Possible False Positive

[sythetron]

just got an auto quarantine message from immunet protect free while avira antivir personal 10 was attempting to update to latest definition v7.10.11.157, 9/13/2010.

file aegen.dll was detected as W32.Jeefo, file was located at D:\Program Files\Avira\AntiVir Desktop\

 

I tried to submit the file through the false positive form but was unable to zip the file because restoring it from quarantine failed and the form does not take the file in quarantine just by itself. I tried manually updating avira again but it would not re-download the file so i am unable to attain the original file.

 

I am attaching the quarantined file here hoping you can receive and determine whether it is a false positive or not.

 

I am currently using Immunet version 2.0.15.12

[sythetron]

hmm seems i cant attach the file here either, is there another possible way i can submit the quarantined file??

[Guest Orlando]

First of all open Immunet, click on quarantine under history (next to detailed history) in the middle column. Click on possible false positive read on the right path, and then click on restore. Now find the file path. You can send that file to support@immunet.com with the subject "possible false positive".

You can also post the file here if it is not too large.

 

Thanks for the support,

Orlando

[sythetron]

As i have stated previously I have tried to restore it, but it fails. In history it states that "Restore Quarantined File Failed" an error message dialog box also opens up with the following message "File Could Not Be Restored. Check to see if Agent is online. Please contact support@immunet.com."

 

I am online and connected. All check marks on bottom of immunet are green and checked. I have tried to reboot and try again but same message.

 

 

 

First of all open Immunet, click on quarantine under history (next to detailed history) in the middle column. Click on possible false positive read on the right path, and then click on restore. Now find the file path. You can send that file to support@immunet.com with the subject "possible false positive".

You can also post the file here if it is not too large.

 

Thanks for the support,

Orlando

[Guest Orlando]

As i have stated previously I have tried to restore it, but it fails. In history it states that "Restore Quarantined File Failed" an error message dialog box also opens up with the following message "File Could Not Be Restored. Check to see if Agent is online. Please contact support@immunet.com."

 

I am online and connected. All check marks on bottom of immunet are green and checked. I have tried to reboot and try again but same message.

 

Have you checked if Agent.exe and Iptray.exe are active in task manager?

 

Orlando

[sythetron]

yep they are both up.

 

I sent the quarantined file to virustotal, it recieved a 3/43

http://www.virustotal.com/file-scan/report.html?id=9af6f6d541a2c48ad7e23a699dcd56a03b21052acdf6b3f18a5a93e7769818aa-1284453911

 

I also went through the avira support forums and see several people are reporting the file being flagged by some other antivirus companies as well.

 

 

 

 

 

Have you checked if Agent.exe and Iptray.exe are active in task manager?

 

Orlando

[Guest Orlando]

yep they are both up.

 

I sent the quarantined file to virustotal, it recieved a 3/43

http://www.virustotal.com/file-scan/report.html?id=9af6f6d541a2c48ad7e23a699dcd56a03b21052acdf6b3f18a5a93e7769818aa-1284453911

 

I also went through the avira support forums and see several people are reporting the file being flagged by some other antivirus companies as well.

 

It could be a false positive, you can not send the file directly from a quarantine? The file is inside the folder "quarantine" folder where you installed Immunet.

 

Orlando

[sythetron]

It keeps on saying You aren't permitted to upload this kind of file when trying to attach the file to a post or through the false positive submission form. I sent an email of the quarantined file to support@immunet.com though.

 

 

 

 

It could be a false positive, you can not send the file directly from a quarantine? The file is inside the folder "quarantine" folder where you installed Immunet.

 

Orlando

[sythetron]

got avira to update again, attaching a copy of the file

aegen.zip

[Guest Ceb65]

The same here: Antivir's aegen.dll identified as malware -> quarantine message -> Test at Virustotal -> result 3/43 -> having a look at Avira's forum -> some posts there from today confirming "false positive" including some answers claiming that Immunet and Avira are not fully compatible (not good for PR...) -> restoring from Immunet's quarantine folder doesn't work although iptray.exe and agent.exe are running.

