Avira false positive maybe

Discussion in 'other anti-virus software' started by MalwareDie, Apr 15, 2007.

Thread Status:
Not open for further replies.
  1. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    It detects this:

    Virus or unwanted program 'TR/Dloader.BAK'
    detected in file 'C:\WINDOWS\Downloaded Program Files\HGStart9USA.exe' [TR/Dloader.BAK].

    And I cannot send this to fix it if it is a false positive.
     
  2. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Uhhh... that is queer. It detected it three times and then stopped detecting it, and Avira didn't have an update that fixed it.
     
  3. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I'm sure it's an FP because that file is used by ijji.com to launch Gunbound Revolution.

    The signature is TR/Dloader.BAK; the "Dloader" part is probably the updater it detected, because HGStart9USA.exe updates Gunbound.
     
  4. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    OK, I thought it was an FP, and it is now detecting it again. Where does Avira keep quarantined files? I can't compress it and send it to them.
     
  5. SteveS335

    SteveS335 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    43
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi MalwareDie, right-click the tray icon of AntiVir, click Start AntiVir to load the main GUI, click on the Quarantine tab, right-click on the quarantined item/items and choose Restore to, then browse to the folder where you want to restore it to.
    Send it here and let's know how it goes.

    http://analysis.avira.com/samples/index.php

    Thanks
     

    Attached Files: 1.jpg (90.9 KB)
  7. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Okay, I'll give it a shot when I get home. I can't believe I didn't consider doing that though.
     
  8. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    What's your heuristics level settings?
     
  9. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    It didn't detect it with heuristics, I think. The detection wasn't HEUR/something.
     
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Thanks, please let us know what they find :)
     
  11. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    They have confirmed it to be an FP and will fix it later.
     
  12. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    I'm just wondering now, though: how do AVs get FPs without heuristics? Generic signatures?
     
  13. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    False positives with "specific" signatures are much more common than you think.
    AFAIK this is possible by mere coincidence (when the right part of a file matches the signature) or when the virus analysts select by accident a part of the file that is common with other programs to create the signature. For example, if a signature for malware created with AutoIt is created using a string that exists in all or most AutoIt programs, a lot of legitimate AutoIt programs are detected as malware.

    If I'm wrong, I'm sure that members with much more knowledge (like Inspector Clouseau) can correct me.
     
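The signature-selection problem described in the previous post, as an added example (not code from the thread or from any AV vendor): a toy byte-substring scanner with two candidate signatures for the same constructed sample, one cut from a runtime string that every program built with the same toolkit shares (the post's AutoIt case) and one cut from bytes unique to the sample, plus the clean-set check a signature author would run before release. All file names, bytes and signature names here are constructed or hypothetical, and the scanner is a deliberate simplification of how real engines match.

```python
# Added example (not from the thread): a toy byte-signature scanner showing how
# a signature cut from a region shared by many clean programs produces false
# positives, and a clean-set check that would catch it before release.
# All samples, strings and signature names below are constructed, not real.

# Constructed stand-in for a runtime string present in every program built with
# the same toolkit (the post's AutoIt example). Hypothetical bytes.
SHARED_RUNTIME = b"TOOLKIT-RUNTIME-STUB v1.0"

# Constructed sample files: one unwanted downloader, two legitimate programs
# built with the same toolkit (the game launcher name is taken from the thread).
MALICIOUS = {
    "dloader_sample.exe": SHARED_RUNTIME + b"\x00fetch-and-run silent update\x00",
}
CLEAN = {
    "HGStart9USA.exe": SHARED_RUNTIME + b"\x00start game client\x00",
    "backup_tool.exe": SHARED_RUNTIME + b"\x00copy files nightly\x00",
}

# Two candidate signatures for the same malicious sample. "bad_choice" was cut
# from the shared runtime region; "good_choice" from bytes unique to the sample.
SIGNATURES = {
    "bad_choice": SHARED_RUNTIME[:16],
    "good_choice": b"fetch-and-run silent update",
}


def scan(signatures: dict, files: dict) -> dict:
    """Return {signature_name: sorted names of files whose bytes contain the pattern}."""
    return {
        name: sorted(f for f, data in files.items() if pattern in data)
        for name, pattern in signatures.items()
    }


def clean_set_hits(signatures: dict, clean_files: dict) -> dict:
    """Release check: signatures that fire on a known-clean corpus (should be empty)."""
    return {name: hits for name, hits in scan(signatures, clean_files).items() if hits}


if __name__ == "__main__":
    # Both signatures catch the sample, but only "bad_choice" also hits the clean files.
    print("detections:", scan(SIGNATURES, {**MALICIOUS, **CLEAN}))
    print("clean-set hits (false positives):", clean_set_hits(SIGNATURES, CLEAN))
```

Running it shows both signatures detecting the sample, while only the signature cut from the shared runtime string also fires on the two clean programs.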