I am helping a friend install OneNote 2013 64-bit on their system. I went to the official Microsoft OneNote website, www.onenote.com, clicked on ‘Windows’ (just to the right of ‘Get OneNote for free on all your devices’), then clicked on ‘Other download options’ towards the bottom of the page. This displays a ‘Free Download’ link, which downloads the MS installer for the 64-bit version.

I scanned the downloaded file, and there were no problems reported by Avast 2015. I then ran the installer, and Avast brings up its big alert stating that a process within that object contains ‘Win64:Malware-gen’.

Can other people try this out and see what happens? Not sure how to proceed at this point.

Who has enough confidence in Avast to try it out?

You can report a possible FP here: http://www.avast.com/contact-form.php

Thank you. Report has been sent. Can someone else please try it so we have more data? If it’s a false positive, it’s a pretty serious one.

You’re welcome.

Always best to never try out unknown or even known software (even with Avast running) as no a/v will catch all malware. There are alternative (safer) ways to find out if there are potential issues with a site or a file download, (even if that site is Microsoft.)

Any site can be compromised without notice. A clean site can be hacked at any time and provide malicious files because it was attacked and compromised and the webmaster is unaware.

To wit:
http://wepawet.iseclab.org/view.php?hash=d104ed9817e3c89405e67b238e078790&t=1414918973&type=js
http://wepawet.iseclab.org/domain.php?hash=d104ed9817e3c89405e67b238e078790&type=js
There is Jsand 2.3.6 marked as suspicious in Detection Results
At the bottom of the page there is Additional (Potential) Malware noted: One entry noted.

In comparison, the main site, wxw.onenote.com shows no anomalies:
http://wepawet.iseclab.org/view.php?hash=b61808e05abe83ee3cf62e6187006f7b&t=1414919723&type=js

Use this site to check out any downloads before visiting: http://scanurl.net/ Within this page are all kinds of useful webscanning tools to check out the current status of any website you wish to visit before you go there. But, use only those tools provided there that give you real-time scanning and always use a sandbox to protect your system from harm. Do not visit links/sites listed within scanurl that contain links to live and virulent malware. These sites are for professional malware research purposes only.

@mchain Thank you for all the good information.

The Microsoft installer is downloaded directly from the aforementioned site, and Avast scans the installer as clean.

Once the installer runs, it downloads Microsoft OneNote. Although scanning the site from where the installer came can be helpful, it does not provide any scan of what the Microsoft OneNote installer actually downloads. The Avast realtime shields should be able to scan that data, and they report the malware previously mentioned (Avast calls it a “virus”, but that seems to be inaccurate terminology by Avast, as I think they really mean “some type of malware”).

So the possibilities are:

1. Someone has broken into the Microsoft servers and placed malware on their servers that download executable software onto potentially millions of computers. This would be a huge discovery.
2. MITM attack.
3. Avast is in error.

After hours of deliberation, and not receiving enough feedback here or from Avast, we went ahead and let the installation continue. Afterwards, we performed a full scan with Avast. It did not turn up anything. We then performed a boot time scan with Avast. That did not turn up anything either. We then performed a full scan with Windows Defender. That did not find anything wrong either.

We made full system images before and after, as well as a complete copy of the registry and file structure. We may do some comparisons to see what changed during the install.

It looks like it is an Avast false positive, but there really is no way to know without more data. Feedback directly from Avast will be greatly appreciated. If some other people give it a try, it will provide more useful data. Of course, if Avast figures out it was their error, they will update the definitions. For this reason, it is best if anyone willing to give it a try does so sooner rather than later.

The sad part of all this is that a simple install of a popular Microsoft Office application has now taken over 7 hours of time for two people, likely due to an error in the Avast definitions. I suppose it is inevitable to have false positives, but the cost in wasted time is significant and, honestly, frustrating.

On the other hand, it is possible that there is a serious virus threat from downloading this popular Microsoft product, and that this threat is so advanced that Avast was only able to detect it initially, and does not have the ability to detect it once it is installed.

@ Techknow,

Only team members marked as avast team members actually work for avast. Others, such as myself, are volunteers, and are not paid by avast on this forum. We provide help matching our level of expertise, and help where needed.

The descriptive -gen refers to a general detection that does not perfectly match known malware families. Thus, it can generate a false-positive detection as well as true-positive detections. More of a heuristic detection-based upon certain file properties and characteristics than anything else. Site wepawet did find suspicious elements with the downloaded file which is why the comparison between the normal site and the download link itself was inspected and compared.

False-positive detections do happen, unfortunately.

I did download the file and checked the digital signature and countersign; all seemed well there. As I do not have a virtual machine I did not run the file to see what it would do inside that environment.

Your query here might help if you notify Microsoft of your issue, especially if it turns out it is not a false-positive.

One thing one does not want is a false-negative detection where avast does not detect a malicious file at all. Which is why it is risky for others to run a file on request without the proper precautions in place.

Since we can’t see your pop-up notification when it happens, maybe attach a screenshot of the pop-up box next time? Click the ‘More Details’ box in the dialog box to get the full path and detection name and take a snapshot of that so we can see it. A new box will pop in the desktop when you click more details and remain there until you close it, so there will be more than enough time to get to it.

@mchain Thank you for all the great info, especially about the meaning of that particular “virus” warning.

The Avast “Virus Alert” only came up during the Microsoft OneNote 2013 64-bit install process, so it is not easy to get a screenshot anymore. But we did write down everything that we saw on his computer. The Object was …\Microsoft Office 15\root\office15\ONENOTE.EXE and the Process was …\Microsoft Office 15\ClientX64\officeclicktorun.exe. The alleged infection name was “Win64:Malware-gen”.

If we hear back from Avast, and they claim it’s not a false positive, we’ll definitely let MS know. All feedback and testing by forum members and Avast staff is appreciated.

As a quick side note, after all the work and hassle, it turns out the free version of Microsoft Office OneNote is somewhat crippled by design. This was not mentioned anywhere he could find. The free version is missing several key features. So after all the trouble, my friend is not sure it will work for him which just adds to the frustration of the virus or false positive.

NP.

Keep us updated.

Will do. I haven’t heard anything back from Avast yet.

I hope someone here tries to install Microsoft OneNote 2013 64-bit so Avast gets more data. It has literally millions of users, so people are either (1) experiencing tons of Avast false positives, or (2) getting malware, or (3) unable to install it.

I agree, it does that.

Keep in mind it’s intended to protect non-technical people who may not understand the term malware.

-Noel

Hi all

this indeed was a false positive and it has been already fixed few hours ago. Check for new virus database (141103-1)

thanks for reporting!

Hi denics. You’re welcome. Thank you so much for your post as well. I appreciate it. Thank you also for updating the definitions.

BTW, researching the issue on these forums shows that this false positive was first reported here over 100 days ago. See https://forum.avast.com/index.php?topic=152101.0 Maybe Avast can monitor these forums a little more closely, like you did here (great job! ). It would have saved at least two people quite a few hours of frustration!