False Positives

Discussion in 'General Returnil discussions' started by pdr, Feb 20, 2010.

Thread Status:
Not open for further replies.
  1. pdr

    pdr Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    14
    Hi Returnil People:

    If the Virus Scan finds a file that it flags as suspicious, is there some way that I can check if that file is a false positive or not?

    Thanks,

    Peter
     
  2. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    72
    Hi, Peter. You can upload the suspect file to VirusTotal at http://www.virustotal.com/. It runs it by about 40 different antivirus programs, including most of the well-known ones, and reports what each of them finds.

    I might add that I found Returnil's Anti-Virus very unreliable. It claimed that I had a number of viruses, trojans, and the like when all other security programs I use said the files were fine. I finally disabled Returnil's AV.
     
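The triage step cyberdiva describes (check the flagged file against many engines before deciding it is a false positive) can be scripted so that the file is hashed locally first, since a hash lookup on VirusTotal avoids uploading a possibly private file at all. The following is an added example for this thread, not code from Returnil, VirusTotal or any poster; the engine names and per-engine verdicts in SAMPLE_REPORT are constructed stand-ins for the multi-engine result you would read off the VirusTotal page, and the thresholds in `triage` are assumptions, not VirusTotal's own logic.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample bytes standing in for a file the scanner flagged (not a real program).
SAMPLE_BYTES = b"constructed harmless sample bytes, not a real program\n"

# Constructed stand-in for a multi-engine scan result keyed by engine name.
# None means that engine reported the file clean. Not a real VirusTotal response.
SAMPLE_REPORT = {
    "EngineA": None, "EngineB": None, "EngineC": "Heur.Suspicious.Gen",
    "EngineD": None, "EngineE": None, "EngineF": None, "EngineG": None,
    "EngineH": None, "EngineI": None, "EngineJ": None,
}

# Tokens that usually mark a heuristic or generic (rather than a specific) detection name.
GENERIC_TOKENS = {"heur", "heuristic", "gen", "generic", "suspicious", "susp"}


def sha256_of_file(path):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_verdicts(report):
    """Return (engine_count, detection_count, {engine: detection_name})."""
    detections = {engine: name for engine, name in report.items() if name}
    return len(report), len(detections), detections


def is_generic_name(name):
    """True when every recognisable part of the detection name is a heuristic/generic token."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]
    return any(t in GENERIC_TOKENS for t in tokens)


def triage(report, max_ratio=0.1):
    """Classify a multi-engine result (thresholds are assumptions, not vendor policy).

    'likely_fp'      : at most max_ratio of engines flag it, all with generic names
    'needs_review'   : few engines flag it, but at least one name is specific
    'likely_malware' : more than max_ratio of engines flag it
    Either way the file still goes to the vendor's FP process; this only
    decides how urgently to treat it in the meantime.
    """
    engines, hits, names = summarize_verdicts(report)
    if engines == 0:
        return "unknown"
    if hits == 0:
        return "clean"
    if hits / engines > max_ratio:
        return "likely_malware"
    return "likely_fp" if all(is_generic_name(n) for n in names.values()) else "needs_review"


def demo():
    """Write the constructed sample to a temp file, hash it, and triage the constructed report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_BYTES)
    try:
        digest = sha256_of_file(path)
    finally:
        os.remove(path)
    return digest, triage(SAMPLE_REPORT)


if __name__ == "__main__":
    digest, verdict = demo()
    print(f"sha256={digest}\nverdict={verdict}")
```

Run it as-is to see the constructed case classified as `likely_fp` (one engine out of ten, with a heuristic name). For a real file, replace SAMPLE_BYTES with the flagged file's path, look the printed SHA-256 up before uploading anything, and transcribe the per-engine results into the report dict; a low detection count with specific names still deserves a closer look rather than an automatic dismissal.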
  3. pdr

    pdr Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    14
    Hello Cyberdiva:

    I wonder if there are others who have similar experiences with the Virus Scan. I did, in fact, use the Virus Total web-site to verify the files in question. The results there made me wonder if the Returnil people are doing some checking for false positives, as do many anti-virus programs.

    Anyhow, I am glad that you pointed out the existence of the VirusTotal web-site. It can be used to check any file on your system that you might suspect or wish to verify.

    Peter
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    The new build we are testing now includes a feature where the alert messages can be exported to file. The file will be in XML format and can be sent with your false positive detection reports to our support address. Also, please check your VG sensitivity settings to see if the files are also detected using the standard definitions rather than the advanced analysis setting.

    Are they detected at the lower setting?

    Mike
     
  5. pdr

    pdr Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    14

    Hi Mike:

    Thank you for replying to my questions.

    The Virus Guard Preferences are set at (I believe) the default: in the Real-time Advanced Malware Analysis mode:

    The filled-in button is "Only proven detection rules (Recommended: This mode will identify only malicious programs)"

    The button NOT filled in is: "Do not use advanced rules analysis."


    In the section for Data Collection Policy, I have chosen: "Ask me for approval when parts of a malicious program are required for analysis".

    Although I would have liked to know if the files identified are, in fact, malicious, I do not recall being asked by the program to send any programs (files?) to Returnil for analysis. So I am still not sure if there is a process for verifying possible False Positives.

    Peter
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Peter,
    The data collection works independently and is sending information about behaviors and/or files of interest for more research. It does not send the files detected as they are...detected.

    The new build (check your PM) allows you to export your alert messages so you can send that information to us more easily in false positive detections scenarios. Try the new build and send us a copy of the detection alerts (new green button on the messages when opened) and the files detected (in a password protected ZIP or RAR archive) so our (and Frisk's) team can investigate the issue in more detail.

    Thanks
    Mike
     
  7. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    72
    Hi, Peter. As I recall, when I was having this problem, I encountered others on the forum who were also experiencing what they suspected were false positives. But even if I hadn't found other people, I'd have turned off Virus Guard. It produced more false positives in the few days that I had it active than all my other security software combined had produced in the 3 1/2 years I've used this computer. And I did not have Virus Guard set at a very high level.

    I'm glad to hear that Returnil is going to take more active steps to monitor the false-positive problem. However, I have no plans to reinstate Virus Guard. I have very little patience for false positives--they waste my time and raise my anxiety level. And since I feel I have excellent protection from my other security software, I see no reason to use Virus Guard.
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    Nor should you feel compelled to use it if it is not useful in your setup. It is there to do what it does, not because we require its use. Further, we have been investigating every FP report we get and will continue to do so...

    Mike
     
  9. pdr

    pdr Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    14
    Hi Cyberdiva:

    I understand the stress of having a lot of virus warnings, having had quite a few of them with the Returnil virus scans. However, it seems that Mike's offer will allow me to report some of them, for more direct study than that available via Virus Total or other general analysis.

    So I will try that out. I hope that I will be able to get some feedback on the files that I do submit; then I will feel a bit more confident that the positives really are false. And hopefully, that will improve the virus scanning machine that Returnil is using.

    But I have to admit that I really hate spending time on this sort of thing. I would wish all kinds of plagues to personally descend on those creeps that invent these insidious malware programs that cause so much distress to others. (End of rant.)

    Peter
     