Avira PE Premium False Positive - Tale of Woe

Discussion in 'other anti-virus software' started by jaydub, May 2, 2007.

Thread Status:
Not open for further replies.
  1. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    I've had a thread running on the AntiVir forum for the last five days.

    http://forum.antivir.de/thread.php?threadid=21404

    The issue is that on a regular scan on April 9th, I had the file KumaGames_Install.exe get flagged as containing DR/Tool.PSkill.Q.229.

    I checked this at VirusTotal and the majority of antivirus vendors did not flag any issues with the file. I then submitted the file to Avira as a query false positive and had a response back on April 10th to confirm that the virus detection was a false positive.

    The email stated:

    "The file 'KumaGames_Install.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates."

    My expectation is for anti-virus companies to be able to resolve these sort of issues within 48 hours maximum.

    AntiVir is still flagging this file up as malware three weeks later and I am now unsurprisingly reaching the end of my patience with Avira.

    Is this typical?
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Not as far as I know, AVIRA has always been very fast at adding detection and fixing FPs from the reports I get...
     
  3. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    You need to manually rescan this file, otherwise it will still stay in your quarantine.
     
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I just downloaded it from here and AntiVir gives no warning here. (I have heuristics set to high and all extended threat categories except "Games" checked.)

    Have you updated your AntiVir?

    MD5 of KumaGames_Install.exe: 013d0db4f858bfce21e5a47c889480ef

    EDIT: My mistake, turns out that this file downloads another file to C:\Documents and Settings\(user)\My Documents\Downloads\GameZone also called KumaGames_Install.exe with MD5 value: eb1a4ed37752e35206f328622c5a764e . It seems indeed that this file is being detected as "DR/Tool.PsKill.Q.229"
     
    Last edited: May 2, 2007
  5. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    I have also submitted two fps that were confirmed to be fps that have not been fixed for 3 weeks.
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Were they heuristic detections? If so it could be why it takes some time. Also maybe it would be better if you wrote an e-mail to this address heuristik(at)antivir.de about it, if indeed it was heuristic detections? Include the samples detected in a password-protected archive/zip, and don't forget to mention the password in the e-mail you send.
     
  7. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    They were signature-based detections.
     
  8. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    I think the copy you downloaded was a compressed exe file (.exe.exe extension?), which explains why the detection only occurs once you have run it.

    Our file source is the Kuma Games web site:

    http://www.kumagames.com/

    Having saved the file, if I right-click scan the file in Explorer, it quarantines the file, identifying it as containing DR/Tool.PSkill.Q.229.

    My settings are similar to yours and are based on ColdPlay's settings.

    I have resubmitted the file again in the hope that some action takes place this time.
     
  9. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    Coldplay,

    I must be missing something here. Can you explain what you mean about manually rescanning.
     
  10. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    In the quarantine box, click on the item, then right-click to get the drop-down menu; there is a rescan option, do that. If they have updated their VDF, there will be no detection and then you can restore the file.
     
  11. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    Well, I'd try, but my quarantine box, which had about 20 entries in it is now mysteriously empty.

    Another Antivir feature?! :)
     
  12. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    That's strange, usually if a file is sent to AntiVir quarantine it stays there permanently (until it's deleted). Even if you select the option of 'restoring' the file, a copy of it still remains in quarantine.
     
  13. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    The problem seems to have been resolved.

    Having lost my quarantine files, I have downloaded the file again and now there is no malware detection.

    I then went on to submit this file to VirusTotal and it came up clean across all AV products. I now suspect Kuma have modified their install.exe file, rather than Avira having made any changes.
     
  14. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191

    using CCleaner?
     
  15. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    You can check this as Kjempen has given the MD5 above for the file that was being flagged: eb1a4ed37752e35206f328622c5a764e , virustotal will give you the MD5 of the new file you've re-downloaded, if it's the same then it's likely Antivir have updated to remove the false positive.
     
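Londonbeat's point above (does the re-downloaded file still have the MD5 kjempen reported, or did the publisher ship a different build?) is easy to settle programmatically. The following is an added example, not code from anyone in the thread or from Avira: it hashes a file, compares the digest with the hash that was being flagged, and states which of the two explanations fits. The sample bytes in the self-check are constructed; the `FLAGGED_MD5` constant is the value quoted in the thread. SHA-256 is recorded alongside MD5 because MD5 is collision-prone and a second digest costs nothing.

```python
import hashlib
from pathlib import Path

# MD5 of the KumaGames_Install.exe that AntiVir was detecting (from kjempen's post).
FLAGGED_MD5 = "eb1a4ed37752e35206f328622c5a764e"


def digests(data: bytes) -> dict:
    """Return hex MD5 and SHA-256 of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so large installers do not need to fit in RAM."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def assess_redownload(flagged_md5: str, new_md5: str, still_detected: bool) -> str:
    """Decide why a previously flagged download is (or is not) still detected.

    Same hash and no detection  -> the vendor removed the signature.
    Same hash and still detected -> the false positive is still open.
    Different hash              -> the publisher changed the file; the
                                   original detection was never re-tested.
    """
    if new_md5.lower() == flagged_md5.lower():
        return "still a false positive" if still_detected else "vendor removed detection"
    return "publisher changed the file"


if __name__ == "__main__":
    import sys

    # Usage: python check_fp.py <path-to-redownloaded-file> [detected|clean]
    path = sys.argv[1]
    detected = len(sys.argv) > 2 and sys.argv[2] == "detected"
    d = digest_file(path)
    print(f"md5    {d['md5']}")
    print(f"sha256 {d['sha256']}")
    print(assess_redownload(FLAGGED_MD5, d["md5"], detected))
```

Run it against the file you just downloaded; if the printed MD5 differs from the one kjempen posted, the installer was replaced upstream and the verdict tells you nothing about whether Avira fixed the signature.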
  16. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    Yes. I did run it!!

    Well spotted.
     
  17. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    The MD5 is now 819d051f92175be54d6e990abf23108a so the file has changed. My suspicions appear to be correct! :)
     
  18. jaydub

    jaydub Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    75
    My thanks for pointing out the significance of the MD5 - I'd completely missed that :)
     
  19. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Okay, my FPs are fixed. That took a million years. Next time I'll send to Stefan instead of through the site to make sure it doesn't take so long to get fixed.
     
  20. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    I have had just three False Positives in sixteen months of High Heuristic setting
    (have had more True Positives).

    One was nearly catastrophic, an innocent Symantec file that happened to be in many locations.

    Fresh Search Engine Update (September'06) and AntiVir refused to 'restart', an attempt to start from Program just froze system,
    then it would not boot Windows and had to GoBack to an earlier state.

    Could have booted into Safe Mode, as it does not try to load Guard.

    Did that after a repeat and a Safe Mode Scan found the offending files.

    The Temporary solution was to just reduce heuristic to Medium and a new Search Engine was up within hours of my submission.
     