Malware indicated in Encrypted Video EXE

After speaking with Support, I was told to send information to you so that you could explain more precisely to me what the specific “Win32:Malware-gen” signature is that is triggering AVAST to block the use of this file.

I’ve narrowed down the questions in this post here:
http://forum.avast.com/index.php?topic=63188.msg533808

I’ve sent a 2.5meg zip file in to Virus@avast.com with this info. Maybe someone here can look over the explanation, and clue me in as to whether this is something to worry about or not. Or at least give some additional info re what Avast means when it tags something with the term “Malware” (and no other info).

The Zip that I sent contains two files. The AVI is clean, and is the “starting point” … a short fishtank video. The EXE is a file that is created by the Golden Shield Encryption tool (which I have purchased from Protect-File.com). That program wraps a shell around the AVI so that:

  1. Its playback can be dependent upon entering an unlock key
  2. It can be locked to a specific machine’s Bios or Disk or MacID
  3. It can have a watermark overlaid on the video
  4. The playback can be set to expire after a given date or number of plays
  5. It will block the operation of screen-recording software during playback

Number five is the only factor that has been activated in the particular EXE I sent … no PW is needed. It’s the “simplest” form.

This EXE is trapped by an AVAST scan as a “Malware” item. I’m not sure if that means it has a specific known virus, or whether a heuristic scan simply found a fingerprint of some sort that MIGHT be a virus.

Also, I have docs to show that Norton’s “Sonar” catches it … but that is a heuristic guess, and I’m less concerned about it since it clearly is a “guess”. ESET NOD32 does not trap it at all, even at the highest settings.

I am NOT clear on whether AVAST’s term “Malware” is simply a flag for heuristics, or whether it indicates a true, known virus was found. I also don’t know how to tell AVAST to “ignore” those items in the future … please note … each new locked-video EXE will have a DIFFERENT filename.

Since I send out these encrypted videos to many customers, and since some of them use AVAST, this has created a huge problem for me. I might have to rebuild a large amount of website ASP code, and pricing+methodology because of it.

So, I would very much appreciate it if you could test this file, and give me MORE information about what is triggering the “Malware”. The author of the Golden Shield encryption software has simply stated it is a “false positive” … not at all comforting, especially to my customers!

However, if you can somehow isolate the portion of the code that is triggering a “false positive” … if it IS false! … and pass that along, then the author (hopefully) will modify the code to prevent the hit from showing up.

Please let me know anything you can … this is very important to me.

Thank you!

You can upload the file to www.virustotal.com and have it tested by 42 malware scanners.
When you have the result, copy the URL in the address bar and post it here…

Thanks for the reply!

Here is the link:
http://www.virustotal.com/file-scan/report.html?id=519f1ffefea4581b28791c23a76e4a9783032096d4edea7ea27f5aa6ed56efbb-1282761331

I’ve attached a snapshot of the screen also … slightly chopped off on the left to get under the 191kb boundary.

This EXE is trapped by an AVAST scan as a "Malware" item. I'm not sure if that means it has a specific known virus, or whether a heuristic scan simply found a fingerprint of some sort that MIGHT be a virus.
Win32:Malware-gen

quote: Virus Bulletin
Generic detection

Recognising malware by its similarity to known items

Generic detection is a form of heuristics commonly implemented in anti-malware software. Items not identified exactly by means of a signature can sometimes be considered to be similar enough to a known item to merit an alert, and in many cases even a class identification.

Products alerting on generic detection will often use broader naming than with exact detection, perhaps classing something as ‘fam’ or ‘.gen’ to indicate that it belongs to the same family or genus but cannot be labelled as a specific variant.

Win32:Malware-gen

quote: F-Secure http://www.f-secure.com/en_EMEA/security/virus-removal/virus-information/encyclopedia/encyclopedia_genericdetection.html
Generic Detections are named in a different manner from normal signatures, as they are used to indicate group features, rather than those of specific variants.

Generic detection
http://www.securelist.com/en/glossary?glossid=189210517
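The replies above explain that a “-gen” label is a family-level (generic/heuristic) detection rather than an exact signature match. As an added illustration (not code from the original thread or from any vendor), the script below tallies a constructed multi-engine scan report of the kind VirusTotal returns, separates generic/heuristic labels from exact-signature ones, and applies a simple triage rule: only generic hits from a small minority of engines is the profile of a probable false positive worth submitting to the vendor, while any exact-signature hit needs deeper analysis. The marker list and the 25% threshold are assumptions chosen for this example.

```python
import re

# Label fragments vendors commonly use to mark generic/heuristic (family-level)
# detections rather than an exact-signature match. Constructed, not exhaustive.
GENERIC_MARKERS = re.compile(
    r"(?i)(?:^|[.:/_-])(?:gen|generic|fam|heur|heuristic|suspicious|sonar)(?:$|[.:/_-])"
)

# Constructed sample shaped like a multi-engine scan report: engine -> label or None (clean).
SAMPLE_REPORT = {
    "Avast": "Win32:Malware-gen",       # generic label, as in the thread
    "Norton": "SONAR.Heuristic.120",    # constructed heuristic label
    "ESET-NOD32": None,
    "Avira": None,
    "Kaspersky": None,
    "McAfee": None,
    "Microsoft": None,
    "Sophos": None,
}

def classify(label):
    """Return 'clean', 'generic' or 'specific' for one engine's detection label."""
    if not label:
        return "clean"
    return "generic" if GENERIC_MARKERS.search(label) else "specific"

def summarize(report):
    """Tally an {engine: label-or-None} report into a triage summary dict."""
    counts = {"clean": 0, "generic": 0, "specific": 0}
    specific = []
    for engine, label in sorted(report.items()):
        kind = classify(label)
        counts[kind] += 1
        if kind == "specific":
            specific.append(f"{engine}: {label}")
    counts["engines"] = len(report)
    counts["specific_labels"] = specific
    # Assumed triage rule: no exact-signature hit and generic hits from at most
    # a quarter of the engines -> probable false positive, submit to the vendor.
    counts["probable_false_positive"] = (
        counts["specific"] == 0 and counts["generic"] * 4 <= counts["engines"]
    )
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```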

Thank you for the info and the links … pretty much what I expected.

Since this program is designed specifically to block the use of some other video-capture software, my guess is that MAYBE that blocking-code, which is sort of “tricksy” to write, might be triggering the hit.

Question: what’s the general probability for these “-gen” hits to be FALSE? 50/50?

Question: is there some way that Avast can provide signature info to me or to the vendor, so that they can either find and elim the virus, or modify their legit code to elim a false hit?

Thanks!

Question: is there some way that Avast can provide signature info to me or to the vendor, so that they can either find and elim the virus, or modify their legit code to elim a false hit?
If you have sent the sample to avast (and they monitor the forum and may see this), and if this is a False Positive, it is probably fixed in one of the updates tomorrow.....

You can also upload the file to Avira http://analysis.avira.com/samples/index.php
They will do a manual analysis and you will get an answer within 48 hours on the file status, Clean or Malware.

Thank you again. I had not known about Avira before. I’ve submitted it as a potential “false positive”.

Does AVAST usually respond by email to the email submissions, so I know what the determination is?

Does AVAST usually respond by email to the email submissions, so I know what the determination is?
Usually not, that is why I use Norman or Avira if I want a double check, and they always respond...

“Norman” ??

Could you please tell me where to go to submit this to them? Thanks!

No worries … I found it. Thanks

You can use support@norman.no or analysis@norman.no

and tell them what you want, and that you want/need a response.