Avast removing our agent we are losing our users by each minute!

system · April 15, 2014, 7:40am

Hi

Since 2 days ago Avast started removing our software from clients PCs, which is resulting in severe damage to our newly launched business(thanks for that BTW).
We reported false positive alert few times from avast directly from web form(which is not working well), filed ticket, but since then no one is responding?

What is more interesting, if you go to virus chest and right click on our agent and then click restore and add to exclusion list, agent is restored but soon as you try to run it avast removes it again and round we go again.
So even that is not working so we can’t help our clients in any way now.

Our agent exe is located here:
http://www.markething.me/mm/MM_Agent.exe

We really dont’ know where to turn now, who to ask for this now? We are losing clients every single minute.

For example BitDefender removed false positive warning in matter of hours from when we reported it.

Regards
Markething.Me

RejZoR · April 15, 2014, 8:28am

avast! is not detecting anything for me. Not even with PUP enabled. Either they already fixed it or it was some other glitch.

More info:
https://www.virustotal.com/en/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1397551149/
http://camas.comodo.com/cgi-bin/submit?file=803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e

system · April 15, 2014, 8:50am

Yes, it seems it is sorted now.
Thanks to anyone who sorted this quickly, we really appreciate it!

system · April 22, 2014, 10:06am

So again Avast is removing our agent.
This is just getting very frustrating now.

avastuser3796 · April 22, 2014, 10:08am

I don’t think it’s a FP lol…

https://www.virustotal.com/en/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1397928813/

Original name Bot.exe
Internal name Bot.exe (Lol, that doesn’t sound like a real file)

Even newer scan! Even Worse! https://www.virustotal.com/en/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1398161415/

Pondus · April 22, 2014, 10:10am

virustotal
https://www.virustotal.com/en/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1398161326/

Jotti
http://virusscan.jotti.org/en/scanresult/13eb6c07d728c584d4f165d8575b6547065a1ce0

metascan
https://www.metascan-online.com/en/scanresult/file/abe519cf8e714b0f9795f822e7aa111a

number is actually lower then it say as all (Gen:Variant.Barys.2099) detections are from Bitdefender engine

avastuser3796 · April 22, 2014, 10:14am

I’d say that’s ransomware actually. Given the long ass list of towns, cities and function you have in there. Holy shit.

https://malwr.com/analysis/NWQ1ZjcxZjM1N2FjNGE3Nzg1ZmEwNDRhOWNhMWYxZWE/

I find compressed data wierd… {u’size_of_data’: u’0x0060e200’, u’virtual_address’: u’0x00002000’, u’entropy’: 7.724500174986469, u’name’: u’.text’, u’virtual_size’: u’0x0060e1a7’}

system · April 22, 2014, 10:39am

Yes, yes, we saw all these…but the thing is that we already did filed false positive few times and everything was fine…now again it is showing same thing…
So my question is do we need to file this for every few days, because we will need to hire one person just to do this.

Eddy · April 22, 2014, 10:45am

I doubt it is a fp looking at the many software that detects it as a thread.
If you are sure it is not malware, it is time to reprogram your tool and make it decent.

http://urlquery.net/report.php?id=1397380617214

system · April 22, 2014, 10:46am

This is latest scan, downloaded from our website:
https://www.virustotal.com/en/file/e4441465e61d7be99f97266c0a03274ca4a80f48ffb5b7c85355e003695d7be9/analysis/1398163461/

system · April 22, 2014, 10:49am

And sure it is FP because we are not into spreading malware or viruses.
That said these “threats” reported are coming from the same not well know sites copying major anti vir companies…
Also as I said we already did filed FP with avast and bitdefener and it was removed, so now it is happening again.

Pondus · April 22, 2014, 10:53am

Hmmmm … different MD5 then the one i diwnloaded from here…

Our agent exe is located here:
http://www.markething.me/mm/MM_Agent.exe

And gave this result
https://www.virustotal.com/nb/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1398161326/

system · April 22, 2014, 10:54am

This is just strange here is another one:
https://www.virustotal.com/en/file/e4441465e61d7be99f97266c0a03274ca4a80f48ffb5b7c85355e003695d7be9/analysis/1398163617/

Yes the location of the exe is here:
http://www.markething.me/mm/MM_Agent.exe

Eddy · April 22, 2014, 10:59am

But it is not the same as the one I (and others) got from your first post.

Pondus · April 22, 2014, 11:04am

the one i downloaded MD5 7d5520c52a0ae2291f5e60ba755f9478
this is also the same as RejZoR downloaded and scanned in first post 15 April 2014

the one you got MD5 209ceaf97acaf10032c0779624a2ff20

did you just give out a new version?

system · April 22, 2014, 11:05am

This is because we updated it to new version.
First was v1.0, this one is v1.1

Pondus · April 22, 2014, 11:35am

Norman lab confirms False Positive on this version

https://www.virustotal.com/en/file/803b74de0d9edbccdd8b42d051b24555e2f2274015c142df75ed723549ba6e4e/analysis/1398161326/

Secondmineboy · April 22, 2014, 1:34pm

Avast blocks this as FileRepMalware when downloading.

Eddy · April 22, 2014, 2:44pm

Version 1.1? Eh, why is it showing version 4.0.0.0 then ?
And why is it compiled in 386 code ?

Secondmineboy · April 22, 2014, 2:55pm

Whats with these browser.exe processes running in the background from Roaming folder?

Avast removing our agent we are losing our users by each minute!

Announcements