threat win32:crypt-rvm

I downloaded the following icon set from sourceforge: https://sourceforge.net/projects/openiconlibrary/

When I scan it, I get the above alert. How would I know if it’s a false positive? Should I unzip it and re-scan the unzipped contents, or is that ill-advised?

Thanks.

Suspicious files can be uploaded and tested at virustotal.com

Should I unzip it and re-scan the unzipped contents, or is that ill-advised?
It is best to scan it unzipped at VirusTotal. If you are scared of doing that, you may use metadefender.com; it will unpack and show the files inside. Click Details for the result.

The file is 196 MB compressed; VirusTotal supports up to 128 MB.

Then there are other options / avast lab >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Or unpack everything, create two zip files each with about half of the files, and submit both to VT.

Hi

The compressed file is only detected on the scan.
When unpacking there is no detection; there is no executable application. The file has been submitted to FTP.
Let's wait for someone else to look at this.

See attached

One could also scan it online like here: https://malwr.com/analysis/MDljZjA0MGM1ZjQzNGVjOTllYTJkOWM3Mzc2ZWZkN2Y/

It is an error in configuring the Ruby implementation - An unhandled win32 exception occurred in UE4Editor.exe and we have VectorVM.dll D:\Team6\EngineT6\Engine\Binaries\Win64\UE4Editor-VectorVM.dll in Cryptbase detected. Something to do with svhost.exe trying to access the application.

Somehow I have a hunch it could be a false positive. But scan, better safe than sorry.

polonus

Hi,

I’ve downloaded the open_icon_library-standard-0.11.zip file from the website and then scanned it with an on-demand scan and it came out clean. So either the file changed or I got served a different one from a different mirror (hash of the downloaded file is 3FA5229C3C84711B3B67026B20E180FB7BFAEC396445C7E473E7D2A245F83078).

Just to be sure I’ve manually checked the file I downloaded and it looks OK.

Regards,
Jiri

open_icon_library-standard-0.11.tar.bz2 is the same file, with the extension changed. Size compressed: 194 MB.

Strange, I'm still seeing the detection? I tried to write a detection dump unp238546806.tmp, but it is not possible due to file size.

Good, there is another link that is clean; the mirror is netix and directs to sourceforge.

https://osdn.net/projects/sfnet_openiconlibrary/downloads/0.11/open_icon_library-standard-0.11.zip/

The file is 256 MB compressed and no threat is found.

Link pointing to the file 194 MB compressed. I now tested the interface program and the right-mouse button, and the detection is here.

attached

I see, I’ve scanned the .tar file and it does trigger. And as mentioned earlier, there are no executable files so this is definitely a false positive. I’ve already updated the detection, it should stop triggering after next VPS update.

Thanks for reporting.
Jiri
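The two checks the thread relies on, splitting an archive into uploads under a size limit and confirming that an archive contains no executable content before calling a hit a false positive, as an added example that is not part of the thread or of any product mentioned in it. The sample archive, the extension list and the 128 MB-style limit are constructed here; the published hash from the thread would be compared against the value sha256_hex returns.

```python
import hashlib
import io
import os
import zipfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}  # assumed list
PE_MAGIC = b"MZ"  # DOS/PE header signature

def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256 of the archive bytes, for comparison with a published hash."""
    return hashlib.sha256(data).hexdigest().upper()

def executable_members(archive: bytes) -> list:
    """Names of zip members that look executable by extension or by PE magic bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the first two bytes are needed for the PE check
            if ext in EXEC_EXTS or magic == PE_MAGIC:
                found.append(info.filename)
    return found

def split_for_upload(archive: bytes, limit: int) -> list:
    """Greedily group member names so each group's compressed size stays within `limit` bytes."""
    groups, current, size = [], [], 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if current and size + info.compress_size > limit:
                groups.append(current)
                current, size = [], 0
            current.append(info.filename)
            size += info.compress_size
    if current:
        groups.append(current)
    return groups

def build_sample_archive() -> bytes:
    """Constructed sample zip: two icon files plus one file that starts with a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("icons/home.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 400)
        zf.writestr("icons/mail.svg", b"<svg/>" + b" " * 400)
        zf.writestr("icons/helper.bin", PE_MAGIC + b"\x90" * 400)  # PE magic behind an odd extension
    return buf.getvalue()
```

Members flagged by executable_members are the ones worth submitting individually; an archive with an empty result matches the "no executable files" reasoning used above.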

Detection is signaled with only the change variant in VPS 170420-10.

Unfortunately the fix was not released yet, it got delayed in QA. If everything goes well it should get released tomorrow.

Jiri

Thank you!

Detection has been removed in VPS 170423-0
Mark this thread as resolved.