inno setup - false positive?

I have a setup created by “Inno Setup” that has been used for some time without problems. But just now Avast is claiming “Win32 Trojan-Gen {other]” is in it. I’m virtually 100% certain that it is a false positive. The setup can be downloaded from this link http://www.box.net/shared/kfohrsi197

Can this be fixed in Avast. I’m using the free home edition. Otherwise I love AVAST!

Hi,

avast! also started detecting “Win32:Trojan-gen. {Other}” on my system in a few files that I know is clean since I scanned the “infected” files with 3 other up-to-date anti-virus products and it’s only avast! that “detects” this Trojan.

Sauron Reaver

Hello :slight_smile:

Please send the false detected files to virus[at]avast[dot]com in password protected archive , and for mail subject write “False Positive” , so that alwil team can fix the false positives :wink:

Till the false positives are fixed you can add the files to the Standard Shield exclusion list, so they won’t be scanned :wink:

My application is detected as a false positive too. This installer is build with InnoSetup.

download links http://www.teach2000.nl and http://teach2000.memtrain.com

VPS version 000750-0, 06/18/2007.

I will send the file to virus[at]avast[dot]com.

Best regards,
Bas Groot

I would say there is a possibility it could be an FP, I think by the malware name, plus there has also been a rather large VPS update 000750-0 which might be a possibility.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

It is not possible to send this file as an attachment, since it is marked as a virus.
The file can be downloaded here:
http://www.teach2000.nl/install_teach2000.php

Other antivirus tools don’t mark Teach2000 as a virus, so I say it must be fixed in Avast :slight_smile:
http://www.virustotal.com/vt/en/resultadox?dcff39d21b6a1590b5dd2777c9657bd4

Best regards,
Bas

I just did both Multi engine on-line virus scans, and avast! was the only one that detected the Inno Setup installer program as a Trojan on both the scanners.

Sauron Reaver

I create these Inno Setup’s often and I get the warnings even while creating the setups as well. So I sent an email to Avast with the example for them to try to fix the issue.
Thanks Everyone.

I originally posted over here: http://forum.avast.com/index.php?topic=28899.0 regarding the PhpEd 5.0 installer and then found this post. A moderator might want to go lock my other one.

As I write this, I am attempting to email the password protected inno setup installer to avast for analysis. It is 70+MB in size so I don’t know if any mail server along the way might dispose of the file simply by its size.

The wrong place, but this problem with false positives is reported here too:
http://news.jrsoftware.org/news/innosetup/msg65172.html

Bas regards,
Bas

I’m the one who originally posted this. I sent the file to Awil and they responded with an update. Now all is well. No more false warnings. Thank You Avast!

i also reported a false positive this morning, and within a few hours tech support responded with an update! that’s excellent work! :slight_smile: