Win32:Swizzor [Trj] possible FP

When performing a screensaver-activated scan, this Trojan was detected: Win32:Swizzor [Trj]
The strange part about this is that it is in a cleaner program for the EA.com [Electronic Arts] gaming website, and the program has been in Program Files since December of 2000. The file has been moved to the Chest, where it has been scanned again and detected again. I also checked this file, named [eanse], at VirusTotal, and only two AV programs out of the group detect it: Avast and Gdata. Is it possibly a False Positive? :-\

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

If you have the URL to the VT Results page, you could post that.

If it is indeed a false positive (and it seems so), send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put false positive/undetected malware in the subject.

  • Or you can send it from the Infected Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Most probably. The GData detection is due to the avast engine/definitions of GData.
Can you send the file to virus (at) avast (dot) com and post a link to this thread, alerting the false positive?

Oops… David was faster.

The best way (in this case) will be sending it directly from the warning dialog… I’ll take care of it tomorrow and the regular VPS update will fix this issue (there’s not enough time to include the update in the VPS, which will be released in a few minutes)…

That was a quick response :slight_smile:
The filename is [eanse.exe] and it resided in C:\Program Files\EACom\eanse\bin\eanse
It apparently means CL eanse at EA.com
The VirusTotal report is: https://www.virustotal.com/analisis/34396380d35c84a828a0d1078833f6716140a8f08d93825c498d56b20a152884-1251217499

Thank you, :wink: and I will try to send it to you all via the upload technique described above.

Hi all,
It has been a few days since I uploaded the suspect file [eanse.exe] from Electronic Arts. I ran another scan from the Chest and this file is still activating the alarm. Is this a FP or not? ???

Obviously it is

I’ll check it… I thought that it was already processed… maybe it was a different version…

The sample did not arrive in our system, that’s strange… can you send it once again?

okay. ::slight_smile:

Sorry about that error, I did not have the email feature enabled in Avast. It is now enabled. :slight_smile:

The file is no longer triggering the alarm. :slight_smile:
I was fairly certain that Electronic Arts was a legitimate website and the file was clean. Did you find what the cause of the FP alert was? ::slight_smile:
The file was dated December 2000, so it had been in the program files for some time and had been scanned by Avast 4.8 several times before this FP alert without triggering the alarm. ???
Thank you, 8)

The detection for Swizzor is a bit heuristic; false positives are possible in these cases…

Thank you, Maxx, for clarifying that detection issue. :slight_smile: