Maximus5 / conemu-old-issues

Old issues imported from googlecode. Project was moved to
https://conemu.github.io

FALSE Alarm - Avira Antivirus Professional Warns about virus in #555

Open Maximus5 opened 9 years ago

Maximus5 commented 9 years ago

Originally reported on Google Code with ID 555

OS version: Win7 SP1 x64

I've attached a picture.

Reported by Cuchuk.Sergey on 2012-05-25 18:11:59


Maximus5 commented 9 years ago
Check of ConEmuSetup.120417.exe succeeds.

Reported by Cuchuk.Sergey on 2012-05-25 18:18:31

Maximus5 commented 9 years ago
Check unpacked 7z of these versions

Reported by ConEmu.Maximus5 on 2012-05-25 18:51:16

Maximus5 commented 9 years ago
Thank you! That helped. Avira didn't show any messages.

Reported by Cuchuk.Sergey on 2012-05-25 19:59:56

Maximus5 commented 9 years ago
I can't do anything with false alarms of Avira.
Probably you, as a user of Avira, may contact their tech support and ask them
what exactly seems suspicious from their point of view. In this case, may be...

My installer was not significantly changed (only one visual bug in dialog was fixed
on 09.05.2012).

BTW, did you import my certificate?
http://code.google.com/p/conemu-maximus5/wiki/Certificate

Reported by ConEmu.Maximus5 on 2012-05-25 20:15:29

Maximus5 commented 9 years ago
I will send them the setup and ask them to remove the false alarm.

Reported by Cuchuk.Sergey on 2012-05-25 20:56:31

Maximus5 commented 9 years ago
OK.

KIS has "cloud protection". Maybe Avira has something like that too.

Reported by ConEmu.Maximus5 on 2012-05-25 21:02:01

Maximus5 commented 9 years ago
I will post what they answer (file analysis takes about 2 weeks).

Reported by Cuchuk.Sergey on 2012-05-25 21:13:34

Maximus5 commented 9 years ago
Thank you for your recent inquiry.

The present file is falsely detected by Avira AntiVir as TR/Dropper.Gen.

This is a false positive detection, which will be fixed with one of the next VDF updates
from AntiVir. With this update, the file itself should not be detected anymore.

Please note that this is a generic false positive.

This means, that this false positive appears on the basis of certain unique characteristics
inside the file. Therefore it is possible that similar files will also be reported
with this detection.

This false positive will finally be fixed with the next engine update.

Thanks in advance.

For further questions don't hesitate to contact us.
-- 
Freundliche Gruesse / Best regards
Avira Operations GmbH & Co. KG

Bernd Kersten
Consumer Services - International Services & Support

Avira Operations GmbH & Co. KG
Kaplaneiweg 1, D-88069 Tettnang, Germany
Internet: http://www.avira.com

Managing partner: Tjark Auerbach
Registered office: Tettnang; AG Ulm HRA 722586
----------------------------------------------------------------------
GENERAL TERMS AND CONDITIONS
Our General Terms and Conditions apply.
You can find the currently valid version at:

Reported by Cuchuk.Sergey on 2012-06-05 18:48:06

Maximus5 commented 9 years ago
Well, okay.

Reported by ConEmu.Maximus5 on 2012-06-05 19:09:48

Maximus5 commented 9 years ago
Issue 596 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2012-06-14 05:29:23

Maximus5 commented 9 years ago
Issue 597 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2012-06-14 20:02:53

Maximus5 commented 9 years ago

Reported by ConEmu.Maximus5 on 2012-06-14 20:06:53

Maximus5 commented 9 years ago

Reported by ConEmu.Maximus5 on 2012-06-14 20:07:52

Maximus5 commented 9 years ago
Issue 1343 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2013-11-16 14:58:22

Maximus5 commented 9 years ago
Issue 1343 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2013-11-16 14:58:36

Maximus5 commented 9 years ago

Reported by ConEmu.Maximus5 on 2013-11-16 14:59:03

Maximus5 commented 9 years ago
Issue 596 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2013-11-16 14:59:58

Maximus5 commented 9 years ago
Issue 597 has been merged into this issue.

Reported by ConEmu.Maximus5 on 2013-11-16 15:00:28

Maximus5 commented 9 years ago

Reported by ConEmu.Maximus5 on 2013-11-16 15:01:19

Maximus5 commented 9 years ago
I'm encountering the same problem. Has anyone found a fix to this?

Reported by pablo@vdevices.com on 2013-11-17 18:28:12

Maximus5 commented 9 years ago
Report false alarms to Avira.

Many ConEmu console-related features require Windows API hooking. The ConEmuHk wiki describes
that. It's strongly not recommended to totally disable them (that may cause problems),
but if that is the only way in your case, the "howto" is described in ConEmuHk#Conclusion.

Reported by ConEmu.Maximus5 on 2013-11-17 18:53:16

Maximus5 commented 9 years ago
Yes, report the version and the false alarm to Avira.
They will check the version and add the file hash to the safe list.
Also stay on stable branches so you don't have to do this very often.

Reported by Cuchuk.Sergey on 2013-11-17 19:18:52

Maximus5 commented 9 years ago
As for hooking, I suggest extracting it into a separate library (which will update extremely
rarely) so that Avira checks it only once and adds its hash to the safe list.

Reported by Cuchuk.Sergey on 2013-11-17 19:23:57

Maximus5 commented 9 years ago
Are you sure Avira checks only the dll hash? I suppose it checks the executable too, no?

Reported by ConEmu.Maximus5 on 2013-11-17 19:26:25

Maximus5 commented 9 years ago
I see here ConEmuC.exe, but not a library
https://conemu-maximus5.googlecode.com/issues/attachment?aid=13430000000&name=conemu+false+positive.png&token=imBcncP3wLdUjdn9b2VKBtp-hIk%3A1384716391237&inline=1

Reported by ConEmu.Maximus5 on 2013-11-17 19:27:45

Maximus5 commented 9 years ago
I wish I could know for sure.

Reported by Cuchuk.Sergey on 2013-11-17 19:27:58

Maximus5 commented 9 years ago
> I see here ConEmuC.exe, but not a library

Sure, the process name should be shown to the user for such things. A dll name will tell the user
nothing.
But I still don't know how the process is organized.

Reported by Cuchuk.Sergey on 2013-11-17 19:44:55

Maximus5 commented 9 years ago
Probably you're right, adding the dll to the safe list is bad, because malicious software could
use it.

Reported by Cuchuk.Sergey on 2013-11-17 19:46:48