Virus

Post here messages if you have any problems with working of Enigma Protector
Enigma
Site Admin
Posts: 2521
Joined: Wed Aug 20, 2008 2:24 pm

Re: Virus

Post by Enigma » Tue Oct 27, 2009 10:56 am

Yes, "File analyser deception" just changes signature of protected file from entry point. Strange that this option affects on the AV detection. Anyway, if it affects, this only means that analyses possibilities of such antiviruses are zero.

Few weeks ago I have tried to contact to few non famous AV that are generating false positives in virustotal, but still do not have any reply.. looks like they do not want to solve such problems...

Guys, just advice, use famous antiviruses like Kaspersky.

nfg
Posts: 1
Joined: Mon Jun 07, 2010 10:54 am

Re: Virus

Post by nfg » Mon Jun 07, 2010 11:36 am

Take a tip for me! Kaspersky 10 is no so good like 7. Try this kaspersky version 7 and you'll see by yoursign. I tested them and I am satisfied with this

shamballa
Posts: 16
Joined: Tue Jun 08, 2010 11:13 pm

Re: Virus

Post by shamballa » Wed Jun 09, 2010 12:00 am

Unfortunately I have to add to this thread...

I have just made a Test protected program and sent to Virus Total and there are 5 false positives that get picked up by some big named AV companies.

I link to the test performed here: http://www.virustotal.com/analisis/c8b1 ... 1276037313

Enigma
Site Admin
Posts: 2521
Joined: Wed Aug 20, 2008 2:24 pm

Re: Virus

Post by Enigma » Wed Jun 09, 2010 10:28 am

Guys, 5 false positives is a well result. With other protection systems you could get more falses. This is not a problem of Enigma, this is mistakes of antivirus softwares. This cannot be solved from my side, you should manually submit your files with false positives to antivirus companies and ask to solve it.

After submitting your file will be fully clear.

There is some information that can help you with submitting:

#######################################
Here are some places that can online scan the program and let you know what AV companies are giving False Positives on the files:
http://virustotal.com/
http://virusscan.jotti.org/

I'll go ahead and list some email addresses and website forms for some of the particular AV companies to make it easy for you.

A-Squared: fp@emsisoft.com

AntiVir: http://analysis.avira.com/samples/index.php
False positives:
If you think our scanner has detected a clean file by mistake please select "False positive suspicion" from the drop down menu above. Note that suspicious files and false positives need to be uploaded separately. Please make sure you verified that the latest version will still detect the file and it is not a solved false alarm at this point in time.

ArcaVir: support@arcabit.com

Avast: virus@avast.com
Pack the "infected" file into ZIP archive and lock it with password "virus" (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it's on the internet.
Add your own note on why do you think that it's a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com
You'll probably get a reply mail about file info (if it was really a false positve) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you'll know if the false positive was fixed.
Until then, you can add the "false positive" file into exclusions:
Left click on "a" ball next to the clock and select Standard Shield.
Click Customize... and select Advanced tab.
Now just enter full path (path plus filename with extension) into the line and press [Enter] on keyboard.
This will exclude the file from scan, so you can use it untill false positive is resolved. Do this with caution or if you're 100% sure that the alert was false positive for that file.
Alwil staff deals with false positives very fast, so they are usually fixed on next VPS update, or even immediately if the false positive is found in any widely used program.
Try to address false positives directly to Alwil virus submission mail and not here on forums. This way the false positive is solved faster.

AVG Antivirus: virus@grisoft.cz
Put "False Positive" in the subject and explain the false positive.

BitDefender: http://forum.bitdefender.com/index.php?showforum=108

ClamAV: http://www.clamav.net/sendvirus
Complete the form at http://www.clamav.net/sendvirus. Be sure to select The file attached is… a false positive.

Comodo Antivirus: malwaresubmit@avlab.comodo.com or desktopsupport@comodo.com
Make sure you state "False Positive" in the subject and try to explain what the program is.

Dr.Web: http://vms.drweb.com/sendvirus/
Make sure you select "False Detect".

eSafe: http://www.aladdin.com/forms/send-email/form.aspx
Fill out the contact form and let them know it is a False Positive.

F-Prot Antivirus: http://www.f-prot.com/virusinfo/submission_form.html
Be sure to explain it is a False Positive!

F-Secure Antivirus: http://www.f-secure.com/samples/index.html
If you encounter a false positive, please submit a sample of it for testing and verification, specifying that you are submitting a false positive. Any additional information such as the origin of the file, scanning report file, and false positive detection name will help to resolve the issue more quickly.

Fortinet: http://www.fortiguardcenter.com/antivir ... anner.html
Submit the file and fill out the form stating it is a false positive

Ikarus: false-positive@ikarus.at

Kaspersky: newvirus@kaspersky.com
1) Put the suspected virus in a password-protected zip or rar file.
2) Compose an email message (only short description) and attach the zip file.
3) Include the password in the body/subject of the email. If you suspect a false positive, then include "Possible false positive" in the subjectline.
4) Send the zip/rar file to newvirus@kaspersky.com

McAfee: virus_research@avertlabs.com
Send an email to McAfee and let them know it is a false positive.
Make sure you zip up the file(s) and password protect it with the word infected. Even though it is not a virus this password must be contained on the zip file or they will ignore your email.

NOD32: samples@eset.sk
Put "False Positive" in the subject.

Norman Virus Control: http://www.norman.com/Support/fp/

Panda Antivirus: http://www.pandasecurity.com/about/contact/
Email them and tell them it is a False Positive.

Prevx: http://info.prevx.com/service.asp
Contact support by filling out the form and stateing the information about the false positive.

Sophos Antivirus: https://secure.sophos.com/support/samples/
Make sure you let them know it is a "False Positive".

Sunbelt
Fill out false positive submission form, attach false detected file
http://www.sunbeltsecurity.com/falsepositive/

Symantec:
To submit false positive email to Security Response
Create a new email in RFC-822 MIME format, and attach the false positive email.
In the To box, type:
North America: gfeedback@feedback-1.brightmail.com
EMEA: eurofeedback@feedback-23.brightmail.com
APAC: apacfeedback@feedback-22.brightmail.com
Japan: jpnfeedback@feedback-47.brightmail.com
Only send false positive email to the this address.
Send the message to the Security Response Center.

VirusBuster: support@virusbuster.hu
Make sure you notify them that it is a "False Positive".

ViRobot
Go to http://www.hauri.net/support/false_report.html there is a false positive submission form. Enter your name, email address, enter False Positive in the subject, some words in the text field and select a file. Note, false detected file should be zip compressed!

VBA32: newvirus@anti-virus.by
Put "False Positive" in the subject!

shamballa
Posts: 16
Joined: Tue Jun 08, 2010 11:13 pm

Re: Virus

Post by shamballa » Wed Jun 09, 2010 4:45 pm

Hello Enigma

Thank you very much for your response and for the time you have taken to set out the links. I will certainly make sure I follow your advice and upon release I will submit the false positives.

Post Reply