Author Topic: Rootkit Win32:Evo-gen [Susp]  (Read 72426 times)


manakin85

  • Guest
Re: Rootkit Win32:Evo-gen [Susp]
« Reply #15 on: April 13, 2013, 10:39:09 PM »
Back in 2006 I was learning to program C++ in college. I had all of my old source code and executables backed up on a flash drive and later on a remote Linux server at my new university. When cleaning out my space on the server, I pulled them in and Avast flagged all of the executables as Win32 Evo-gen [Susp].

The code is nothing more than an exploration of the functionality of C++, but each program contains one or more system() lines for clearing the console and pausing execution to view and gather the output (the school I attended only had Windows environments for us to program in). I believe these are the root of the positive detection in my case.

Strangely, though, the same technique was used in a previous course I took for learning C, but those executables were not flagged. I don't know enough about C and C++ compilers to know the difference between the resulting compiled machine instructions.
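Added example, not code from the original post or from avast: the "clear the console" and "pause" effects that the post's exercise programs get from `system("cls")` / `system("pause")`, written without starting a command interpreter at all. `system()` launches `cmd.exe` to run its string, and a program that spawns a shell is exactly the kind of behaviour a generic heuristic weighs; dropping that call removes one plausible trigger. The function names are mine, and the assumption that the child shell is what the heuristic reacts to is mine too (the page does not state the Evo-gen criteria).

```cpp
#include <iostream>
#include <istream>
#include <ostream>
#include <sstream>
#include <string>

// Constructed example: same user-visible effect as system("cls") and
// system("pause"), but no cmd.exe child process is ever created, so the
// "spawns a shell" behaviour that a heuristic scanner may weigh is absent.
// (Assumption: the detection is behavioural/heuristic, as the post surmises.)

// ANSI escape sequence: erase the whole screen ("\x1b[2J"), then move the
// cursor to row 1, column 1 ("\x1b[H"). Works on Linux/macOS terminals and on
// Windows 10+ consoles with VT processing enabled; older Windows consoles
// print the bytes literally instead of clearing.
const std::string kClearScreen = "\x1b[2J\x1b[H";

// Write the clear sequence to `out` and return the number of bytes written.
std::size_t clear_console(std::ostream& out) {
    out << kClearScreen << std::flush;
    return kClearScreen.size();
}

// Prompt on `out` and wait for an Enter keypress on `in`, replacing
// system("pause"). Returns true if a line was read, false if `in` reached
// EOF first (e.g. stdin redirected from an empty file), so callers can tell
// "user pressed Enter" from "no terminal attached".
bool pause_console(std::istream& in, std::ostream& out) {
    out << "Press Enter to continue..." << std::flush;
    std::string line;
    return static_cast<bool>(std::getline(in, line));
}

int main() {
    clear_console(std::cout);
    std::cout << "hello from a program that never calls system()\n";
    pause_console(std::cin, std::cout);
    return 0;
}
```

Both helpers take streams rather than touching `std::cin`/`std::cout` directly, which is what makes them testable with string streams and keeps the console I/O in one place if a project later wants a platform-specific implementation.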

BaluBig

  • Guest
Re: Rootkit Win32:Evo-gen [Susp]
« Reply #16 on: April 16, 2013, 02:50:32 PM »
Evo Gen is a new system which helps avast! identify new, unknown malware even if it has never been seen before.
It's clearly explained here: https://blog.avast.com/2012/12/03/new-toy-research-lab/
It may cause some FPs, but generally the avast! team is really fast to fix them.
Kinda cool. But this thing pops up too often when I work using Delphi. What about making this check optional? How many FP files should I send? Do I need an antivirus product behaving like that?

Best regards - Serge

Grinin Leonid Efimovich

  • Guest
Re: Rootkit Win32:Evo-gen [Susp]
« Reply #17 on: November 25, 2013, 06:54:41 AM »
Dear forum members,

I am writing in the hope that someone here will pay attention to the problem.
We work with a commercial software developer who works in Delphi. Recently we have faced a problem with the operation of the product alongside the avast antivirus. Some versions of the antivirus would identify our program as Win32:Evo-gen [Susp] when it was executed; others would block the program's access to the Internet (more precisely, they pass the outgoing request but cut the answer to 0 bytes) in spite of our adding the program to all possible exception lists of the antivirus. And avast 2014, once the program is installed, often brings the system to a BSOD with the errors SYSTEM_SERVICE_EXCEPTION and KMODE_EXCEPTION_NOT_HANDLED (in the system logs the cause is identified as the service aswSnx.sys, the avast! virtualization driver, in the FSFilter Virtualization group). We have an antivirus license and contacted the avast support team (ticket #KVP-583-26762). The support team specialist Tomáš Zajíc concluded that the only way to prevent the blocking of Internet access is to switch off the web shield ("Unfortunately there will be solution to turn off avast web shield only.").
Since that message, the support team has kept silent and would not answer any of our questions.
Early this year the program developer himself contacted the avast support team (https://support.avast.com/index.php?_m=tickets&_a=viewticket&ticketid=3093443, ticket LSS-733822). But they first classified it as spam and then deleted the account and all messages.
We are filled with indignation! Why, having paid for the license, must we turn off the antivirus to work with the program? Is it right that the application continues to ignore the programs added to its exception list? We have been using the avast antivirus since 2008, as it has really been the best. But in the last two years the quality has drastically gone down and a lot of needless (and even harmful) innovations have appeared (like the sandbox, which prevents the operation of all exe files compiled in Delphi). If there are developers here, please get involved in solving the problem. We would rather not change the antivirus.

LEOMICHAO

  • Guest
Re: Rootkit Win32:Evo-gen [Susp]
« Reply #18 on: November 25, 2013, 11:08:57 AM »
Win32:Evo-gen [Susp]: It's very simple: whoever uses Total Commander, which has some viruses, then gets everything you see above. By the way, destroy your infected programs and use only Explorer instead. I have repeated this more than twice in my practice. And you will have happiness.