Avira still picking up false positives

Started by ajm0528, August 22, 2008, 09:13:08 PM


ajm0528

Despite the fact that I disabled the heuristics thingy, Avira is still picking up false positives.  :(

Eddy

My Avira setup finds 'viruses' in the executables in the \System Volume Information\ hidden directory.
For example:
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\RP122\A0026205.exe
I also have heuristic scanning turned off.

Kind regards
Eddy
www.devotechs.com -- HIME : Huge Integer Math and Encryption library--

ajm0528

Quote from: Eddy on August 22, 2008, 09:21:24 PM
My Avira setup finds 'viruses' in the executables in the \System Volume Information\ hidden directory.
For example:
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\RP122\A0026205.exe
I also have heuristic scanning turned off.

Kind regards


Same here. That \System Volume Information\ directory keeps appearing lately.

Eddy

I have added the "D:\System Volume Information\" directory to the exception list of the guard. This makes Avira ignore this directory, but it still leaves me wondering whether Avira's warnings are false positives or not ...
So I uploaded a file that Avira signals as infected to the online virus scanner VirusTotal: http://www.virustotal.com
See the result of that scan in the attached zip file.
21 of 36 virus scanners find 'something' in my uploaded file, but as you can see, a lot of the scanners use a heuristic scan or simply label the file as 'suspicious'...

Kind regards
Eddy

[attachment deleted by admin]

hutch--

Eddy,

I gather these are PB files. Have you ever reported the problem to the vendor? I know with certainty that the PB compilers are sound and conform to the PE specs, but it may be worth pointing this problem out to them so they can have a play with it.
Download site for MASM32: https://masm32.com
New MASM Forum: https://masm32.com/board/index.php

jj2007

Quote from: hutch-- on August 24, 2008, 12:20:17 AM
I gather these are PB files.
vbaledit.ocx sounds more like a Visual Basic control. Where did you get the file from, in which folder did you find it? If it's a legitimate control, its origins should be traceable.

EDIT: Google is your friend... but it is still unclear why a nine-year-old MS Access control should trigger a virus alert.

Any free Unicode-compatible rich text box? VBA/Access
Zone: Microsoft Access Database
Tags: text, rich, access, unicode, vba
Since the Microsoft Rich text Box Ver 6 (SP4) is not fully Unicode-compatible, and will not display international languages through its .text property assignment, I am looking for a Unicode-compatible Rich Text Box, to internationalise an application written in VBA/Access 2002/2000
Are there any such free-license and trouble-free controls? 

I cannot get the vbAccelerator Rich Edit control to work.  The vbAccelerator Rich Edit control sounds ideal, and is the only free one I could find.  I downloaded files from http://www.vbaccelerator.com/codelib/richedit/richedit.htm and did the following:
1. "Registered", using the VBRegTLB.exe registration utility provided, the following files (I don't know whether this was necessary, or the implications):
      OLEGUIDS.TLB
      SSubTmr.dll
2. Created a VB/Access database with one form, Form1
3. In the VB environment, selected References... from the menu and inserted the paths & filenames of the following
        vbalEdit.ocx  (159 KB)

Eddy

Quote from: hutch-- on August 24, 2008, 12:20:17 AM
I gather these are PB files.

Hutch,

I can't tell. Judging from the fact that (for example):
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\
is a hidden directory, and looking at its name, my first guess is that this file is related to the Windows "System Restore Point" feature.
Such a file will probably contain a lot of compressed (?) data, meaning it contains pretty much random data. A lot of (pseudo)random data is likely to contain a byte sequence that resembles or matches one of the thousands of virus signatures that an AV scanner looks for. Especially when that AV scanner scans heuristically.

Come to think of it, maybe it would be an interesting exercise to generate a number of files that contain only pseudorandom data and have them scanned for viruses. See how long it takes before a virus scanner finds a 'virus' ...  :bg

Kind regards
Eddy

Eddy

Quote from: Eddy on August 24, 2008, 07:01:06 PM
Maybe it would be an interesting exercise to generate a number of files that contain only pseudorandom data and have it scanned for viruses.

Well, I did that exercise: my small test program generated 100 files with a random number (between 1000 and 100000) of pseudorandom bytes.
I had Avira scan those files for viruses. I did that about 20 times (generating new files every time), but Avira found nothing suspicious ...
So I guess heuristic scanning is not 'that' bad ... :-)

Kind regards
Eddy
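The experiment Eddy describes in the two posts above, written out as an added Python example for this page (it is not Eddy's test program, which was never posted, and it does not use Avira or any real signature database). It generates 100 files of 1000 to 100000 pseudorandom bytes, scans them against a constructed set of random fixed-byte signatures, and puts the arithmetic behind Eddy's reasoning next to the result: at any offset a uniformly random file matches a given n-byte signature with probability 256^-n, so the expected number of matches is signatures × offsets / 256^n. The signature count (200) and the choice of random signatures are assumptions of the example, not anything from the thread.

```python
import os
import random
import tempfile

# Assumption for this example: a toy "signature database" of fixed byte strings
# that are themselves random. Real AV signatures are longer and more structured,
# which only makes an accidental match on random data rarer still.
SIGNATURE_COUNT = 200


def make_random_files(directory, count=100, min_len=1000, max_len=100000, seed=None):
    """Write `count` files of between min_len and max_len pseudorandom bytes
    (the sizes Eddy used) into `directory` and return their paths."""
    rng = random.Random(seed)
    paths = []
    for i in range(count):
        size = rng.randint(min_len, max_len)
        path = os.path.join(directory, f"random_{i:03d}.bin")
        with open(path, "wb") as fh:
            fh.write(rng.getrandbits(size * 8).to_bytes(size, "little"))
        paths.append(path)
    return paths


def expected_hits(file_len, sig_len, sig_count):
    """Expected number of (signature, offset) matches in one file of uniformly
    random bytes: each of the file_len - sig_len + 1 offsets matches a given
    sig_len-byte signature with probability 256 ** -sig_len."""
    if file_len < sig_len:
        return 0.0
    return sig_count * (file_len - sig_len + 1) / 256 ** sig_len


def scan(paths, signatures):
    """Toy signature scanner: how many files contain any signature verbatim."""
    flagged = 0
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if any(sig in data for sig in signatures):
            flagged += 1
    return flagged


def run_experiment(sig_len, sig_count=SIGNATURE_COUNT, seed=1):
    """One round of the experiment: 100 random files scanned against `sig_count`
    random signatures of `sig_len` bytes. Returns (files flagged, expected hits)."""
    sig_rng = random.Random(seed + 12345)
    signatures = [sig_rng.getrandbits(sig_len * 8).to_bytes(sig_len, "little")
                  for _ in range(sig_count)]
    with tempfile.TemporaryDirectory() as directory:
        paths = make_random_files(directory, seed=seed)
        expected = sum(expected_hits(os.path.getsize(p), sig_len, sig_count) for p in paths)
        flagged = scan(paths, signatures)
    return flagged, expected


if __name__ == "__main__":
    for n in (2, 3, 8, 16):
        flagged, expected = run_experiment(n)
        print(f"{n:2d}-byte signatures: {flagged:3d}/100 files flagged, "
              f"expected {expected:.3g} matches in total")
```

Two-byte signatures flag every file and three-byte ones flag a handful, but from eight bytes upward the expected number of matches across all 100 files is far below one, and sixteen-byte signatures never fire. A scanner matching signatures of realistic length therefore will not trip on random data, which is consistent with what Eddy observed when he ran his own version.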

Mark Jones

Try copying the file into a standard folder and debugging it, perhaps like this. Avira likes to say that similar files are problematic here, usually with the name A011gfgsfwg.exe or something.

Once, some trojan did get through, back in the days when e-mail bugs jumped out of unopened mail (and "real" men didn't wear A/V protection...). The polymorphic thing spawned 4 processes and installed 5 spy tools, including a rootkit and a backdoor remote control. Long story short, it was doing this from files in the \windows folder named A000agareebw.exe or similar. It locked its running threads so it could not be terminated; I ended up putting that disk in another machine to delete the offending files. Aaaah, those were the days...

So when I saw Avira's report of an A010gapawe.exe file infection, it made me stop and wonder for a second... were traces of that trash still in there? Which of course is impossible, that was a completely different PC and physical disk ago. :toothy
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

jorgon

I've been in touch with Avira because sometimes some executables made with GoAsm and GoLink were reported as containing a Trojan.

They have said as follows:

Quote: We will take out the pattern recognition in one of our next (engine-)updates.

I'm going to wait and see what happens. I have Avira installed on my machine, but switched off, and I shall try it out in a few days' time.

Incidentally, my contacts at Avira are:

Kind regards
Avira GmbH
and
Fabian Henne
First Level Support
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Internet: http://www.avira.com
Email: virus_malware@avira.com

Since this problem with Avira, and apparently with other AV programs too, affects all assembler programmers, I believe we should fight this one.

In my opinion a false positive reported for a program is a libel upon the author and distributor.

Author of the "Go" tools (GoAsm, GoLink, GoRC, GoBug)

jj2007

Quote from: Eddy on August 24, 2008, 07:01:06 PM
...Judging from the fact that (for example):
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\
is a hidden directory, and looking at its name, my first guess is that this file is related to the Windows "System Restore Point" feature.

After having been infected with Conficker through a USB stick, I decided today to install Avira, and did a complete scan. Guess what? I got:

- 5 detections of the System Volume Information\_restore type
- one in C:\WINDOWS\SoftwareDistribution\Download\9859834e89172702ef462fbc3265334a\BIT83.tmp, difficult to verify
- and 63 100% sure false positives, most of them self-created executables in the Masm32 tree, plus a number of self-created ZIP archives.

Now all these files are hanging around in the "quarantine", and are pretty useless because Avira writes, without any warning, some stuff into the headers.

For me, probably no serious damage - I have copies of all really important files on a different PC. However, destroying archives without warnings is an action that could mean bankruptcy for a software company.

I think a lawsuit against Avira would be an adequate reaction to this behaviour.
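Two questions run through this thread: whether a flagged executable is actually a well-formed PE (hutch's point about the PB compilers conforming to the PE specs) and whether a file that came back from quarantine is still byte-identical to what went in (jj2007's complaint about headers being written to). The following added Python example, which is not from any poster and does not reproduce Avira's behaviour, constructs a minimal PE32 image in memory, runs the header invariants a loader depends on over it, and then hashes two copies and reports where they first differ and whether that offset lies inside the headers. The image layout, the check list and the tampering in the demo are all mine; run the same `check_pe` and `compare_copies` against a real flagged file and its known-good copy.

```python
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_SCN_MEM_EXECUTE = 0x20000000
KNOWN_MACHINES = (0x14C, 0x8664)                            # i386, x86-64


def build_minimal_pe(code=b"\xC3"):
    """Constructed PE32 image for this example: MZ stub, PE/COFF headers and one
    .text section holding `code` (default: a single RET). Hand-written layout,
    not the output of any compiler mentioned in the thread."""
    file_align, sect_align, code_rva, raw_ptr = 0x200, 0x1000, 0x1000, 0x200
    hdr = bytearray(0x200)                                  # SizeOfHeaders
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58                                              # PE32 optional header
    struct.pack_into("<HBB", hdr, opt, 0x10B, 14, 0)        # Magic, linker version
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData
    struct.pack_into("<IIIIII", hdr, opt + 4, file_align, 0, 0, code_rva, code_rva, 0)
    struct.pack_into("<III", hdr, opt + 28, 0x400000, sect_align, file_align)
    struct.pack_into("<HHHHHH", hdr, opt + 40, 4, 0, 0, 0, 4, 0)   # OS/image/subsys versions
    struct.pack_into("<III", hdr, opt + 52, 0, 0x2000, 0x200)      # Win32Ver, SizeOfImage, SizeOfHeaders
    struct.pack_into("<IHH", hdr, opt + 64, 0, 3, 0)               # CheckSum, Subsystem CUI, DllChars
    struct.pack_into("<IIIIII", hdr, opt + 72, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    # section table follows the 16 zeroed data directories; flags: CODE | EXECUTE | READ
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".text", len(code), code_rva,
                     file_align, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + code.ljust(file_align, b"\0")


def check_pe(data):
    """Return a list of findings (empty means the headers look well formed).
    These are invariants the Windows loader relies on, and the first things a
    stray write into the headers would break."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ header"]
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return [f"no PE signature at e_lfanew 0x{e_lfanew:x}"]
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"unexpected Machine 0x{machine:x}")
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE not set")
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(data):
        return findings + ["optional header truncated"]
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        return findings + [f"bad optional header Magic 0x{magic:x}"]
    # the fields below sit at the same offsets in PE32 and PE32+
    entry, = struct.unpack_from("<I", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    if file_align & (file_align - 1) or not 0x200 <= file_align <= 0x10000:
        findings.append(f"FileAlignment 0x{file_align:x} not a power of two in [0x200, 0x10000]")
    if sect_align < file_align:
        findings.append("SectionAlignment smaller than FileAlignment")
    if size_of_headers > len(data):
        findings.append("SizeOfHeaders larger than the file")
    entry_in_code = False
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            findings.append("section table truncated")
            break
        raw_name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        span = max(vsize, rawsize)
        if rawptr + rawsize > len(data):
            findings.append(f"section {name}: raw data runs past end of file")
        if rawsize and file_align and rawptr % file_align:
            findings.append(f"section {name}: PointerToRawData not FileAlignment-aligned")
        if vaddr + span > size_of_image:
            findings.append(f"section {name}: extends beyond SizeOfImage")
        if schars & IMAGE_SCN_MEM_EXECUTE and vaddr <= entry < vaddr + span:
            entry_in_code = True
    if not entry_in_code:
        findings.append(f"AddressOfEntryPoint 0x{entry:x} not inside an executable section")
    return findings


def compare_copies(original, returned):
    """Hash both copies; if they differ, return (first differing offset, whether
    that offset lies inside the original's headers). None when identical."""
    if hashlib.sha256(original).digest() == hashlib.sha256(returned).digest():
        return None
    n = min(len(original), len(returned))
    first = next((i for i in range(n) if original[i] != returned[i]), n)
    e_lfanew, = struct.unpack_from("<I", original, 0x3C)
    size_of_headers, = struct.unpack_from("<I", original, e_lfanew + 24 + 60)
    return first, first < size_of_headers


if __name__ == "__main__":
    good = build_minimal_pe()
    print("clean image:", check_pe(good) or "no findings")
    bad = bytearray(good)
    struct.pack_into("<I", bad, 0x58 + 16, 0x5000)          # point the entry point at nothing
    print("tampered image:", check_pe(bytes(bad)))
    print("first difference:", compare_copies(good, bytes(bad)))
```

A clean image produces no findings; the tampered copy fails the entry-point check, and `compare_copies` locates the first changed byte inside the headers. A list of findings from a compiler's own output would be something worth sending to the vendor along with the AV report; a non-empty result from `compare_copies` on a file restored from quarantine is the evidence for jj2007's point.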

Jimg

I think you should first ask for your money back.

Quote: 3) The computer program described in the user manual conforms to the latest technological standards. AVIRA GmbH (hereinafter called "Licensor") wishes to point out, however, that the latest technological standards do not guarantee software programs to function entirely without error in all applications and combinations.

rags

While on the subject of virii, who comes up with these names for them?
I.e. Conficker,
someone sitting at a desk at Symantec or elsewhere with nothing better to do the day new ones are discovered?
God made Man, but the monkey applied the glue -DEVO

jj2007

Quote from: Jimg on April 26, 2009, 09:32:35 PM
I think you should first ask for your money back.

Quote: 3) The computer program described in the user manual conforms to the latest technological standards. AVIRA GmbH (hereinafter called "Licensor") wishes to point out, however, that the latest technological standards do not guarantee software programs to function entirely without error in all applications and combinations.

See this post for a description of how to see whether you have Conficker or not. I still have it, apparently, in spite of Avira.

Money back would be nice, but it's free. They finance it as an ad for their professional versions (those which can really kill Conficker, eh ::))

And, just in case you were ironically pointing to the fact that I signed the EULA - is there anybody around who has time to read the EULA? Let's be realistic...

Astro

I have Avira (it is disabled most of the time) and just scanned the MASM directory - nothing suspicious found.

In the whole time I've used it (3 years now) I've only ever had it flag viruses.