Virus Guard: False positives on other AV programs, disabled it

Discussion in 'General Returnil discussions' started by VanguardLH, Dec 30, 2010.

Thread Status:
Not open for further replies.
  1. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    I understand why many anti-virus programs trigger on the Nirsoft utilities that *I* chose to install on my host. At least, even with Virus Guard, I can whitelist those files by adding them to the Exclude list. That seems to happen with every AV product.

    However, Virus Guard was also false alerting on update files for Avast. I'd get an update for Avast which puts its file in the %temp% folder before extraction, and Virus Guard would alert on it. Well, I suppose it does have the malware signatures in it on which Virus Guard would alert. Alas, I cannot whitelist these temp files because they'll have a different, randomly generated numbered filename for each update. The last example of a false alert on Avast was:


    Date: 12/29/2010 10:45:14 PM
    Malware Type: Security risk
    Malware Id: W32/Heuristic-COC!Eldorado
    Detection Accuracy: Heuristically identified
    Location: \DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP\_AVAST5_\UNP55841812.TMP
    First accessed by: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\AVASTSVC.EXE
    Detected by: Real-time Scan in Standard Mode on 12/29/2010 10:45:09 PM started at 12/29/2010 10:22:11 PM
    Quarantine Status: Not quarantined.
    Restore Analysis: Done.
    Restore File: N/A

    Since I really don't need two AV programs attempting to provide the same basic coverage (and because Avast has more features), I disable Virus Guard in RSS. Presumably Avast will still be active in the virtualized state (although anything it quarantines or any action committed by it, like deleting a file, will probably get lost on a reboot).

    While Virus Guard may have won a VB100 award, many low-coverage performers happen to make that list. Plus VB lets failed products get updated by their vendors to retry passing the VB testing (I forget how many retries they get, but I think it's 3), so rather than a fair test the failed vendors get a chance to cover their butts. I stopped relying on VB100 awards a long time ago. AV products with low coverage (anything below 90%) can still get the VB100 award. I'd rather trust a site like av-comparatives.org, but even their testing is limited. Virus Guard isn't even mentioned at that site, which could be the vendor requesting their product not get tested (which is how Comodo kept their poor AV program from inclusion, and also by keeping it in "beta" status for somewhere around 3 years), asking that the results not be published, or their coverage being too low to include in the report with the other top performers.

    I don't see the point of duplicating AV programs on my host especially since they may conflict with each other, duplicate some of their detection abilities, and can false alert on each other during updates. So I'll go with Avast and disable RSS' Virus Guard. Hopefully there aren't other functions of Virus Guard that would be lost that aren't specifically the realm of AV programs but some additional protection offered by Virus Guard.
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Send all false positive reports to us with a copy of the file(s) detected to: support (dash) tech (at) returnil (dot) com

    Include a copy of your Virus Guard log as well (Virus Guard > Log > Export button)

    Mike
     
  3. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    Alas, as with most AV updates, they create a temp file from which to extract its update files and then delete these temp files when the update is over. So I got the alert from Virus Guard about the temp file created by Avast, Avast completed its update, and then the temp file was gone. By the time I got around to handling the alert and deciding it was an Avast update file, the file was already gone. There's no point in adding to Virus Guard's exclusion list since the temp filename will likely be different next time.

    Thanks for the e-mail address where I send suspect e-mails (that I figure are false positives).
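The record pasted in the first post and the problem raised in the third (the temp file has a random name and is gone by the time the alert is handled) lend themselves to a small triage script. The following is an added example, not code from Returnil or from the poster: it parses exported Virus Guard records in the key/value layout shown above, then flags heuristic-only hits that sit under a known AV vendor's unpacking directory and were first touched by that vendor's own service. The match is on the directory and the accessing process, never on the randomly named .TMP file. The TRUSTED_UPDATERS table and the second sample record are assumptions constructed for illustration.

```python
"""Triage Virus Guard detection records for probable AV-update false positives.

Added example, not Returnil's or the poster's own code. The first sample
record is the one pasted in the thread; the second record, the updater table
and the triage rule are constructed assumptions for illustration.
"""

# Constructed sample log: record 1 is the thread's Avast update hit, record 2
# is a made-up, signature-based, quarantined hit that must NOT be waved through.
SAMPLE_LOG = r"""
Date: 12/29/2010 10:45:14 PM
Malware Type: Security risk
Malware Id: W32/Heuristic-COC!Eldorado
Detection Accuracy: Heuristically identified
Location: \DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP\_AVAST5_\UNP55841812.TMP
First accessed by: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\AVASTSVC.EXE
Detected by: Real-time Scan in Standard Mode on 12/29/2010 10:45:09 PM started at 12/29/2010 10:22:11 PM
Quarantine Status: Not quarantined.
Restore Analysis: Done.
Restore File: N/A

Date: 12/30/2010 09:01:00 AM
Malware Type: Trojan
Malware Id: Example.Constructed.A
Detection Accuracy: Signature identified
Location: \DEVICE\HARDDISKVOLUME1\USERS\BOB\DOWNLOADS\SETUP.EXE
First accessed by: \DEVICE\HARDDISKVOLUME1\WINDOWS\EXPLORER.EXE
Quarantine Status: Quarantined.
"""

# Assumed table of AV updaters that unpack into a vendor-specific temp folder.
# Keyed on directory prefix and accessing binary, because the .TMP name is
# regenerated on every update and cannot be whitelisted individually.
TRUSTED_UPDATERS = [
    {
        "name": "avast",
        "temp_dir": "\\WINDOWS\\TEMP\\_AVAST5_\\",
        "process": "\\ALWIL SOFTWARE\\AVAST5\\AVASTSVC.EXE",
    },
]


def parse_log(text):
    """Split an exported log into records; each record is a dict of its
    'Key: value' lines. Blank lines separate records."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def triage(record):
    """Return ('probable-update-fp', vendor) when a heuristic-only hit lives
    in a trusted updater's temp folder and was first accessed by that
    updater's service; otherwise ('investigate', None)."""
    location = record.get("Location", "").upper()
    process = record.get("First accessed by", "").upper()
    heuristic = "HEURISTIC" in record.get("Detection Accuracy", "").upper()
    for updater in TRUSTED_UPDATERS:
        in_temp = updater["temp_dir"] in location
        by_service = process.endswith(updater["process"])
        if heuristic and in_temp and by_service:
            return ("probable-update-fp", updater["name"])
    return ("investigate", None)


def next_step(record):
    """Human-readable follow-up. For an unquarantined temp file the copy must
    be taken immediately, since the updater deletes it when it finishes."""
    verdict, vendor = triage(record)
    if verdict == "probable-update-fp":
        if "NOT" in record.get("Quarantine Status", "").upper():
            return f"likely {vendor} update FP; copy the file now, it is transient"
        return f"likely {vendor} update FP; submit quarantined copy with exported log"
    return "investigate: no trusted-updater match"


def triage_log(text):
    """Convenience wrapper: one (malware id, verdict, next step) per record."""
    return [(r.get("Malware Id"), triage(r)[0], next_step(r)) for r in parse_log(text)]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

The rule deliberately requires all three conditions (heuristic verdict, vendor temp directory, vendor service as first accessor); a signature hit, or a file in that folder dropped by some other process, still goes to the "investigate" queue.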
     