Hi, we are a software company and our new 2018 software is detected by Avast as a virus, Win32-EvoGen or FileRepmalware. We now have a huge quantity of calls from our clients.
We declared our software as a false positive (Thursday 05/07) but we don't have any news from Avast.
What do we have to do? When can we expect a correction?
For information, all installations are digitally signed with an EV SHA-256 certificate, and so far we had been protected from these problems.
For example, here are some download URLs:
http://tele5.index-education.com/telechargement/edt/v2018.0/exe/Install_EDTserveur_IT_2018.0.1.1_win32.exe
http://tele5.index-education.com/telechargement/edt/v2018.0/exe/Install_EDTmonoposte_FR_2018.0.1.0_win64.exe
http://tele5.index-education.com/telechargement/edt/v2017.0/exe/Install_EDTmonoposte_FR_2017.0.2.10_win32_maj.exe
What do you recommend as action in general before publishing a version?
Here is a report from the VirusTotal site: https://www.virustotal.com/fr/file/81ad44ae35c6283df717efdc878992d88b4d4f644f151794a9ce4e21e0759022/analysis/1530959483/
Only AVG detects our software as a virus.
Do something quickly please, a year’s work of a hundred people is being ruined!
Best regards
Laurent ESPARIAT
Thanks Adam for your quick reply.
system
July 8, 2018, 10:43am
6
Thanks Adam!
When you say “And I make whole certificate clean which should suppress a new false positives.”, does it mean that all installations signed by our certificate would never be considered a virus?
Publishing a version of our software includes 200 installations and we are likely to release a new version at any time. I am therefore very worried about these abusive detections.
Other question, when do you think your transaction will take effect on client computers?
In any case, I thank you for your responsiveness.
Best regards
Laurent
Pondus
July 8, 2018, 11:38am
7
“Other question, when do you think your transaction will take effect on client computers?”
If this was released by stream updates (every 5-15 minutes), it is already out.
You may run a manual update and reboot.
system
July 8, 2018, 11:50am
8
Hello everybody,
On “https://support.avast.com/en-ww/article/Threat-Lab-file-whitelist”, I can read “Vendors who sign their applications with digital signatures can apply for whitelisting via their digital signature. This type of whitelisting is provided to a limited number of digital signatures, and only if the software developer has a clean track record.”.
It’s very interesting for us! How can I submit our digital signature?
Thanks
Best regards
Laurent ESPARIAT
Pondus
July 8, 2018, 12:01pm
9
“It's very interesting for us! How can I submit our digital signature?”
Click and read chapter > How can I submit a file?
system
July 8, 2018, 1:07pm
10
hello
Good news! All installations aren’t detected as a virus anymore.
Last problem: our update server URLs are blacklisted:
maj1.index-education.com
maj2.index-education.com
and perhaps our official download server URLs:
tele3.index-education.com
tele5.index-education.com
Perhaps another whitelisting form? I’m searching…
Hi,
Yes, files signed by your certificate would never be considered a virus. Only if we see very suspicious activity, but this is not the case.
Detections were disabled via stream update, so it’s a few minutes, as was said.
Glad to help,
Adam
system
July 8, 2018, 1:20pm
12
Thanks Adam!
The latest problems are with our download URLs, listed in my last message.
Logically, with the false positives and the number of our customers, the URLs have been blacklisted.
maj1.index-education.com
maj2.index-education.com
and perhaps our official download server URLs:
tele3.index-education.com
tele5.index-education.com
Thanks again.
Laurent
I am disabling all URL blocks which were created because they were registered as the source of false positive exe files, which were clean.
URL mask: *.index-education.com
Give me a few minutes.
Adam
system
July 8, 2018, 2:17pm
14
Hi Adam,
The URL seems good.
But now, Avast detects setup.exe as a virus!
Let me explain.
With InstallShield, we can build a setup (setup.exe and some data files) and we can package these files in a single exe (package for the web) which is signed by our certificate. Setup.exe isn’t signed. It’s an internal process of InstallShield.
This setup.exe has been the same for months and now it’s detected!
I am completely disappointed.
What can I do now ?
Laurent
Can you please send me the SHA or the link to https://www.virustotal.com?
system
July 8, 2018, 2:57pm
16
I’m analysing the InstallShield project and I see that I can sign setup.exe.
Building the installation makes a new setup.exe (InstallShield compiler).
I will change the installations tomorrow for the next releases.
Just for now, I can analyse setup.exe with VirusTotal if you want.
→ https://www.virustotal.com/fr/file/2824b5d61b41cb040a3bf1c8cfb4d17f47aecf4d0bd24a38bcafcf669d7cc811/analysis/1531061627/
But, in fact, I think that our 200 different installations have 200 different setup.exe files (slightly different, with different properties for example).
Can we hope that these setup.exe files aren’t detected right now?
Hi,
detection disabled, thanks for signing the setup.
Adam
system
July 8, 2018, 3:53pm
18
Hi, I can’t test right now.
But does your last operation impact all my setup.exe files?
Without signing for the moment…
Thanks
Interesting,
I was digging in the submit DB and found these samples by name of parent process and the location on a customer machine: […] was about 5 detections on them. I disabled them and whitelisted the samples, but this is not the generic solution.
Adam
system
July 8, 2018, 9:06pm
20
Hi
Perhaps I can give you all the SHA-256 thumbprints of setup.exe.
200 thumbprints for the 2018 installation versions
200 for 2017
In a simple text file?
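
For the unsigned inner setup.exe and the SHA-256 list discussed in this thread, a pre-release check could look like the following. This is an added example, not code from any participant, Avast or InstallShield; the function names and sample bytes are constructed for illustration, and it only tests that a PE certificate table is present, not that the signature validates.

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table

def has_embedded_signature(data: bytes) -> bool:
    """True when the PE certificate table is non-empty (presence only, not validity)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR:
        return False
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)
    return offset != 0 and size != 0

def build_manifest(files: dict) -> list:
    """One 'sha256  state  name' line per file, sorted by name."""
    lines = []
    for name, data in sorted(files.items()):
        state = "signed" if has_embedded_signature(data) else "UNSIGNED"
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {state}  {name}")
    return lines

def constructed_pe(signed: bool, pe32_plus: bool = False) -> bytes:
    """Constructed minimal PE header for the demo, not a real installer."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", buf, opt + (108 if pe32_plus else 92), 16)
    if signed:  # point the certificate table at a dummy 16-byte region
        struct.pack_into("<II", buf, opt + (112 if pe32_plus else 96) + 32, 0x1F0, 0x10)
    return bytes(buf)

if __name__ == "__main__":
    sample = {"Install_web.exe": constructed_pe(True), "setup.exe": constructed_pe(False)}
    print("\n".join(build_manifest(sample)))
```

In a real build, `files` would be filled by reading each extracted setup.exe and packaged installer from the release directory, and any `UNSIGNED` line would block publication.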