Author Topic: Win32:Evo-gen [Susp] false positive (suspected)  (Read 8035 times)


Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Win32:Evo-gen [Susp] false positive (suspected)
« on: December 19, 2013, 02:38:58 AM »
Hi guys,

I have a website and it has a download page.
When I try to download a file from my web pages, Avast reports a Win32:Evo-gen [Susp] virus detection on the file being downloaded (it might be the download process itself or something).
My first thought was that the server is infected/hacked (not excluded that it really is), so I took FTP and downloaded the files locally to my box (the same ones being reported as infected on the very same box). After the FTP download, I ran an Avast virus check on those files and they were reported as clean.
Files being downloaded are .rar and .zip format.

How can I help you check and sort this out? What might be different between the desktop scan and the browser plugin scan? How can I change the download process so it does not trigger the named virus detection?

Best regards,
K.

P.S. I don't want to scare my customers that they are downloading virus infected files!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #1 on: December 19, 2013, 02:41:00 AM »
Quote
Win32:Evo-gen [Susp]
susp = suspicious ..... so not a virus yet

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select the subject according to your case)

You can use mail:
send to virus@avast.com in a password-protected zip file
mail subject: False Positive / undetected sample (select the subject according to your case)
zip password: infected

or you can send files from the avast chest.
How to use the chest: http://www.avast.com/faq.php?article=AVKB21
Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #2 on: December 19, 2013, 02:42:03 AM »
Also, can I have the URL and the file in a zipped format via wikisend?

Please PASSWORD PROTECT the file and pm me the password you used. Thanks!
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #3 on: December 19, 2013, 02:42:58 AM »
What exact version of avast are you using?
What vps version?
What os/service pack?
What is the website? (Please make the link not clickable!)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #4 on: December 19, 2013, 02:44:00 AM »
Also, can I have the URL and the file in a zipped format via wikisend?

Please PASSWORD PROTECT the file and pm me the password you used. Thanks!
He can't PM as he only has 1 post.


Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #5 on: December 21, 2013, 03:13:57 PM »
Sorry for the delay. I'll try to do all of the above in a few days from now.

Cheers,
K.

Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #6 on: December 22, 2013, 01:36:04 AM »
Here are the links for download:
www.cting.hr/eng/download.aspx?cid=8765E9A5-5A0D-457D-A67F-E4EB9265D3C4&v=3.1&t=zip
www.cting.hr/eng/download.aspx?cid=8765E9A5-5A0D-457D-A67F-E4EB9265D3C4&v=3.1&t=rar

You just need to hit the download button.

The Avast I use is the free home edition, the latest version. The application I made is a .NET application and the web site is ASP.NET 2.0. The download process is not a direct download link, so I suppose this is what is triggering the Firefox Avast plugin into detecting the above-mentioned thing. As for the zip/rar files being downloaded, I'm 99% sure they are not infected, and the desktop virus scan reports them both clean.

Cheers,
K.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #7 on: December 22, 2013, 02:24:50 AM »
The real problem is that you don't use a dedicated/own server.
You are using a hosting service where they put multiple domains/sites on the same IP.
http://zulu.zscaler.com/submission/show/e5540bdb273e54b4e0a1ed7d11f3fd61-1387675223

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #8 on: December 22, 2013, 10:27:31 AM »
Here are the links for download:
www.cting.hr/eng/download.aspx?cid=8765E9A5-5A0D-457D-A67F-E4EB9265D3C4&v=3.1&t=zip
www.cting.hr/eng/download.aspx?cid=8765E9A5-5A0D-457D-A67F-E4EB9265D3C4&v=3.1&t=rar

You just need to hit the download button.

The Avast I use is the free home edition, the latest version. The application I made is a .NET application and the web site is ASP.NET 2.0. The download process is not a direct download link, so I suppose this is what is triggering the Firefox Avast plugin into detecting the above-mentioned thing. As for the zip/rar files being downloaded, I'm 99% sure they are not infected, and the desktop virus scan reports them both clean.

Cheers,
K.
Hello,
thanks for the samples, the false positive will be fixed in the next stream update.

Milos

Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #9 on: December 22, 2013, 11:21:22 PM »
The real problem is that you don't use a dedicated/own server.
You are using a hosting service where they put multiple domains/sites on the same IP.
http://zulu.zscaler.com/submission/show/e5540bdb273e54b4e0a1ed7d11f3fd61-1387675223

But this is the most common case of hosting, and thus shouldn't be flagged as a malware site, imo.

K.

Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #10 on: December 22, 2013, 11:22:04 PM »

Hello,
thanks for the samples, the false positive will be fixed in the next stream update.

Milos

Thanks for the update.

K.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #11 on: December 22, 2013, 11:35:12 PM »
It is not that site that is blocked for malware; it is the IP that is, because some other site on the same IP is malicious.

Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #12 on: December 25, 2013, 08:20:20 PM »
It is not that site that is blocked for malware, it is the IP that is because some other site on the same IP is malicious.

So in other words, if an IP is recorded as a potential malicious source, then the host header name could be recorded as well, couldn't it? Could that be the resolution to all the problems, filtering out the non-malicious sites on that IP? Personally I cannot force my ISP to filter out malicious sites (especially if I don't know which of them are the ones causing the problems), and on the other hand switching to another ISP could result in the same problem.

K.
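Eddy's point above is that the block is keyed on the shared IP address rather than on the hostname, so one malicious site on the address drags every clean site hosted there down with it, and the question in the reply is whether keying on the host name instead would avoid that. The Python script below is an added illustration of that difference; it is not code from this thread, from Avast or from the site owner, and every hostname, IP address and flagged entry in it is constructed. It gives the verdict a reputation check would return under an IP-level policy and under a hostname-level policy for the same URL, and lists the clean sites that become collateral under the IP-level one.

```python
"""IP-level vs hostname-level reputation blocking on shared hosting.

Added example for this thread; not Avast's code. All hostnames, addresses
and verdicts are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed hostname -> IP mapping standing in for DNS. Shared hosting puts
# many unrelated sites on one address, as Eddy describes in the thread.
DNS = {
    "example-shop.test": "198.51.100.10",
    "good-blog.test": "198.51.100.10",
    "bad-actor.test": "198.51.100.10",      # the only site actually flagged
    "another-site.test": "198.51.100.11",
}

# Constructed reputation data: hostnames a scanner has flagged as malicious.
FLAGGED_HOSTS = {"bad-actor.test"}


def hostname_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme
    (forum posts often paste links without http://)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname in %r" % url)
    return host.lower()


def flagged_ips():
    """Addresses on which at least one flagged hostname is served."""
    return {DNS[h] for h in FLAGGED_HOSTS if h in DNS}


def verdict_by_ip(url):
    """Coarse policy: block if the URL's address hosts any flagged site.
    This is the behaviour that produces collateral false positives."""
    return "blocked" if DNS[hostname_of(url)] in flagged_ips() else "allowed"


def verdict_by_host(url):
    """Precise policy: block only if this hostname itself is flagged."""
    return "blocked" if hostname_of(url) in FLAGGED_HOSTS else "allowed"


def collateral_blocks():
    """Clean hostnames that the IP-level policy blocks anyway.

    Groups hosts by address, then subtracts the genuinely flagged ones from
    every flagged address. Sorted so the result is deterministic.
    """
    by_ip = defaultdict(set)
    for host, ip in DNS.items():
        by_ip[ip].add(host)
    collateral = set()
    for ip in flagged_ips():
        collateral |= by_ip[ip] - FLAGGED_HOSTS
    return sorted(collateral)


if __name__ == "__main__":
    # Constructed download link in the same shape as the one in the thread.
    link = "example-shop.test/download.aspx?t=zip"
    print("IP-level verdict:  ", verdict_by_ip(link))
    print("Host-level verdict:", verdict_by_host(link))
    print("Collateral under IP-level policy:", collateral_blocks())
```

The two verdicts for the same clean download link differ only because of the policy key: the host-level check allows it, the IP-level check blocks it, and `collateral_blocks()` enumerates exactly the sites that have no finding of their own but share the address. For a site owner that list is the thing to cite when asking a vendor to refine a block to the hostname.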

Offline KeiserSoze

  • Newbie
  • *
  • Posts: 14
Re: Win32:Evo-gen [Susp] false positive (suspected)
« Reply #13 on: August 12, 2023, 07:43:46 AM »
For security reasons, can this thread be PURGED or set as PRIVATE?

K.