VirusTotal Report of a Suspected False-Positive

Per guidance from DavidR at http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, and not finding any items in this forum containing:

  • “C:\SRD\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT\INSTALL.EXE”
  • or either of the MD5/SHA1 hash checksums “66E361950C437C1F8DC3C731C9D2C950”/“BA2DF4DCC14E466B725FEAD01F65885DA87C199D”

I submit the following:

This file is from my “Symantec Backup Exec System Recovery” v8.01 application:
C:\SRD\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT\INSTALL.EXE

It has been on my system for the better part of a year now. It has not been found to be a problem from Avast until today. Last clean scan from my resident installed Avast was Sept 9, 2008. Therefore, your scanning engine was updated sometime since then to disposition this file as “Win32:Trojan-gen {Other}” virus infected.

======================================================================================
AVAST Evt Log Scan Reports:

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 9/30/2008
Time: 9:49:00 AM
User: N/A
Computer: DR-OFFICE
Description: Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Srd\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT\INSTALL.EXE%MOTIVE_DIR%\vendors\3Com\maps\wt\3com\maps\com\3Com\Reboot.mzp\reboot.exe” file.

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 9/30/2008
Time: 9:53:22 AM
User: N/A
Computer: DR-OFFICE
Description: Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Srd\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT\INSTALL.EXE%MOTIVE_DIR%\vendors\3Com\maps\wt\default\maps\com\3Com\Reboot.mzp\reboot.exe” file.

======================================================================================

I have queried VirusTotal’s database, and this file was indeed initially submitted for analysis at “09.27.2008 09:59:36”, with only the Avast and GData scanners snagging. Results: http://www.virustotal.com/analisis/bd5a5698f2163d271db4dadcba91208d

Does this file truly contain a virus or not? Thanks in advance for your efforts.

P.S. Thanks so much for the fine work all of you at Avast are providing to not only myself, but the entire computing world. It’s sincerely appreciated.

======================================================================================
Also, here’s a report generated from my Safer Networking Ltd.'s FileAlyzer v1.6.0:

File: C:\SRD\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT\INSTALL.EXE
Date: 9/30/2008 10:21:29 AM

***** General ******************************************************
Location: C:\Srd\DDB\3COM.3C2000X\ENGLISH\CONNECTION ASSISTANT
Size: 5990591
Version: 3.1.1.0
CRC-32: D5CD0B67
MD5: 66E361950C437C1F8DC3C731C9D2C950
SHA1: BA2DF4DCC14E466B725FEAD01F65885DA87C199D
Read only: No
Hidden: Yes
System file: No
Directory: No
Archive: No
Symbolic link: No
Time stamp: Saturday, February 02, 2008 1:16:01 PM
Creation: Thursday, June 19, 2008 11:09:28 PM
Last access: Thursday, June 19, 2008 11:09:28 PM
Last write: Saturday, February 02, 2008 1:16:02 PM

***** Version ******************************************************
----- Version --------------------------------------------------------

***** Resources ****************************************************

***** PE Header ****************************************************

***** PE Sections **************************************************
CRC-32: ?
MD5: ?
----- PE Sections --------------------------------------------------
Section VirtSize VirtAddr PhysSize PhysAddr Flags
CRC32 MD5

***** Import/Export table ******************************************

***** Archive preview **********************************************
Modified Size Ratio CRC32 File name

======================================================================================

Seems a clean file. GData and avast detection are from the same virus signature.
Hope they correct this false positive soon.
As a workaround, add it to the Exclusion lists.

Good job, if only everyone used the forum search function and gave as much information ;D

Most certainly an FP - The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

Send the sample to avast for analysis and correction as in the info you followed to upload to virustotal.