From: Daave on 13 Feb 2010 22:09

I use Avira Antivir.

When I visited this page:

http://www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html

the Avira Guard went off, identifying

35035[1].js

as containing the following:

Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'

I moved it to the Quarantine (actually this happened twice).

I assume this is a false positive, but is there an easy way to confirm? I thought about restoring it to its location in the TIF folder and then uploading it to Virus Total and/or Jotti. But is there a way to upload directly from the Quarantine?

Also, is there an online service that will scan a Web page? If so, I would like to send the above URL to get a second opinion.
From: David H. Lipman on 13 Feb 2010 22:30

From: "Daave" <daave(a)example.com>

| I use Avira Antivir.
| When I visited this page:
| h**p://www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html
| the Avira Guard went off, identifying
| 35035[1].js
| as containing the following:
| Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'
| I moved it to the Quarantine (actually this happened twice).
| I assume this is a false positive, but is there an easy way to confirm?
| I thought about restoring it to its location in the TIF folder and then
| uploading it to Virus Total and/or Jotti. But is there a way to upload
| directly from the Quarantine?
| Also, is there an online service that will scan a Web page? If so, I
| would like to send the above URL to get a second opinion.

Not happening with me.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: MEB on 13 Feb 2010 22:35

On 02/13/2010 10:09 PM, Daave wrote:
> I use Avira Antivir.
>
> When I visited this page:
>
> http://www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html
>
> the Avira Guard went off, identifying
>
> 35035[1].js
>
> as containing the following:
>
> Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'
>
> I moved it to the Quarantine (actually this happened twice).
>
> I assume this is a false positive, but is there an easy way to confirm?
> I thought about restoring it to its location in the TIF folder and then
> uploading it to Virus Total and/or Jotti. But is there a way to upload
> directly from the Quarantine?
>
> Also, is there an online service that will scan a Web page? If so, I
> would like to send the above URL to get a second opinion.

http://www.UnmaskParasites.com/security-report/?page=www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html

You must enable JAVA and allow cookies to use the site.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
From: "FromTheRafters" erratic on 14 Feb 2010 07:24

"Daave" <daave(a)example.com> wrote in message news:%23o3hsMSrKHA.4236(a)TK2MSFTNGP02.phx.gbl...
> I use Avira Antivir.
>
> When I visited this page:
>
> http://www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html
>
> the Avira Guard went off, identifying
>
> 35035[1].js
>
> as containing the following:
>
> Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'

That is not happening here, did it happen only once?

> I moved it to the Quarantine (actually this happened twice).

I assume you mean the alert, not the website visit. Avira AntiVir will alert twice because it scans twice (once on read operation, once on write).

Does going back to the site consistently produce the alert? (perhaps an objection to an advertisement?)

> I assume this is a false positive, but is there an easy way to
> confirm?

Have it looked at by professionals.

> I thought about restoring it to its location in the TIF folder and
> then uploading it to Virus Total and/or Jotti.

Sometimes that is helpful. Sometimes not for you, but only for the participating vendors. New malware can give results similar to a FP declaration's results.

> But is there a way to upload directly from the Quarantine?

IIRC there is a way to send a sample via e-mail to Avira directly from quarantine. Otherwise, you may have to restore from quarantine to upload to VT, Jotti, or VirScan.

> Also, is there an online service that will scan a Web page? If so, I
> would like to send the above URL to get a second opinion.

You could check Norton's "Safeweb", but I don't know if you can submit it for consideration by them.
From: Daave on 15 Feb 2010 13:47

FromTheRafters wrote:
> "Daave" <daave(a)example.com> wrote in message
> news:%23o3hsMSrKHA.4236(a)TK2MSFTNGP02.phx.gbl...
>> I use Avira Antivir.
>>
>> When I visited this page:
>>
>> http://www.techsupportforum.com/hardware-support/motherboards-bios-cpu/230932-bios-rootkit-process-elimination.html
>>
>> the Avira Guard went off, identifying
>>
>> 35035[1].js
>>
>> as containing the following:
>>
>> Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'
>
> That is not happening here, did it happen only once?

Just for that one visit.

>> I moved it to the Quarantine (actually this happened twice).
>
> I assume you mean the alert, not the website visit. Avira AntiVir will
> alert twice because it scans twice (once on read operation, once on
> write).
>
> Does going back to the site consistently produce the alert? (perhaps
> an objection to an advertisement?)

No. It's fine now.