Signed executable triggering Cybercapture

Avast Cybercapture has recently started blocking our product despite the executable (and installer) being signed by a trusted certificate (issued by Comodo).
This does not seem like it would be intended behavior, since the only criterion for this seems to be “file is rare”.

Report it to Avast.
https://www.avast.com/false-positive-file-form.php

Submitted already, but that doesn’t help much as we have constant updates.

I’m looking at the whitelisting process, but it’s a bit unclear if just the main executable has to be submitted, or dependencies as well.
There’s also a mention that it’s possible to whitelist our digital signature, but I failed to find any information on how to actually do that.

https://www.avast.com/faq.php?article=AVKB228
https://www.avast.com/faq.php?article=AVKB229

Hello,
can you post sha256 of the signed file, which goes to CyberCapture to verify it, please?

Milos

We’re seeing similar issues here. All of our produced software (installers and executables) is now constantly being scanned by CyberCapture, despite being signed (sha-1 and sha-256). Similarly, our cert is issued by Comodo.

This wasn’t happening until the last week or so, and is really annoying us in development and testing. We’re hoping that our customers aren’t having similar issues if they’re running Avast.

It’s frustrating, and we’ve already started to remove Avast from some of our computers so that we can get our work done.

Hello,
please provide sha256 of the signed file (or link to download the file), which goes to CyberCapture to verify it.

Milos

Milos: You can download an example of one of our installers at https://www.minemax.com/customer-care/downloads/MinemaxSoftwareManager.exe

Hello,
thank you for the link. I set this certificate as clean and it should stop triggering CyberCapture on files signed by this certificate from the next VPS release. Sorry for any inconvenience.

Milos

Info on the executable in question:
Name: InteractioBroadcaster.exe
Size: 2350272 bytes (2 MB)
SHA256: B2A4CE8C72BC9EDD863606E5C5C2370BD432AAFCEFF4BDC3DC2BDCF6165F4E05

Link to the whole signed executable:
https://drive.google.com/file/d/0B2t4jTiPaZWzLW9hdHVVSTNuV28/view?usp=sharing

Hello Bug Fairy,
I have checked the file and certificate and both are marked as clean since 05-12-2017 so it should not trigger CyberCapture. Do you have updated VPS?

Milos

I submitted it as a false positive on the 11th, I believe. I was assuming it’d whitelist only the file. But if the certificate is whitelisted as well, then the issue is solved. Thank you for the timely responses.

Hello,
Same problem with our applications signed with the same certificate from DigiCert
http://engarde-escrime.com/signe/DiapoEngardeS.exe
http://engarde-escrime.com/signe/Engarde9646S.exe
http://engarde-escrime.com/signe/ShowPisteS.exe

Could you help, please?

Hello,
all the 3 files are using different certificates. Two of them are now expired and samples signed with the expired certificates are missing signing date so this might be a reason why it cannot be verified.

I will set the files to clean state so it should fix it.

Milos
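
A pre-release check for the condition described in the reply above (a file signed with a certificate that later expires, with no signing date attached), as an added example that is not part of the original thread. The function name `Get-SigningReport` and the `.\dist` folder are hypothetical; the cmdlets `Get-AuthenticodeSignature` and `Get-FileHash` are built into PowerShell on Windows.

```powershell
# Added example, not from the thread: report hash, signer and timestamp state
# for each build output so untimestamped or mixed-certificate files are caught
# before they ship.
function Get-SigningReport {
    param([Parameter(Mandatory)][string[]]$Path)

    $now = Get-Date
    foreach ($item in Resolve-Path -Path $Path) {
        $file    = $item.ProviderPath
        $sig     = Get-AuthenticodeSignature -LiteralPath $file
        $cert    = $sig.SignerCertificate
        # A timestamp countersignature is what records the signing date.
        $stamped = $null -ne $sig.TimeStamperCertificate

        $note = if ($null -eq $cert) {
            'Unsigned'
        } elseif ($sig.Status -ne 'Valid') {
            "Signature status: $($sig.Status)"
        } elseif (-not $stamped) {
            'No timestamp: signature stops verifying when the certificate expires'
        } else {
            'OK'
        }

        [pscustomobject]@{
            File        = Split-Path -Leaf $file
            SHA256      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Thumbprint  = if ($cert) { $cert.Thumbprint }
            CertExpires = if ($cert) { $cert.NotAfter }
            CertExpired = if ($cert) { $cert.NotAfter -lt $now }
            Timestamped = $stamped
            Note        = $note
        }
    }
}

# Constructed usage: .\dist is a hypothetical build output folder.
$report = Get-SigningReport -Path '.\dist\*.exe'
$report | Format-Table -AutoSize
# More than one group here means the release mixes signing certificates.
$report | Group-Object Thumbprint | Select-Object Count, Name
```

The SHA256 column is the value to include in a false-positive report, and the thumbprint grouping shows whether all files in a release share one certificate.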

Sorry for the mistake; we will sign the two files that have the expired certificate with the new certificate we used for the third.

Many thanks for the quick and efficient help :)