Need help submitting false positive -- pls see explanation

avast! Home free v 4.8.1129 / Xtreme Toolkit v 1.9.4.0 / Windows XP Home

I use an application called FlexCrypt Folder (http://www.flexcrypt.com/flexcryptfolder.html) which encrypts files into password-protected executables. I have been using this for a while and I have every reason to believe it is legit and clean.

Each time it’s run, Flexcrypt generates variably-named .DAT files, and avast! is flagging these files as containing “Win32: Trojan-gen{Other}”. Flexcrypt cannot be run, nor the resulting executable files opened or accessed, while Standard Shield is running; it must be paused to run Flexcrypt and generate or access the resulting executables.

Since avast! is flagging multiple, individually-generated files, I’m not sure how to submit this to VirusTotal and/or avast! directly for consideration. Any advice appreciated.

THX JLJ

You can only upload individual files to VT, so I would suggest you upload a couple and post the link to the results here.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, send a couple of the samples to avast; these can be grouped into one password-protected archive.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body. A link to this topic and the VT results might help, and false positive/undetected malware in the subject.

Thanks, I’ve followed your instructions to the letter. Here is the VirusTotal result of one of three flagged Flexcrypt files:


File 00000010 received on 10.24.2008 02:57:49 (CET)
Result: 0/36 (0%)

AhnLab-V3 2008.10.22.0 2008.10.23 -
AntiVir 7.9.0.5 2008.10.23 -
Authentium 5.1.0.4 2008.10.23 -
Avast 4.8.1248.0 2008.10.23 -
AVG 8.0.0.161 2008.10.23 -
BitDefender 7.2 2008.10.24 -
CAT-QuickHeal 9.50 2008.10.23 -
ClamAV 0.93.1 2008.10.24 -
DrWeb 4.44.0.09170 2008.10.24 -
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6164 2008.10.22 -
Ewido 4.0 2008.10.23 -
F-Prot 4.4.4.56 2008.10.23 -
F-Secure 8.0.14332.0 2008.10.24 -
Fortinet 3.113.0.0 2008.10.23 -
GData 19 2008.10.24 -
Ikarus T3.1.1.44.0 2008.10.24 -
K7AntiVirus 7.10.505 2008.10.23 -
Kaspersky 7.0.0.125 2008.10.24 -
McAfee 5413 2008.10.23 -
Microsoft 1.4005 2008.10.24 -
NOD32 3550 2008.10.23 -
Norman 5.80.02 2008.10.23 -
Panda 9.0.0.4 2008.10.23 -
PCTools 4.4.2.0 2008.10.23 -
Prevx1 V2 2008.10.24 -
Rising 21.00.32.00 2008.10.23 -
SecureWeb-Gateway 6.7.6 2008.10.23 -
Sophos 4.34.0 2008.10.24 -
Sunbelt 3.1.1749.1 2008.10.23 -
Symantec 10 2008.10.24 -
TheHacker 6.3.1.0.126 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.24 -
VBA32 3.12.8.8 2008.10.22 -
ViRobot 2008.10.23.1434 2008.10.23 -
VirusBuster 4.5.11.0 2008.10.23 -

Additional information
File size: 634888 bytes
MD5…: 118c95c2f7e9d14a001c2efea3a4221e
SHA1…: 744305ab324c21b80327308f706b9e45818b02f4
SHA256: 249740a2e1a4837e8a23ff200cd1437ab1c4ca51dad2642c9608fb9f2ce8b6dd
SHA512: fbec2296dc9f7c5bd0d5d6ba2677f3698c638f94752adac786be75d3a06d4ba6
04876e5be32a6434622b7afe7a6faaac7d500752c4c2ba98adbff41c30a52b49
PEiD…: -
TrID…: File type identification
Unknown!
PEInfo: -


I’ll submit a zip with three files as noted. THANKS

JLJ

You’re welcome, let’s hope there is a speedy correction.

You could exclude the *.dat files if they are in the one folder, e.g. c:\foldername\*.dat. That * wildcard means all .dat files in the folder would be excluded from scans, so if you chose to do that you would have to exercise care or you could leave a big security hole.

Periodically scan the suspect files in the chest, and when they are no longer detected, restore the files and remove the exclusions.