I can't understand the Avira Lab response

Discussion in 'other anti-virus software' started by bonedriven, Aug 19, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    ~Private email removed per the Terms Of Service for using the forums.~

    First of all, why is the result in the alternative link different from their own report above?

    Secondly, it seems Avira now adds the file to FP again after some hours and says it is FP if you upload the same file again. So even the Avira lab can't decide if a file is malware or not sometimes?

    Thirdly, I sent a sample gamebooster.exe (from IObit) too when Avira detected it as malware. The lab has now confirmed that IT IS MALWARE. Thankfully, the alternative link's result is the same as its own report, "MALWARE". However, at this time I think I should believe in IObit but not Avira lab. Right?
     
    Last edited by a moderator: Aug 19, 2009
  2. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    OK. The situation is like this. I sent a file (tsepb.dat) to Avira lab. In the response mail, it confirmed the file as malware. But in the alternative link the mail had provided, it actually showed "false positive". The mail seems confusing to me, so I don't know if I missed something.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Thanks for summarizing the email contents. (I hope you understand about the need to remove private emails. We always suggest that people summarize in their own words what was written rather than posting verbatim any message. It's usually just as good in any case.)

    My take on this is that it's a timing issue. The report at the link (stating it was a F/P) and the email (stating it was malware) were generated at different times, of course. That is not unheard of. Think about how many files get submitted to these vendors. Not every submission results in some tech leaning over a keyboard for an hour doing a reverse engineering analysis. There is some automation involved, otherwise, the labs would be forever behind in a mass of files. But, it is not unreasonable to think that in some cases, a more in-depth analysis gets performed and a previous assessment gets overridden.

    The trick is to determine which statement is the accurate one. Logic would say that the first one was wrong because the second one was released later and corrected the first one. Perhaps the timestamp on the email vs. the time that the updated VDF was released, as noted in the link, would say which one was the "final" determination. (Or, in other words, if you rescan after loading the latest defs, what it determines is their final word on the file. Of course, the contents at the link are something that could be updated after the fact. The email can't be. So, I guess that is also the answer.)
     
  4. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thank you, admin.

    Avira lab is not that reliable I guess. :'(
     
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    In my case it was a system file; I have the heuristics set to high. Avira Premium said it was some medium-level virus. The results took about 8 hours, and the result stated clearly that it was a false positive. You could send the sample to VirusTotal if you don't think Avira is reliable.
     
  6. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Why do you think Avira is not that reliable? They had an FP and fixed it; surely it's a good thing fixing it, all AVs do this.
    And if Avira said it's malicious in the email and the link said it's an FP, there's not much confusion involved... at the time you sent it, they defined it as malicious, but changed their mind afterwards.

    Changing detections of a file multiple times is strange; I would have thought they would have maybe whitelisted it if it happens many times on a file. Not sure to what extent you are talking about in your initial post; my guess is it's only happened once or twice to an individual file. (I have no experience of this, so am only giving an assumption.)
    It may be considered greyware, which is why the decision flips sometimes, depending on the analyst.
     
    Last edited: Aug 21, 2009
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi carver, dawgg,

    It is neither a system file nor grayware. It is a file of the most popular IM in China, called "QQ".

    The problem between the file tsepb.dat and Avira has lasted for years. Since recently it is also detected by Norton, NOD32 and McAfee, people suspect there's really something wrong with the file. Even after Avira added the file to FP again a few days ago, there's still a doubt that it might be a compromise so that it won't affect the growing market of Avira in China. A Simplified Chinese version of Avira will also be released soon, in 2010.
     
  8. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    'Tis no reason to not detect it.
     
  9. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    It is only a doubt anyway...:doubt:
     