Author Topic: False positive Win32:Evo-gen [Susp]  (Read 7280 times)

0 Members and 1 Guest are viewing this topic.

patrickkunz

  • Guest
False positive Win32:Evo-gen [Susp]
« on: September 25, 2013, 07:50:15 PM »
Hello,

We're getting a false positive report from Avast when trying do download our commercial software packages from our website (a zip file that includes different NSIS installers):

http://kunz.corrupt.ch/downloads/plugins/install_TAL-U-NO-LX-V2.zip
http://kunz.corrupt.ch/downloads/plugins/install_TAL-BassLine-101.zip

The installer does nothing else than copy the included dll's to the location the user has chosen. I scanned the same files on my local machine with AVAST and the files are clean. I can't understand why the scanner blocks clean installer files?!

Users can't download and install our software because of this. Any advice is welcome.

Best regards,
Patrick
« Last Edit: September 25, 2013, 07:51:46 PM by patrickkunz »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: False positive Win32:Evo-gen [Susp]
« Reply #1 on: September 25, 2013, 07:54:58 PM »
You can report this via mail as false positive: virus@avast.com password protected zip archive Password: infected

Or via this form: http://www.avast.com/contact-form.php (Choose report false alert in file as subject

Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33973
  • malware fighter
Re: False positive Win32:Evo-gen [Susp]
« Reply #2 on: September 25, 2013, 08:29:05 PM »
This is supporting the FP: http://quttera.com/detailed_report/kunz.corrupt.ch
as here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fkunz.corrupt.ch%2Fdownloads%2Fplugins%2Finstall_TAL-U-NO-LX-V2.zip
Some corruption delivered: The connection timed out before all (any?) content was returned! (Note: As a part of their security measures some shared hosting services will block this type of tool from scanning the sites they host. )

http://kunz.corrupt.ch cannot be scanned here: https://asafaweb.com/ while powered by asp.net, strange...
also consider: http://urlquery.net/report.php?id=5946020  (for the IP)

polonus
« Last Edit: September 25, 2013, 08:41:03 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

patrickkunz

  • Guest
Re: False positive Win32:Evo-gen [Susp]
« Reply #3 on: September 26, 2013, 08:25:21 AM »
Hi polunus,

this is interesting stuff and it shows me some improvements. The sitecheck worked and it tells me the file is ok as expected.

I really can't understand that a company like avast blocks download files without any virus! My download is still blocked like the downloads of other peoples that that are using NSIS.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33973
  • malware fighter
Re: False positive Win32:Evo-gen [Susp]
« Reply #4 on: September 26, 2013, 11:20:13 AM »
Contact them via virus AT avast dot com and point out the problem and give a link to the discussion here.
This is an interesting report from Asafaweb for the top-level-domain uri:
Custom errors: Fail
Requested URL: http://kunz.corrupt.ch/< | Response URL: http://kunz.corrupt.ch/< | Page title: Runtime Error | HTTP status code: 400 (Bad request) | Response size: 3,420 bytes | Duration: 113 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".

Custom errors are easy to enable, just configure the web.config to ensure the mode is either "On" or "RemoteOnly" and ensure there is a valid "defaultRedirect" defined for a custom error page as follows:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

Then there is this:
Excessive headers: Warning
Requested URL: http://kunz.corrupt.ch/ | Response URL: http://kunz.corrupt.ch/ | Page title: TAL- Togu Audio Line: Home | HTTP status code: 200 (OK) | Response size: 13,498 bytes | Duration: 760 ms
Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.
Shhh… don’t let your response headers talk too loudly

And Clickjacking: Warning
Requested URL: http://kunz.corrupt.ch/ | Response URL: http://kunz.corrupt.ch/ | Page title: TAL- Togu Audio Line: Home | HTTP status code: 200 (OK) | Response size: 13,498 bytes | Duration: 760 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site  (info from recent Asafaweb scan)

For the download I get a 502 Bad Gateway -
For the Anubis report on one of the downloads see: http://anubis.iseclab.org/?action=result&task_id=12ba3e987e5c1d894e1a01630acbceabf
Gonna comment more on that later, the main conclusion I give further down!*

Response Header:
HTTP Response Header
Name   Value   Delim
Status: HTTP/1.1 200 OK
Content-Type:   application/x-zip-compressed   
Last-Modified:   Wed, 25 Sep 2013 08:11:12 GMT   
Accept-Ranges:   bytes   
ETag:   "4c2f66ccc6b9ce1:0"   
Server:   Microsoft-IIS/7.5   
X-Powered-By:   ASP.NET   
Date:   Thu, 26 Sep 2013 09:07:29 GMT   
Connection:   close   
Content-Length:   17075783

From that Anubis report the most important conslusion   is:
Highly suspicious network connections: HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  info     SavedLegacySettings      0x3c0000001600000001000000000000000000000000000000040000000000 
Blacklisted Malicious Spam Spoofing

My personal likely verdict is a "File Splitting Misinterpretation", so false positive,

polonus


« Last Edit: September 26, 2013, 11:48:16 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

patrickkunz

  • Guest
Re: False positive Win32:Evo-gen [Susp]
« Reply #5 on: September 26, 2013, 12:57:00 PM »
Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".
I will have a look at this in the next days and fix those errors. I finally replaced the NSIS installer with a WiX installer that produces "msi" files and AVAST is happy. If i look at this forum, i see that a lot of people have the same issue. It seems that AVAST has a general problem with NSIS installers since the last updates.

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: False positive Win32:Evo-gen [Susp]
« Reply #6 on: September 26, 2013, 04:13:48 PM »

We're getting a false positive report from Avast when trying do download our commercial software packages from our website (a zip file that includes different NSIS installers):

http://kunz.corrupt.ch/downloads/plugins/install_TAL-U-NO-LX-V2.zip
http://kunz.corrupt.ch/downloads/plugins/install_TAL-BassLine-101.zip

The installer does nothing else than copy the included dll's to the location the user has chosen. I scanned the same files on my local machine with AVAST and the files are clean. I can't understand why the scanner blocks clean installer files?!

Users can't download and install our software because of this. Any advice is welcome.

Best regards,
Patrick

there's no warning related to avast.
was fixed in the update vps 130926-0.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33973
  • malware fighter
Re: False positive Win32:Evo-gen [Susp]
« Reply #7 on: September 26, 2013, 09:14:26 PM »
Conclusion: now we are all happy,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!