Author Topic: Win32:Bundlore-B (PUP) false positives

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
The best things in life are free.

REDACTED

  • Guest
Re: Win32:Bundlore-B (PUP) false positives
« Reply #1 on: January 05, 2015, 10:28:03 PM »
Isn't this thread the same as https://forum.avast.com/index.php?topic=163929?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Bundlore-B (PUP) false positives
« Reply #2 on: January 05, 2015, 10:44:45 PM »
Yes  :-[ and no, as there is another program being detected with Win32:Bundlore-B (PUP).
It would be good to have an explanation of what "suspicious" behavior is triggering the PUP warning.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33918
  • malware fighter
Re: Win32:Bundlore-B (PUP) false positives
« Reply #3 on: January 05, 2015, 11:06:36 PM »
Hi Lisandro,

These PUP detections (no malware, no virus in the stricter sense) are found to come bundled with custom installers. A new way of earning "easy" money in a time when bundling adware crap becomes more of a rule than the exception, and users should do a custom install not to be "overrun" by the bundling aspirations of marketing folks, shareholders, and developers alike. Sometimes, as in the case of SUMo, the software as such is completely and utterly OK but the installer comes with bundled potentially unwanted programs.
This variant, known as PUP.Downware, comes from the main "perpetrators" in this field, which are downloaders like Softonic, Brothersoft and Cnet. So end-users should make a lot of effort to get a download without such added "goodies". The main problem with bundling is the uninstall problem of some of the more persistent bundling "presents" that land on our machines, sometimes to such an extent that the adware crap or Browser Helper Object etc. can only be cleansed with the help of a qualified remover.

Good that in such a situation a responsible av solution flags such an "unwanted surprise". On the other hand it could be understood that the bundlers want this stuff to go under the detection radar. But I think the end-user should at least have a choice to end up with a custom install of the very program he/she/it wants without any additional adware/crapware/nagware. And when this is no longer possible I would look for a bundle free alternative of the program or tool at hand.

polonus
« Last Edit: January 05, 2015, 11:29:32 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Giony

  • Poster
  • *
  • Posts: 598
Re: Win32:Bundlore-B (PUP) false positives
« Reply #4 on: January 06, 2015, 09:07:54 AM »
Windows 10 Pro x64  -  Avast Internet Security 2016.11.2.2254  -  Mbam  -  HitmanPro  -  Ccleaner  -  Chrome

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Win32:Bundlore-B (PUP) false positives
« Reply #5 on: January 06, 2015, 09:17:03 AM »
Quote
SUMo (http://www.kcsoftwares.com/?home) and other programs are being flagged as infected.
It is only Avast. Seems a false positive.
Although the executables are detected by many more AVs.
Is there something fishy in these files or are they just FPs?

https://www.virustotal.com/en/file/4a116acf36ecdc874a431f526e92b21b42b138aaf89eb19d03cdb68f31a63740/analysis/1420492053/
https://www.virustotal.com/en/file/a4d90d97978facdc7e65370a5f202ca6af2e22d8f6a2607f3509f1f5a24bd4da/analysis/1420491941/
https://www.virustotal.com/en/file/532d373d59634652f3ae210e4bbf06eb529dcb504e3ad61462d0bb02d818397e/analysis/1420491637/
https://www.virustotal.com/en/file/99a5fdfafb95d0c6bcb67040b28ed7d337ff50cfa01eaba0ede3f2b38cdf6c08/analysis/1420491278/

Files were also submitted within Chest.
Man... This gave me a lot of work  :(

Hello,
https://www.virustotal.com/en/file/4a116acf36ecdc874a431f526e92b21b42b138aaf89eb19d03cdb68f31a63740/analysis/1420492053/
Only inno setup log -- we need whole installer to analyze

https://www.virustotal.com/en/file/a4d90d97978facdc7e65370a5f202ca6af2e22d8f6a2607f3509f1f5a24bd4da/analysis/1420491941/
This is FP and will be fixed in next stream

https://www.virustotal.com/en/file/532d373d59634652f3ae210e4bbf06eb529dcb504e3ad61462d0bb02d818397e/analysis/1420491637/
Downloads Relevant Knowledge without user consent -- PUP

https://www.virustotal.com/en/file/99a5fdfafb95d0c6bcb67040b28ed7d337ff50cfa01eaba0ede3f2b38cdf6c08/analysis/1420491278/
Only inno setup log -- we need whole installer to analyze

Milos
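Milos's answer above maps each VirusTotal link to a verdict (FP, PUP, or "only an Inno Setup log, send the whole installer"). Before re-submitting a file, it helps to confirm you are looking at the same sample the analyst saw: the SHA-256 in each VirusTotal URL is the file's identity, not the name of the download. The script below is an added example and not part of the forum thread or any Avast tool; it hashes a file, looks the digest up against the four hashes quoted in the thread with the verdicts Milos gave, and builds the matching VirusTotal URL. The sample bytes and the helper names (`sha256_hex`, `triage`, `vt_url`) are constructed for illustration.

```python
import hashlib

# SHA-256 digests copied from the VirusTotal links in the thread, paired with
# the analyst verdict given for each one.
THREAD_VERDICTS = {
    "4a116acf36ecdc874a431f526e92b21b42b138aaf89eb19d03cdb68f31a63740":
        "only an Inno Setup log, whole installer needed",
    "a4d90d97978facdc7e65370a5f202ca6af2e22d8f6a2607f3509f1f5a24bd4da":
        "FP, fix in next stream",
    "532d373d59634652f3ae210e4bbf06eb529dcb504e3ad61462d0bb02d818397e":
        "PUP, downloads Relevant Knowledge without user consent",
    "99a5fdfafb95d0c6bcb67040b28ed7d337ff50cfa01eaba0ede3f2b38cdf6c08":
        "only an Inno Setup log, whole installer needed",
}

VT_PREFIX = "https://www.virustotal.com/en/file/"


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large installers do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_url(digest: str) -> str:
    """Build the VirusTotal report URL for a SHA-256 (hex digest only, no timestamp)."""
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return VT_PREFIX + digest + "/analysis/"


def triage(digest: str) -> str:
    """Return the verdict recorded in the thread for this sample, or a 'not seen' note."""
    return THREAD_VERDICTS.get(
        digest.lower(),
        "not in thread: submit the complete installer, not only the setup log",
    )


if __name__ == "__main__":
    # Constructed sample input: not a real installer, just bytes to demonstrate the flow.
    sample = b"abc"
    h = sha256_hex(sample)
    print(h, "->", triage(h))
    print(vt_url(h))
    # A digest that the thread does cover:
    known = "a4d90d97978facdc7e65370a5f202ca6af2e22d8f6a2607f3509f1f5a24bd4da"
    print(known, "->", triage(known))
```

The point of hashing before submitting is the one Milos makes twice: two of the four links were only the Inno Setup log rather than the installer, so the analyst could not say anything about them. Comparing the digest of what you actually have on disk against the digest in the report removes that ambiguity.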

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Bundlore-B (PUP) false positives
« Reply #6 on: January 06, 2015, 11:21:54 AM »
Thanks Milos.
The setup files could be downloaded here:
http: //www.baixaki.com.br/download/duplicate-images-finder.htm
http: //www.kcsoftwares.com/files/sumo.exe
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Bundlore-B (PUP) false positives
« Reply #7 on: January 06, 2015, 11:25:29 AM »
Quote
Hi Lisandro,

These PUP detections (no malware, no virus in the stricter sense) are found to come bundled with custom installers. A new way of earning "easy" money in a time when bundling adware crap becomes more of a rule than the exception, and users should do a custom install not to be "overrun" by the bundling aspirations of marketing folks, shareholders, and developers alike. Sometimes, as in the case of SUMo, the software as such is completely and utterly OK but the installer comes with bundled potentially unwanted programs.
This variant, known as PUP.Downware, comes from the main "perpetrators" in this field, which are downloaders like Softonic, Brothersoft and Cnet. So end-users should make a lot of effort to get a download without such added "goodies". The main problem with bundling is the uninstall problem of some of the more persistent bundling "presents" that land on our machines, sometimes to such an extent that the adware crap or Browser Helper Object etc. can only be cleansed with the help of a qualified remover.

Good that in such a situation a responsible av solution flags such an "unwanted surprise". On the other hand it could be understood that the bundlers want this stuff to go under the detection radar. But I think the end-user should at least have a choice to end up with a custom install of the very program he/she/it wants without any additional adware/crapware/nagware. And when this is no longer possible I would look for a bundle free alternative of the program or tool at hand.

polonus
Thanks Polonus. I understand in the case of http: //www.baixaki.com.br/download/duplicate-images-finder.htm but I can't understand in case of SUMo, as it is being downloaded from the main site, unless to keep it free it is being shipped with these 'extras'.
The best things in life are free.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Win32:Bundlore-B (PUP) false positives
« Reply #8 on: January 06, 2015, 11:29:03 AM »
Quote
Thanks Milos.
The setup files could be downloaded here:
http: //www.baixaki.com.br/download/duplicate-images-finder.htm
http: //www.kcsoftwares.com/files/sumo.exe
Hello,
http: //www.baixaki.com.br/download/duplicate-images-finder.htm
Downloads Relevant Knowledge without user consent -> PUP

http: //www.kcsoftwares.com/files/sumo.exe
Downloads Relevant Knowledge without user consent -> PUP

Milos

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:Bundlore-B (PUP) false positives
« Reply #9 on: January 06, 2015, 11:38:24 AM »
Quote
I can't understand in case of SUMo, as it is being downloaded from the main site, unless to keep it free it is being shipped with these 'extras'
If it comes with (unwanted) extras it is not free. The developers are getting paid for including all that crap.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Bundlore-B (PUP) false positives
« Reply #10 on: January 06, 2015, 12:00:23 PM »
Thanks Milos.
Getting rid of the other one and thinking about SUMo right now.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33918
  • malware fighter
Re: Win32:Bundlore-B (PUP) false positives
« Reply #11 on: January 06, 2015, 01:51:22 PM »
@All.

Unchecky: http://unchecky.soft32.com/free-download/  and being very cautious,
is your best bet when looking for a "clean free" download.

Adware is becoming a problem like "ill weed" nowadays.
Commercial arrogance rules!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Win32:Bundlore-B (PUP) false positives
« Reply #12 on: January 07, 2015, 05:54:22 PM »
Quote
... But I think the end-user should at least have a choice to end up with a custom install of the very program he/she/it wants without any additional adware/crapware/nagware. And when this is no longer possible I would look for a bundle free alternative of the program or tool at hand.

polonus
Today, I wanted to update my SUMo and thought I'd share the look of the download page, which, as before, seems quite clear what it contains. Few vendors of free products show the details such as these.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33918
  • malware fighter
Re: Win32:Bundlore-B (PUP) false positives
« Reply #13 on: January 07, 2015, 06:05:54 PM »
Yes, when these "optionals" are shown upfront and you have a possibility to opt out (untick) then the average av solution won't alert, but when these so-called optionals are being installed without any user opt-out option and moreover without any user consent, it should be a reason for every av solution to alert it.

I know these are grey blurred lines and the blurring goes on and on by the crapware pushers and relentless optional marketeers, but that is the situation we have now.

Of course unchecky and a decent anti adware tool like adware cleaner or junkware remover and could it be super anti spyware or MBAM should "sieve" these additional unwanted goodies out. Alas freeware without these added commercial added optional bundling software becomes more and more "rare and in between".

Therefore I would advise, whenever you are not satisfied with what you have downloaded onto your machine and fear any bundling adware infestation (and this crap can be rather persistent indeed, even preventing your browser from being updated so you cannot get it off your machine), that you ask one of our qualified removers to help you get it off your computer or peripheral.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!