Virustotal flags Security.JS in SRWareIron!

Hi malware fighters,

While doing a scan with a-squared Free the following file was flagged as high risk malware:
C:\Program Files\SRWareIron\resources\content\Security.JS
I scanned this javascript file at VirusTotal with the following results:
http://www.virustotal.com/nl/analisis/e2fcbb2330182eaa72b3317e2375f9a5668216c950d5b1026596b201d0fb4fa9-1243625864
Is this a genuine find or an FP? avast does not flag it as malware, MBAM thinks the file is clean.

polonus

I haven’t a great deal of faith in a-squared and, based on the file name alone, security.js, this file might well be packed and/or encrypted and that may be what is detected (seeing some on the VT results).

You can open it in notepad or other text editor and you would see it is packed/encrypted (weird) text rather than plain javascript.

Hi DavidR,

As you said, a packed and encrypted file. Other results:

Comodo Malware Scan results
File Info:
  Size     44950
  MD5      1e3261612f743a261a96a6df3e7cc2c1
  SHA1     faa1c8c27380adcdab4a1545c4b81074711f5dd0
  SHA256   e2fcbb2330182eaa72b3317e2375f9a5668216c950d5b1026596b201d0fb4fa9
  Process  Failed
Verdict:
  Auto Analysis Verdict: Not Rated as Suspicious

DrWeb online av scanner:
Checking: Security.JS
Engine version: 5.0.0.12182
Total virus-finding records: 557242
File size: 43.90 KB
File MD5: 1e3261612f743a261a96a6df3e7cc2c1

Security.JS - Ok

The code, which some flag as JS.Wonka, contains a certain functionality for encrypting scripts that may have malicious intent. This does not necessarily mean that a virus has been found. It merely means that HTML code was found which attempts to activate additional executable code without the user’s express permission, but this code was not found in a temp file but in SRWare's browser resources/content file.

polonus
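The two things worth checking before accepting or rejecting a verdict like the one above are (a) that the file on disk is really the sample the scanners reported on, by recomputing the hashes quoted in the thread, and (b) what the "packed/encrypted" heuristic is actually reacting to. The script below is an added example written for this thread, not code from any of the posters or from SRWare Iron. It embeds two constructed samples (a readable script and a small eval-over-escaped-blob loader, neither of which is the real Security.JS), recomputes MD5/SHA1/SHA256, and counts the obfuscation indicators that heuristics of this kind typically key on; the indicator patterns and the entropy and indicator thresholds are assumptions chosen for illustration, not any vendor's signature logic.

```python
import hashlib
import math
import re
from collections import Counter

# Hashes quoted in the thread (Comodo / DrWeb output) for the flagged Security.JS.
REPORTED_HASHES = {
    "md5": "1e3261612f743a261a96a6df3e7cc2c1",
    "sha1": "faa1c8c27380adcdab4a1545c4b81074711f5dd0",
    "sha256": "e2fcbb2330182eaa72b3317e2375f9a5668216c950d5b1026596b201d0fb4fa9",
}

# Constructed samples (not the real Security.JS): one ordinary script and one
# packed the way obfuscated loaders commonly are (eval over an escaped blob).
PLAIN_JS = (
    b"// constructed sample: readable helper functions\n"
    b"function add(a, b) { return a + b; }\n"
    b"function greet(name) { return 'Hello, ' + name; }\n"
)
PACKED_JS = (
    b"eval(unescape('%66%75%6e%63%74%69%6f%6e%20%66%28%29%7b"
    b"%61%6c%65%72%74%28%31%29%7d%20%66%28%29%3b'));\n"
)

# Assumed indicator set: runtime code generation plus long escaped/hex blobs,
# the kind of thing a "script encryption" heuristic reacts to.
INDICATOR_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "unescape": re.compile(rb"\bunescape\s*\("),
    "fromCharCode": re.compile(rb"String\.fromCharCode"),
    "document_write": re.compile(rb"document\.write\s*\("),
    "escaped_blob": re.compile(rb"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}"),
}

# Assumed thresholds for this example only; tune against known-good files.
ENTROPY_THRESHOLD = 5.5
INDICATOR_THRESHOLD = 2


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, in the same hex form the scanners report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_reported(data: bytes, reported: dict = REPORTED_HASHES) -> bool:
    """True only if every hash the vendors quoted matches this file."""
    actual = file_hashes(data)
    return all(actual[name] == value.lower() for name, value in reported.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain source sits around 4-5, packed/encrypted text higher."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def obfuscation_indicators(data: bytes) -> dict:
    """Number of hits for each indicator pattern."""
    return {name: len(pat.findall(data)) for name, pat in INDICATOR_PATTERNS.items()}


def triage(data: bytes) -> dict:
    """Summarise what a second opinion on a flagged script should record."""
    indicators = obfuscation_indicators(data)
    distinct = sum(1 for n in indicators.values() if n > 0)
    entropy = shannon_entropy(data)
    return {
        "hashes": file_hashes(data),
        "matches_reported": matches_reported(data),
        "entropy": round(entropy, 2),
        "indicators": indicators,
        "distinct_indicators": distinct,
        # Packed/obfuscated content means "look closer", not "malicious".
        "looks_packed": distinct >= INDICATOR_THRESHOLD or entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_JS), ("packed", PACKED_JS)):
        print(label, triage(sample))
```

Run it against the real file by replacing the constructed samples with `open(path, "rb").read()`; if `matches_reported` comes back False, the vendor verdicts in the thread do not apply to the file you have, and if it comes back True but `looks_packed` is the only thing firing, that is consistent with the "generic obfuscation" explanation given above rather than a confirmed infection.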

Yes, I thought that would be what caught them out into thinking the ‘apparently obfuscated’ content was malicious…

Hi DavidR,

I gave you an online link to the original code that was flagged by a-squared, Fortinet, McAfee and Sophos. I did not want to give it here on the forums for obvious reasons, but I am curious if you also now consider this Security.JS an FP?

pol

Yes, I saw it, but for us mere mortals it is too difficult to contemplate without the tools.

But given the file and application I too would lean towards an FP.