Likely False Positive "nanoPEG-Editor-hpg.exe"

Scanned last night. Avast Fully Updated just prior to scan. Got what I am pretty sure is a False Positive. It was a hit for nanoPEG-Editor-hpg.exe. AVAST! identifies this file as Win32:Hupigon-LQJ [trj]. This is a compressed installation file for NanoPEG Editor, a Video Editing Program that was bundled with a Hauppauge WIN-TV HVR-1600 TV card I bought on sale. When I try to email it to you from the Virus Chest it says…

“The following file cannot be sent by email:
nanoPEG-Editor-hpg.exe (FileID: 6)
The file is bigger than the limit: 1024 kB”

You can increase the size in the Program Settings, Chest, Maximum size of file to be sent.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (10MB upload limit). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Thank you DavidR. I had surmised 1024mb was ALWIL’s Max acceptable file submission size. I increased my “limit” as you suggested and successfully emailed the likely FP to ALWIL.

Here are results from VirusTotal. Interesting to me, AVAST shows it clean at VT’s site.

File nanoPEG-Editor-hpg.exe received on 07.24.2008 19:41:14 (CET)
Result: 0/35 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.25.0 2008.07.24 -
AntiVir 7.8.1.12 2008.07.24 -
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.24 -
AVG 8.0.0.130 2008.07.24 -
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.24 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.24 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5979 2008.07.24 -
Ewido 4.0 2008.07.24 -
F-Prot 4.4.4.56 2008.07.24 -
F-Secure 7.60.13501.0 2008.07.24 -
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.24 -
Ikarus T3.1.1.34.0 2008.07.24 -
Kaspersky 7.0.0.125 2008.07.24 -
McAfee 5346 2008.07.24 -
Microsoft 1.3704 2008.07.24 -
NOD32v2 3296 2008.07.24 -
Norman 5.80.02 2008.07.24 -
Panda 9.0.0.4 2008.07.24 -
PCTools 4.4.2.0 2008.07.24 -
Prevx1 V2 2008.07.24 -
Rising 20.54.32.00 2008.07.24 -
Sophos 4.31.0 2008.07.24 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 -
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.24 -
VBA32 3.12.8.1 2008.07.24 -
ViRobot 2008.7.24.1309 2008.07.24 -
VirusBuster 4.5.11.0 2008.07.24 -
Webwasher-Gateway 6.6.2 2008.07.24 -
Additional information
File size: 3512096 bytes
MD5: 0b6e01e06256e5f33754c43597d8d570
SHA1: 5dece842c3feea49172481b49033f1b1d138d178
SHA256: 3c7accaac3302eba4b25f2556ea93aef6b91eb08d88dc345e8213cf815b1a3bf
SHA512: 965be4ca526a249b8913eba5f08f785b5034e9879b35ca14241fd6ba3eb40ca5f5eb4fea0dfb1ec1f99fe2b8b3300b0bd4f1f087cbcdce7dbfeee6a564c15eb2
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x40991c
timedatestamp: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x9040 0x9200 6.54 3fc23a57f6f12a4277db04cb09d7c497
DATA 0xb000 0x248 0x400 2.71 9981120c17987c8a6e66ed14ebd1c6dd
BSS 0xc000 0xe34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x950 0xa00 4.43 bb5485bf968b970e5ea81292af2acdba
.tls 0xe000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xf000 0x18 0x200 0.20 9ba824905bf9c7922b6fc87a38b74366
.reloc 0x10000 0x8a4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x2800 0x2800 2.74 f284715303d6eb19a8a8c76b3f1cff30

( 8 imports )

kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll: InitCommonControls
advapi32.dll: AdjustTokenPrivileges

( 0 exports )

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


You’re welcome.

It isn’t unusual to not have avast detect on VT when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.
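A way to read a pasted report like the one above, as an added example that is not part of any post in this thread: it parses the engine rows, lists any detections, and lists engines whose "Last Update" date is older than the scan date. The rows in `REPORT` are a subset copied from the report above; the function names are illustrative.

```python
import re
from datetime import date

# Subset of the rows from the report pasted in the thread (values copied from it).
REPORT = """\
File nanoPEG-Editor-hpg.exe received on 07.24.2008 19:41:14 (CET)
Result: 0/35 (0%)
Antivirus Version Last Update Result
Avast 4.8.1195.0 2008.07.24 -
AhnLab-V3 2008.7.25.0 2008.07.24 -
Prevx1 V2 2008.07.24 -
Sunbelt 3.1.1536.1 2008.07.18 -
TheHacker 6.2.96.387 2008.07.23 -
"""

# name, version, last update (YYYY.MM.DD), result ("-" means nothing found)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(.+)$")
RECEIVED = re.compile(r"received on (\d{2})\.(\d{2})\.(\d{4})")  # MM.DD.YYYY

def parse_report(text):
    """Return (scan_date, [engine dicts]) from a pasted VirusTotal text report."""
    scan_date, engines = None, []
    for line in text.splitlines():
        m = RECEIVED.search(line)
        if m:
            mm, dd, yyyy = map(int, m.groups())
            scan_date = date(yyyy, mm, dd)
            continue
        m = ROW.match(line.strip())
        if m:  # header and "Result:" lines have no date column and are skipped
            name, version, y, mo, d, result = m.groups()
            engines.append({"name": name, "version": version,
                            "updated": date(int(y), int(mo), int(d)),
                            "result": result.strip()})
    return scan_date, engines

def detections(engines):
    """Engines that reported something other than '-'."""
    return [(e["name"], e["result"]) for e in engines if e["result"] != "-"]

def stale_engines(scan_date, engines):
    """Engines whose 'Last Update' is older than the scan date, with lag in days."""
    return [(e["name"], (scan_date - e["updated"]).days)
            for e in engines if e["updated"] < scan_date]

if __name__ == "__main__":
    scan_date, engines = parse_report(REPORT)
    print("detections:", detections(engines))
    print("stale:", stale_engines(scan_date, engines))
```

On these rows the Avast entry carries the same date as the scan, so a same-day definitions difference between VirusTotal and a local install does not show up at the report's day-level granularity.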

I would like to see an ‘official’ answer about why the detection on VirusTotal is different from avast resident one. Packers? VPS version only? ???

This has been covered before in the forums, VT has a problem where it can’t update in real time, we have asked before why the versions differ and that was the answer. Personally it really isn’t an issue as we are really only interested in what the other scanners find.

The packers would be the same as VT uses the windows version (Jotti the Linux version).

I doubt avast could give an ‘official’ answer as the problem lies with VT on why it can’t update in real time.

On their site, exactly the opposite is written…

Yes, DavidR. All other scanners reported No Virus. : )

Yes, most certainly an FP; as you have sent the sample, hopefully Alwil will be on it quickly. In the meantime you can restore it from the chest and exclude the file from scans (as in that link in my first reply above) if you need to use this application.

Periodically scan the file in the chest (avast retains a copy even after the restore); when it is no longer detected, remove it from the exclusions list and delete it from the chest (confirm it is in the original location first).