After speaking with Support, I was told to send information to you so that you could explain more precisely to me what the specific “Win32:Malware-gen” signature is that is triggering AVAST to block the use of this file.
I’ve narrowed down the questions in this post here:
http://forum.avast.com/index.php?topic=63188.msg533808
I’ve sent a 2.5meg zip file in to Virus@avast.com with this info. Maybe someone here can look over the explanation, and clue me in as to whether this is something to worry about or not. Or at least give some additional info re what Avast means when it tags something with the term “Malware” (and no other info).
The Zip that I sent contains two files. The AVI is clean, and is the “starting point” … a short fishtank video. The EXE is a file that is created by the Golden Shield Encryption tool (which I have purchased from Protect-File.com). That program wraps a shell around the AVI so that:
1. Its playback can be dependent upon entering an unlock key
2. It can be locked to a specific machine’s Bios or Disk or MacID
3. It can have a watermark overlaid on the video
4. The playback can be set to expire after a given date or number of plays
5. It will block the operation of screen-recording software during playback
Number five is the only factor that has been activated in the particular EXE I sent … no PW is needed. It’s the “simplest” form.
This EXE is trapped by an AVAST scan as a “Malware” item. I’m not sure if that means it has a specific known virus, or whether a heuristic scan simply found a fingerprint of some sort that MIGHT be a virus.
Also, I have docs to show that Norton’s “Sonar” catches it … but that is a heuristic guess, and I’m less concerned about it since it clearly is a “guess”. ESET NOD32 does not trap it at all, even at the highest settings.
I am NOT clear on whether AVAST’s term “Malware” is simply a flag for heuristics, or whether it indicates a true, known virus was found. I also don’t know how to tell AVAST to “ignore” those items in the future … please note … each new locked-video EXE will have a DIFFERENT filename.
Since I send out these encrypted videos to many customers, and since some of them use AVAST, this has created a huge problem for me. I might have to rebuild a large amount of website ASP code, and pricing+methodology because of it.
So, I would very much appreciate it if you could test this file, and give me MORE information about what is triggering the “Malware”. The author of the Golden Shield encryption software has simply stated it is a “false positive” … not at all comforting, especially to my customers!
However, if you can somehow isolate the portion of the code that is triggering a “false positive” … if it IS false! … and pass that along, then the author (hopefully) will modify the code to prevent the hit from showing up.
Please let me know anything you can … this is very important to me.
Thank you!