False positive on JBMail.exe

I like to use a little-known mail client named JBMail (http://jbmail.pc-tools.net/) since it is fast, free (for one account only), and compact, and requires no installation or registry BS for it to work properly.

However, when scanning my PC today, avast complained about the JBMail.exe (and its uninstaller) file, claiming it to be “Win32:Adware-gen. [Adw]”. This program is about as far from adware as it’s possible to be. There is no way that this is a correct listing. I have excluded it, but I worry that others might think they have an infection when they don’t.

I don’t recall seeing any complaints about JBMail before. Is this something new added to the virus DB? Is there another program with a similar name that IS adware? Either way, this probably should be addressed.

Thanks for an otherwise excellent product!

I would seek further confirmation.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Well, I have done a bit more research, and here’s what I’ve found:

There are two versions of JBMail.exe available at the above site - an .exe installer, and a .zip archive. I would have expected that both would have the same files, but the .exe installer installs an uninstaller program, and this apparently is what actually triggers the false positive response. Downloading the .exe installer causes Avast to complain immediately. Extract the files or run the installer, and it is the file “uninstal.exe” that Avast reports as malware.

The direct link to the file reported as malware:
http://www.pc-tools.net/files/win32/trialware/jbmail32.exe

At http://virusscan.jotti.org, only Avast reports this file as malware.
At http://www.virustotal.com, two other scanners (eSafe, Fortinet) report it as “suspicious”, but only Avast is sure that it is malware.

This installer is several years old and has not been recently modified. I have used it many times on many different machines and never seen any adware installed as a result. I am quite thoroughly convinced that it is very safe, and that these malware reports are false positives.

Also, this same file has been on my computer for years (as has Avast), but this is the first time that Avast has ever complained about it. This leads me to believe that it is a recent change to the database that is causing these false positives.

I would say adware is the lowest level when using the term malware, in the signature, Win32:Adware-gen. [Adw] the -gen indicates generic so it is looking at catching many different sources of adware so it may give an FP. So you could submit the uninstal.exe for analysis as a possible false positive.

If as you say the program is meant to be stand alone then the installer and un-installer shouldn’t be required, just for those who aren’t confident in creating a folder for it and extracting the files and running it stand alone.

UPDATE: 2008-April-22:

For what it’s worth, this false positive has reappeared. Avast’s latest virus signature update (080422-0) is apparently causing Avast to think this same file (from four years ago) is malware again. I think somehow, something old may have slipped back into the signature file recently (since I believe the first “new” report of this false positive was a few days ago).

Upload the file to VT to confirm and again to avast if VT confirms an FP, but again this trialware is ad supported so that again may be why it is getting the adware-gen ping.

So my post of a year ago above yours is still applicable I guess.

Huh? This program is most definitely not “ad-supported”, and never has been, so far as I know. I have no idea where you might have gotten the idea that it is.

This so-called “trial” version is completely free without expiration, without nags, and without ad support or any other shortcoming that I know of except for missing a few features (such as support for multiple accounts) that are only in the paid (“Plus”) version.

As for external multiscanners, the reports are identical to a year ago. At http://virusscan.jotti.org/, ONLY Avast reports this as being malware (exactly as reported a year ago). At http://www.virustotal.com, both eSafe and Fortinet report it as “suspicious”, but only Avast claims there’s definitely malware there. This is exactly what was reported a year ago.

I have been using this program for years and have never seen the slightest trace of adware from it. No other anti-virus program on any other machine I’ve used has any problem with it. It seems fairly clear to me that an erroneous definition from a year ago has snuck back into Avast’s database.

This is called false positive. It’s not a judgment from Alwil, just an error.

False positive alert Win32:Adware-gen [Adw] is trigged on file uninstal.exe. It will be fixed in next VPS update.

File jbmail32.exe is on our Cleanset, but Avast can’t unpack it. So we add files after installing jbmail to avoid this problem in future.

misak

thanks for your recent input to the forum - good to see your responsiveness here.