False Positive detection on the AIR installer

Hi,

When we install the file downloaded from the URL specified below, Avast detects a threat which says: “A potentially suspicious file ‘stublogic.exe’ was blocked during installation.”

We used the following version of Avast for execution:

Product version: 8.0.1489
Database version: 130724-1

The file can be downloaded from http://trk.airinstaller.com/get/click/08d96588/

Can you please fix this issue?

You can report a possible FP here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply.

Thanks, Pondus…

I tried that, but every time I tried submitting this 1 MB file it says “file entity too large”.

Can you please help me with this issue?

Then try by mail:

Send to virus@avast.com in a password-protected zip file.
Mail subject: false positive
Zip password: infected

You can also send files from the Avast chest.
How to use the chest: http://www.avast.com/faq.php?article=AVKB21

Maybe not a false positive.

http://urlquery.net/report.php?id=4214557

VT scan of the setup.exe file at the link provided: https://www.virustotal.com/en/file/699c6d7de1cf4743c3882e71ec4212210941d9974750a33dd8aa1152a513e7c0/analysis/1375184105/
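Before drawing conclusions from a VirusTotal report, it is worth confirming that the file you actually downloaded is the same object the report describes, since a download link can serve different bytes over time. The following is an added example, not code from the thread or from Avast: it computes the SHA-256 of a local file, compares it against the SHA-256 from the VT report linked above, and builds the same style of VT lookup URL for whatever hash you end up with. The sample bytes and the file path are constructed for illustration.

```python
import hashlib
import sys

# SHA-256 taken from the VirusTotal report linked in the thread.
VT_SAMPLE_SHA256 = "699c6d7de1cf4743c3882e71ec4212210941d9974750a33dd8aa1152a513e7c0"

# Constructed stand-in for a downloaded file (a fake MZ header); not the real installer.
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample, not the real stublogic.exe"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_vt_sample(digest: str, expected: str = VT_SAMPLE_SHA256) -> bool:
    """True if the digest is the sample analysed in the linked VT report (case-insensitive hex compare)."""
    return digest.strip().lower() == expected.lower()


def vt_lookup_url(digest: str) -> str:
    """Build a VT file-report URL in the same shape as the link posted in the thread."""
    return f"https://www.virustotal.com/en/file/{digest.strip().lower()}/analysis/"


def check_download(path: str) -> dict:
    """Hash a downloaded file and report whether it is the VT-analysed sample."""
    digest = sha256_of_file(path)
    return {
        "sha256": digest,
        "is_vt_sample": matches_vt_sample(digest),
        "lookup_url": vt_lookup_url(digest),
    }


if __name__ == "__main__":
    # Usage: python check_download.py <path-to-downloaded-installer>
    # With no argument, hash the constructed sample bytes instead.
    if len(sys.argv) > 1:
        result = check_download(sys.argv[1])
    else:
        digest = sha256_of_bytes(SAMPLE_BYTES)
        result = {"sha256": digest, "is_vt_sample": matches_vt_sample(digest), "lookup_url": vt_lookup_url(digest)}
    for key, value in result.items():
        print(f"{key}: {value}")
```

If the hash does not match, the report above says nothing about your copy; look it up with the generated URL (or submit it) instead of assuming the earlier verdict applies.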

Well, it seems Avast is correct… detected as a PUP, and a Google search indicates that this contains adware.

Yes, and I noted that the actual download itself took about 25-30 seconds or so to complete, so some agent or other was interfering with or coming along with the download, even though the file itself is only about 1 MB in size. A 1 MB file should normally take only a second or so to download with a current internet connection.

It appears that whatever it was failed to run in the sandboxed environment (many malicious files automatically detect a sandboxed environment and will not run, to evade detection by A/V vendors), hence the delay in completing the download.

Looks like the urlquery.net detection is correct as well. This is a malicious file, IMO, but it is not necessarily the file itself, other than it being a PUP; it is the unknown other stuff that is attached or linked to it that is the real malicious part. I avoided that issue by running it in a sandbox.