jds, on 07 September 2012 - 03:55 AM, said:
As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this.
I would speculate that the frequency of false positives depends on what one is scanning. Most of the stuff I am scanning comes from the mule and often contains patches etc. Some of these little files are apparently created by software with which also malware may be produced. Some antivirus programs tend to identify all files created by such software as malware, even if the files are good and clean.
False positives might lead one to delete files which are actually good. I have come across a rare false positive by Kaspersky Anti-Virus for one series of little files, which was incorrectly identified as a trojan "packed win32.black.a". About 5-20% of the downloads with the mule are infected, as identified by Kaspersky. Avast flags more - but it is practically impossible to know whether these files flagged by Avast, and not by Kaspersky, are really infected or just false positives.
About 2 years ago, after the terrible infection with the Tenga exe infector, I had installed Avast under WinXP and Kaspersky under Win98, for double-checking. After a while I stopped using Avast because of the (probably) false positives.
Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.
virustotal is impractical for checking large quantities of files. I make a pre-check
of the stuff from the mule as follows:
1) I open archive files (e.g. .rar) with WinRAR. Maybe 5% don't open (corrupt archives or the file extension was changed from e.g. .avi to .rar). I then look at the modification dates of the files in the archive. If the file modification dates differ substantially, e.g. by several years, then some recent malware may have been injected and the archive is suspicious. If the archive contains just a few files, including a .dat
and a .exe file, it is in most cases malware.
is a most useful program for pre-checking downloads containing an .nfo file. After opening an archive in WinRAR I just double-click on the .nfo file in the WinRAR window. If nfodiz displays a nice-looking nfo, and the modification dates of the other files in the archive are close to the modification date of the .nfo file (and close to the date often displayed in the .nfo window), there is a good chance that the archive is Ok. If nfodiz displays jibberish, then the archive is infected and can be deleted. The description page of nfodiz is http://web.archive.o...3050_index.html
nfodiz can be downloaded from http://liveweb.archi...fodiz_setup.exe
3) downloaded .exe files I drag onto the desktop icon of MiTeC EXE Explorer
. If the .exe file is supposed to be old software, but has a much more recent timestamp, the .exe is most likely infected.
These 3 steps identify about 60% of the infected files. About 50% of the files identified in these 3 steps are not flagged by Kaspersky, although eventually Kaspersky will identify many as infected, with subsequent signature updates. This is not a critique of Kaspersky, there are just too many new malware programs.
This post has been edited by Multibooter: 07 September 2012 - 11:32 PM