Early warning may save your bacon :-)
Another day, another entry in the avast! Virus Lab submission system for reporting false positives:
Processing hundreds of possible false positives each day is usually routine work, but a submission from a live internet link is always interesting and needs more individual attention. The reason is obvious – it can do more harm to potential site visitors than a file on a local system which isn’t linked anywhere. The fact that we detect this bit of malware with two different detection systems (regular detection for Sality along with a heuristic detection) is a clear hint – there’s definitely something fishy here.
Let’s simulate the behavior of an average user who wants to download the file and then goes to the site and clicks the link (well, I’m not quite strong in decrypting Turkish and the Google Translate results were a bit fuzzy, but here we go):
Nice, the download was promptly blocked by our engine. That’s very important – we can warn the user at a very early stage and show him that something dangerous is inside. No waiting, no shillyshally fumbling around, just a straight STOP to the infection.
But what if the user wants to wait for the emergency brake (on-execution scan of sivanamain.exe after unpacking the setup which is already running) and put all of his or her faith in this protection of last resort? An early warning can increase user trust in us (as it shows that we know what’s going on from the beginning) and we can confirm the validity of this detection later when the infected binary is about to run and we block it with the “emergency brake.” The final decision is up to the individual avast! user, but when it comes to reporting dangerous stuff, my opinion is clear – the sooner, the better.
And what about other AV products and their early warnings on this specific binary file? (Remember, this result partly depends on what level of scan thoroughness has been established on a particular machine, but VirusTotal uses the highest possible level as far as I know.)
Frankly, the early warning results are nothing to celebrate, with only five out of the more than 40 AV apps catching the malware (and two were from avast!). However, the emergency brake works well for most of the tested AV engines:
The conclusion: When driving your computer on the internet highway, remember that only a few AVs work well as early warning systems. But nearly all have functioning emergency brakes – most of the time.

What happened to NOD32 in the second set of results?
@deesnider
Ooops, it was not my intention to exclude NOD. There’s something wrong on VT side.
I use avast and I recommend to everyone to use at home or work, I use the two way at home and at work, where I have two web servers and never had any problems, thanks avast
This is good to make people aware of such kinds of bad viruses. I use every virus scan/antivirus program, but I found avast the best solution, thanks to avast!!!
The sooner, the better
Good chasing.
Thank you avast for your Great Service…..!!!!!!!!!
I think avast does a good job. I have never had problems with it; rather, it does not let possible viruses lodge themselves on my machine, which would be fatal given the valuable information I handle.
You really are a 5-star program. Thank you very much for everything you do for us. Keep up the good work.
maybe because AV’s do not scan the password protected packed files ???
However many packers you guys add to your database, there will always be new ways to crypt existing stuff. The number of viruses running FUD is unimaginable.
Since I have very small PC”experience,BUT WITH AVAST,ONLY!!!!!!!!!!!!!!
Good stuff….just had my PC cleaned up…man, it’s like a new machine!!!
@bong2x
But this is not a password protected archive.
@HackToHell
Igor would tell you the exact number. There’s a threshold – some packers are more widespread than others, thus some are worth the effort to unpack, some are very rare (suspicious), some can be detected as a threat at all. And starting with version 5, unknown packers are generically unpacked with our emulator. It’s too complex to explain here in a reply. Anyway, the ClickTeam installer used here is quite a common packer for setups.
When I put my cursor on the little spinning ball in the tray, the sign often comes up that warns me that my computer is not fully protected. When I open the interface, it tells me that my computer is fully secure. What is going on with that?
try restarting your computer michael it even happened with me i did this and then the problem never happened.
Hello
I downloaded the antivirus yesterday but it does not work
i am able to access the avast! blog in ie 8 and not in chrome whts on with that? chrome says the site is unresponsive? any guess whts the problem?
hello now i am writing this comment through chrome i think so avast! people repaired the problem on their blog. thanks a lot!!! luv u avast!!!!
well,michal early warning for avast! is a good function but what if the web shield is not configured to unpack the concerned packer???
then i think so it would find it at the downloading time or not? or the file system will catch it???
what do u say??
@shre54321
The screenshot above was taken with default WebShield settings and it caught the file early. And there’s the emergency brake in addition, thus you don’t have to worry.
well michal whats the deal with the blogs june 2011 archive it doesnt load in chrome???pls tell me whts causing chrome to tell me the the page is unresponsive???if u have any idea???it oads in ie 8….
sorry that is loads…..and not oads
@shre54321
No clue. I don’t use chrome. And no other users observe such issues so far.
So is it an indication of any infection?
so michal can it be indication of infection on my pc???
@shre54321
It seems to be rather something wrong with Chrome settings. But this is definitely not a good place to discuss such unrelated stuff. Visit our forums and try to resolve everything there. And next time pls no links to possibly infected domains here.
sorry michal next time no links to possibly infected domains..sorry!!! but did u check the site pls check it and let me know…..thankyou…
i performed a quick scan frm avast! today michal and it found this:
Win32:KillApp-w[pup] and it has now moved it to the chest….
tell me one thing michal can potentially unwanted program can be harmful for a pc i have never seen this before doing anything?????could it be a false positive????{thanks for ur advice to visit the forum the people out there resolved the problem with chrome}
CRap it STILL remains
http://netload.in/index.php?id=10&file_id=sal29ybUfF&s=b0601cd95b&captcha=1