Possible false positive in Macro program

Hello,

I wanted to report that Avast Antivirus reports "Win32-Trojan-gen (Other)" in _prog.exe, which is part of version 6.31 of the Macro Toolsworks macro program from Pitrinec at www.pitrinec.com. I got this report for the file in the Toolsworks installation on my computer and also for a download of the file today from their website. I think this is probably a false positive because I've been using the software without trouble for years. The Avast version is 4.8.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude it until the problem is corrected.

Thanks for reporting. Seems, indeed, a false positive.

Here is the report I got from Virus Total for the installation file I downloaded today that Avast identified as containing a trojan:

```
Antivirus	Version	Last Update	Result
AhnLab-V3	2008.10.24.3	2008.10.26	-
AntiVir	7.9.0.9	2008.10.25	-
Authentium	5.1.0.4	2008.10.26	-
Avast	4.8.1248.0	2008.10.25	-
AVG	8.0.0.161	2008.10.26	-
BitDefender	7.2	2008.10.26	-
CAT-QuickHeal	9.50	2008.10.25	-
ClamAV	0.93.1	2008.10.26	-
DrWeb	4.44.0.09170	2008.10.26	-
eSafe	7.0.17.0	2008.10.26	-
eTrust-Vet	31.6.6168	2008.10.25	-
Ewido	4.0	2008.10.26	-
F-Prot	4.4.4.56	2008.10.26	-
F-Secure	8.0.14332.0	2008.10.26	-
Fortinet	3.113.0.0	2008.10.26	-
GData	19	2008.10.26	-
Ikarus	T3.1.1.44.0	2008.10.26	-
K7AntiVirus	7.10.508	2008.10.26	-
Kaspersky	7.0.0.125	2008.10.26	-
McAfee	5415	2008.10.25	-
Microsoft	1.4005	2008.10.26	-
NOD32	3557	2008.10.26	-
Norman	5.80.02	2008.10.24	-
Panda	9.0.0.4	2008.10.26	Suspicious file
PCTools	4.4.2.0	2008.10.26	-
Prevx1	V2	2008.10.26	-
Rising	21.00.62.00	2008.10.26	-
SecureWeb-Gateway	6.7.6	2008.10.25	-
Sophos	4.35.0	2008.10.26	-
Sunbelt	3.1.1753.1	2008.10.25	-
Symantec	10	2008.10.26	-
TheHacker	6.3.1.1.129	2008.10.25	-
TrendMicro	8.700.0.1004	2008.10.24	-
VBA32	3.12.8.8	2008.10.25	-
ViRobot	2008.10.24.1436	2008.10.24	-
VirusBuster	4.5.11.0	2008.10.26	-
Additional information
File size: 1420871 bytes
MD5...: b8f3577c91bb270befb07e3d7f828111
SHA1..: 9e53ff8de48827ea448e0b457fba6934407c2b9a
SHA256: be7877df3d31b9ec2d16c3a02366e040bc18a721596225fdb30ce00d14ed8b9b
SHA512: 08edd33c7508b62d13a1e6483d51847c16a3c49f9980e6c3971a7145e7c999b0cf90ef50a663d0ac0d5be6152cdebc9f9d3887c54a292ca6f6e4a8fc5fef5f1f
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4278cb
timedatestamp.....: 0x3f68a4de (Wed Sep 17 18:15:58 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x314f5 0x32000 6.59 6bc6e9b9073df6efcf06f61ea9c82869
.rdata 0x33000 0x5052 0x6000 3.54 4f93ec0392eabc9e73103ba7508a69b8
.data 0x39000 0x3c1e8 0x13000 5.48 5a474b42d3cba5083c2ef3db47981a19
.rsrc 0x76000 0x2a7a40 0x2a8000 8.00 73a4c3df1e7631ce382bd6af67d307c7

( 5 imports )
> KERNEL32.dll: SetCurrentDirectoryA, GetCurrentDirectoryA, GetTickCount, GetTempPathA, GetTempFileNameA, DeleteFileA, SetEnvironmentVariableA, CompareStringW, CompareStringA, SetEndOfFile, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetProcAddress, GetStringTypeW, GetStringTypeA, FlushFileBuffers, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, CloseHandle, CreateFileA, MoveFileA, SystemTimeToFileTime, GetLocalTime, FileTimeToDosDateTime, DosDateTimeToFileTime, GetFileAttributesA, CompareFileTime, SetFileAttributesA, CreateFileW, SetFileTime, LocalFileTimeToFileTime, WriteFile, WideCharToMultiByte, MultiByteToWideChar, ReadFile, GetFileSize, GetLastError, LocalFree, FormatMessageA, GetFileTime, GetCurrentThreadId, IsBadReadPtr, MapViewOfFile, CreateFileMappingA, GetModuleFileNameA, SetFilePointer, UnmapViewOfFile, CreateDirectoryA, CreateDirectoryW, SetCurrentDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, GetSystemTime, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, GetTimeZoneInformation, HeapAlloc, HeapFree, HeapReAlloc, TerminateProcess, GetCurrentProcess, HeapSize, UnhandledExceptionFilter
> USER32.dll: SendMessageA, GetDlgItem, GetDlgItemTextA, DefWindowProcA, DestroyWindow, BeginPaint, EndPaint, CreateWindowExA, EndDialog, PostQuitMessage, PostMessageA, SetDlgItemTextA, SendDlgItemMessageA, SetTimer, LoadCursorA, RegisterClassExA, GetDesktopWindow, GetWindowRect, CopyRect, OffsetRect, SetWindowPos, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, DialogBoxParamA, MessageBoxA
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, ShellExecuteA, SHBrowseForFolderA
> ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize
> OLEAUT32.dll: -, -

( 0 exports )
```

Thanks!

Certainly looks like an FP, see the link in my post on how to report and exclude from scans.

Periodically check it (scan it in the chest), there should still be a copy in the chest even if you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

I think I submitted a file that Avast prevented from fully downloading last time, and therefore, it wasn’t a true representative of the problem. This time, I turned off Avast before downloading the file, and resubmitted it to VirusTotal. This is the result I got:

```
Antivirus	Version	Last Update	Result
AhnLab-V3	2008.10.27.3	2008.10.27	-
AntiVir	7.9.0.9	2008.10.27	-
Authentium	5.1.0.4	2008.10.27	-
Avast	4.8.1248.0	2008.10.27	Win32:Trojan-gen {Other}
AVG	8.0.0.161	2008.10.27	-
BitDefender	7.2	2008.10.27	-
CAT-QuickHeal	9.50	2008.10.27	-
ClamAV	0.93.1	2008.10.27	-
DrWeb	4.44.0.09170	2008.10.27	-
eSafe	7.0.17.0	2008.10.26	-
eTrust-Vet	31.6.6168	2008.10.25	-
Ewido	4.0	2008.10.27	-
F-Prot	4.4.4.56	2008.10.27	-
Fortinet	3.113.0.0	2008.10.27	-
GData	19	2008.10.27	Win32:Trojan-gen {Other}
Ikarus	T3.1.1.44.0	2008.10.27	-
K7AntiVirus	7.10.509	2008.10.27	-
Kaspersky	7.0.0.125	2008.10.27	-
McAfee	5415	2008.10.25	-
Microsoft	1.4005	2008.10.27	-
NOD32	3559	2008.10.27	-
Norman	5.80.02	2008.10.24	-
Panda	9.0.0.4	2008.10.27	Suspicious file
PCTools	4.4.2.0	2008.10.27	-
Prevx1	V2	2008.10.27	-
Rising	21.01.02.00	2008.10.27	-
SecureWeb-Gateway	6.7.6	2008.10.27	Trojan.Agent.1187840
Sophos	4.35.0	2008.10.27	-
Sunbelt	3.1.1753.1	2008.10.25	-
Symantec	10	2008.10.27	-
TheHacker	6.3.1.1.131	2008.10.27	-
TrendMicro	8.700.0.1004	2008.10.27	-
VBA32	3.12.8.8	2008.10.27	-
ViRobot	2008.10.27.1438	2008.10.27	-
VirusBuster	4.5.11.0	2008.10.27	-
Additional information
File size: 3096576 bytes
MD5...: 9b584bd0a289c8062096d3028b8f7aa3
SHA1..: 1c79471979c4b7ffb12baa3e5ebfd36afd20fc34
SHA256: 675cc8cef5a5cc1907cb6f7fd7a512f362056b62e77042871a1270a445e0d833
SHA512: 17d9b04d254c2159b69d2783dfe55072fea4d83e582a2b3f0d2c67710170a9c45a43448d3e406f6a4ab0b40835b4ddc082095ae09f2685cd92894d1f45e8a701
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4278cb
timedatestamp.....: 0x3f68a4de (Wed Sep 17 18:15:58 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x314f5 0x32000 6.59 6bc6e9b9073df6efcf06f61ea9c82869
.rdata 0x33000 0x5052 0x6000 3.54 4f93ec0392eabc9e73103ba7508a69b8
.data 0x39000 0x3c1e8 0x13000 5.48 5a474b42d3cba5083c2ef3db47981a19
.rsrc 0x76000 0x2a7a40 0x2a8000 7.99 1813f91973e1f474255d07b597b9c65b

( 5 imports )
> KERNEL32.dll: SetCurrentDirectoryA, GetCurrentDirectoryA, GetTickCount, GetTempPathA, GetTempFileNameA, DeleteFileA, SetEnvironmentVariableA, CompareStringW, CompareStringA, SetEndOfFile, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetProcAddress, GetStringTypeW, GetStringTypeA, FlushFileBuffers, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, CloseHandle, CreateFileA, MoveFileA, SystemTimeToFileTime, GetLocalTime, FileTimeToDosDateTime, DosDateTimeToFileTime, GetFileAttributesA, CompareFileTime, SetFileAttributesA, CreateFileW, SetFileTime, LocalFileTimeToFileTime, WriteFile, WideCharToMultiByte, MultiByteToWideChar, ReadFile, GetFileSize, GetLastError, LocalFree, FormatMessageA, GetFileTime, GetCurrentThreadId, IsBadReadPtr, MapViewOfFile, CreateFileMappingA, GetModuleFileNameA, SetFilePointer, UnmapViewOfFile, CreateDirectoryA, CreateDirectoryW, SetCurrentDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, GetSystemTime, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, GetTimeZoneInformation, HeapAlloc, HeapFree, HeapReAlloc, TerminateProcess, GetCurrentProcess, HeapSize, UnhandledExceptionFilter
> USER32.dll: SendMessageA, GetDlgItem, GetDlgItemTextA, DefWindowProcA, DestroyWindow, BeginPaint, EndPaint, CreateWindowExA, EndDialog, PostQuitMessage, PostMessageA, SetDlgItemTextA, SendDlgItemMessageA, SetTimer, LoadCursorA, RegisterClassExA, GetDesktopWindow, GetWindowRect, CopyRect, OffsetRect, SetWindowPos, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, DialogBoxParamA, MessageBoxA
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, ShellExecuteA, SHBrowseForFolderA
> ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize
> OLEAUT32.dll: -, -

( 0 exports )
packers (Kaspersky): Armadillo
packers (F-Prot): Armadillo
```

It is identified as the same trojan by another service, and Panda considers it a “suspicious” file. I still think it is a false positive, but I wanted to hear a more expert opinion. It is part of a program for running macros, so perhaps it contains some code that operates at a low level on the computer that looks suspicious.

Thanks!
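A small triage script added here as an example (not from the thread, Pitrinec or Avast) for the two things the two reports above illustrate: the first upload was an incomplete download, which a section-table check catches because the raw sections extend past the end of the file, and the .rsrc section sits at 8.00/7.99 bits per byte, the kind of packed or encrypted blob that generic and heuristic detections commonly flag. It assumes the reported file's headers occupy the first 0x1000 bytes (the report omits raw offsets), and runs on a constructed mini-PE rather than the real sample.

```python
import math
import struct
from collections import Counter

# Raw section sizes from the second report above. Assuming the headers fill
# the first 0x1000 bytes (an assumption; the report omits raw offsets), they
# total 3096576, the second upload's exact size, far above the first (1420871).
REPORT_RAW_SIZES = {".text": 0x32000, ".rdata": 0x6000, ".data": 0x13000, ".rsrc": 0x2a8000}

def reported_size(header_size: int = 0x1000) -> int:
    return header_size + sum(REPORT_RAW_SIZES.values())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly spread bytes."""
    n, counts = len(data), Counter(data).values()
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        _vsize, _vaddr, raw_size, raw_off = struct.unpack_from("<4I", hdr, 8)
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size

def triage(pe: bytes):
    """(complete, {section: entropy}); complete is False if the file ends early."""
    complete, entropies = True, {}
    for name, off, size in parse_sections(pe):
        complete = complete and off + size <= len(pe)  # truncated download?
        entropies[name] = round(shannon_entropy(pe[off:off + size]), 2)
    return complete, entropies

def build_sample_pe(sections) -> bytes:
    """Constructed PE32 stand-in (not a real program): 0x200 header bytes, then raw sections."""
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 optional header, fields unused
    off, va, body = 0x200, 0x1000, bytearray()
    for name, data in sections:
        out += name.encode().ljust(8, b"\0") + struct.pack("<4I", len(data), va, len(data), off) + b"\0" * 16
        body += data
        off, va = off + len(data), va + ((len(data) + 0xFFF) & ~0xFFF)
    return bytes(out.ljust(0x200, b"\0") + body)

SAMPLE = build_sample_pe([(".text", bytes(range(64)) * 16), (".rsrc", bytes(range(256)) * 8)])  # 6.0 and 8.0 bits/byte
```

Running `triage(SAMPLE)` returns complete with entropies 6.0 and 8.0; `triage(SAMPLE[:-100])` reports the file as incomplete, the same symptom the truncated first upload would have shown.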

No, it’s not. GData uses avast engine and virus databases. So, the detection is the same.

I don’t think so. Seems a false positive. Hope they correct detection soon?
Did you send it for analysis?

Well, the detections, such as they are, seem either generic or suspicious (heuristic), which are more prone to FPs, so you should send the sample for analysis as in the how to report and exclude link in my first reply.

I sent it in for analysis. Thank you for your help.

Thank you for helping improve detection and its accuracy :wink:

You’re welcome, thanks for taking the time to report it. Alwil are usually quick to correct reported FPs. Periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.