Avira false positive maybe

Discussion in 'other anti-virus software' started by MalwareDie, Apr 15, 2007.

Thread Status:
Not open for further replies.
  1. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    It detects this:

    Virus or unwanted program 'TR/Dloader.BAK'
    detected in file 'C:\WINDOWS\Downloaded Program Files\HGStart9USA.exe' [TR/Dloader.BAK].

    And i cannot send this to fix it if it is a false positive.
     
  2. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    uhhh... that is queer. it detetcted it three times and then stopped detecting it and Avira didn't have an update that fixed it.
     
  3. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Im sure its an fp because that file is used by ijji.com to launch gunbound revolution.

    The signature TR/Dloader.BAK, The dloader part is probably the updater it detected because HGStart9USA.exe updates gunbound.
     
  4. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Ok i thought it was an fp and it is now detecting it again. Where does Avira keep quarantined files? I cant compress it and send it to them.
     
  5. SteveS335

    SteveS335 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    43
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    Hi MalwareDiw, rightclick tray icon of Antivir, click Start Antivir to load the main GUI, click on Quarantine tab, RightClick on the Quarantined item/ items and choose Restore to, then browse to the folder where u want to restore it to.
    Send it here and let,s know how it goes.

    http://analysis.avira.com/samples/index.php

    Thanks
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      90.9 KB
      Views:
      401
  7. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Okay ill give it a shot when I get home. I can't believe I didn't consider doing that though.
     
  8. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,624
    Location:
    Sneffels volcano
    What's your heuristics level settings?
     
  9. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    It didnt detect it with heuristics I think. The detection wasnt HEUR/something.
     
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,624
    Location:
    Sneffels volcano
    Thanks, please let us know what they find :)
     
  11. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    They have confirmed it to be an fp and wil fix it later.
     
  12. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    I'm just wondering now though. how do AV's get fps without heuristics? generic signatures?
     
  13. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    False positives with "specific" signatures are much more common than you think.
    AFAIK this is possible by mere coincidence (when the right part of a file matches the signature) or when the virus analysts select by accident a part of the file that it's common with other programs to create the signature. For example if a signature for malware created with AutoIt is created using a string that exist in all or most AutoIt program, a lot of legitimate autoit programs are detected as malware.

    If I'm wrong I'm sure that members with much more knowledge (like Inspector Clouseau) can correct me.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.