False-Positive: "Win32:Trojan-gen {Other}" detected on our own software!

Hi,

As of this week, the software we deploy keeps getting flagged as “Win32:Trojan-gen {Other}” infected. We deploy 7 binaries, all deployed via MSI package, with 5 of these binaries coming up as false positives. Our deployment environment is sterile and these binaries have been available from our site for the past several weeks without issue. You can see the results of this scan here:

http://www.virustotal.com/analisis/39ab17c883922fea2cfddb82c0b5f2be
  • How do we go about getting our software taken off your virus list and more importantly how did it get on there?
  • What is the actual trojan you are trying to target?
  • Can you produce a more “specific” virus signature that actually targets your trojan, rather than a more “generic” one which seems to encompass our applications?

This “false-positive” by your company has adverse effects on our software deployment and users who rely on us.

Thanks,

Is there a download link for the files?
If not, please pack the files into a password-protected ZIP or RAR and send them to virus@avast.com - together with the password.
Thanks.

Hi,

Already done. I’ve sent a sample file; otherwise, would you like a link to the download installation EXE, which contains all the binaries?

Thanks,

Hi,

What’s the usual turn-around or SLA for responses to these types of queries?

Thanks,

Not entirely sure what it is you are asking (not aware of the acronym SLA).

Here is my best guess - You don’t normally get a reply to the submission of samples unless they need more information.

For false positive detections that have been identified and submitted, the correction of the VPS is normally quite quick. If you periodically scan the copy in the chest after VPS updates, you can see when it is no longer detected.

You can post broken links (not live) here, something like:
hxxp://server.com/file.exe
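The “hxxp” convention above is just a broken scheme so the link is not clickable. Below is an added example (not code from the original posts or from avast!) that defangs a live link the same way, optionally also bracketing the host dots as “[.]”, which is a common extension of the same convention, and reverses it so the link can be used again in a sandbox. The helper and function names are my own; the URLs in the usage are the ones posted in this thread.

```python
import re

# Scheme substitutions used when sharing live malware links so that forum
# software and mail clients do not turn them into clickable links.
DEFANG_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
REFANG_SCHEMES = {v: k for k, v in DEFANG_SCHEMES.items()}

# scheme :// authority rest  (absolute URLs only)
_URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$", re.S)


def defang(url: str, bracket_dots: bool = False) -> str:
    """Break a URL: hxxp:// scheme and, optionally, host dots written as [.]."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme, host, rest = m.groups()
    scheme = DEFANG_SCHEMES.get(scheme.lower(), scheme)
    if bracket_dots:
        host = host.replace(".", "[.]")
    return f"{scheme}://{host}{rest}"


def refang(url: str) -> str:
    """Reverse common defanging (hxxp, [.], (.), [:]) back to a usable URL."""
    url = url.replace("[:]//", "://").replace("[.]", ".").replace("(.)", ".")
    m = _URL_RE.match(url)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{REFANG_SCHEMES.get(scheme.lower(), scheme)}://{host}{rest}"


def find_defanged(text: str) -> list:
    """Pull hxxp(s)/fxp links out of a forum post so they can be refanged elsewhere."""
    return re.findall(r"\b(?:hxxps?|fxp)://[^\s<>\"']+", text)


if __name__ == "__main__":
    live = "http://forum.epgstream.net/download/file.php?id=208"
    print(defang(live))                     # hxxp://forum.epgstream.net/download/file.php?id=208
    print(defang(live, bracket_dots=True))  # hxxp://forum[.]epgstream[.]net/download/file.php?id=208
    print(refang(defang(live, bracket_dots=True)) == live)  # True
```

Only ever refang inside the analysis environment; the whole point of the broken scheme is that nobody reading the thread fetches the sample by accident.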

Hi,

Thanks for the link tip. You can download the installer from here …

hxxp://forum.epgstream.net/download/file.php?id=208

… or visit the download page here …

hxxp://forum.epgstream.net/viewtopic.php?f=56&t=500

We’re still waiting for a response from avast! support regarding the ZIP archive sent to them on Monday. We’d also still like to get some of our original questions answered if possible:

  • How do we go about getting our software taken off your virus list and more importantly how did it get on there?
  • What is the actual trojan you are trying to target?
  • Can you produce a more “specific” virus signature that actually targets your trojan, rather than a more “generic” one which seems to encompass our applications?

Thanks,

They usually do not answer automatically… only if they need more information.
The answer comes with the virus database update.

Probably a wrong detection of the generic algorithms while scanning the exe strings…

Seems a generic signature, not a specific one.

They can, but the advantage of generic signatures is to catch new viruses/malware by a heuristic algorithm of detection. A lot of people need this detection as it improves avast reliability a lot… of course, sometimes, false positives are caught also. Sorry.
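To make the generic-versus-specific trade-off from the last two replies concrete, here is an added example (my own code, not avast!’s detection engine or the software from this thread). It mimics what a string-based scanner sees when it “scans the exe strings”: a rule that fires on any one download-and-run API name flags a perfectly benign updater, while a rule that requires artifacts unique to one (hypothetical) malware family does not. The two “files” are constructed byte strings standing in for PE images, and every indicator, family name and path in them is invented for the illustration.

```python
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Roughly what the `strings` tool does: printable-ASCII runs of >= min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


class Rule:
    """A string-based signature: fires when at least `min_hits` of its
    indicators occur as substrings of the file's extracted strings."""

    def __init__(self, name: str, indicators: list, min_hits: int):
        self.name = name
        self.indicators = indicators
        self.min_hits = min_hits

    def scan(self, data: bytes):
        strings = extract_strings(data)
        hits = [ind for ind in self.indicators if any(ind in s for s in strings)]
        return len(hits) >= self.min_hits, hits


# Constructed stand-ins for two PE files (not real binaries): a benign updater
# and a hypothetical dropper that share the same download-and-run API names.
COMMON_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
BENIGN_UPDATER = COMMON_HEADER + b"\x00".join([
    b"URLDownloadToFileA", b"ShellExecuteA", b"GetTempPathA",
    b"https://updates.example.invalid/latest.msi", b"EPG Stream Updater 1.4",
]) + b"\x00"
HYPOTHETICAL_DROPPER = COMMON_HEADER + b"\x00".join([
    b"URLDownloadToFileA", b"WinExec", b"GetTempPathA",
    b"C:\\Windows\\Temp\\svch0st.exe", b"Global\\m4lw4re_mutex_7f3a",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]) + b"\x00"

SAMPLES = {"benign_updater.exe": BENIGN_UPDATER, "dropper.exe": HYPOTHETICAL_DROPPER}

RULES = [
    # Generic: any one "download then execute" import name. Cheap and catches
    # unknown droppers, but every installer/updater imports the same APIs.
    Rule("Trojan-gen (generic)",
         ["URLDownloadToFileA", "WinExec", "ShellExecuteA"], min_hits=1),
    # Tighter generic: require a combination, including a persistence key.
    Rule("Trojan-gen (generic, 3-of-4)",
         ["URLDownloadToFileA", "WinExec", "ShellExecuteA", "CurrentVersion\\Run"], min_hits=3),
    # Specific: artifacts unique to the (invented) family, all of them required.
    Rule("Dropper.X (specific)",
         ["URLDownloadToFileA", "svch0st.exe", "m4lw4re_mutex_7f3a"], min_hits=3),
]


def scan_all(samples=SAMPLES, rules=RULES) -> dict:
    """Return {rule name: {sample name: detected}}."""
    return {r.name: {s: r.scan(d)[0] for s, d in samples.items()} for r in rules}


def false_positives(results: dict, benign: set) -> dict:
    """Per rule, how many known-benign samples it flagged."""
    return {name: sum(1 for s, hit in per_sample.items() if hit and s in benign)
            for name, per_sample in results.items()}


if __name__ == "__main__":
    res = scan_all()
    for rule, per_sample in res.items():
        print(rule, per_sample)
    print("false positives:", false_positives(res, {"benign_updater.exe"}))
```

The first rule is what a “-gen” detection looks like from the outside: it catches the dropper it was never written for, and it catches the updater too. Tightening it to a combination of indicators, or writing a family-specific rule, removes the false positive here, at the cost of missing the next dropper that uses a different API mix. That is the trade the reply above is describing.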

Hi,

Thanks for your response. It’s still strange that avast! still can’t give you information in their online virus database about this trojan and what its origins are (toolkits, PE compressors, etc).

It would be interesting to see the statistical detection rates of new viruses caught by heuristic algorithm detection vs. false positives.

The bad news for avast! is that the majority of emails we are getting indicate that our users are uninstalling their copy of avast! or AVG to get our software working. Most entry-level users grasp the concept of turning their anti-virus software on and off, but not necessarily how to add exceptions to handle these false positives.

Thanks,

I think they won’t share this with us… seems a commercial info.
Anyway, the number of good detections by this method compensates the false positives…

The price to pay for having a greater detection rate…