Author Topic: Avast! not detecting PUP.SmsPay.PGen  (Read 8560 times)

avastira

  • Guest
Avast! not detecting PUP.SmsPay.PGen
« on: July 05, 2011, 10:27:55 PM »
Hello,

I'm using Avast Internet Security (the latest version). Today I was running a secondary scan through Malware Bytes, which found PUP.SmsPay.PGen 2 times in:

d:\downloads\installer_java_runtime_environment_jre_6_update_24_32bits_dutch.exe
d:\downloads\installer_java_se_development_kit_jdk_7_build_119_32_bits_dutch.exe

Can someone look into this?

Thank you.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #1 on: July 05, 2011, 11:58:08 PM »
Two things:
First, PUP (Potentially Unwanted Program): it depends on the avast scan that you did and if you had it set to scan for PUPs?
I don't believe that is a default option.

Second, the PGen part, I believe, means generic detection and as such is more prone to FP.

So you can run the scan again with PUPs enabled and see if they are detected. Next you ought to confirm if the original detections are correct.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.

~~~~
Presumably you downloaded these Java runtime and developer kit installation/update files from a legit source?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

avastira

  • Guest
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #2 on: July 06, 2011, 08:39:27 AM »
I've set Avast! to scan for PUPs, set sensitivity and priority to high. But Avast! didn't see it.

I can't upload the files to a site, I've already deleted them. And I always download software from a legit source, no exceptions.

regards,
Avastira

DavidR
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #3 on: July 06, 2011, 01:29:46 PM »
Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send them to Quarantine (in MBAM, the Remove should send them there) and leave them there whilst investigating.

With the files gone there really is no way to proceed further with this as the detection can't be confirmed one way or another. Plus there is no sample to send to avast if confirmed a good detection by MBAM, which I have my doubts on if from a legit source for the Dutch version of these JAVA installation/update files.

avastira

  • Guest
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #4 on: July 06, 2011, 03:34:28 PM »
Normally, I always send the viruses to the quarantine, but in MBAM I've clicked the 'remove' button, and I can see the files in the Quarantine, so they aren't gone.
It really is, I know for 100% sure, from a legit source. I only download files from a non-official source when there really isn't another option; in this case it was from the official website, no doubt about it.

DavidR
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #5 on: July 06, 2011, 05:12:06 PM »
So they can be Restored from the MBAM Quarantine, that would send them back to the original location, which is generally a good idea. I much prefer the avast chest option to Extract, which allows you to send them to a temporary location (not original).

However, since these are installation files rather than proper executable files that when in the original location would be active (if any associated registry entry was active) and present a limited risk. This isn't the case for these, so you could restore these and upload to virustotal as suggested for scanning and post the results.

avastira

  • Guest
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #6 on: July 07, 2011, 11:04:49 AM »
I've just uploaded the files, these are the results:

File name:
installer_java_runtime_environment_jre_6_update_24_32bits[...].exe

Result:
2/ 43 (4.7%)

DrWeb   5.0.2.03300   2011.07.07   Adware.Toolbar
eSafe   7.0.17.0   2011.07.06   Virus in password protected archive


File name:
installer_java_se_development_kit_jdk_7_build_119_32_bits[...].exe

Result:
2/ 43 (4.7%)

DrWeb   5.0.2.03300   2011.07.07   Adware.Toolbar
eSafe   7.0.17.0   2011.07.06   Virus in password protected archive

Regards,
Avastira

DavidR
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #7 on: July 07, 2011, 12:48:24 PM »
If you can post the virus total URL to the results pages, thanks.

To me it is looking more like an FP by the other AV (what was it ?), as only one detection in the VT info you posted could be even slightly plausible, adware.toolbar; that is such a low key affair/risk as to be dismissed as toolbars if in an installer can usually be opted out of.

The other detection is quite frankly a joke, if the virus is in a password protected archive, how would it be possible to extract the file from the password protected archive to be able to scan it, essentially it can't, so that detection really could be discounted.

avastira

  • Guest
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #8 on: July 07, 2011, 02:32:45 PM »
Hello,

These are the links:

http://www.virustotal.com/file-scan/report.html?id=abe699c556ca65d3c9f0bdd6eec4e06c1b5789ee878ed6074174d0077f4bcc72-1310036033

http://www.virustotal.com/file-scan/report.html?id=6e30e712e537af69fcda32b70cb8fd1a130df8c7f696099dd9b84bc568951278-1310028649

Regards,

Avastira

DavidR
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #9 on: July 07, 2011, 03:38:18 PM »
Unfortunately there is no additional information at the bottom of the page that I was hoping for. Often there is supplementary information.

However, to me this is looking more like a false positive by whatever security application that detected it?

Nesivos

  • Guest
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #10 on: July 07, 2011, 07:01:39 PM »
The comments below do not address why avast! did not detect this PUP.  That could be due to your PUP settings in avast! :o

It appears that on some download sites for Google Earth the installer is infected with this PUP.  If you downloaded and installed Google Earth you could be the victim of a phishing scam :(

Quote
Files Infected:
d:\firefox-downloads-2011\installer_google_earth_english.exe (PUP.SmsPay.PGen)

PC Talk
Thread      Malware Bytes finds nasty in Google Earth installer.
Started by      Fotonut 
Date/Time      9:35:27 AM, Monday, July 04, 2011 (GMT)

For more see link

http://forums.dpreview.com/forums/readflat.asp?forum=1004&message=38818009&changemode=1

DavidR
Re: Avast! not detecting PUP.SmsPay.PGen
« Reply #11 on: July 07, 2011, 07:19:12 PM »
What has this to do with 'this topic' this isn't the file being detected on the OPs system ???

d:\downloads\installer_java_runtime_environment_jre_6_update_24_32bits_dutch.exe
d:\downloads\installer_java_se_development_kit_jdk_7_build_119_32_bits_dutch.exe

Not to mention nothing on VT detects this as a PUP or anything close.

So other than all of this is nothing more than an MBAM FP on these (PUP.SmsPay.PGen generic signature) and the example you quoted and has nothing to do with the avast PUP settings.