False Positives in antivirus-programs

avast detecting sfloppy.sys as hidden rootkit.

There have been numerous reports of this detection since early this morning.

As reported in this topic: Rootkit hidden filefloppy sys, the detection appears to be a false positive as of the last database update. Since many of our members use avast, I wanted to post the information so everyone is aware.

I received the same notification after booting up an hour ago and the database was updated. I submitted the file to virustotal and it came back clean so I choose to ignore it. No official confirmation from avast yet but users should monitor the topic for further replies.

Reply #67 from Milos: Yesterday at 02:58:10 PM

Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos

Had a problem with Avast this morning:

Version: 6.0.1367 FREE
Virus Definition: 12112-1

Downloading Combofix...

From Web Log:
1/13/2012 7:54:59 AM
http://download.bleepingcomputer.com/sUBs/ComboFix.exe|>$0\pev.3XE|>[PECompact]
[L] Win32:Rootkit-gen [Rtk] (0)

FYI

Archer12

avast! has been reporting it as Win32:Rootkit-gen for the past three days now. See here .

Read my reply to another user as to why.

The problem is really with the anti-vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database but avast is taking longer this time.

The problem has been rectified:

Avast Update

Definition update: 120113-0

Thanks

archer12

Antivirus: Avast
Version: 7.0.1426 Free
Virus Definition: 120310-2

Scan Log:
11/03/2012 12:00:00

Infected files: 1

Process 888 [rapportmgmtservice.exe], memoryblock 0x0000000000400000, block size 937984 (RapportMgmtService.exe)
Severity: High
Threat: Win32:MalOb-JN[Cryp]

Screenshot of avast log

dev0070

Antivirus: Avast
Version: 7.0.1426 Free
Virus Definition: 120429-0

Web Shield Log:
29/04/2012

URL: http//oldtimer.geekstogo.com/OTL.exe
Severity: High
Threat: Win32:Rootkit-gen [Rtk]
Action: Blocked

Screenshot of popup

edit: typo

Edited by dev00790, 29 April 2012 - 06:35 AM.

is AVG popping false positives of Trojan downloaders?  i hope so otherwise i am seriously infected even though malware bytes and ESET show nothing 

Candigram, there is no way to e sure without knowing what it detects (filenames). However just because other scanners don't see it, doesn't mean automatically it is a false-positive.

is AVG popping false positives of Trojan downloaders?  i hope so otherwise i am seriously infected even though malware bytes and ESET show nothing 

I think so, I know i used avg to remove a "virus" and got the blue screen of death.

given the nature, Superone click and zerge are showing up as trojan horses.

supposedly avg is the, best free antivirsus id just suggest if you find something questionable type is "filename.etc.." legit into google and see what folks have to say.

Edited by Gedeonmateo, 14 February 2013 - 06:10 PM.

Detection-wise AVG is definitely not the best free AV in my opinion. As far as free goes you're much better of with MS Security Essentials. It makes no sense to speculate on whether or not AVG's detections are FPs without having a copy of the file or seeing the location.

Greetings everyone.
 
Just wanted to let you know that I recieved two (!) possible False Postives this morning (5 AM here on the Eastern Seaboard, U.S.A) when I fired up my computer.
 
Both Trojans were Quarantined by my Malwarebytes (Pro version) upon start up.
 
I wasn't real concerned about it as I downloaded one of these programs from here at BC and these exe files have been on my computer for a couple of weeks now.
 
Both programs (the exe. files were for PC decrapifier and the other was the exe. file for ImgBurn) were/are being reported as Trojan.Backdoor.MRX files.
 
 
A quick look over at the Malwarebytes Forum seems to indicate that this known FP  and is being adressed but wanted to let everyone here know as well.
 
Will let you know if/when a resolve is reached/discovered and pushed out.
 
onward,
 
Winterland

Only MBAM can tell you when the FP will be fixed.

 

Generally speaking though, every security vendor will have FPs now and then, with the amount of detections that is added each day that is almost unavoidable. Usually such FPs are fixed pretty fast when reported (though this may differ from vendor to vendor).

Also, just as an aside...this Forum showed/shows that it's Pinned, so I wasn't even sure I could post here.

 

Part of the bugs with the new roll out perhaps?

 

Thought you should know.

 

onward,

 

Winterland

This topic has always been pinned, see the first post (which is quite some years ago ). Its not used very often though, which it may have confused you.