What is the best way to know if the files your AV detected are a FP?

Discussion in 'other anti-virus software' started by cheater87, May 4, 2009.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,122
    Location:
    Pennsylvania.
    I know one of the signs is when the computer stops working. What are some other signs?
     
  2. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293

    Your best bet is,uploading /sending them to the AV vendor that your using so that they can verify if the files are indeed a FP or not.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    If I suspect a FP, I go to the vendors forum and look around for posts that are similar to my issue. If they have a FP section, that's a good place to start.

    If I have no reason to believe it's dangerous, I don't quarantine it and upload the questionable file to VirusTotal or Jotti. If it comes up relatively clean there, I post on the vendors site or send them an email with the relative information and a link to the scan results so they can fix the FP. I don't recommend allowing a file out of quarantine for inexperienced users.
     
  4. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    1. use my discression (filename/location/date/detection name)
    2. google + virustotal it
    If I think its not a FP, then I've determined if its a FP or not.
    If FP/unsure
    3. send to the AV.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I send it to the AV company.
    avoids any guesswork. There should be quick reply and fixed within next update.
     
  6. Cloud_Shadow

    Cloud_Shadow Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    46
    First Google the file, about 95% times i find out what the file is, if i cant i upload it on virustotal.
     
  7. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I agree with Cloud_Shadow, first Google search the file.
    If that doesn't help, I scan it at VirusTotal.
    In some cases I will send it to the vendor. Especially if it looks like a false positive.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I agree with this step, and follow it myself all the time. Often, when you do this, there will be nothing there yet, so it becomes your job to post about the possible FP and wait for others to input what they are seeing. I have noticed over the years that there is a definite downside to being fast with downloading new updates... you get the full brunt of the FPs before the vendor has had the opportunity to iron them all out. I wonder sometimes if it wouldn't be smarter to NOT be so quick to install new updates... but I always end up opting for grabbing the most recent updates as soon as I can. What I've done instead is to stop using the applications that I believed were pumping out a high number of FPs.

    Edit in: Also, looking at the age of the file that is under scrutiny can be a clue. If it has been residing on your HD for a long time, and suddenly, after updating your AV (or other security app), it is being called a threat, it gives you a pretty good idea that the newest definitions contained a FP. If, otoh, the file is a new one, then maybe it is more likely to be an actual threat.
     
    Last edited: May 4, 2009
  9. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    First, do not needlessly ever download software from other than the program author's web site.

    If the author does not give either an email address for support questions, or a forum in which to ask questions, do not even bother downloading the software.

    Following the above advice will reduce the number of false positives and malware.

    Recently, I ran one of my own programs in KAV 7.1.0.325 and KIS 8.0.0.506, which has raised an issue that I am attempting to discuss at http://forum.kaspersky.com/index.php?showtopic=115496.

    In addttion, I recently found a company that has a product that will allegedly let you know whether your riskware is malware or not. As I have not investigated their methodology, I will not name the company, but I will point out that a few weeks ago, I accientally discovered that they had 3 of my programs listed as "CURRENTLY BEING REVIEWED".

    Their documents made very incorrect statements about the programs.
    I contacted them and just gave them pointers to the URLs for the programs, and they quickly whitelisted the programs.

    My impression is that they get requests from their own customers about particular files, and add lots of programs to the "CURRENTLY BEING REVIEWED" list. In effect, they are trying to scare folkes into buying their programs.

    If I had not contacted them, I wonder how long it would have taken for my programs to get whitelisted, if ever. Indeed, they mentioned my name in one listing, so they knew who I was.

    At some point, I want to further investigate their methodology, then air this discussion in an open forum.

    Wonder how many other companies are in this business.

    In any case, as others have said, the best you can do is send the allegedly FP to the AV vendor for confirmation.

    But, that does always work!

    A few years ago, I was a good-boy and sent such critters to Symantec, however, their mail program scanned the files at their end and just regurgitated the FP warning. These were with files I KNEW were false positives. So, do not bother sending files if they are going to merely pass thru an automatic filter, as that will likely generate the same FP as the AV software.

    Of course, as a programmer, I am capable of examining source code myself.
    I expect that few malware would have their source code available, but with all the nuts out there anything is possible.

    With MSFT Office, it is oft possible to examine even hidden source code, tho, these daze, nasty malware folkes are more likely to compile code into DLLs.
     
  10. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Finding the MD5 value of the file, and then googling that value can sometimes give answers...
     
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Try and recall if you've installed or changed anything recently on your PC.
    If not its most likely a FP.

    If you have installed new security or anti-rootkit scanners , they are often flagged as a FP.

    Check google and virustotal.

    That's usually my sequence.
     
  12. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    All good replies.
    I locate the file and examine its properties.
    Google the file name.
    Look on security forums, especially that of my AV.
    Upload the file to virustotal.
    Send it to my AV company.

    All depends on the circumstances. Some sets of circumstances will give a strong indication it is malware, such as new icons appearing, things not working, redirects to wrong pages etc.
    I haven't seen anything like that for quite a while.
     
  13. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Best to zip the file up and then send to AV maker.. Let them test the pest in the lab weither it could be FPs or not?
     
  14. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Another reason that does not always work is the following.

    A number of years agom as a member of distribution list, I receined a message that had an HTML doc as an attachment.

    NAV flagged it as a virus/warning.

    As I knew the author, I contacted him, and used his contacts in Symantec to remedy the problem in a short time.

    However, I've been using KAV/KIS for about 3 years now, they warn about the same message. I have not yet, and may never, take the time to report this to them.

    I can only guess that the particular message contains something that looks like a known virus signature.
     
  15. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    So whats your point?... they won't fix it unlessd they know there is a FP in the first place :D
     
  16. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Yes, but reporting such a message is way down my priority list.
     
  17. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    upload them www.jotti.org or www.virustotal.com
     
  18. Az7

    Az7 Registered Member

    Joined:
    Sep 14, 2005
    Posts:
    139
    :blink:

    You are asking about signs of infections ?

    * Files are changing in size, location, date/time etc..
    * Strange messages popping up ..
    * Strange sounds, graphics, icons, etc..
    * Slowdown in : booting, program execution, shutdown, etc..
    * Windows / antivirus / apps crash..
    * BSODs, hanging, ..
    * etc..
     
  19. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    the only real way to tell if its a FP for your chosen product is to upload it to them,not check using virustotal or any other site,there have been odd times wher only one or two products have detected things as being malware that was malware and the others haven't,using consensus to decide is not always accurate,only the vendor will be able to tell you without doubt as to whether their product is "telling the truth" or not
     
Loading...
Thread Status:
Not open for further replies.