Probable False Positive

Hi there,

I’m pretty sure the download on this page: http://nudua.blogspot.com/2010/01/skype-push-to-talk-10-final-released.html is a false positive. I don’t want to take the risk of installing it though just in case but I need to install that software. Any advice?

The detection is: Win32:Spyware-gen [Spy]

Cheers!

Just before downloading it Stop the Web Shield or it will stop the download, the file should then be able to be downloaded. Ensure that you Start the Mail Shield once the download is complete.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page).

So long as you don’t open the .rar file or extract the files in it or run any executable files extracted (the file system shield would probably alert anyway on extraction) then you are reasonably safe.

The results: http://www.virustotal.com/analisis/44e8aebf6b9f6f77d1e65e22cb806374ca89d80666221e27c0c28f86029dd0b3-1268266276

It’s quite a mixed picture but most don’t think it’s a virus.

I’d say that if 9 antiviruses (I do not count avast 4 and GData (it uses avast as one of its scanners)) detect it as a virus, it IS most likely a virus. So be careful.

The VT result you have is from 11/3-2010; if you click rescan you get

VT 10/42. Symantec have removed detection?
http://www.virustotal.com/analisis/44e8aebf6b9f6f77d1e65e22cb806374ca89d80666221e27c0c28f86029dd0b3-1268927310

Not quite as clear cut as that. If only avast (and GData) detected it then it would be pretty clear cut, highly likely an FP. When you start getting more scanners detecting it then the likelihood of them all being wrong isn’t as certain.

Whilst the majority of those that detect it are using either heuristic or generic detections, which are more prone to mis-detection, there is room for doubt, but you should assume it is not infected. It requires further analysis.

Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic, plus the VT results link Pondus gave might help and possible false positive in the subject.

Or

If using avast 4.8 - you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

If using avast 5.0 - from the UI, Maintenance, Virus Chest, right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update.

I submitted it via Avast 5. Thanks for the help. 🙂

No problem, glad I could help.

Welcome to the forums.

Norman report
“Extracted Files from skypeptt1final.rar are not malicious.
Its a additional plugin created by unknown, no malicious behaviour found when analyzed, hence not added.”
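
The detection-counting reasoning discussed in this thread, as an added Python example that is not part of any forum post: it reads the file hash and scan time out of the legacy VirusTotal links posted above and counts engines that share a scanner only once. The link format is inferred from those two links; the generic-name markers and the engines `EngineA` and `EngineB` are assumptions made up for illustration.

```python
import re
from datetime import datetime, timezone

# Legacy VirusTotal result links, like the two posted in the thread, end in
# <sha256 of the file>-<Unix time of the scan>.
VT_LINK = re.compile(r"/analisis/([0-9a-f]{64})-(\d+)$")

# Products that embed another vendor's scanner are not independent opinions.
# The thread states that GData uses avast as one of its scanners.
SHARED_ENGINE = {"GData": "avast"}

# Assumption: these name fragments mark a generic or heuristic verdict.
GENERIC = re.compile(r"(?<![a-z])(gen|generic|heur|heuristic|suspicious)(?![a-z])", re.I)


def parse_vt_link(url):
    """Return (sha256, scan time in UTC) from a legacy VT result link."""
    m = VT_LINK.search(url.strip())
    if m is None:
        raise ValueError("not a legacy VirusTotal result link")
    return m.group(1), datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)


def triage(detections):
    """Count independent engines and list those with generic-style names."""
    independent = {SHARED_ENGINE.get(engine, engine) for engine in detections}
    generic = sorted(e for e, name in detections.items() if GENERIC.search(name))
    return {"raw": len(detections), "independent": len(independent), "generic": generic}


# Constructed sample: only the avast name comes from the thread; the other
# engines and names are made up for illustration.
SAMPLE = {
    "avast": "Win32:Spyware-gen [Spy]",
    "GData": "Win32:Spyware-gen",
    "EngineA": "Trojan.Generic.123",
    "EngineB": "Spy.Keylogger.X",
}

if __name__ == "__main__":
    link = ("http://www.virustotal.com/analisis/44e8aebf6b9f6f77d1e65e22cb8063"
            "74ca89d80666221e27c0c28f86029dd0b3-1268266276")
    sha256, scanned = parse_vt_link(link)
    print(sha256, scanned.isoformat())
    print(triage(SAMPLE))
```

The scan time in the link shows how old a posted result is, and the `independent` count is the figure to weigh rather than the raw number of detections.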