 

However, updating Antivir obviously brought back Antivir's aegen.dll without any further reaction of Immunet. I hope I can be sure now that Antivir is now as up-to-date as it should be (?? - perhaps I should ask this in Avira's forum). But why didn't the restore function work? (If nobody knows I think I'll wait if it happens again and post if necessary).

[Guest Orlando]

Put all Avira folders in the esclusion (in settings). It's a false positive.

 

Orlando

[Ceb65]

Put all Avira folders in the esclusion (in settings). It's a false positive.

 

Orlando

 

Thank you for your quick answer. I've tried to do as told, but all exclusions are already (suddenly?) listed. I think this means "cloud protection", and Protection Exclusions are updated automatically, too? (sorry for this funny lack of computer-related knowledge... ) Does it mean anything important that now C:\Program Files\Avira\Antivir Desktop\aegen.dll is listed eight times in Immunet's exclusion list? And (if you don't mind me asking here instead of Avira's forum) I think Avira is ok again after manually udating (seems so, aegen.dll is back in the Antivir folder)?

[Guest Orlando]

Thank you for your quick answer. I've tried to do as told, but all exclusions are already (suddenly?) listed. I think this means "cloud protection", and Protection Exclusions are updated automatically, too? (sorry for this funny lack of computer-related knowledge... ) Does it mean anything important that now C:\Program Files\Avira\Antivir Desktop\aegen.dll is listed eight times in Immunet's exclusion list? And (if you don't mind me asking here instead of Avira's forum) I think Avira is ok again after manually udating (seems so, aegen.dll is back in the Antivir folder)?

 

There may be 8 aegen.dll, you should check your folder of Avira, but I do not think, however, if you update Avira normally and Immunet does not detect anything, the problem is solved. If all Avira folders are in the exclusions there will be no more problems. The real incompatibility is with the program files and not running simultaneously. There may be future updates mistaken for FP, but I think the way we are working on, is the right one.

 

Regards,

Let me know if I did not understand something or if you want more information

Orlando

[Ceb65]

There may be 8 aegen.dll, you should check your folder of Avira, but I do not think, however, if you update Avira normally and Immunet does not detect anything, the problem is solved. If all Avira folders are in the exclusions there will be no more problems. The real incompatibility is with the program files and not running simultaneously. There may be future updates mistaken for FP, but I think the way we are working on, is the right one.

 

Regards,

Let me know if I did not understand something or if you want more information

Orlando

 

Thanks again. I think everything is all right now. Just for fun and safety: The attached image shows my Immunet's file exclusion list, including the eight entries of the same file, "aegen.dll". I don't think that this is the list's default appearance, however, it wasn't me who made these entries. Regards Ceb65

[sythetron]

haha i have the same thing in exclusions list, the same number and the same look exactly as you

 

 

Thanks again. I think everything is all right now. Just for fun and safety: The attached image shows my Immunet's file extension list, including the eight entries of the same file, "aegen.dll". I don't think that this is the list's default appearance, however, it wasn't me who made these entries. Regards Ceb65

[sythetron]

i also am interested in how it happened to fail from being restored from quarantine. I am afraid if some important system file gets false positived and auto quarantined being unable to be restored resulting in a corrupt system. I tried to change the default action of auto quarantining files but the other setting also auto quarantines just with a dialog box after to see if you want to restore it.

[alfred]

just got an auto quarantine message from immunet protect free while avira antivir personal 10 was attempting to update to latest definition v7.10.11.157, 9/13/2010.

file aegen.dll was detected as W32.Jeefo, file was located at D:\Program Files\Avira\AntiVir Desktop\

 

I tried to submit the file through the false positive form but was unable to zip the file because restoring it from quarantine failed and the form does not take the file in quarantine just by itself. I tried manually updating avira again but it would not re-download the file so i am unable to attain the original file.

 

I am attaching the quarantined file here hoping you can receive and determine whether it is a false positive or not.

 

I am currently using Immunet version 2.0.15.12

 

Gents,

 

This is definitely an FP and I've since white-listed the file.

 

Cheers,

al