Another false positive?


I haven't had any threats for months and now TWO within a week! The previous
was VideoReDoPlus-2-1-1-413.exe, Tracking number 433125, which I confirmed a
day or so ago was a false positive.

This one is another 'movie software' file (part of FFDshow I think):
C:\WINDOWS\system32\ff_vfw.dll

My Antivir Personal has just reported that it "Contains a recognition pattern
of the (harmful) BDS/Bot.111287 back-door program"

Yet it's been on my HD for ages.

I've sent it to Avira for analysis.

Virus Total online shows it as OK for all 41 programs, including Avira
AntiVir, version 7.9.1.154, update 2010.01.27

How can that be contradicted by my local Antivir Personal (free), which was
updated this morning as usual?

--
Terry, East Grinstead, UK

Re: Another false positive?



Terry Pinnell wrote:
[...]
No guarantees, but this sounds like the reason I stopped using AVG free
a while back. Far too many false positives all of a sudden.

I now use Kaspersky Internet Security, which is a real PITA when you're
installing stuff, but I've had no false positives as yet, and no obvious
false negatives.

Eset's another I've seen recommended and I used it until the sub came up
for renewal.

--
Tciao for Now!

John.

Re: Another false positive?



On 1/27/10, Terry Pinnell posted:

I also have gotten a few false positives from Norton Internet Security
2010. I can't say I enjoy them :-)

The main problem is that it's hard to keep them intact or get them
back, since in spite of how I *think* I configured the app, some items
are removed without giving me any recourse.

One friend has pointed out that it *is* possible that the program was
recently corrupted in spite of having been on my computer for years. I
agree, but somehow I don't think it happened: I suspect a new overly
enthusiastic signature.

I also experienced a reversal of fortunes, i.e., a putative virus was
not flagged again after I managed to recreate the program (in at least
one case, from a Norton quarantine, so the file was as before). This
leads me to believe that the new signature was pulled in a later
update.

I think we're stuck with this sort of hassle regardless of which AV
program we use, unless we abandon all our AV programs.

For anyone who's about to tell me that Norton is a virus, don't bother,
I won't be listening :-)

--
Gene Bloch 650.366.4267 lettersatblochg.com



Re: Another false positive?




[...]

I had Norton preinstalled on this computer, I *was* going to let it run
until its subscription expired - but it deleted files even though I had
it configured to only ask.

...it's gone now!

[...]





Re: Another false positive?



On 1/27/10, FromTheRafters posted:


When this subscription expires, it might go away here too, but in
general it is approximately OK. My major complaint is what happens when
I try to restore from a restore point. There is a way - actually a
pretty easy one - to make it work, but it requires remembering to do
the trick. I usually remember after the initial failure :-)

I had that problem since last year's version (Norton Internet Security
2009). It amazes me that Norton has neither fixed it nor advised users
about it... It wouldn't surprise me if it's older than that, but I had
avoided Norton for a while until the 2009 version got stellar reviews.

Norton is also pretty wonky after a system restore. It loses track of
where it is (in terms of definition updates) & it takes a while for it
to straighten itself out, and while it's happening the messages and
choices are very misleading. In fact, I'd have to say crazy. It
shouldn't confuse a very experienced guy like me; what will it do to
relative novices?

They should hire me for PR, don't you think? After all, as I said, I'm
a satisfied user.

--
Gene Bloch 650.366.4267 lettersatblochg.com



Re: Another false positive?



I actually liked NAV 5.0, never had a problem with it even after it
"expired". Definitions could still be downloaded even though it
indicated otherwise. After that, new versions tried doing too much
(bloat) and I went with free alternatives (AVG, AntiVir, and Avast!).



Re: Another false positive?




I remember it as if it were yesterday...

I have my ideas on why this might be, and have in the past discussed
this in the virus groups. It would be nice to hear it from "the horse's
mouth" so to speak - could you ask the good folks at Avira?



Re: Another false positive?




Can you summarise, or point me to a relevant post please? Whatever the cause
is, it seems to imply that my simple assumptions are wrong. Such as: daily
definition updates keep me, er, up-to-date.

As well as posting to the Labs I also posted to the forum, but I have little
hope of any explanation forthcoming from there. See my post a minute ago, 'No
replies allowed in Avira forums?'.

--
Terry, East Grinstead, UK

Re: Another false positive?



AntiVir has options that may not match between your installation and
VirusTotal's installation. Particularly, under configuration - expert
mode - heuristics. That, and the fact that VT won't have the luxury of
context scanning since it is a file submission service.

I looked back at your discussion in their forum, and noticed they had it
marked as resolved (closed) or some such thing. This after wrongly
telling you that the file was indeed "MALWARE" and you still doubting
their results. Readers of that thread will probably never know the
truth.

...still, it *is* a free service <G>


