Tried downloading hxxp://www.trickytruck.com/Tricky_Truck_Setup.exe; Avast is detecting Win32:Malware-gen. I’m fairly certain this is a false positive, since VirusTotal and Jotti are both reporting the file as clean.
Well, this one is strange: it doesn’t appear that VT has updated the avast signatures (23/2/2011), as it wasn’t detected, but the GDATA detection is from the avast engine (one of its two AVs).
The other AV, Jiangmin, who knows.
So I would say there is a high likelihood it is an FP:
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update.
I did try to submit to the Virus lab but nothing happens. I don’t get any form to fill in and nothing seemed to be uploaded when I did a manual update. Am I doing something wrong?
It used to have a form to complete, but that doesn’t seem to be required now. Though if you do a manual update and actually watch the update process, you will see the upload take place.
Thanks Scott, I didn’t realise that it was larger than the max size to send. The new size is much larger (16MB as opposed to the old one, 4MB) and I thought there wouldn’t be anything bigger than that you would need to send ;D
I only remembered this because I saw this a while ago, with an older version (maybe 4), and the form wouldn’t appear if it was over the limit…
One thing I will say is that it needs changing somewhat… the sizes are in different formats all over the place.
The chest properties give it in bytes (but don’t say that), then the settings are in MB and KB…
I am used to switching between mega/kilo etc. easily because I do it almost daily in physics but some will have trouble and find it really confusing…
It looks like the file has been submitted, although it seemed to indicate finished when the upload progress bar was only about half-way through. The file can be downloaded directly from the URL in my first post if the upload didn’t work.
BTW, it would be a good idea for the “submit to virus lab…” action to say that a file is not going to be submitted if it’s too large. If you don’t get any message, it’s easy to assume that the file has been submitted.
…and just read spg SCOTT’s last post. Yes - it would be a good idea to have the file sizes in MB or KB, but not both!
I have some more information. Not sure if this is helpful, but…
I have just re-scanned previous versions of this file (I keep them for reference just in case). All versions are now showing the same infection with the current virus definitions, however no problems were detected when the file was originally downloaded. The most recent version was downloaded on 4th Jan 2011, so I suspect something has changed in the detection signatures (or whatever is used by Avast) since then.
Avast Auto-update is enabled so I should have been using the “latest and greatest” virus definitions when these files were downloaded.
I explained to you that the line between “obfuscation to protect” and “obfuscation to infect” can be a very thin line, and so could easily lead to initial FPs,