A new false positive?

The most recent update is suddenly tagging WRAR280.EXE as infected with Win32:Trojan-gen {other}.

This is not a new file, has been scanned numerous times before, and has never triggered an alert in the past.

Can someone confirm that this is a false positive?

Thanks.

Hi benjybite,

Here is a possible reason why this was flagged as suspicious: http://spywarefiles.prevx.com/spywarefiles.asp?FXC=HCFC04358834
And here is the all green for this file here: http://www.threatexpert.com/files/wrar280.exe.html
So the truth must be somewhere in between these two, and it sure is.
As we are growing away from an obsolete OS like Win98 SE, we see files that stem from there suddenly flagged, while they could also be apparent FPs. But because they escape scrutiny there, they are again being used in malware: http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453090792
Upload to www.virustotal.com and see how many scanners flag it, to see whether your version of the file is not malicious.

polonus

Is it a RAR setup file?
Can you send it to www.virustotal.com to be sure it’s clean?

The nature of the file is an installer for WinRAR v2.8.

I ULed it to Virustotal and got 3 positive warnings (7.89%) out of 38 scanners.

What’s very unusual is that on the Virustotal form, it was NOT flagged by Avast (with an update date of 12/18/08).

So an update in the last week (when I last ran a full scan and had no warnings) has suddenly started triggering this alert…

It isn’t unusual to not have avast detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

DavidR,

Yes, I realize that. One of the Avast updates in this past week is what has started flagging this file.

But the question remains: has Avast “discovered” something new in this file in the last week that it didn’t detect previously or has one of the new updates started generating a false positive?

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

These generic signatures are constantly updated/tweaked to try to trap more malware without raising possible false positives and in some cases to correct false positives.

You didn’t post the URL to the VT results page, so I can’t see what the other scanners were or what they called it, nor any other information on that page, to do anything other than speculate, which isn’t good.

Sorry, David.

Here’s the link to what Virustotal returned:

http://www.virustotal.com/analisis/6317edcafd4a360ebc0401875f544d36

So this file, undetected on VirusTotal, is detected by avast! on your computer? That’s indeed strange…
If yes, can you please upload the file to ftp://ftp.avast.com/incoming ?
Thanks.

It isn’t so strange as the VT results are from 12.18.2008 so the file had been previously scanned and benjybyte didn’t have the file re-analysed.

@ benjybyte
If you can rescan it, you will probably find that avast detects it, but two of those are heuristic detections which can be prone to FP.
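The distinction DavidR and polonus draw above (a generic "-gen" or heuristic hit versus a named variant, and a 3-out-of-38 minority) is the usual first cut when triaging a suspected false positive. The script below is an added example, not code from the thread or from avast or VirusTotal; it takes a list of (engine, detection) pairs, separates generic/heuristic names from specific ones, and reports the ratio. The engine names, the marker list and the 15% threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Markers that make a detection name generic or heuristic rather than a named variant
# (the "-gen" suffix discussed in the thread is one). Assumed list, not any vendor's taxonomy.
GENERIC_MARKERS = re.compile(r"-gen\b|generic|heur|suspicious|packed|unclassified", re.IGNORECASE)

# Assumed cut-off: below this share of engines we treat hits as weak evidence.
FP_RATIO_THRESHOLD = 15.0


@dataclass
class Verdict:
    total: int                                          # engines that scanned the file
    flagged: int                                        # engines that returned any detection
    specific: List[Tuple[str, str]] = field(default_factory=list)  # named-variant hits
    generic: List[Tuple[str, str]] = field(default_factory=list)   # generic/heuristic hits

    @property
    def ratio(self) -> float:
        """Detection ratio in percent, rounded to two places as VirusTotal displays it."""
        return round(100.0 * self.flagged / self.total, 2) if self.total else 0.0

    @property
    def likely_false_positive(self) -> bool:
        """A small minority of engines flag it and none of them names a specific variant."""
        return self.flagged > 0 and not self.specific and self.ratio < FP_RATIO_THRESHOLD


def triage(results: Iterable[Tuple[str, Optional[str]]]) -> Verdict:
    """Classify each (engine, detection-or-None) pair into clean, generic or specific."""
    verdict = Verdict(total=0, flagged=0)
    for engine, name in results:
        verdict.total += 1
        if not name:
            continue
        verdict.flagged += 1
        if GENERIC_MARKERS.search(name):
            verdict.generic.append((engine, name))
        else:
            verdict.specific.append((engine, name))
    return verdict


def report(results: Iterable[Tuple[str, Optional[str]]]) -> str:
    """Human-readable summary of a triage run."""
    v = triage(results)
    lines = [f"{v.flagged}/{v.total} engines flagged ({v.ratio}%)"]
    for engine, name in v.generic:
        lines.append(f"  generic/heuristic: {engine} -> {name}")
    for engine, name in v.specific:
        lines.append(f"  specific variant:  {engine} -> {name}")
    lines.append("verdict: " + ("probable false positive, submit to the vendor for analysis"
                                if v.likely_false_positive else
                                "treat as suspicious, do not rely on the ratio alone"))
    return "\n".join(lines)


# Constructed sample: 38 engines, 3 hits, which reproduces the 7.89% ratio in the thread.
# None of these engine names or detection labels are real results for the file.
SAMPLE_RESULTS: List[Tuple[str, Optional[str]]] = (
    [(f"Engine{i:02d}", None) for i in range(35)]
    + [("EngineA", "Heur.Trojan.Generic"),
       ("EngineB", "Suspicious.Packed"),
       ("EngineC", "Win32:Trojan-gen {other}")]
)

if __name__ == "__main__":
    print(report(SAMPLE_RESULTS))
    # Same set plus one engine naming a specific variant: the FP verdict flips.
    print(report(SAMPLE_RESULTS + [("EngineD", "Trojan.Win32.Agent.abc")]))
```

Run it as-is to see the constructed sample scored; feed it the engine/result pairs copied from a real results page to score those. The point of the `specific` list is that a single engine naming a concrete variant outweighs several generic hits, so the verdict turns on that list, not on the percentage.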

igor,

It’s been so long since I’ve used FTP I’m not sure I even have the software any more.

Can I ZIP it and email it to you?

Hi DavidR,

You know as do I that virustotal scanning does not take in account the heuristic scanning of the scanners they use (so also avast heuristic scanning), so like you said this is a find through avast scanning heuristically, and so also prone to being an FP. So I am on the side of benjybite here… and he can certainly send it to avast for further analysis, this can only help to get their heuristics a tiny bit more specific.
This is why scanning through virustotal in that respect can be taken two ways (repeat here: it is always minus heuristics),

polonus

It isn’t a case of taking sides, only the posting of the latest information from VT, which I would think will show avast and no doubt GData detecting on the generic signature. That was Igor’s concern if it were a current set of VT scan results, e.g. why it wasn’t detected by VT.

However I do feel there is a high likelihood it is an FP.

@ benjybyte
Open IE or an IE clone and paste ftp://ftp.avast.com/incoming into the address bar. Connect to the link and drag the file (from Windows Explorer) into the right pane and drop it; that starts the upload. You don’t have read access to this folder.

Let me try to clarify things here…

I DID scan it through Virustotal TODAY. The Avast scan through Virustotal did NOT detect infection, but the definitions date that VT is using when running an Avast scan is from Dec. 18.

The LOCAL Avast scan I ran today DID detect it but it was not flagged in any previous local scans. My gut tells me that it is a false positive generated by a definitions update pumped out sometime in the last week (because the local Avast scan that I ran last Friday did NOT flag the file).

I’m just going to delete the file but I do think that something in an update this week is creating a false positive, which is something that Avast should look into.

David:

Thanks for the help. Worked like a charm.

Igor:

The suspect file has been uploaded to the FTP site.

Hi benjybite,

So all of us are happy here, and glad this will be clarified. Thanks for your reporting this issue here, and stay safe and secure through avast,

polonus

You’re welcome.

You have, however, pre-empted what we would have suggested: to submit the file to avast for analysis as a probable false positive, and to send it (or allow it to be sent) to the chest; that way you have a copy which you can periodically scan from within the chest.

If you scanned it every two days or so, then when it is no longer detected you would know that the VPS signatures have been corrected, and you could then restore the file to its original location.

David,

Procrastinator (not to mention packrat) that I am, I still have the file and HAVE submitted it to Avast for analysis (by ULing it to the FTP site).

If and when the false flag disappears, I’ll post an update here.

Happy weekend.
b.

Thanks for helping improve detection.

Thanks for the update, have a good weekend yourself.