Author Topic: False positive setupafriclock.exe  (Read 5691 times)


REDACTED

  • Guest
False positive setupafriclock.exe
« on: September 29, 2013, 10:59:55 AM »
Hello folks - more than a week now, you are flagging http://www.clock.co.za (slash) setupafriclockminimal.exe as a Trojan. I have checked the file, it is electronically signed and unchanged from when uploaded. If I download the file with AVAST disabled and then scan it locally it is reported as CLEAN by the very same AVAST.

I have replaced it anyway and it is still flagged. http://www.clock.co.za (slash) setupafriclock.exe contains exactly the same stuff and more besides, and is NOT flagged. None of the other AVs do this. I have submitted the file to support more than once without response.

Please do something about this, or explain to me if I am an idiot.

Daan Marais

PS: Edited to make links inactive.
« Last Edit: September 29, 2013, 12:51:40 PM by djmarais@clock.co.za »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: False positive setupafriclock.exe
« Reply #1 on: September 29, 2013, 11:02:33 AM »
Upload and test the file at www.virustotal.com  (if tested before, click new scan)
Post link to scan result in next reply

Offline Pondus

Re: False positive setupafriclock.exe
« Reply #2 on: September 29, 2013, 11:06:40 AM »

You can upload files and send reports to avast here: http://www.avast.com/contact-form.php (change subject to suit your case)

you can use mail

send to virus@avast.com in a password protected zip file
mail subject:  False Positive / undetected sample (select subject according to your case)
zip password:  infected

or you can send files from avast chest
how to use the chest.   http://www.avast.com/faq.php?article=AVKB21






Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False positive setupafriclock.exe
« Reply #3 on: September 29, 2013, 11:33:54 AM »
Quote
I have submitted the file to support more than once without response.
You will not get a response, unless they need to have more information. NEVER place links to infected flag links/files on this webboard. No matter if you think it is a false positive or not.
Please remove the links.

REDACTED

  • Guest
Re: False positive setupafriclock.exe
« Reply #4 on: September 29, 2013, 12:48:48 PM »

REDACTED

  • Guest
Re: False positive setupafriclock.exe
« Reply #5 on: September 29, 2013, 12:54:43 PM »
Follow-up: The reason I had to post the link, is because AVAST blocks the link but the VERY SAME FILE, downloaded with AVAST disabled, then checks out as clean BY THE VERY SAME AVAST.

I find this extremely frustrating, particularly because my previous submissions were simply ignored.

Daan Marais

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: False positive setupafriclock.exe
« Reply #6 on: September 29, 2013, 01:03:16 PM »
Hi djmaraisAT clock.co.za,

Do not post a live mail address as a nick, do you want to attract excessive spam abuse?
The file is also being examined here: http://www.prevx.com/filenames/X756762581599219555-X1/SETUPAFRICLOCKMINIMAL+(1).EXE.html
Avast flags the file executable as infested with Win32:Ransom[Trj] and here I get the IDS alerts for it:
http://urlquery.net/report.php?id=6075883
See: http://anubis.iseclab.org/?action=result&task_id=1f02a47657efbc3b449dfc68e77b4d59d

met vriendelijke groet,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Eddy

Re: False positive setupafriclock.exe
« Reply #7 on: September 29, 2013, 01:46:20 PM »
Quote
I find this extremely frustrating, particularly because my previous submissions were simply ignored.
No, submissions are never ignored. Just because you don't get a response doesn't mean the submission is ignored. As I told you before, Alwil will only contact you if they need more information. They will look at all submissions and take action when/if needed.

Even if you believe that something is a false positive, never place a link to it on this webboard.
If it is not a false positive and people click on it, they may get their system(s) infected and that is something we don't want to happen of course.

REDACTED

  • Guest
Re: False positive setupafriclock.exe
« Reply #8 on: September 29, 2013, 02:23:21 PM »
Thanks for the responses - I have changed my on-screen nick as suggested by Polonus and de-activated the links as suggested by Eddy so that point should be settled by now. I am new to this forum, so please forgive me if I do not understand the finer points.

My problem remains that our help-desk is swamped by customers blaming us for putting a virus on our website where I am pretty sure none exists. For those who have not understood what I am on about: The link is reported as containing a Trojan. When I deactivate AVAST and download the file, then re-activate AVAST and test the just-downloaded file, it is reported as CLEAN.... NO VIRUS.... SAFE.... get it? This means in simple terms that AVAST is doing damage to my company and I am not happy about it. Everybody OK with that? Unless I am proved wrong in which case I will do whatever is necessary to fix the problem.

Daan Marais

Offline Eddy

Re: False positive setupafriclock.exe
« Reply #9 on: September 29, 2013, 02:34:07 PM »
I just downloaded and tested the files.
There is no problem at all, everything worked like it should.

Since a scan tells you it is fine and you are getting the trojan message when clicking on the link, it looks like it is the webshield that is blocking it.
Disable the webshield and try it again.
Let us know if the problem is gone.
Also mention what version of avast and what vps version you are using.

Avast version 2014.9.0.2003
VPS version 130929-0

REDACTED

  • Guest
Re: False positive setupafriclock.exe
« Reply #10 on: September 29, 2013, 02:52:56 PM »
Thanks Eddy.

I stopped the Webshield, which allows the file to start downloading. About 10% of the way it stops and reports the same Trojan Win32:Ransom[Trj] in the temp file created by Firefox for storing the download.

Using Avast Free Version 8.0.1497, virus defs 130929-0

Regards

Daan

Offline redwolfe_98

  • Full Member
  • ***
  • Posts: 107
Re: False positive setupafriclock.exe
« Reply #11 on: September 29, 2013, 03:26:49 PM »
djmarais, i noticed the same thing.. the file is flagged by the avast program's "webshield" but not when doing a manual ondemand scan with the avast program..

that might be why the problem has not already been addressed, because the file is not flagged when doing a regular scan with the avast program..

it is strange that the file is flagged by "webshield" but not when doing a "manual ondemand scan"..

i submitted the file to avast as a "false positive".. hopefully they will get the issue resolved, somehow..

i also uploaded the file to "virustotal" and none of the av-programs there flagged the file, including the avast program..

Offline Eddy

Re: False positive setupafriclock.exe
« Reply #12 on: September 29, 2013, 03:28:20 PM »
As I suspected. It is the webshield that was blocking it. The problem is solved in the RC1 version.

REDACTED

  • Guest
Re: False positive setupafriclock.exe
« Reply #13 on: September 29, 2013, 03:52:10 PM »
Thanks everybody - nice to have a sanity check/confirmation once in a while.

Regards

Daan