Avast False Positive Quarantining ConnectWise Tray Executable

Avast Business Pro, Virus Definitions 231012-4, using both cloud and on-premises consoles (and cloud is a LOT slower to issue alert emails, BTW).

Detection does NOT occur with Virus Definitions 231012-2.

I’ve filed a false positive report on this. VirusTotal finds nothing:

https://www.virustotal.com/gui/file/8315a57771a3696a8350a646b597ddf6437cbaea6d221b370056effb931936de?nocache=1

My main reason for posting is that these files are now being quarantined all over my network. I don’t see any way to make either console push an automated removal from quarantine, so now we’re going to have to touch every machine to fix this after Avast corrects the detection. GRRRRR.

Thanks for listening.

And very suspiciously, only a few minutes after I sent the false-positive report and posted this message here, I received an alleged email from Avast informing me that they had received my request to “cancel my contract and request a refund”.

I would say this is obviously bogus, except that several years ago there was a situation in which Avast sent out false “Thank you for leaving” messages to customers by mistake. I don’t see how some criminal reading this forum would have my email address, but who knows?

So attached is a copy of the email message I received. I will also send that to the false-positive portal since I know of no other place to send it.

So I sent that email to the Avast false positive upload site and immediately got another copy of this same message about cancelling my contract.

Either somebody has hacked the Avast false positive upload site or something over there has gotten extremely hosed. ;D :o

Did you send it here - Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php ?

There have been a couple of instances in the forums of getting the wrong email response when reporting a false positive.

Yes, that’s where I sent it. This morning I got a response email from them that was entirely blank. But I also got another response acknowledging the specific problem with the response emails.

Meanwhile, I was asked to submit a screenshot of the Avast alert concerning the ConnectWise file. I just happened to have one, but that’s not always the case. These alerts don’t necessarily happen on my computer; they happen on one of many on the network and all I usually get is the notification in the console. I was also asked, in a separate email, to upload the file to VirusTotal and send a link to the results. Now, I had uploaded that file when I made the first false positive report via the portal. Can’t the Avast techs send it to VirusTotal themselves? It seems like several hours of time were wasted in sending me emails and waiting for me to reply with information that Avast either didn’t need or already had.

Oh well, they are working on it. It’s not clear whether applying an exclusion to the file via the cloud portal actually works. I’m still getting occasional alerts from the cloud hub on this after we did that. We’re in a hybrid cloud/on-premises situation here as we migrate our workstations to the cloud. I’ve seen the alert recur on machines controlled by the on-premises console after the user tells Avast to make an exception for the file. Most users can’t actually restore the file from quarantine because it requires local admin rights. And even if it is restored, the functionality is gone, so probably a reinstall of the ConnectWise agent is going to be required.

It’s just a little program that causes an icon to appear in the system tray and, perhaps, respond to clicks on that icon. It’s not an essential part of the system, but this is still extremely annoying.

Whilst this is a virus/malware related issue, since you are a Business User, I believe it may be better in the relevant section of the Avast for Business section of the forums - https://forum.avast.com/index.php?board=77.0 - on how best to manage this. As an Avast Free user I’m totally unfamiliar with the business product range and their workings. There is no doubt about reporting a Possible FP to Avast; it is just the interaction with the product I don’t know about.

“We’re in a hybrid cloud/on-premises situation here as we migrate our workstations to the cloud.”

Hopefully the mess-up with receiving the wrong response to a reported FP will get actioned quickly.