Win32:Vapsup-CX [Adw] in a DLL from my company : false-positive ?

Hi, I read something similar to my problem here : http://forum.avast.com/index.php?topic=34115.0

My company is writing video codecs and one of our customers had an alert from his AVAST software on one of our video decoding DLLs.

=> I guess it’s a FP, what can I do ?
I can’t find any documentation about vapsup-cx.
I tested with several anti-virus, none is getting alarmed.

Thanks for your help.

Please send us the falsely detected DLL to virus@avast.com in a password-protected archive (rar, zip). As the password use “infected” without quotes. In the email subject please write “false positive” (without quotes). The false positive alert will then be fixed in the next VPS update.

Or post here URL where it could be downloaded…

Hi, I’m sending it right away.
Please, let me know what happens then or if you need more information.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.

I would also suggest you test the codec.dll at virustotal to see if there are any other AVs that detect it.

Check the file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. There are currently over 30 different scanners at virustotal.

0 alert out of 32 engines tested.
Thanks for the link, I didn’t know this one.

(AVAST did not say anything, did you update it already ?)

Most probably. They’re very fast on false positive correction.

You’re welcome, virustotal is a very handy resource.

I just updated to avast 4.8, and ran the scanner. It found a ts.dll in my klite codec program folder, and in my system restore folder. Both are considered VAPSUP-bn adware. I used Virus Total, and got a 2 out of 32, one being avast 4.7 and Ikarus the other. It makes me think it’s safe if others don’t have a problem with it. I even checked it after Avast did a virus update. I have had KLite for a while, and all my spyware programs have had no problems with it.
Should I be worried?
Thanks in advance!

What was the malware name given by both detections ?
That would give a better indication of safety, etc., but it is likely (not definitely) to be an FP; you should submit it for analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

The type of malware was a Win32:Vapsup-BN[Adw]. It supposedly resided in a filters folder for a K-Lite codec pack, which there was a ts.dll. A system restore folder also had this type of adware. I have emailed these files to Avast from the Virus Chest. It said that the files were sent with errors.

Maybe your SMTP settings in avast aren’t correct.
Try to send the samples to virus@avast.com?
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.

I can’t compress the original file because as soon as I click on it avast throws up a warning, and my compression program says another program is using it. I don’t know my server address, I’m guessing it’s different than the one they showed in the help file. I put my email address, and hoped that was enough. If you feel I should exclude it from scans I will. Any suggestions on how to figure out my server address?

You need to use the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful, you should ‘exclude’ that many files that let your system in danger.

Generally it is the @server.com part of your email.

You can also pause the standard shield so it doesn’t alarm whilst zipping and password protecting the file.