Warning: Avast indicates false positive on Astropulse V6 for Nvidia!

Ulrich Metzner
Volunteer tester
Joined: 3 Jul 02
Posts: 1256
Credit: 13,565,513
RAC: 13
Germany
Message 1434868 - Posted: 28 Oct 2013, 18:53:11 UTC

As the title says, the latest virus signatures for Avast Antivirus silently delete the "AP6_win_x86_SSE2_OpenCL_NV_r1843.exe" from your seti directory trashing all AP-WUs in the queue. Sorry to my wingmen, but you can see the disastrous result here:
http://setiathome.berkeley.edu/results.php?hostid=157931&offset=0&show_names=0&state=0&appid=12

Unfortunately I wasn't home to stop this "gone wild" anti virus cr@p... %(
Aloha, Uli

ID: 1434868 · Report as offensive
Profile arkayn
Volunteer tester
Joined: 14 May 99
Posts: 4438
Credit: 55,006,323
RAC: 0
United States
Message 1434879 - Posted: 28 Oct 2013, 19:10:54 UTC - in response to Message 1434868.  

As the title says, the latest virus signatures for Avast Antivirus silently delete the "AP6_win_x86_SSE2_OpenCL_NV_r1843.exe" from your seti directory trashing all AP-WUs in the queue. Sorry to my wingmen, but you can see the disastrous result here:
http://setiathome.berkeley.edu/results.php?hostid=157931&offset=0&show_names=0&state=0&appid=12

Unfortunately I wasn't home to stop this "gone wild" anti virus cr@p... %(


Which is why we tell people to exclude the BOINC data directory from being scanned.

ID: 1434879 · Report as offensive
Ulrich Metzner
Volunteer tester
Joined: 3 Jul 02
Posts: 1256
Credit: 13,565,513
RAC: 13
Germany
Message 1434881 - Posted: 28 Oct 2013, 19:13:48 UTC - in response to Message 1434879.  

Which is why we tell people to exclude the BOINC data directory from being scanned.

Yes, now the directory is on the exclusion list. Never had a problem with Avast for at least 6-7 years!
Oh well, mea culpa for trusting this AV-software... :/
Aloha, Uli

ID: 1434881 · Report as offensive
spitfire_mk_2
Joined: 14 Apr 00
Posts: 563
Credit: 27,306,885
RAC: 0
United States
Message 1434888 - Posted: 28 Oct 2013, 19:37:37 UTC
Last modified: 28 Oct 2013, 19:41:07 UTC

Edit. Ok. Avast 9 is out. My current is Avast 8. I will update and see what the 9 does.
ID: 1434888 · Report as offensive
Ulrich Metzner
Volunteer tester
Joined: 3 Jul 02
Posts: 1256
Credit: 13,565,513
RAC: 13
Germany
Message 1434893 - Posted: 28 Oct 2013, 19:46:24 UTC - in response to Message 1434888.  

Edit. Ok. Avast 9 is out. My current is Avast 8. I will update and see what the 9 does.

Be careful, I have version 9 running on WinXP, updated a few days ago.
Exclude the BOINC directory prior to the update, because the settings will be preserved. Meanwhile Avast does not complain about the Nvidia executable anymore...
Aloha, Uli

ID: 1434893 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1434896 - Posted: 28 Oct 2013, 19:54:38 UTC

If you get a virus warning on any file (even if you're pretty certain it's a false positive), it's always a good idea to test it against a site like https://www.virustotal.com/.

I'll do that with the master copy of "AP6_win_x86_SSE2_OpenCL_NV_r1843.exe" that I built the installer with, but of course I can't be responsible for the current state of a file which may have been downloaded many months ago.

If you downloaded a fresh copy, please tell me where from, and I can check whether it matches my master copy.
ID: 1434896 · Report as offensive
Ulrich Metzner
Volunteer tester
Joined: 3 Jul 02
Posts: 1256
Credit: 13,565,513
RAC: 13
Germany
Message 1434901 - Posted: 28 Oct 2013, 20:05:07 UTC
Last modified: 28 Oct 2013, 20:05:24 UTC

Hello,
the MD5sum of the executable:

AP6_win_x86_SSE2_OpenCL_NV_r1843.exe - 4811e3e8ed814ea3f3a313eb1ccd44fd

BTW:
It is still recognized as a virus by Avast, I just checked again.
I accidentally had it on the white list.
Aloha, Uli

ID: 1434901 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1434915 - Posted: 28 Oct 2013, 20:49:26 UTC - in response to Message 1434901.  

Hello,
the MD5sum of the executable:

AP6_win_x86_SSE2_OpenCL_NV_r1843.exe - 4811e3e8ed814ea3f3a313eb1ccd44fd

Master build copy on my machine has identical MD5, and a file size of 849,920 bytes.

VirusTotal calculates SHA256: eb1ac69c71df145f5b7872f73fb7618dc64bc0cb8ac843631e4fb191ba77cc14

for the copy I uploaded, and finds no virus report among the 47 virus scanning engines they're currently using to test:

https://www.virustotal.com/en/file/eb1ac69c71df145f5b7872f73fb7618dc64bc0cb8ac843631e4fb191ba77cc14/analysis/1382993010/
ID: 1434915 · Report as offensive
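
The comparison described in the post above (same MD5, file size and SHA-256 as the master build copy) can be scripted so that anyone can check a local copy before uploading it to a scanner or restoring it from quarantine. This is an added example, not part of the thread or of the project's code; the reference values are the ones quoted in the posts above, and the script and function names are hypothetical.

```python
import hashlib
import sys

# Reference values quoted in this thread for
# AP6_win_x86_SSE2_OpenCL_NV_r1843.exe (master build copy).
# MD5 is collision-prone, so an MD5 match alone is weak evidence;
# the SHA-256 and the size are checked as well.
REFERENCE = {
    "size": 849920,
    "md5": "4811e3e8ed814ea3f3a313eb1ccd44fd",
    "sha256": "eb1ac69c71df145f5b7872f73fb7618dc64bc0cb8ac843631e4fb191ba77cc14",
}


def fingerprint(path, chunk_size=1 << 20):
    """Return size, MD5 and SHA-256 of a file, reading it in chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def mismatches(path, reference=REFERENCE):
    """List the reference fields in which the file at `path` differs."""
    actual = fingerprint(path)
    bad = []
    for field, expected in reference.items():
        if isinstance(expected, str):
            # Hex digests are often pasted in upper case or with spaces.
            expected = expected.strip().lower()
        if actual[field] != expected:
            bad.append(field)
    return bad


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_ap6.py <path-to-exe>")  # hypothetical script name
    bad = mismatches(sys.argv[1])
    if bad:
        # Any mismatch means this file is not the master copy.
        sys.exit("MISMATCH in: " + ", ".join(bad))
    print("File matches the master copy (size, MD5, SHA-256).")
```
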
Profile Uli
Volunteer tester
Joined: 6 Feb 00
Posts: 10923
Credit: 5,996,015
RAC: 1
Germany
Message 1435041 - Posted: 29 Oct 2013, 0:53:39 UTC

From one Uli to another, thank you for the heads up. So far I have not had any problems with Avast.
Other issues were Seti related communication issues.

Pluto will always be a planet to me.

Seti Ambassador
Not too late to order an Anni Shirt
ID: 1435041 · Report as offensive
Thomas
Volunteer tester

Joined: 9 Dec 11
Posts: 1499
Credit: 1,345,576
RAC: 0
France
Message 1435090 - Posted: 29 Oct 2013, 7:10:59 UTC - in response to Message 1434868.  

Thanks for the heads-up Ulrich.
ID: 1435090 · Report as offensive
Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1435138 - Posted: 29 Oct 2013, 12:30:11 UTC - in response to Message 1434915.  

VirusTotal ... finds no virus report among the 47 virus scanning engines they're currently using to test

I wonder why the file is removed on people's systems and not detected in online tests (on 3 sites which may use different settings - e.g. for Heuristics Sensitivity):

https://www.virustotal.com/en/file/eb1ac69c71df145f5b7872f73fb7618dc64bc0cb8ac843631e4fb191ba77cc14/analysis/

http://virusscan.jotti.org/en/scanresult/a0008b68f4926ecf23760399e083a28957c5c233

http://r.virscan.org/report/808b98fa425e8be88dff891e97df9028.html

(This has to be some 'Behavioral Analysis', or whatever Avast calls it, or this is specific to Avast v9/2014 and does not happen on Avast v8/2013)


 


- ALF - "Find out what you don't do well ..... then don't do it!" :)
 
ID: 1435138 · Report as offensive
Profile Gatekeeper
Joined: 14 Jul 04
Posts: 887
Credit: 176,479,616
RAC: 0
United States
Message 1435193 - Posted: 29 Oct 2013, 19:59:58 UTC - in response to Message 1435138.  
Last modified: 29 Oct 2013, 20:02:02 UTC

(This has to be some 'Behavioral Analysis', or whatever Avast calls it, or this is specific to Avast v9/2014 and does not happen on Avast v8/2013)



It did happen to me on Avast v8. There was a definitions update released by Avast sometime around 0500UTC yesterday, and it was after that update that the file was quarantined by Avast. I've since applied global exclusions on Avast on all my rigs, so I don't know if subsequent definition updates are doing the same thing.

EDIT: Avast called the .exe "suspicious-evo-win32"
ID: 1435193 · Report as offensive
Dr Who Fan
Volunteer tester
Joined: 8 Jan 01
Posts: 3193
Credit: 715,342
RAC: 4
United States
Message 1435201 - Posted: 29 Oct 2013, 20:08:55 UTC - in response to Message 1435193.  

Please report False Positive to AVAST @ http://www.avast.com/contact-form.php and change the subject to suit your case [file name that is supposedly infected].
ID: 1435201 · Report as offensive
Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1435606 - Posted: 30 Oct 2013, 14:28:28 UTC - in response to Message 1435193.  

I've since applied global exclusions on Avast on all my rigs, so I don't know if subsequent definition updates are doing the same thing.

EDIT: Avast called the .exe "suspicious-evo-win32"

I don't know what you mean by "global exclusions" (exclude BOINC dir?, exclude the .exe file name?)

You can check by:
1) Copy the file (AP6_win_x86_SSE2_OpenCL_NV_r1843.exe) from ...\projects\setiathome.berkeley.edu\ (which is excluded) e.g. to your Desktop (which is not excluded and has to trigger the detection)

2) Rename the copy of the file (if you excluded AP6_win_x86_SSE2_OpenCL_NV_r1843.exe by name, the new name has to trigger the detection)

(I reported False Positive to AVAST using the link from Dr Who Fan's post)


 


- ALF - "Find out what you don't do well ..... then don't do it!" :)
 
ID: 1435606 · Report as offensive
David S
Volunteer tester
Joined: 4 Oct 99
Posts: 18352
Credit: 27,761,924
RAC: 12
United States
Message 1439669 - Posted: 7 Nov 2013, 14:52:16 UTC

I just sent the owner of this host a PM telling him that all his v7 work is coming back with a PROT_WRITE error and it's probably caused by his AV, and then after sending the PM I looked again and realized it's running Linux. I sent another PM to try to remove my foot from my mouth. But the fact remains that all his v7s are coming back with an error 127. His APs are fine, though.

David
Sitting on my butt while others boldly go,
Waiting for a message from a small furry creature from Alpha Centauri.

ID: 1439669 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1439679 - Posted: 7 Nov 2013, 15:06:08 UTC - in response to Message 1439669.  

I just sent the owner of this host a PM telling him that all his v7 work is coming back with a PROT_WRITE error and it's probably caused by his AV, and then after sending the PM I looked again and realized it's running Linux. I sent another PM to try to remove my foot from my mouth. But the fact remains that all his v7s are coming back with an error 127. His APs are fine, though.

Private (optimised) download without a chmod +x on the binary, perhaps?
ID: 1439679 · Report as offensive
spitfire_mk_2
Joined: 14 Apr 00
Posts: 563
Credit: 27,306,885
RAC: 0
United States
Message 1439710 - Posted: 7 Nov 2013, 16:05:20 UTC - in response to Message 1434888.  
Last modified: 7 Nov 2013, 16:11:47 UTC

Edit. Ok. Avast 9 is out. My current is Avast 8. I will update and see what the 9 does.

Update.

It has been a week or a little more since I upgraded Avast 8 to Avast 9. No problems. I try to do AP units on GPU only, so I manually abort CPU AP units. If you look at my tasks, my GPU AP units are validating just fine.
http://setiathome.berkeley.edu/results.php?hostid=7103832&offset=0&show_names=0&state=0&appid=12

I did not modify Avast 8 to ignore any files. I did not modify Avast 9 to ignore any files. I simply installed Avast 8 when I installed the OS, however, obviously it does not work this way for everyone. Maybe I got lucky with how the original installation of Avast 8 worked.
ID: 1439710 · Report as offensive



 
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.