Topic: Win32:Malware-gen round in .exe created by gsplit

dfoulkes

  • Guest
Win32:Malware-gen round in .exe created by gsplit
« on: December 20, 2009, 02:10:43 AM »
First, thank you ALL for lending an ear.

After reviewing various areas to try to find a solid/safe app. to split large files into small ones....

I downloaded and installed Gsplit from their home site and installed it.  No problem...
Then I ran it against a large data file I have splitting it into smaller files... No problem...

As part of the option of Gsplit it also creates a very small exe file so that when you give/send or ??
these files to a third party the Gsplit exe combines the split files back into the orig. large one.

As soon as Gsplit attempted the creation of that exe file avast brought up the warning screen that a virus has been
found (note the thread title)... and of course it wants to know what to do.  At first I performed blocking the exe from being
created and then noticed that the avast window stated that even if I allowed it- the infected file would not run so I performed
the file creation again and this time allowed it to go to completion by letting avast allow it... make sense?

Anyway, what ended up being created was this very small exe file.  I then ran malwarebytes to check it out... nothing.  I then ran avast against that exe file and "it did not find anything wrong with it".

So, does this look like a false/positive situation?

Thank you all.


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Malware-gen round in .exe created by gsplit
« Reply #1 on: December 20, 2009, 02:28:18 AM »
Hi, dfoulkes, welcome to the forum.
What you've done is pretty much exactly how I would have proceeded, too.
It does rather look like a FP. Try uploading the .exe to www.virustotal.com . This is a multi-AV scanning site, basically a way of obtaining about 44 "second opinions" on the file.
It will take a minute or three to upload/scan the file depending on server load etc.
Expect G-data and Avast to detect it. They share AV engines.
Because it has an ID suffix of "-gen" there might be several more that detect it. (Gen is basically generic, not exactly sure, but read: "Looks like it would behave like this family of malware" is probably a fair description of why it was detected.)

I know of no issues with Gsplit, have seen it recommended on another forum.

Following the VT scan, you could try copying it to the chest (start Avast, open the chest, select "user files" from the left hand pane, right-click in the right hand area, select "add" - browse for the file and add it.) and then submit it to Alwil as a suspected FP. This will be done on the next VPS update, silently, or immediately if you manually update the database.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Malware-gen round in .exe created by gsplit
« Reply #2 on: December 20, 2009, 02:29:20 AM »
PS, after the virus total scan, please post the URL copied direct from the address bar from the scan results page.
Windows 10,Windows Firewall,Firefox w/Adblock.

dfoulkes

  • Guest
Re: Win32:Malware-gen round in .exe created by gsplit
« Reply #3 on: December 20, 2009, 05:37:06 PM »
Thank you Tarq57... I'll follow your instructions as soon as I have enough coffee. :)

dfoulkes

  • Guest
Re: Win32:Malware-gen round in .exe created by gsplit
« Reply #4 on: December 20, 2009, 06:16:42 PM »
OK... as you stated avast and Gdata report the virus but nothing else did.  Here's the link...
http://www.virustotal.com/analisis/c18e928e84a92f356a468642527c3672b892b1f76676b3642c96ab6e9e130670-1261328488

I'll hold off updating avast till I hear something back on this page.

Thanks for your help.

BTW... that's a nice test link you sent me to..  so much out there in the Net that people don't realize is there.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Win32:Malware-gen round in .exe created by gsplit
« Reply #5 on: December 20, 2009, 07:24:46 PM »
Yes most certainly a false positive.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

- In the meantime, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions (right click the avast ' a ' icon)
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
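
Added example, not part of the original thread and not Avast or VirusTotal code: before a file goes on an exclusions list, confirm that the copy on disk is the sample the VirusTotal report describes, and count Avast and G-Data as one opinion because they share an engine. It assumes the permalink posted above has the layout `<sha256>-<Unix time>`; the engine results passed in, the `-gen` name test and the one-family threshold are illustrative.

```python
import hashlib
import re
from datetime import datetime, timezone

# Engines that share a backend count as one opinion. The Avast/G-Data pairing
# is the one named in the thread; extend the map only with pairings you know.
SHARED_ENGINE = {"GData": "Avast"}
# Assumed permalink layout: .../analisis/<sha256>-<Unix time of the scan>
PERMALINK = re.compile(r"/analisis/([0-9a-f]{64})-(\d+)$")

def parse_permalink(url):
    """Return (sha256 hex, scan time in UTC) from a permalink of that layout."""
    m = PERMALINK.search(url.strip())
    if not m:
        raise ValueError("not a <sha256>-<unix time> permalink")
    return m.group(1), datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)

def sha256_of(path):
    """Hash the file in chunks so a large file never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def independent_detections(results):
    """Map engine family -> labels, folding shared-engine products together."""
    families = {}
    for engine, label in results.items():
        if label:  # None or "" means that engine reported nothing
            families.setdefault(SHARED_ENGINE.get(engine, engine), set()).add(label)
    return families

def looks_like_fp(path, url, results, max_families=1):
    """True only if the local file is the scanned sample and at most
    max_families independent engines flag it, each with a '-gen' name.
    The threshold and the '-gen' test are illustrative assumptions."""
    scanned_hash, _ = parse_permalink(url)
    if sha256_of(path).lower() != scanned_hash:
        return False  # the file on disk is not the one the report describes
    families = independent_detections(results)
    labels = [l for group in families.values() for l in group]
    return len(families) <= max_families and all(l.lower().endswith("-gen") for l in labels)

if __name__ == "__main__":
    url = ("http://www.virustotal.com/analisis/c18e928e84a92f356a468642527c3672"
           "b892b1f76676b3642c96ab6e9e130670-1261328488")  # link from the thread
    print(parse_permalink(url))
```

If the hash check fails, the file was rebuilt or replaced after the scan, and the report says nothing about the copy that would be excluded.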