tomb4.exe false positive (Win32:Evo-gen)

  1. It was detected when moving the tomb4.exe file to another folder.

http://i.imgur.com/dnc6ZLX.png

  1. The file is included in a modified version of Tomb Raider Level Editor called Next Generation Tomb Raider Level Editor. It’s a modification to the Tomb Raider IV engine to allow more features and better performance. It can be downloaded from http://skribblerz.com/editortools.htm
  2. It was downloaded 23/03/2011 and until recently there was no problem with it.
  3. tomb4.exe
  4. The last pop-up message was overwritten by another one, so I can’t tell exactly. It said it found a suspicious program and deleted it immediately.
  5. The message says the file is safe, there is no danger.
  6. https://www.virustotal.com/pl/file/2e07f27c7631aecad3bb7ec250b3daef6a2df93f0a3cb347805b7f646f27fce0/analysis/1371629048/
    MD5: c502e39546c807afc58838d20952fedb
    Detection ratio: 2/47
  7. There is no information about Win32:Evo-gen on either of the two sites.
  8. The file is widely used by the Tomb Raider Custom Level Community and there has never been any problem with it. The person who made the file has a good reputation in the Tomb Raider community. I have used it myself for several years without problems until recently. VirusTotal, out of forty-seven, found only two antiviruses that think of it as a dangerous file. When scanned, Avast says it’s a harmless file. The evidence provided by the above questions lets me judge the file is safe.

You can report a possible FP here: http://www.avast.com/contact-form.php

I’ve already sent it several days ago but I thought maybe it’d be good to make a thread about it on forums as well.

For that potentially suspicious detection, see the discussion here: http://www.wilderssecurity.com/showthread.php?p=2241914
and Vlk’s postings in that thread #8, #11, #19 about that heuristic detection.
Good that you filed an FP report, because heuristic detections are FP-prone by nature,
and here because there are variations on the exact executable, dependent on the settings in the patcher.
That is why we have seen FPs earlier for this file with MBAM…(Trojan.FakeAlert),

polonus