Win32:Evo-gen [Susp] on NSIS is Getting Ridiculous...

Eddy · 2014-08-06T12:11:18.000Z

https://www.metascan-online.com/en/scanresult/file/a010e365e4414b9ea17649192abdccdc

What version of NSIS are you using ?

system · 2014-08-06T19:24:40.000Z

Hi,
I’m using the latest version of NSIS (3.0 b0)

I contacted F-prot (their DB is shared with Commtouch) and they have confirmed they have removed the FP from their db.

Also I’m not spending $500+ for a digital signature, I distribute free software!

Eddy · 2014-08-06T19:39:21.000Z

If you haven’t done so already, report it to avast too.
Tested things and have the same problem with everything created with nsis.

jeffersonsant · 2014-08-07T22:45:13.000Z

sompaypal post:1:

I am really starting to get frustrated. Many of my users use Avast AV and I keep getting complaints that avast is marking my installer with this absurd detection.

Why are you guys detecting NSIS?! Do you even bother to make sure that you’re not detecting legitimate code?

Seriously, avast needs to step it up, stop being lazy, and make more targeted detections.

I can’t sit for hours and explain how to add exclusions in Avast. You need to be more careful with your detections.

Sincerely,
annoyed

examples: https://www.sendspace.com/file/0de9hv
password: falsepositive

Detection was fixed in the latest update VPS.

system · 2014-08-10T08:54:42.000Z

Hi,
I see that Avast has removed the detections I reported; thank you, it’s nice to know Avast acknowledges false positives.

Here’s 3 more samples from NSIS which were reported to me by a friend that Avast is tagging with Evo-gen

https://www.sendspace.com/file/3d8bbo
pass: falsepositive

Virustotals of them (note Evo-gen does not show on VT):

https://www.virustotal.com/en/file/71173992479d756dcfed0eeb747bdf946ddbbb67fcb4b85fbf39cd613f5bfd75/analysis/1407660082/
https://www.virustotal.com/en/file/736ed2e8006868b78bb218e5c282b0feb314a719a7c9b617e87ad960143f2054/analysis/
https://www.virustotal.com/en/file/d894715d1a1bba219994a21978b537416caadcfe02c504af981908883213db26/analysis/ (<- I already contacted Ahnlab about this and they are removing it)

Eddy · 2014-08-10T09:07:22.000Z

Please keep reporting any false positive you run into.
Things can’t be fixed if they don’t know if something is broken

But as you have noticed, avast (our big brother) is listening ;D

jeffersonsant · 2014-08-11T11:54:21.000Z

sompaypal post:13:

Hi,
I see that Avast has removed the detections I reported; thank you, it’s nice to know Avast acknowledges false positives.

Here’s 3 more samples from NSIS which were reported to me by a friend that Avast is tagging with Evo-gen

https://www.sendspace.com/file/3d8bbo
pass: falsepositive

Virustotals of them (note Evo-gen does not show on VT):

https://www.virustotal.com/en/file/71173992479d756dcfed0eeb747bdf946ddbbb67fcb4b85fbf39cd613f5bfd75/analysis/1407660082/
https://www.virustotal.com/en/file/736ed2e8006868b78bb218e5c282b0feb314a719a7c9b617e87ad960143f2054/analysis/
https://www.virustotal.com/en/file/d894715d1a1bba219994a21978b537416caadcfe02c504af981908883213db26/analysis/ (<- I already contacted Ahnlab about this and they are removing it)

Reported to /virus analyst

HonzaZ · 2014-08-11T15:14:22.000Z

All fixed, thanks for the report :-D!

system · 2014-08-15T21:09:41.000Z

I am also having this issue! Needs to be fixed asap.

Eddy · 2014-08-15T21:28:05.000Z

As HonzaZ, the problem is already fixed.
I tested it and it is.

system · 2014-08-15T21:31:52.000Z

This is a different, but similar problem. Read my post, thanks.

jeffersonsant · 2014-08-15T21:33:56.000Z

a733540 post:19:

This is a different, but similar problem. Read my post, thanks.

unfortunately (I do not report again)
please,use the support ticket

https://support.avast.com/Tickets/Submit

see the title topic
(awaiting approval by a moderator)

https://forum.avast.com/index.php?topic=153530.msg1116034#msg1116034

system · 2014-08-16T21:08:22.000Z

Nope, the user above is 100% correct. Despite my detailed reports, Avast manages to do it again!

samples: https://www.sendspace.com/file/c1p7ie
pass: falsepositive

I don’t have time to do the virustotals, but I installed Avast in a virtual machine and it’s 100% tagging 5/6 of NSIS’s compression stubs as Evo-gen

I’ll be submitting this via your system, but people should be aware of how careless you guys are with detecting legitimate software

jeffersonsant · 2014-08-17T00:28:45.000Z

sompaypal post:21:

Nope, the user above is 100% correct. Despite my detailed reports, Avast manages to do it again!

samples: https://www.sendspace.com/file/c1p7ie
pass: falsepositive

I don’t have time to do the virustotals, but I installed Avast in a virtual machine and it’s 100% tagging 5/6 of NSIS’s compression stubs as Evo-gen

I’ll be submitting this via your system, but people should be aware of how careless you guys are with detecting legitimate software

probably you will get an answer on Tuesday
wait for the next days

sompaypal post:21:

but people should be aware of how careless you guys are with detecting legitimate software

