Dashlane - False positive reported by one of our users

Hi there!

One of our users reported that his Avast! blocked the last update of our application.
How could we prevent this from happening?

It can be downloaded right here:

Please keep me updated.
Kind regards,

it would help to know what avast say?
a screen shot of the avast warning?


ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/support/faq/pua.


Hi Pondus,

Here the status is “unknown”: http://www.isthisipsafe.com/company/Dashlane%20SAS_details.aspx



Thanks so much for your help.

I will ask the user to provide us with screenshots and more info about this, and I will keep you posted.

Also, thanks for checking on VirusTotal and Jotti!



Please find attached a screenshot of the warning (in French though, sorry.)
It says that a Trojan has been found.


Thanks so much for your help!




Hi Pondus,

Some additional information…
Issue here → automated exploiters (see IDS alerts) injecting malcode see ET Blackhole sigs…
Look here for a description of this injection attack: http://stackoverflow.com/questions/11235539/km0ae9gr6m-js-injection-hack-information
and also: http://stopmalvertising.com/tag/km0ae9gr6m/
Vulnerable outdated Plesk version through which the site might have become infested…through the so-called RunForestRun hack.
Sucuri-report mentions this: “Plesk version 8 outdated: Upgrade required”.
A security tool to predict the domain names to be generated by RunForestRun can be found here: http://sskblog.com/?p=771
free tool link courtesy of Security Street Knowledge, link provided by t0rh4cker


Awesome, thank you so much both of you :slight_smile:

I will think about checking that before posting next time.
Have a great week-end.

Malvertising site link infected.

hxxp://stopmalvertising.com/malware-reports/runforestrun-pseudo-random-domains-and-random-exploit-kits.html (Link made non-clickable to avoid exposure to unsuspecting users.) Link posted in first post result as tiny url. RunForestRun, Pseudo Random Domains and Random Exploit Kits Do not click when visiting Malvertising!

May be be an external link elsewhere.

:o ::slight_smile:

For info on that hack, see: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/
and the excellent write up here: http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/
To remedy go here: http://kb.parallels.com/en/114396 and do not forget to change all passwords:
Password changer (which you’ll need) http://kb.parallels.com/en/113391
This info thanks to poster Fariis at atomicorp.com forum…


Only ClamAv makes such clai,s; unfortunately the claims in ClamAv offers no appeal, and it is only supported by general public opinion without serious inspection of risks. Now that people see “Dashlane” somewhere they urgently rate it “bad” in ClamAV, without looking at it. Most contributors to ClamAv reutation system have absolutely no technicla skills, they just continue to repeat the opinion found elsewhere. And they cannot make the difference between a legitimate (and useful tool) that is clean of any infection (even if the tool has some usability problems in its UI and using it could be risky if you’re not experienced with it).

If you see a report in ClamAv only, against a software that is very common, and you find no bad claim in serious antivirus tools, ignore this alert. If Dasjlane was seriously a virus, it would have been blocked by almost all antivirus tools.

However Avast uses a separate “community cloud” based only on generic “reputation” on the web. The “WebRep” tool of Avast makes many false positive detections. Too many in fact. Unfortunately what it proposes to do is not helpful to try investigating the issue, as Avast only proposes to eradicate the software immediately without any supporting link (at least to an updated thread in this forum).

I hate the way WepRep works, and the fact that it constantly wants to erase a tool that I constantly need in order to login securely on sites (including this one!) with my strong passwords (that I cannot remember).

Please Avast, make a special attention to wellknown password managers that are known to be safe: your tool should check only check that this is an official installation.

Avast can detect digitally signed versions that are effectively coming from Dashlane.com (and that are not random “cracks” frequently posted on the web or proposed on P2P and crack sites: on those sites you’ll find “cracked” versions of Windows, or Acrobat, or many famous commercial applications, but all of them are infected, these cracks are effectively troyans, but should not be confused with the official versions supported by their legitimate producers).

So please before proposing to delete a software that has “bad reputation on Webrep”, first lookup in your database of signatures to see if this is an officially supported version and not a crack: you can have an online database to check digital signatures detected by your antivirus. Use the embedded digital certificate already in the Dashlane application and browser addon and whitelist this certificate as long as there’s no real issue after your investigations.

And then discard the bad reports coming from your WebRep users : don’t show the dialog to uninstall it without providing a link explaining why and showing the effective status of the software.
