Another false positive?

Terry Pinnell

I haven't had any threats for months and now TWO within a week! The previous
was VideoReDoPlus-2-1-1-413.exe, Tracking number 433125, which I confirmed a
day or so ago was a false positive.

This one is another 'movie software' file (part of FFDshow I think):
C:\WINDOWS\system32\ff_vfw.dll

My Antivir Personal has just reported that it "Contains a recognition pattern
of the (harmful) BDS/Bot.111287 back-door program"

Yet it's been on my HD for ages.

I've sent it to Avira for analysis.

Virus Total online shows it as OK for all 41 programs, including Avira
AntiVir, version 7.9.1.154, update 2010.01.27

How can that be contradicted by my local Antivir Personal (free), which was
updated this morning as usual?
 
John Williamson

Terry said:
I haven't had any threats for months and now TWO within a week! The previous
was VideoReDoPlus-2-1-1-413.exe, Tracking number 433125, which I confirmed a
day or so ago was a false positive.

This one is another 'movie software' file (part of FFDshow I think):
C:\WINDOWS\system32\ff_vfw.dll

My Antivir Personal has just reported that it "Contains a recognition pattern
of the (harmful) BDS/Bot.111287 back-door program"

Yet it's been on my HD for ages.

I've sent it to Avira for analysis.

Virus Total online shows it as OK for all 41 programs, including Avira
AntiVir, version 7.9.1.154, update 2010.01.27

How can that be contradicted by my local Antivir Personal (free), which was
updated this morning as usual?

No guarantees, but this sounds like the reason I stopped using AVG free
a while back. Far too many false positives all of a sudden.

I now use Kaspersky Internet Security, which is a real PITA when you're
installing stuff, but I've had no false positives as yet, and no obvious
false negatives.

Eset's another I've seen recommended and I used it until the sub came up
for renewal.
 
Gene E. Bloch

I haven't had any threats for months and now TWO within a week! The previous
was VideoReDoPlus-2-1-1-413.exe, Tracking number 433125, which I confirmed a
day or so ago was a false positive.

This one is another 'movie software' file (part of FFDshow I think):
C:\WINDOWS\system32\ff_vfw.dll

My Antivir Personal has just reported that it "Contains a recognition pattern
of the (harmful) BDS/Bot.111287 back-door program"

Yet it's been on my HD for ages.

I've sent it to Avira for analysis.

Virus Total online shows it as OK for all 41 programs, including Avira
AntiVir, version 7.9.1.154, update 2010.01.27

How can that be contradicted by my local Antivir Personal (free), which was
updated this morning as usual?

I also have gotten a few false positives from Norton Internet Security
2010. I can't say I enjoy them :)

The main problem is that it's hard to keep them intact or get them
back, since in spite of how I *think* I configured the app, some items
are removed without giving me any recourse.

One friend has pointed out that it *is* possible that the program was
recently corrupted in spite of having been on my computer for years. I
agree, but somehow I don't think it happened: I suspect a new overly
enthusiastic signature.

I also experienced a reversal of fortunes, i.e., a putative virus was
not flagged again after I managed to recreate the program (in at least
one case, from a Norton quarantine, so the file was as before). This
leads me to believe that the new signature was pulled in a later
update.

I think we're stuck with this sort of hassle regardless of which AV
program we use, unless we abandon all our AV programs.

For anyone who's about to tell me that Norton is a virus, don't bother,
I won't be listening :)
 
FromTheRafters

[...]
The main problem is that it's hard to keep them intact or get them
back, since in spite of how I *think* I configured the app, some items
are removed without giving me any recourse.

I had Norton preinstalled on this computer, I *was* going to let it run
until its subscription expired - but it deleted files even though I had
it configured to only ask.

....it's gone now!

[...]
 
FromTheRafters

I haven't had any threats for months and now TWO within a week! The previous
was VideoReDoPlus-2-1-1-413.exe, Tracking number 433125, which I confirmed a
day or so ago was a false positive.

I remember it as if it were yesterday...

This one is another 'movie software' file (part of FFDshow I think):
C:\WINDOWS\system32\ff_vfw.dll

My Antivir Personal has just reported that it "Contains a recognition pattern
of the (harmful) BDS/Bot.111287 back-door program"

Yet it's been on my HD for ages.

I've sent it to Avira for analysis.

