Author Topic: Double Trouble  (Read 10476 times)


Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Double Trouble
« on: September 09, 2014, 12:11:22 AM »
I don't seem to be able to find a board for False Positives and I also don't know where to post bug reports. Anyway here are the troubles I'm having.

Firstly: The Grime Removal program is behaving oddly. It's a bug. After informing me of five apps that were not needed, I decided to investigate. I couldn't find information about what they were. I thought perhaps I missed something and clicked a button saying analyse again. I did this a couple of times and then all of a sudden it found nothing. I have no idea what happened or whether the apps were removed. That is annoying.

Secondly - and this is pretty bad: I have to disable Avast to download the file CheckSumVerify.au3 at the following link.

http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/?p=1196863

Once Avast finished doing whatever it did, I couldn't find a way to reverse the blocked URL. How do I do that please?

Thirdly: why on Earth is the file download being blocked in the first place? What is actually triggering the FP? The code can't be run unless you accidentally download and install AutoIt, and that's extremely far-fetched. Even so, the code is related to security and intended to prevent unauthorized tampering with compiled scripts. Blocking the download is contrary to the objective of keeping computer users safe because injecting code into compiled scripts is both unacceptable and undesirable.

Edit: modified the forum link above to point to the exact forum post containing the blocked download.
« Last Edit: September 09, 2014, 12:55:27 AM by czardas »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84755
  • No support PMs thanks
Re: Double Trouble
« Reply #1 on: September 09, 2014, 01:10:58 AM »
The virus and worms forum can also be used for reporting a suspect FP.

However, you can send it to the avast virus labs from the virus chest for analysis and correction of the signature as required.

Or you can use the contact form http://www.avast.com/contact-form.php?loadStyles for:  Report false virus alert in file; or Report false virus alert on website, issues.

No one can really say why it was detected, that requires analysis, but one thing: the AutoIt stuff is regularly used by some script kiddies for malware and some of the routines could well look suspect.

Links to suspect files/sites should be modified so they aren't active to avoid accidental exposure - change the http to hXXp in the URL.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.2.2455 (build 21.2.6096.648) UI 1.0.608/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #2 on: September 09, 2014, 01:22:05 AM »
Well I wasn't sure if I could copy the URL. I normally copy from the address bar in Firefox. I'll try it now and post it here:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

It seems to work. We'll see when I post the response. The point I was trying to make was that the file is simply plain text. There are two dead giveaways - the file extension is .au3 and the encoding (although I haven't tested it) is likely to be UTF-8. Avast is flagging a text file which would require a specific interpreter to become a threat.

Anyway, I want to know how to unblock the URL I posted here. I would also like to know what is AutoItInjector [tri]? I might have misspelled that, the Avast Threat Detected message wasn't visible for very long.

Edit: I meant what is AutoIt:Injector-G [Trj] ?
« Last Edit: September 09, 2014, 01:28:01 AM by czardas »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: Double Trouble
« Reply #5 on: September 09, 2014, 01:28:07 AM »
No security program has 100% detection
No security program has zero False Positives


Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #6 on: September 09, 2014, 01:40:27 AM »
Quote
No security program has 100% detection
No security program has zero False Positives

I know and I also understand it's important to the developers. I suppose au3 files could represent a threat, but only to someone who decides to run code from an author they don't trust (or if they don't understand it) through the aforementioned interpreter. That person would not likely be an average user and also should be aware that running code in that way will always involve a degree of risk. That's part and parcel of learning how to become a programmer.

I sent a message about the URL. I still don't know how to reverse or override Avast URL blocking. This feature seems to be missing from the program.
« Last Edit: September 09, 2014, 01:59:19 AM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #7 on: September 09, 2014, 10:23:49 AM »
So is there a way to undo/override the blocked URL or not? For someone who uses the Internet a lot, this is a serious concern.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: Double Trouble
« Reply #8 on: September 09, 2014, 10:33:32 AM »
You report it here http://www.avast.com/contact-form.php? and upload that file and they will fix it.
You may give a link to this topic.


Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #9 on: September 09, 2014, 10:38:02 AM »
I did all those things. It isn't everything I want though. I want to have control over what web links I click when I know I can trust the author/s. I would like to be able to tell Avast to ignore safe URLs if it flags them as harmful when they are not.

Having to disable shields is less secure than adding a single exception. Having to tell others to disable their AV is also pretty bad. I am all for better security, and I see being forced to take such actions as a big security risk. I feel it is necessary to point this out. The risk comes from all the malicious stuff that might occur with web-based scripts, not with au3 files containing code that browsers can't even run.
« Last Edit: September 09, 2014, 11:16:07 AM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #10 on: September 09, 2014, 11:08:58 AM »
This post was an accident (I meant to modify the above post), but I might as well add to it now. I have tried to discover what AutoIt:Injector-G is. On Google I find a few references, mainly from AV scans which say it is a trojan. There isn't much detailed information. Is it written in AutoIt, or simply a general category detected by heuristics?

At some point I will be releasing a program that will become unstable if illegally decompiled. I'm wondering what AV detection tools will make of that. I will not be able to predict the result if someone breaks the EULA and tries to reverse engineer my program - I can only say that it will become unstable. The binary itself will most likely be extremely difficult to interpret (almost impossible if I do a good job).
« Last Edit: September 09, 2014, 12:08:33 PM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #11 on: September 10, 2014, 02:02:31 AM »
I don't quite know what the problem is but I'm getting more FP results. The 7zip download on this page is not malicious. I have had an older version on my computer for a while now and it appears the SHA-1 hash has not altered on the earlier version but that is also throwing an FP right now. Here's the URL where the download for the current version of this file can be found.

http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609

I have a feeling that this is just the tip of the FP iceberg. Something is seriously broken. The one thing I can't do is download these files without disabling Avast - that makes me a little nervous. I will delete the files on my computer (I don't need them anyway) and report this latest version.

UPDATE

I changed my mind and also sent the older 7zip file on my computer for analysis. When I tried to remove the file to the Virus Chest, Fix Automatically or Repair, I get the following error:

The operation is not supported for this type of archive. (42111)

I can delete the file manually but I didn't try this with Avast - I guess Avast can delete the file. Malwarebytes considers the file to be clean. I have never come across this error before.

After a little searching I found another person who had the same error with a false positive, so I'll just wait and see.

Now I'll delete the file because I have a backup.
« Last Edit: September 10, 2014, 03:15:15 AM by czardas »
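The two checks czardas reasons about above (Reply #2: the download is plain UTF-8 text that needs an interpreter; Reply #11: the older copy's SHA-1 has not changed yet is newly flagged) can be scripted as a small FP-triage helper. This is an added example, not code from the thread or from Avast; the sample bytes are constructed stand-ins, not the real CheckSumVerify.au3 or the 7zip archive.

```python
import hashlib
from typing import Optional

# Constructed samples (not the files from the thread): an AutoIt-style text
# file and a binary blob with a PE-like header and non-UTF-8 bytes.
SAMPLE_AU3 = (b"; constructed stand-in for an .au3 source file\r\n"
              b"#include <Crypt.au3>\r\n"
              b"Func _Check($sPath)\r\n"
              b"    Return FileExists($sPath)\r\n"
              b"EndFunc\r\n")
SAMPLE_BINARY = b"MZ\x90\x00" + bytes(range(256))

TEXT_CONTROL_OK = {9, 10, 13}  # tab, LF and CR are normal in source text

def is_plain_text(data: bytes) -> bool:
    """True if data decodes as UTF-8 and contains no NUL or other
    control bytes apart from tab/CR/LF, i.e. it is source text that
    needs an interpreter rather than something directly executable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ord(ch) >= 32 or ord(ch) in TEXT_CONTROL_OK for ch in text)

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def triage(data: bytes, known_sha1: Optional[str], flagged: bool) -> dict:
    """Decide whether a new detection is explained by a changed file or by
    a changed signature, and note whether the file is plain text."""
    digest = sha1_hex(data)
    unchanged = known_sha1 is not None and known_sha1.lower() == digest
    if not flagged:
        verdict = "not flagged"
    elif unchanged:
        # Same bytes as before, new alert: the vendor's signature changed,
        # not the file. Report as a suspected FP, quoting this hash.
        verdict = "unchanged file newly flagged: suspected FP, report with hash"
    else:
        verdict = "file differs from the known hash: treat as a new file"
    return {"sha1": digest, "plain_text": is_plain_text(data),
            "unchanged": unchanged, "verdict": verdict}

if __name__ == "__main__":
    old = sha1_hex(SAMPLE_AU3)  # hash recorded when the file was first kept
    print(triage(SAMPLE_AU3, old, flagged=True))
    print(triage(SAMPLE_BINARY, old, flagged=True))
```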

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: Double Trouble
« Reply #12 on: September 10, 2014, 03:31:15 AM »
Quote
The operation is not supported for this type of archive. (42111)
it will not rip out the infection from a zip archive

virustotal
https://www.virustotal.com/nb/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/


Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #13 on: September 10, 2014, 03:43:33 AM »
Quote
The operation is not supported for this type of archive. (42111)
it will not rip out the infection from a zip archive
Gotcha!

virustotal
https://www.virustotal.com/nb/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/

OMG, what a set of results. "Suspicious_Gen2.VXSQX" doesn't appear to even exist - at all. Not even "Gen2.VXSQX" exists. Really Norman.  ::)

Well I can't be 100% certain, but it seems a bizarre coincidence that two different versions of the same program, separated by about two years, on computers thousands of miles apart both get infected by the same virus without anyone noticing, unless it was there all along and has been dormant until now, or maybe someone is actually targeting the AutoIt community - also possible.
« Last Edit: September 10, 2014, 10:54:57 PM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #14 on: September 10, 2014, 10:51:30 PM »
How long would it normally take for a False Positive to be removed once a report has been sent? Still unable to access:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061