initially developed by "bad guys" (rootkits/obfuscated code).

    In both cases, the final user (you) has no means to know what is executed on their own computer.

    I'm glad there are some antiviruses that detect that kind of nasty stuff. I hope it will help to limit the use of such bad practices by those online advertising companies.
     
  21. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    :doubt: Never had a FP with Antivir. :blink: Run Firefox all the time.
     
  22. Arup

    Arup Guest

    I have both my on-demand and real-time heuristics on high and yet get no false positives ever, except for an occasional one in the browser cache.
     
  23. herbalist

    herbalist Guest

    Last week on a client's PC, AntiVir detected what it called a system killer virus. It wasn't a heuristic detection. The file was ISRunOnceEXE.exe, part of the support package that's pre-installed on Dell PCs. They did acknowledge this as an FP.

    I've had occasional problems with AntiVir and FPs on a couple of my clients' PCs. I don't know exactly how many, estimating 4-6 per year total, which covers several clients.
    Rick
     
  24. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    This is what our HTML heuristic developer said about those "false positives":

    -------------------

    This is NO False Positive

    It is an exploit. The heuristic is about 800 percent certain.
    The highest score I've ever seen.
    Decrypting it and checking the script I get a webviewfoldericon exploit,
    AdoDB, XmlHttp, spraying to the heap, whatever you want (or don't want,
    if it is your computer).

    Short: It downloads and executes stuff.

    --------------------

    Smells like MPACK? Hm...
     
  25. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    Thanks Stefan. :thumb:

    I have no clue what website I'm getting these from. Do you guys think it's exploits aimed more at Internet Explorer but still showing up in the Firefox cache?

    AVG is now detecting the files on virustotal as an exploit.
     