Recently, AVAST has started giving false positives for Win32:Trojan-gen {VC} on older Installer V.I.S.E. based content installers from DAZ3D (http://www.daz3d.com), a producer of content for 3D programs, in particular Poser. This occurs on installers that have been sitting on my computer for years or ones that have just been downloaded. The only connection is that they are all older Installer V.I.S.E. based installers.
A partial list of files it claims are infected:
27/03/2008 23:33:08 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Characters_Maps\ps_mo108b-dayPoses.exe" file.
27/03/2008 23:33:36 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Characters_Maps\ps_bn039_M3Headmorph.exe" file.
27/03/2008 23:34:08 Andrew 3836 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Characters_Maps\ps_mo108b-dayPoses.exe" file.
27/03/2008 23:35:03 Andrew 3268 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Characters_Maps\ps_bn039_M3Headmorph.exe" file.
27/03/2008 23:35:12 Andrew 3268 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Characters_Maps\ps_mo108b-dayPoses.exe" file.
27/03/2008 23:35:46 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Clothing\ps_ac568b-M3casualcloth.exe" file.
27/03/2008 23:36:10 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Clothing\ps_ac556_M3HoodedCloak.exe" file.
27/03/2008 23:36:12 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Clothing\ps_ac526-M3Boots.exe" file.
27/03/2008 23:36:13 SYSTEM 1704 Sign of "Win32:Trojan-gen {VC}" has been found in "F:\scene\DAZ\PURCHASES\Clothing\ps_ac352b_Treadz.exe" file.
ClamAV finds no infection.
I cannot redistribute these files legally.
These are the contact details for DAZ3D; they might provide you with sample files if you need them.
TOLL FREE: 1(800)267-5170
Phone: 1(801)495-1777
12637 South 265 West #300, Draper, UT 84020
The support email support@daz3d.com is probably not a good idea, as they have switched to one of these automated support systems which are remarkably good at losing stuff.
EDIT: Using the VirusTotal website is also not an option, as files have to be uploaded to be analysed.
EDIT: This has been fixed now in the new VPS’s, thanks.
I have located another file from DAZ3D that shows the same results as the above. Avast detects it as infected by a trojan, and when I try to download a new copy, Avast blocks the download because it claims it is infected. As this is a free download from DAZ3D and just contains texture templates, it should be OK to send you a copy of it.
I checked it at Virustotal, only Avast and one other consider it suspicious. Here are the results.
But checking a file at VirusTotal is an implicit violation of your DAZ3D EULA against redistributing their content, since VT should automatically resend the problem file to the virus labs if the number of positive detections is greater than some boundary value, isn’t it?
Yes I considered that, but as the file is free and contains only templates to assist creating textures, which are useless without the figure they are intended for, I don’t think DAZ3D will mind.
EDIT: I have also emailed the file in a password protected zip to AVAST.
EDIT 2: running AVAST version 4.7.1098, VPS: 090329-0
If you want Avast to remove the false positives, you need to send the files. It is illegal to distribute any paid program; you are not sending the whole program or installers, only some files. Alwil will not benefit from or use the program for themselves, only to remove the false positives.
If you bothered to read my original message properly, you would realise that it is the older CONTENT INSTALLERS themselves from DAZ3D that AVAST incorrectly flags as infected. They all seem to date from 2002 to 2004, by the way. The one I submitted to AVAST is FREE and contains nothing that is useful without the figure it is intended to be used with. As to why DAZ3D insist on distributing their stuff as executable installers, they seem to think graphic artists are incapable of opening a zip file.
I sent a zipped copy of the file ps_pe041b_SaraT.exe, which as you see above gets flagged as infected with Win32:Trojan-gen {VC}, to virus@avast.com
The title of the email is:
ps_pe041b_SaraT.exe reported as trojan by Avast
If the email has gotten lost, here is a link to where you can download it from DAZ3D. You need to sign up at the forums first. This download also gets flagged as infected, which reinforces my belief that this is a false positive, as the file dates from 2003 or thereabouts:
The link in the first post saying “Sara Template (PC)” is the one you want.
As I mentioned above, it is these older executable installers from 2002 to 2004 that get marked as infected, not their contents. Old downloads or fresh downloads, it doesn’t matter. Avast will attempt to block the download with a warning that it is infected.
EDIT: Should I post this in the viruses and worms forum? Or is it OK here?
That’s not a direct link to the file. That is a link to the post where the file is announced. Here is a direct link, but I have no idea if it works without being logged in to the forums.
Interesting, I paused the web shield to download the file and avast didn’t alert to it. I even did an ashQuick.exe scan and no detection.
Andrew, ensure you have the latest VPS 080331-0 and scan this file and your others that were detected. The VPS might have been corrected, certainly seems so for this one, I don’t know if that will be true for the others. Perhaps it will be OK if they were detected as having the same malware name.
I’m on my Linux machine at the moment, been using it since Sunday. Hopefully the updates since Saturday have cleared up the problem. I will have to boot up WinXP.