Antivir FPs

Discussion in 'other anti-virus software' started by Drew99GT, Sep 24, 2007.

Thread Status:
Not open for further replies.
  1. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Avira is usually the first with detection of new malware. Its proactive detection is crazy and I wouldn't wanna call heur FPs FPs at all, which is not the case here but is usually aimed at by anti-Avira nubs. Be glad, be very glad you're protected by the umbrella corporation.
     
  2. Arup

    Arup Guest

    Fully agreed, would rather have minor annoyance of FPs than go through an ITW virus which would hose my system, Avira does a fantastic job for sure.
     
  3. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    If AntiVir is looking for heap spraying as part of its heuristic, that's a pretty poor way to detect a JScript/ActiveX/HTML exploit, as there are infinite ways the heap spraying can be written as well as obfuscated.

    It must be able to detect solely on any attempt to pass an invalid 1st param to the setSlice method in WebViewFolderIcon, i.e. 0x7FFFFFFFF

    var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
    a.setSlice(0x7fffffff, 0, 0x41424344, 0);


    and there are an infinite number of ways to set that first param to 0x7FFFFFFFF

    AntiVir is pretty easily defeated by using a different technique to change that first param,

    e.g.

    // separate names so the control object 'a' is not overwritten
    var x = 1;
    var y = 0x7FFFFFFE;

    a.setSlice(x + y, 0, 0x41424344, 0);

    Among the 9 products that I've looked at, only NIS/NAV2008 can detect the above generically.

    So no, you don't have the best protection against drive-by attacks with AntiVir.
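
The distinction drawn in the post above, sketched as an added example (not part of the thread, and not how any product named here works): a literal-matching signature next to an emulation-style check that inspects the value actually reaching `setSlice`. The stub control, function names and sample strings are constructed for illustration, and treating 0x7fffffff as the invalid value is an assumption taken from the snippet in the post.

```javascript
// Assumption: the invalid first argument is the value used in the post's snippet.
const INVALID_FIRST_ARG = 0x7fffffff;
const TARGET_PROGID = /^WebViewFolderIcon\./i;

// Static signature: matches only when the literal is spelled out at the call.
function staticSignature(src) {
  return /\.setSlice\s*\(\s*0x7fffffff\b/i.test(src);
}

// Emulation-style check: run the script against a stub control and record
// the value that reaches setSlice, however the script computed it.
function emulatedCheck(src) {
  const hits = [];
  function ActiveXObjectStub(progId) {
    this.setSlice = (first) => {
      if (TARGET_PROGID.test(progId) && Number(first) === INVALID_FIRST_ARG) {
        hits.push({ progId, first });
      }
    };
  }
  try {
    // Constructed samples only; a real emulator would also isolate the
    // script from host globals instead of using new Function.
    new Function('ActiveXObject', '"use strict";' + src)(ActiveXObjectStub);
  } catch (e) {
    // A sample that throws later still counts if a hit was recorded first.
  }
  return hits.length > 0;
}

// Constructed samples mirroring the two snippets in the post, plus a benign call.
const literalSample = `
  var ctl = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
  ctl.setSlice(0x7fffffff, 0, 0x41424344, 0);`;
const computedSample = `
  var ctl = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
  var x = 1; var y = 0x7FFFFFFE;
  ctl.setSlice(x + y, 0, 0x41424344, 0);`;
const benignSample = `
  var ctl = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
  ctl.setSlice(1, 0, 0, 0);`;

function classify(src) {
  return { static: staticSignature(src), emulated: emulatedCheck(src) };
}
```

The static signature flags only the literal form, while the argument check flags both forms and leaves the benign call alone.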
     
  4. pcuser

    pcuser Registered Member

    Joined:
    Sep 1, 2005
    Posts:
    14
    Hi All,

    I am getting the following warning from Avira. The file is vsfilter.dll and vistacodecpack is a (well-known) pack of video codecs. At VirusTotal, only Avira and webwasher-gateway indicate a trojan. All the other scanners say it is clean. Has somebody else experienced the same?

    Ciao.
     
  5. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Most likely an FP, have you sent the file for analysis? http://analysis.avira.com/samples/index.php and/or virus[AT]avira.com
     