Avast offline installers since 20.10.5824.0 scan INFECTED on VirusTotal

Version 20.10.5824.0 is the last Avast Free offline installer that tested Clean on VirusTotal. I’ve since tested ver 21.2.6096.0 and ver 21.3.6164.0 and they both scanned Infected. My 20.10.5824.0 has updated to ver 21.3.2459 build 21.3.6164.661, so I’m wondering if the update is infected as well as the offline installer. If these are False Positives, Avast needs to get this straightened out with those services that detected problems so these possible false positives quit coming up. I have been scanning Avast Offline Installers prior to installation for years and have Never come up with a detection until these two now.

avast free 21.2.6096.0 offline
SHA-1: 8D2C67D87300C899707E34FF17723252359949DE
https://www.virustotal.com/gui/file/02bd43f368dda4b698702198c0ad4b42e6e5d0c591136c7e7653948b30ac041d/detection
Jiangmin: Trojan.Encoder.adn
NANO-Antivirus: Trojan.Win32.Encoder.itqnto
VBA32: TrojanRansom.Convagent
Zillya: Trojan.Convagent.Win32.2187

avast free 21.3.6164.0 offline
SHA-1: A559ED0FD4D1B94EDA299F7D6927502BF2D2CD9A
https://www.virustotal.com/gui/file/a836be086873b8b576c5213ca68d69f69d42fe61b7f5acd167d122972f97a68c/detection
Jiangmin: Trojan.Generic.gweqe
VBA32: TrojanRansom.Encoder
Yandex: Trojan.Encoder!PI2RWdVQ7v4
Zillya: Trojan.Encoder.Win32.2325

avast free 20.10.5824.0 offline
SHA-1: 13AE199C38B5693AC629E4C4DC4A8CE9648E20DF
https://www.virustotal.com/gui/file/5f13daadbff9afdc8c23de990d730c3c0c2bd0e549b93e2cb979bdfb049b3f04/detection
Clean

All Avast Offline Installers were downloaded from: https://www.avast.com/en-us/installation-files

I would suggest that given the small number and who found it, this is an FP.

These offline installation files should be digitally signed and as such untampered with.
Where did you get the old version from (as it wouldn’t be supplied by Avast)? Only the latest version is downloaded from the link you gave.

I just downloaded the offline installation file and that returns the latest version, which is as I said digitally signed.

These offline installation files should be digitally signed and as such untampered with.
This info (and more) you find at VirusTotal behind the DETAILS tab

I’m saying that they ARE digitally signed, NOT that they should be.

I looked at the Details Tab.

DavidR all three versions came from the same link over a period of time as the new versions were made available. The 20.10.5824.0 was downloaded and scanned back in January. Prior to that I have a 19.1.4142.424 and a 17.5.2303 that were all downloaded from the very same link at Avast a year or so ago. Soon the next version will be what is downloaded from that link and the current 21.3.6164.0 will no longer be available. I save all my downloaded versions in case something ends up being screwed up on a newer version and downgrading is necessary until a newer version with the bug fixed is available.

DavidR, yes, they are all digitally signed. That is one of the first things I check in Properties when I download an executable file, and then that is verified again on VirusTotal on the Details page. I also run FileAlyzer by Safer-Networking (Spybot Search and Destroy) on the file to double check the SHA-1 hash that comes up on VirusTotal, Kaspersky Threat Intelligence Portal, Jotti’s malware scan and Dr Web.
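As an added example that is not from this thread, here is how the checks described in the post above (compare the locally computed SHA-1/SHA-256 against the VirusTotal report, and confirm the Authenticode signature) can be scripted in PowerShell; the installer path and the VirusTotal URL are placeholders you substitute with your own download and report link.

```powershell
# Added example (not from the thread). Verifies a downloaded installer the way the
# post above describes: hash it locally, compare the SHA-256 to the one embedded in
# the VirusTotal report URL, and check the Authenticode signature before running it.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,   # placeholder: your downloaded file
        [Parameter(Mandatory)] [string] $VirusTotalUrl    # placeholder: .../gui/file/<sha256>/detection
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "File not found: $InstallerPath"
    }

    # VirusTotal file URLs carry the sample's SHA-256 as the path segment after /file/
    if ($VirusTotalUrl -notmatch '/file/([0-9a-fA-F]{64})') {
        throw "Could not find a SHA-256 in the VirusTotal URL: $VirusTotalUrl"
    }
    $expectedSha256 = $Matches[1].ToLowerInvariant()

    # Local hashes: SHA-1 to compare with FileAlyzer / the VT Details tab, SHA-256 to match the URL
    $sha1   = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA1).Hash.ToLowerInvariant()
    $sha256 = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash.ToLowerInvariant()

    # Authenticode check: only 'Valid' is acceptable. 'NotSigned', 'HashMismatch' (file altered
    # after signing) or 'NotTrusted' (chain not trusted) all mean the file should not be run.
    $sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath

    [pscustomobject]@{
        File            = $InstallerPath
        SHA1            = $sha1
        SHA256          = $sha256
        MatchesVTReport = ($sha256 -eq $expectedSha256)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        OkToRun         = ($sha256 -eq $expectedSha256) -and ($sig.Status -eq 'Valid')
    }
}

# Usage with placeholder values (replace with your own file and report link):
$result = Test-DownloadedInstaller `
    -InstallerPath 'C:\Downloads\avast_free_antivirus_setup_offline.exe' `
    -VirusTotalUrl 'https://www.virustotal.com/gui/file/<sha256-from-your-report>/detection'
$result | Format-List
if (-not $result.OkToRun) { Write-Warning 'Hash or signature check failed; do not run this file.' }
```

If the SHA-256 matches the report, the VirusTotal verdict applies to exactly the file on disk; a mismatch means you scanned a different download than the one you are about to run.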

It was the missing “all three versions came from the same link over a period of time” from your first post that was why I questioned the source.

Aside from what I have already said, other antivirus applications checking other antivirus applications could consider files possibly suspect.

However, the AVs making these detections I wouldn’t call first line (Yandex, I can’t recall whose AV they bought/use), and neither Kaspersky nor Dr Web sees it as infected on any of the links you gave.

So I personally still consider it an FP.

A check on whose AV engine is used by Yandex returns

To detect malware, Yandex relies on two technologies: the Sophos antivirus software and the company's own proprietary antivirus technology. The Sophos antivirus software, based on a signature approach, uses predominantly the database of already known virus signatures to identify the existing codes as malicious.

Yet Sophos doesn’t detect it in either of the VT results.

DavidR, I was not able to test these last two versions of the Avast Offline Installer at Kaspersky, Jotti’s or Dr Web, as the file size exceeds the maximum size at all three of those online scanner sites.

Hi,

Our virus specialists have confirmed that the installers you listed are safe, and we will resolve the FPs with the respective security vendors.

r@vast thank you for resolving this and taking care of the false positives.

Two months later and False Positives still not resolved…

These are false positives from other AVs, aren’t they?

Avast can’t resolve their FPs; you have to report them to the AVs that are falsely detecting these signed installation files.
Unless you were able to send them the file (too large), I don’t know if they are really going to be concerned with reanalysing old versions of the offline installation files.

I have rescanned those links you gave at VT and some have reduced, but the numbers are so low (2 of 64 on one and 4 of 64 on the other) as to give little confidence in the result (and in the AVs that actually detected them). I certainly would consider them probable false positives.

Given that the latest off-line installation version is 21.5, it won’t be that long, I guess, before 21.6 beta testing starts.

I just ran the latest avast free 21.5.6354.0 offline.exe through VirusTotal and it came back with False Positives also.
https://www.virustotal.com/gui/file/4db4c3b233cec9731d4a01a7e0a908a98b300a6799671795d5fa63697e9ca926/detection

Yes, the same two as involved with the others, you really have to take it up with them, Avast can’t fix other AV companies false positives.

When you have as few as 2 hits from 64 scans, it has to fall heavily in the False Positive arena; move on (I now have) and use the file or not, that is your decision.

I have no idea what purpose you think this serves; Avast can’t fix this directly, only those involved in the detection can, by modifying their virus detection signatures.

All software I download, not just security software, I not only scan from my PC with Avast, Malware Bytes and Spybot S&D but scan online at VirusTotal and, if it’s not bigger than allowed, Jotti’s, Kaspersky and Dr Web before I run any of it. Occasionally software comes up flagged positive, at which point I contact the publisher and inform them of the situation. 90% or better thank me for letting them know and say they are going to contact the vendor that flagged their product and submit a sample for False Positive. After a week or two I re-scan the product and almost all of them then come back clean. So the majority of the software publishers I contact actually submitted a sample to the flagging vendor and got the False Positive removed, because FALSE POSITIVES MAKE A PRODUCT LOOK BAD. At that point I then use the software. So yes, Avast is going to have to be the one to submit samples to the flagging vendor to get the False Positives fixed. As I said before, Avast NEVER flagged positive by any vendor until after version 20.10.5824.0.

Hi,

However, when r@vast says:

Our virus specialists have confirmed that the installers you listed are safe, and we will resolve the FPs with the respective security vendors.
this means that Avast would try to deal directly with the antivirus programs that detect threats, i.e. the respective security vendors. Obviously, 2 months later, this attempt was not successful.

That isn’t Avast’s fault. It’s up to the individual vendors to correct their mistakes.

I know that, but what I meant was that Avast (through r@vast) seemed to want to deal with those who detect these threats to make them remove the probable FPs … and obviously it did not succeed :-\ without really knowing if it is for a question of policy, business (most likely) or because it is not an FP in the eyes of these security organizations (in this case there is no reason for them to correct their mistakes, since there is no mistake).

My emphasis in quote:
Which would speak volumes about said companies if, when contacted by another security-based company, with a valid digitally signed file being detected.