AntSharesUI.exe - first it contained virus but not now??

Hi

This is probably one of the weirdest experiences I have had with Avast:

I downloaded a zip-file here: https://www.antshares.org/Download
It contained the executable AntSharesUI.exe.
At first, when I tried running it, Avast moved it into quarantine. Now (2 days later?) when I run it again, Avast doesn’t care. That’s weird!?
I also tried scanning it with https://www.virustotal.com/da/ , but 0 viruses were found.

Henrik R.

How is that weird?

There is something called false positives (clean file detected as malicious) it may have been the case here.
All AV vendors fix false positives every day.

Still be aware, because of this: http://www.scamaider.com/is-antshares.com-safe-legal.html
Problems with the blockchain crypto, and IDP.Generic detection.
Wait for Avast Team to give a final verdict here, and if this is a FP.

polonus

File is clean.

It’s getting weirder… Yesterday I ran AntSharesUI.exe again without problems (except that I had to disable my COMODO firewall to start it).
But today suddenly Avast quarantined it again while it was running. But when I do a https://www.virustotal.com/da/ scan there are still 0 detections. Even Avast (through virustotal) says it is clean. So Avast is saying both ‘good’ and ‘not good’ at the same time…!?

When Avast detects something there should be a popup warning … post a screenshot.

Hi heroxx,

Could be that IDP.Generic detection, but what makes that detection appear as not absolute and consistent?
It is a detection not for the software, it is a detection for a new installer.
Check you get a unique detection while or after installing.

It could be Rundll.exe for instance, but it could be another executable for the installer flagged.

Was your homepage in the browser compromised?
That could also lead to such detections and would also declare the off-on detection/non-detection pattern,
as that isn’t unique after visiting a malicious url or hacked legit website. :wink:

polonus

I tried to save a screen shot, but it’s not perfect. I have attached it.

Yes, it is “IDP.Generic”.
AntSharesUI.exe is not an installer. You don’t install it in the traditional sense. You download a zip-file, and AntSharesUI.exe along with over 100 other files are inside. But I should mention that it is a crypto-currency blockchain wallet which needs to run for about 50 hours to load the whole blockchain. Quite a cumbersome arrangement…
What homepage? I have a lot of pages on tabs in my Firefox browser.

Think I worked it down to

<script src="/Scripts/qrcode.min.js">

kicking up the following errors

found JavaScript error: undefined variable $ error: undefined function $
see the dom: https://urlscan.io/result/506cf78e-0e3c-49af-b416-246f30020216/dom/

See script attached as a txt file (where Mal_Hifrm is detected in “//hm.baidu dot com/hm.js?a7cb0c1e1d3715e67d44b75b9d8ce5ba”), see how -//platform-api.sharethis.com/js/sharethis.js#product=ga
is affected by this: Number of sources found: 41; Number of sinks found: 17.

polonus (volunteer website security analyst and website error-hunter)

What does that script have to do with the virus Avast claims has infected ‘AntSharesUI.exe’, which I copied from AntSharesCore-GUI-v1.6.6354.35073.zip, which I downloaded from https://www.antshares.org/Download ?

New information:
Last night, when I tried running ‘AntSharesUI.exe’ again, I forgot to disable COMODO firewall and auto-containment, so it got contained and couldn’t do any real work. Then when I closed it, Avast quarantined it again. This time I managed to get a screen shot (attached).
By the way: My other copies of ‘AntSharesUI.exe’ have now been blocked (by Avast?) so that I can’t even copy it from one place to another. I either get the error “error when writing” or “access denied”.

Well I did not do anything else than checking that download page (website) and third party scripts running there and then stumbled on such error(s).

The impact is not clear as an Avast Team Member stated earlier here
that it is not that particular executable that should kick up that detection. :smiley:

Let us check the download uri with Comodo’s Site Inspector and what do we get? “An Inconclusive”.
And also a warning for Transaction Transport?

So there certainly is room for suspicion, isn’t there? See also: http://www.d-analyse.com/a/neochain.org.html

Custom errors: Fail (results from asafaweb scan) → https://asafaweb.com/Scan?Url=www.antshares.org

Requested URL: -https://www.antshares.org/< | Response URL:-https://www.antshares.org/< | Page title: 运行时错误 | HTTP status code: 400 (Bad request) | Response size: 3,297 bytes | Duration: 805 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.

Custom errors are easy to enable, just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page as follows:

HTTP to HTTPS redirect: Warning

Requested URL: -http://www.antshares.org/ | Response URL: -https://www.antshares.org/ | Page title: 小蚁 Antshares | HTTP status code: 200 (OK) | Response size: 50,889 bytes | Duration: 2,987 ms
Overview
When a website redirects the user from an HTTP address to an HTTPS one, there is a risk that an attacker could launch a man in the middle attack by intercepting the original HTTP request and returning a malicious response. (Do we have HSTS to protect us?).

Result
The address you entered makes a request using the HTTP scheme but is then redirected by the server to an HTTPS address. Consider user education to ensure the HTTPS address is entered directly into the browser when requesting the site.

Excessive headers: Warning

Requested URL: -http://www.antshares.org/ | Response URL: -https://www.antshares.org/ | Page title: 小蚁 Antshares | HTTP status code: 200 (OK) | Response size: 50,889 bytes | Duration: 2,987 ms
Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Clickjacking: Warning

Requested URL: -http://www.antshares.org/ | Response URL: -https://www.antshares.org/ | Page title: 小蚁 Antshares | HTTP status code: 200 (OK) | Response size: 50,889 bytes | Duration: 2,987 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

So all is not hug and snug for these services from Fuxin, Mainland China, and now you see the problems of a general Microsoft-IIS/8.5
server mono-culture there. These bitcoin chain services were brought to China by KPMG.

polonus
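The three asafaweb findings quoted in the post above (custom errors off, version headers exposed, no X-Frame-Options) can all be addressed from an ASP.NET site's web.config. The fragment below is an added illustration, not the thread's own content and not antshares.org's actual configuration; the error page path ~/Error.aspx and the rewrite rule name are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Custom errors: stops "Server Error in ..." pages (stack traces, paths)
         reaching remote users. RemoteOnly keeps full detail on localhost;
         mode="On" hides it everywhere. ~/Error.aspx is an assumed page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/Error.aspx?code=404" />
    </customErrors>
    <!-- Removes the X-AspNet-Version: 4.0.30319 header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Removes the X-Powered-By: ASP.NET header. -->
        <remove name="X-Powered-By" />
        <!-- Clickjacking: only pages from this origin may frame the site. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- HSTS: after one HTTPS visit the browser refuses to send plain HTTP
             to this host, closing the HTTP-to-HTTPS redirect window.
             Browsers ignore this header when it arrives over plain HTTP. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
    <!-- Server: Microsoft-IIS/8.5 cannot be suppressed from customHeaders on
         IIS 8.5; an URL Rewrite outbound rule blanks it instead
         (requires the URL Rewrite module to be installed). -->
    <rewrite>
      <outboundRules>
        <rule name="StripServerHeader">
          <match serverVariable="RESPONSE_Server" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The remaining X-AspNetMvc-Version header is not a config setting: it is disabled in code with `MvcHandler.DisableMvcResponseHeader = true;` in Application_Start. After deploying, re-run the same scan and confirm the four headers are gone and X-Frame-Options is present before treating the findings as closed.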

Just to short-circuit this. I find with Comodo Site Inspector that the given particular download link = uri is not to be trusted, e.g.
-https://www.antshares.org/Download

So that could mean the very download is not to be trusted either. That is all I try to communicate. 8)

polonus

A little addition :

But today suddenly Avast quarantined it again while it was running. But when I do a https://www.virustotal.com/da/ scan there are still 0 detections. Even Avast (through virustotal) says it is clean.
VirusTotal only does an on-demand scan and does not have all the other detection options Avast has on a user’s system.

All files from the archive are now clean.

Great. But Avast (I presume) is still preventing me from doing anything with the file. Do I have to ask Avast to release it from quarantine before I can copy/move/run it?

Have you tried a manual update and rebooted?

Hi heroxx,

Did you verify using this: https://proofofexistence.com/

polonus

That solved it - thank you! Now I can run AntSharesUI.exe again - if I disable COMODO firewall and auto-containment first!

Very interesting website! But what should I try to verify?