My self written text editor being treated as malware

Viruses and worms
1

My open source editor “GreenPad-nt350” was being treated as Win32:Paleworm-B [Wrm].

Sources: http://rtoss.googlecode.com/svn/GreenPad-nt350/
Binary: http://roy.orz.hm/gpc/files1.rt/GreenPad-nt350.rar

VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=bb280ad13679c9857f27e434ff1b3cd288bc8f3b719389f3341c9b2de88c3117-1315725035

2

Send “False Positive” as subject:
virus@avast.com

including the link to this topic and/or the relevant info/links (NOT the file itself).

You can report a false positive here:
http://www.avast.com/contact-form.php?loadStyles

3

Can you add the program to the exclusion list of the shield that is detecting it ? you would probably have to add the exe files to the behaviour shields trusted processes as well.

4

But then roytam1 is the only one that knows this is a FP. By providing the info to Avast Team, we all get the benefits, and the database is improved.

… Unless the program is only used by roytam1 only and not shared/distributed in any way to anyone.

5

That how i interpreted it as it was just his own custom program ???

6

Well, no according to the OP:

So, I was providing the “unless…” for:
A_ general info
B_ in case roytam1 is actually saying that the original open source program is not detected by Avast, but only a personal customization is. Since roytam1 is the original developer, the customization probably turns out to be the open source to public distribution version/build/edition.

Directly contacting Avast improves the database and the engine in any case. The “unless…” is just a possible workaround, that helps to only one user/system. In case that particular system is the one and only that has this file, then the effects are equivalent.

If roytam1 wants the tool to be used/downloaded with no “panics” from Avast’s users, it is better to send the info about the FP (or an unknown unconfirmed possible malware, if that would be the case). In addition, Avast engine gets smarter.

7

It doesn’t matter, essentially both actions should be carried out. A. if it is available for open source distribution and B. to allow roytam1 to use it.

I would also suggest that roytam1 upload the sample to virustotal and see if other AVs also alert on it.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

8

@DavidR,

Already done; see the first post. Avira also identifies it, but not the rest.

Either it is a FP, or it got recently hacked and the developer (roytam1) didn’t notice it.

9

Hi,

false positive alert will be fixed in next VPS update (110912-1).