Virus Total online shows it as OK for all 41 programs, including Avira
AntiVir, version 7.9.1.154, update 2010.01.27

How can that be contradicted by my local Antivir Personal (free), which was
updated this morning as usual?

I have my ideas on why this might be, and have in the past discussed
this in the virus groups. It would be nice to hear it from "the horse's
mouth" so to speak - could you ask the good folks at Avira?
 
Gene E. Bloch

The main problem is that it's hard to keep them intact or get them back,
since in spite of how I *think* I configured the app, some items are
removed without giving me any recourse.

I had Norton preinstalled on this computer, I *was* going to let it run until
its subscription expired - but it deleted files even though I had it
configured to only ask.

...it's gone now!

When this subscription expires, it might go away here too, but in
general it is approximately OK. My major complaint is what happens when
I try to restore from a restore point. There is a way - actually a
pretty easy one - to make it work, but it requires remembering to do
the trick. I usually remember after the initial failure :)

I had that problem since last year's version (Norton Internet Security
2009). It amazes me that Norton has neither fixed it nor advised users
about it... It wouldn't surprise me if it's older than that, but I had
avoided Norton for a while until the 2009 version got stellar reviews.

Norton is also pretty wonky after a system restore. It loses track of
where it is (in terms of definition updates) & it takes a while for it
to straighten itself out, and while it's happening the messages and
choices are very misleading. In fact, I'd have to say crazy. It
shouldn't confuse a very experienced guy like me; what will it do to
relative novices?

They should hire me for PR, don't you think? After all, as I said, I'm
a satisfied user.
 
Terry Pinnell

FromTheRafters said:
I remember it as if it were yesterday...


I have my ideas on why this might be, and have in the past discussed
this in the virus groups.

Can you summarise, or point me to a relevant post please? Whatever the cause
is, it seems to imply that my simple assumptions are wrong. Such as: daily
definition updates keep me, er, up-to-date.

It would be nice to hear it from "the horse's
mouth" so to speak - could you ask the good folks at Avira?

As well as posting to the Labs I also posted to the forum, but I have little
hope of any explanation forthcoming from there. See my post a minute ago, 'No
replies allowed in Avira forums?'.
 
FromTheRafters

Gene E. Bloch said:
The main problem is that it's hard to keep them intact or get them
back, since in spite of how I *think* I configured the app, some
items are removed without giving me any recourse.

I had Norton preinstalled on this computer, I *was* going to let it
run until its subscription expired - but it deleted files even though
I had it configured to only ask.

...it's gone now!

When this subscription expires, it might go away here too, but in
general it is approximately OK. My major complaint is what happens
when I try to restore from a restore point. There is a way - actually
a pretty easy one - to make it work, but it requires remembering to do
the trick. I usually remember after the initial failure :)

I had that problem since last year's version (Norton Internet Security
2009). It amazes me that Norton has neither fixed it nor advised users
about it... It wouldn't surprise me if it's older than that, but I had
avoided Norton for a while until the 2009 version got stellar reviews.

Norton is also pretty wonky after a system restore. It loses track of
where it is (in terms of definition updates) & it takes a while for it
to straighten itself out, and while it's happening the messages and
choices are very misleading. In fact, I'd have to say crazy. It
shouldn't confuse a very experienced guy like me; what will it do to
relative novices?

They should hire me for PR, don't you think? After all, as I said, I'm
a satisfied user.

I actually liked NAV 5.0, never had a problem with it even after it
"expired". Definitions could still be downloaded even though it
indicated otherwise. After that, new versions tried doing too much
(bloat) and I went with free alternatives (AVG, AntiVir, and Avast!).
 
FromTheRafters

Terry Pinnell said:
Can you summarise, or point me to a relevant post please? Whatever the cause
is, it seems to imply that my simple assumptions are wrong. Such as: daily
definition updates keep me, er, up-to-date.

As well as posting to the Labs I also posted to the forum, but I have little
hope of any explanation forthcoming from there. See my post a minute ago, 'No
replies allowed in Avira forums?'.

AntiVir has options that may not match between your installation and
VirusTotal's installation. Particularly, under configuration - expert
mode - heuristics. That, and the fact that VT won't have the luxury of
context scanning since it is a file submission service.

I looked back at your discussion in their forum, and noticed they had it
marked as resolved (closed) or some such thing. This after wrongly
telling you that the file was indeed "MALWARE" and you still doubting
their results. Readers of that thread will probably never know the
truth.

....still, it *is* a free service <G>
 