I am not do part software development
much less employees,through the ticket you can discuss this question.

jeffersonsant · 2014-08-19T02:43:41.000Z

sompaypal post:21:

Nope, the user above is 100% correct. Despite my detailed reports, Avast manages to do it again!

samples: https://www.sendspace.com/file/c1p7ie
pass: falsepositive

a733540 post:19:

This is a different, but similar problem. Read my post, thanks.

all now is fixed in update VPS 140818-0

COBKA · 2014-08-19T19:53:42.000Z

I have noticed a lot of *tmp files in the Virus Chest quarantined from C:\Windows\SoftwareDistribution\Download\ which I understand is the windows update folder, initially with this virus detection and I assume these are false positives as I have scanned again in the chest and they are now listed “no virus”. These files however, will not restore back to the original folder for some reason. Any suggestions as to why this is and if these files not being in their original position will cause problems?

Edit: I have now managed to restore all 92 files by re-creating the target folders

I see this problem is referred to in this thread:-

https://forum.avast.com/index.php?topic=153395.30

jeffersonsant · 2014-08-20T11:59:22.000Z

COBKA post:24:

I have noticed a lot of *tmp files in the Virus Chest quarantined from C:\Windows\SoftwareDistribution\Download\ which I understand is the windows update folder, initially with this virus detection and I assume these are false positives as I have scanned again in the chest and they are now listed “no virus”. These files however, will not restore back to the original folder for some reason. Any suggestions as to why this is and if these files not being in their original position will cause problems?

Edit: I have now managed to restore all 92 files by re-creating the target folders

I see this problem is referred to in this thread:-

https://forum.avast.com/index.php?topic=153395.30

when a change in a system file or dll change (any even if it is insignificant)is inevitable that the system does not work the same way as it was before, is important that everything is put in local original.you can restore without problems,a window is shown just overwrite what is already there.problem has been solved.

system · 2014-09-13T06:11:48.000Z

Hi,
Avast tags NSIS again…
Samples: https://www.sendspace.com/file/m4gjw7
Pass: falsepositive

Virustotals (remember, evo-gen does not show on VT):
https://www.virustotal.com/en/file/5e4427b7a5d5b8372221e37def59c83ec31c706e26f162b75cbda681545e936a/analysis/1410588371/
https://www.virustotal.com/en/file/64d65dfc59cbf096fa3518f5741cc4b84b12333404967e04927e9216feebc6c5/analysis/1410588416/
https://www.virustotal.com/en/file/7a840c5282336a6d9b94a1d11091af0f30c6aaeb93650a34cf070284d60375a6/analysis/1410588455/
https://www.virustotal.com/en/file/7e5948070db3658d2ebea66697b2a2ecf867195ef3dafd20708f804ee576e0c3/analysis/1410588659/ (contacted clamav about their FP already)

Third time telling Avast of the NSIS false positives and they still continue … Maybe lack of communication ?

Anyway,
kind regards

jeffersonsant · 2014-09-13T22:08:01.000Z

sompaypal post:26:

Hi,
Avast tags NSIS again…
Samples: https://www.sendspace.com/file/m4gjw7
Pass: falsepositive

Virustotals (remember, evo-gen does not show on VT):
https://www.virustotal.com/en/file/5e4427b7a5d5b8372221e37def59c83ec31c706e26f162b75cbda681545e936a/analysis/1410588371/
https://www.virustotal.com/en/file/64d65dfc59cbf096fa3518f5741cc4b84b12333404967e04927e9216feebc6c5/analysis/1410588416/
https://www.virustotal.com/en/file/7a840c5282336a6d9b94a1d11091af0f30c6aaeb93650a34cf070284d60375a6/analysis/1410588455/
https://www.virustotal.com/en/file/7e5948070db3658d2ebea66697b2a2ecf867195ef3dafd20708f804ee576e0c3/analysis/1410588659/ (contacted clamav about their FP already)

Any application you make in Delphi or Dev C ++, or another programming language
have no other way but to wait for the avast 2015 version and see if things improve,avast detects with Evo-Gen [susp],wait during the week today not how to solve this problem.

jeffersonsant · 2014-09-16T11:29:00.000Z

sompaypal post:26:

Hi,
Avast tags NSIS again…
Samples: https://www.sendspace.com/file/m4gjw7
Pass: falsepositive

Virustotals (remember, evo-gen does not show on VT):
https://www.virustotal.com/en/file/5e4427b7a5d5b8372221e37def59c83ec31c706e26f162b75cbda681545e936a/analysis/1410588371/
https://www.virustotal.com/en/file/64d65dfc59cbf096fa3518f5741cc4b84b12333404967e04927e9216feebc6c5/analysis/1410588416/
https://www.virustotal.com/en/file/7a840c5282336a6d9b94a1d11091af0f30c6aaeb93650a34cf070284d60375a6/analysis/1410588455/
https://www.virustotal.com/en/file/7e5948070db3658d2ebea66697b2a2ecf867195ef3dafd20708f804ee576e0c3/analysis/1410588659/ (contacted clamav about their FP already)

Third time telling Avast of the NSIS false positives and they still continue … Maybe lack of communication ?

problem was fixed in update VPS 140915-1
where will not detect by avast.

Announcements