Zoiper software download was put in Virus Chest as IDP.Generic

Hello,
I downloaded the Zoiper software as it is required for my job when working from home. However, when I tried to run the program, an Avast notification appeared saying that Zoiper was blocked and put in the Virus Chest, because the IDP.Generic virus was detected.

In an old post in a forum for a different antivirus program, someone seems to have had a similar issue with Zoiper. But somehow it was resolved, although I’m not sure I understand how. I also am not sure if that case would relate to mine, especially as that old post is from 2013.

Is there someone who can advise me about this issue? Is there a way for someone to verify in a safe way whether or not the software is safe to use? I do need it for work.

In searching for info online about IDP.Generic, I see that it appears that there have been many issues about false-positives and this particular warning, often relating to telecommuting software, apparently.

I would greatly appreciate any help with this problem. I am letting the company which sent me the software download link know about it, but I’m not sure if they will be able to resolve it soon.

Thank you.

Hi rozr,

VirusTotal >> https://www.virustotal.com/gui/file/af19fbe89d3265a9dfba1e8db2adf748b32de92aff37b119eccb2e5e32e31d9f/detection

VT says safe. McAfee removed detection back in 2013. Interestingly, Sophos didn’t like it. Website scans came back clean. Generic detection, you’re likely fine honestly. Wait for Milos or another Avast! Employee to roll around though.

McAfee >> https://community.mcafee.com/t5/Malware/Possible-False-Positive-Artemis-25A165BB975D/td-p/357869
Sophos >> https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/ZoIPer.aspx
XFE (Website) >> https://exchange.xforce.ibmcloud.com/url/https://www.zoiper.com/
CheckPhish >> https://checkphish.ai/insights/url/1570416414972/bf3a39139b01224250f6b657552c8d098a12b801e370afdfb76902cef410e9a8
URLScan >> https://urlscan.io/result/f282f034-7e64-42d6-950e-080145e224cd
URLVoid >> https://www.urlvoid.com/scan/zoiper.com/
Outdated Software >> https://sitecheck.sucuri.net/results/https/www.zoiper.com
Zulu >> https://zulu.zscaler.com/submission/cd97fa71-f27e-47a5-a313-30f0c4ac0c4e

I’d be inclined to wait for an Avast! team member.

Hi rozr1,

Site normally opens up in avast secure browser.

Retire.js flags retirable jQuery code:
jquery 3.2.1.min Found in -https://www.zoiper.com/v3/js/jquery-3.2.1.min.js?fd640b23
Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution

Security on download link: hxtps://www.zoiper.com/en/voip-softphone/download/current
with http security headers, page meta security headers & form autocomplete setting issues (RECX scan info)

Nothing here: https://www.virustotal.com/gui/url/7ffb069b45c55339c58f6d13f0c8cfeac0c7db5a433f9a5767f8766e379ee6d9/details
For detections, see: https://www.virustotal.com/gui/ip-address/185.117.83.34/relations

Dr.Web has it detected: https://www.virustotal.com/gui/url/30203ec109f4b53b9dc5c5bc5113ee2b678ee92e69899319c333bed4008b64bb/detection

-http://www.zoiper.com/downloads/free/win/communicator/ZoiperCommunicatorFreeLatest.exe redirects to
-https://www.zoiper.com/downloads/free/win/communicator/ZoiperCommunicatorFreeLatest.exe

-http://www.zoiper.com/downloads/free/win/communicator/ZoiperCommunicatorFreeLatest.exe is in Dr.Web malicious sites list!

As Michael (alan1998) says, wait for a final verdict from someone in Avast’s team; they sit on the latest detection info.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


Thank you so much for your advice, Michael(alan1998) and Polonus. The specific name of the file, as I took another look at it, is Zoiper_for_G1_Research_Windows_v3.60.exe. It is the free version of Zoiper, but I think that with the link that the company provided to me, they were able to make it specifically for G1 Research.

As I’m not a full employee of the company, I’m not 100% certain about them, and I’m somewhat worried about whether they might hold it against me if I question the safety of the software.

But your help so far is reassuring, and I hope that it is harmless. Thank you so much for taking time to help me with this!

Hi Rozr,

Sounds like it wasn’t downloaded through official means (by them)?

You can always upload your installer to virustotal yourself. It’s completely free to upload and get full scan results.

virustotal.com.

Hi rozr1,

the detection is generic and it can detect unknown files.

Could you provide us the file via our FTP ftp://ftp.avast.com/incoming or share the virustotal link to it? Otherwise we aren’t able to analyze it on our side with provided info correctly.

Thanks,
PDI

Hello,

I apologize for the delay in replying, as I had to be away from home all day yesterday, and wasn’t able to work on this. I uploaded the file to Virus Total, and here is the link to the results page: https://www.virustotal.com/gui/file/63fe044b86d7e7af72b1a1431e74d6905943d5fccaba32afbec7eab35a570ade/detection

Thank you again Michael(alan1998) and PDI for all of your help!

Also, the day before yesterday, I had called Avast Tech Support, and in the process of checking my computer remotely, the agent installed the program. But I have now uninstalled it, because I think the program or something related to the program may have been causing my computer to overheat.

Hi rozr,

As you can see from the VT scan results, it says there:
Signature Info
Signature Verification
File is not signed

Very important info for av scanning engines to avoid False Positives, certainly with part of such unsigned files,
that then could kick up generic detections, later found to be False Positive detections.

polonus
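The two checks discussed in the replies above (identifying the installer by hash for a VirusTotal lookup, and the "File is not signed" line in the scan result), as an added example that is not part of any post in this thread. It computes the SHA-256 and reports whether a Windows PE file carries an Authenticode certificate table at all; `build_sample_pe` and its bytes are constructed for the demo, and presence of the table is not the same as a valid signature.

```python
import hashlib
import struct
import sys

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)

def sha256_of(data: bytes) -> str:
    """Hex SHA-256, the identifier VirusTotal uses in its file URLs."""
    return hashlib.sha256(data).hexdigest()

def has_authenticode_entry(data: bytes) -> bool:
    """True if the PE Certificate Table entry is non-empty and in bounds.
    Presence only: the signature and its chain are NOT validated here."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 24                      # skip signature + COFF header
    try:
        magic = struct.unpack_from("<H", data, opt)[0]
        # Data directories start at 96 (PE32) or 112 (PE32+) in the optional header.
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]
        count = struct.unpack_from("<I", data, dirs - 4)[0]
        if count <= CERT_DIR_INDEX:
            return False
        offset, size = struct.unpack_from("<II", data, dirs + CERT_DIR_INDEX * 8)
    except (KeyError, struct.error) as exc:
        raise ValueError("truncated or unsupported PE header") from exc
    return offset != 0 and size != 0 and offset + size <= len(data)

def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32 header stub (not a real program) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if not signed:
        return dos + coff + bytes(opt)
    cert_off = len(dos) + len(coff) + len(opt)          # table appended at EOF
    struct.pack_into("<II", opt, 96 + CERT_DIR_INDEX * 8, cert_off, 8)
    return dos + coff + bytes(opt) + b"\0" * 8          # placeholder table bytes

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(False)
    print("SHA-256:", sha256_of(blob))
    print("Certificate table present:", has_authenticode_entry(blob))
```

Run it with the installer's path as the only argument. On Windows, PowerShell's `Get-AuthenticodeSignature` goes further and validates the signature itself.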

Hi Polonus,

Thank you so much for pointing this out to me, I hadn’t realized what it meant that the file is not signed, and that the detection was probably due to a false positive which is reassuring to know. I really appreciate your help!!

Re-scanned until a few moments ago:
https://www.virustotal.com/gui/file/63fe044b86d7e7af72b1a1431e74d6905943d5fccaba32afbec7eab35a570ade/detection :)

pol

Hi,

it’d be fixed now.

Regards,
PDI