Avast WEBforum

Business Products => Avast Business => Topic started by: REDACTED on May 09, 2017, 04:13:25 PM

Title: Signed executable triggering Cybercapture
Post by: REDACTED on May 09, 2017, 04:13:25 PM
Avast Cybercapture has recently started blocking our product despite the executable (and installer) being signed by a trusted certificate (issued by Comodo).
This does not seem like it would be intended behavior, since the only criteria for this seems to be "file is rare".
Title: Re: Signed executable triggering Cybercapture
Post by: Eddy on May 09, 2017, 04:14:22 PM
Report it to avast.
https://www.avast.com/false-positive-file-form.php
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on May 11, 2017, 01:50:41 PM
Submitted already, but that doesn't help much as we have constant updates.

I'm looking at the whitelisting process, but it's a bit unclear if just the main executable has to be submitted, or dependencies as well.
There's also a mention that it's possible to whitelist our digital signature, but I failed to find any information on how to actually do that.
Title: Re: Signed executable triggering Cybercapture
Post by: Eddy on May 11, 2017, 01:52:38 PM
https://www.avast.com/faq.php?article=AVKB228
https://www.avast.com/faq.php?article=AVKB229
Title: Re: Signed executable triggering Cybercapture
Post by: Milos on May 12, 2017, 07:34:34 AM
Hello,
can you post sha256 of the signed file, which goes to CyberCapture to verify it, please?

Milos
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on May 12, 2017, 08:00:07 AM
We're seeing similar issues here.  All of our produced software (installers and executables) are now constantly being scanned by CyberCapture, despite being signed (sha-1 and sha-256).  Similarly, our cert is issued by Comodo.

This wasn't happening until the last week or so, and is really annoying us in development and testing.  We're hoping that our customers aren't having similar issues if they're running Avast.

It's frustrating, and we've already started to remove Avast from some of our computers so that we can get our work done.
Title: Re: Signed executable triggering Cybercapture
Post by: Milos on May 12, 2017, 08:02:48 AM
> We're seeing similar issues here.  All of our produced software (installers and executables) are now constantly being scanned by CyberCapture, despite being signed (sha-1 and sha-256).  Similarly, our cert is issued by Comodo.
>
> This wasn't happening until the last week or so, and is really annoying us in development and testing.  We're hoping that our customers aren't having similar issues if they're running Avast.
>
> It's frustrating, and we've already started to remove Avast from some of our computers so that we can get our work done.

Hello,
please provide sha256 of the signed file (or link to download the file), which goes to CyberCapture to verify it.

Milos
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on May 12, 2017, 09:21:14 AM
Milos: You can download an example of one of our installers at https://www.minemax.com/customer-care/downloads/MinemaxSoftwareManager.exe
Title: Re: Signed executable triggering Cybercapture
Post by: Milos on May 12, 2017, 11:09:16 AM
> Milos: You can download an example of one of our installers at https://www.minemax.com/customer-care/downloads/MinemaxSoftwareManager.exe

Hello,
thank you for the link. I set this certificate as clean and it should stop triggering CyberCapture on files signed by this certificate from next VPS release. Sorry for any inconvenience.

Milos
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on May 16, 2017, 06:18:56 PM
> Hello,
> can you post sha256 of the signed file, which goes to CyberCapture to verify it, please?
>
> Milos

Info on the executable in question:
Name: InteractioBroadcaster.exe
Size: 2350272 bytes (2 MB)
SHA256: B2A4CE8C72BC9EDD863606E5C5C2370BD432AAFCEFF4BDC3DC2BDCF6165F4E05

Link to the whole signed executable:
https://drive.google.com/file/d/0B2t4jTiPaZWzLW9hdHVVSTNuV28/view?usp=sharing
Title: Re: Signed executable triggering Cybercapture
Post by: Milos on May 17, 2017, 07:01:41 AM
Hello Bug Fairy,
I have checked the file and certificate and both are marked as clean since 05-12-2017 so it should not trigger CyberCapture. Do you have updated VPS?

Milos
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on May 17, 2017, 01:32:10 PM
> Hello Bug Fairy,
> I have checked the file and certificate and both are marked as clean since 05-12-2017 so it should not trigger CyberCapture. Do you have updated VPS?
>
> Milos

I submitted it as a false positive on the 11th, I believe. I was assuming it'd whitelist only the file. But if the certificate is whitelisted as well, then the issue is solved. Thank you for the timely responses.
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on June 06, 2017, 02:20:36 PM
Hello,
Same problem with our applications signed with the same certificate from DigiCert:
http://engarde-escrime.com/signe/DiapoEngardeS.exe
http://engarde-escrime.com/signe/Engarde9646S.exe
http://engarde-escrime.com/signe/ShowPisteS.exe

Could you help, please?
Title: Re: Signed executable triggering Cybercapture
Post by: Milos on June 06, 2017, 03:05:05 PM
Hello,
all 3 files are using different certificates. Two of them are now expired, and the samples signed with the expired certificates are missing a signing date, so this might be a reason why it cannot be verified.

I will set the files to clean state so it should fix it.

Milos
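
A pre-release check for the two conditions described in the reply above (an expired signing certificate and a signature with no signing date), which also prints the SHA-256 that is requested earlier in the thread when a file is reported. This is an added example, not code from the thread or from Avast; `$BuildDir` and `Get-SigningReport` are hypothetical names, and it assumes Windows PowerShell with the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets.

```powershell
# Added example (not from the thread). $BuildDir is a hypothetical path.
param(
    [string]$BuildDir = '.\dist'   # assumption: folder with signed .exe/.dll/.msi files
)

function Get-SigningReport {
    param([Parameter(Mandatory)][string]$Path)

    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = $sig.SignerCertificate
        $issues = @()

        if ($null -eq $signer) {
            $issues += 'not signed'
        } else {
            if ($sig.Status -ne 'Valid') { $issues += "status $($sig.Status)" }
            # Without a timestamp countersignature there is no trusted signing
            # date, so the signature stops validating once the cert expires.
            if ($null -eq $sig.TimeStamperCertificate) { $issues += 'no timestamp' }
            if ($signer.NotAfter -lt $now) { $issues += 'signer certificate expired' }
        }

        [pscustomobject]@{
            File       = $_.Name
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
            NotAfter   = if ($signer) { $signer.NotAfter } else { $null }
            Issues     = $issues -join '; '
        }
    }
}

$report = @(Get-SigningReport -Path $BuildDir)
$report | Format-Table File, NotAfter, Issues, SHA256 -AutoSize

# One line per distinct signing certificate; more than one means the release
# mixes certificates, so an allowance for one will not cover the others.
$report | Where-Object Thumbprint | Group-Object Thumbprint |
    Select-Object Count, Name | Format-Table -AutoSize

# Non-zero exit lets a build pipeline stop before publishing.
if ($report | Where-Object Issues) { exit 1 }
```
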
Title: Re: Signed executable triggering Cybercapture
Post by: REDACTED on June 06, 2017, 03:16:13 PM
Sorry for the mistake; we will sign the two files with the expired certificates with the new certificate we used for the third.

Many thanks for the quick and efficient help  :)