Avast false positive?

After recent virus def update I tried to open a socks program
I have been using for years without any noticeable problem.

Avast stops the execution and automatically sends the file to the
vault, without asking me, even though my settings are set to ask first.

It gives the warning: socks program stopped, contains Win32:Evo-gen.
Looking up this virus, it sounds quite dangerous; it's reported as a
rootkit trojan that allows takeover of your system.

I ran Kaspersky's rootkit detector, no problems. AND Avast does not
detect the trojan when the executable for this socks program is scanned
on demand. Apparently it is doing something on execution that Avast
doesn't like in its new update; it never reported it before.

Reported it as a false positive to Avast. Anyone else had this one?


Re: Avast false positive?

wrote:


Check that your file system shield settings are still set to "Ask."
It's possible that successive updates to the base program did not
inherit all preferences.


There are scare sites on the internet that make hair-on-fire claims
and then offer a download of a "free" scanner/removal tool. Guess what
they do? (Note: there are probably genuinely helpful sites out there
but there are some bad actors, as well, so be careful.)

A Win32::*-gen detection *is* a potential threat but the -gen, for
"general," suffix indicates that Avast has not detected a specific
strain. There's a judgment call as to whether to flag something that
might be a problem but it isn't certain.


I've actually had this particular alert hit fairly often. It seems to
be triggered most often by executables compiled years ago (i.e., using
older library code, perhaps) that can alter other files. For example
the "ci" and "rcs" components of RCS, which I've been using for a long
time. Also a CRC installer, used to place a CRC value into loadable
Intel hex files for embedded processors, that I wrote and compiled.
I'm pretty sure I didn't build it with a rootkit component.

Too many false positives and the tool is a pain in the arse and nobody
will want to use it. But one false negative and the game's over.

Avast does appear to have added exceptions for the false positives
which I've reported.

Re: Avast false positive?



OK, thanks for the informative reply. Yeah, I wasted a lot of time trying
to figure out if this virus was real and was not happy about that.

It's the first false positive I've had with Avast. I like their program,
but it's a little too intrusive for my tastes. It used to be that only
Kaspersky was good at detecting trojans for me, but I guess they've
improved detection rates with programs like Avast.

I never click on those scare popups; they just remind me that I forgot to
turn off JavaScript, so I turn it off and reload the page and voila,
popups are gone. There are so many of these nowadays, like the crap that
Facebook keeps sticking in my face (I will never join them).

Yeah, you're probably right, the program I was running is very old, but
it was only on the latest update that Avast reported the virus.

Re: Avast false positive?

wrote:


And, just in case you're not aware of it, it's possible to get a quick
second opinion online for files smaller than 64 MB over at
<https://www.virustotal.com/>, for that extra peace of mind.
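A small helper for the second-opinion workflow described above, added here as an example and not code from anyone in this thread. It hashes a local file, checks it against the 64 MB upload limit quoted in the post, builds a VirusTotal v3 hash-lookup request (no upload needed when the hash is already known), and turns a report's `last_analysis_stats` into a plain verdict. The function names, the sample report and the "likely false positive" threshold are my own assumptions, not VirusTotal's.

```python
"""Second-opinion helper for an AV alert: hash the file, check the upload
size limit, and summarise a VirusTotal v3 hash-lookup response offline."""
import hashlib
import json
import os
import urllib.request

VT_SIZE_LIMIT = 64 * 1024 * 1024  # 64 MB, the limit quoted in the thread
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def within_upload_limit(path):
    return os.path.getsize(path) <= VT_SIZE_LIMIT


def build_lookup_request(sha256, api_key):
    """Hash lookup only; the v3 API takes the key in the x-apikey header."""
    return urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                  headers={"x-apikey": api_key})


def summarise(report):
    """Reduce 'last_analysis_stats' to a verdict a user can act on.
    Threshold is an assumption: a lone heuristic hit reads as a likely FP."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    if total == 0:
        verdict = "no results"
    elif flagged == 0:
        verdict = "clean"
    elif flagged <= max(2, total // 20):
        verdict = "likely false positive"
    else:
        verdict = "likely malicious"
    return {"flagged": flagged, "total": total, "verdict": verdict}


# Constructed sample response in the v3 shape; not real VirusTotal output.
SAMPLE_REPORT = json.loads('{"data": {"attributes": {"last_analysis_stats": '
                           '{"harmless": 0, "malicious": 1, "suspicious": 0, '
                           '"undetected": 68, "timeout": 0}}}}')
```

Run it against a real report by sending `build_lookup_request(sha256_of_file(path), key)` with `urllib.request.urlopen` and passing the parsed JSON to `summarise`.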

Re: Avast false positive?



Thanks for the URL, I was looking for just such a service, looks good :-)
BTW, the file that Avast alerted on came out clean on VirusTotal.

