Author Topic: Is Win32.Evo-gen(Susp) a False Positive?  (Read 37236 times)


Offline baschlo

  • Newbie
  • Posts: 13
Is Win32.Evo-gen(Susp) a False Positive?
« on: July 01, 2015, 11:06:15 PM »
I just ran a scan that said I had a Win32.Evo-gen(Susp) infection.  I placed it in the Virus Chest.  When I right-clicked on it to send it to Avast, the drop-down list for "Type" on the submission form said "False positive" and that was the only option in the list.  Does that mean that it IS a false positive?  I haven't sent it in yet -- thought I would check here first.  Also, why does the file show on the submission form as /tmp/@FA3DEEB.unp?  What does that mean?

One other thing, if something gets moved to the Virus Chest does that mean it's quarantined and not a threat anymore?  If not, what exactly should I do?

I obviously have no idea what to do when a scan finds an infection.

I'm using Avast Mac Security 2015 (free version)
Version 10.14(44414)
Definitions version 15070102


Offline baschlo

  • Newbie
  • Posts: 13
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #1 on: July 01, 2015, 11:08:25 PM »
Oops!  I meant to submit two screenshots.  Here's the other one.


Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • Posts: 4959
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #2 on: July 01, 2015, 11:19:47 PM »
Welcome to the forums!

Yes, files in the chest are quarantined. The option to submit to the lab is primarily to report a False Positive, which would be a detection of a legitimate file as malware (crying wolf).  The file in your screenshot looks to be an iOS application, so not likely malware, and you can submit it to the lab for further analysis if you like.

Not sure on the weird path on the submission form, but this could simply be the quarantined location.
"People who are really serious about software should make their own hardware." - Alan Kay

Offline baschlo

  • Newbie
  • Posts: 13
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #3 on: July 02, 2015, 03:16:41 AM »
Thanks for your quick reply.  I have just a few more questions for you if you don't mind (since I really don't understand this stuff at all).

1) I only came across this "infection" through a full system scan that I do on occasion.  Wouldn't Avast's Filesystem Shield have caught this when it first showed up and blocked it?  Or would it only have blocked it if something malicious would have tried to execute?

2) I see that there is an option to delete things from the Virus Chest.  If I delete a file that is in there, is it gone from my MacBook completely (as in absolutely no threat whatsoever)?

3) Since the file I posted about was an iOS application in my iTunes library, should I be concerned about my iPad?  The application is actually one I use on the iPad.  Does Avast have a virus protection app for iPad?

Offline specimen9999

  • Sr. Member
  • Posts: 350
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #4 on: July 02, 2015, 12:51:16 PM »
The 'Win32' in the malware denomination indicates that it's malware that infects Windows machines, so this should tell you that even if the file does indeed have malware, your Mac and your iPad are safe; this malware is not a threat to you. Secondly, the Evo-gen part indicates a generic classification of files that might potentially be a trojan, but Avast isn't sure.

So, basically, it's a file Avast thinks might infect Windows computers.

More about this threat here:
http://malwaretips.com/blogs/win32evo-gen-susp-virus/

If this file was downloaded from the iTunes store, which is curated by Apple personnel, I highly doubt they would let a virus pass through (not impossible, but improbable). That, in conjunction with the fact that it is a generic detection that Avast thinks is potentially malware that infects Windows machines, all these are indicators that it is indeed a false positive. Submit it to the labs; don't delete it, because the file is probably innocuous.

The reason why Avast has only flagged the file on a recent scan and not when you downloaded it is likely the virus definitions: the last time the file was accessed before the scan (on-access scan, that's what the file shield does), the virus definitions it had did not consider that file a potential threat (or alternatively the scan engine was upgraded and started considering that file a potential threat).

In a subsequent update to the virus definitions that file might be considered safe again.

My suggestion: submit the file to https://www.virustotal.com/en/ and see the results, how other AVs flag it.
« Last Edit: July 02, 2015, 01:04:36 PM by specimen9999 »

Offline baschlo

  • Newbie
  • Posts: 13
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #5 on: July 03, 2015, 01:17:13 AM »
Thanks for your feedback, specimen9999.  I assume that even if this file was a threat to PCs I wouldn't have to worry about unintentionally passing it on to my PC friends since I sent it to the Virus Chest, right?

I would follow your advice to send the file to VirusTotal.com, but, as I said earlier, I'm not very good at this stuff and I don't really know how to do that.  The thing that shows in the Virus Chest is just a path, and when I checked it to send to Avast it showed up as /tmp/2FA3DEEB.unp.  Is that actually the file?  Would I just copy and paste that into the VirusTotal submission form?  If not, how do I find the file to submit?

If you don't care to respond to my inane questions, that's okay.  I feel pretty safe now based on the replies to my post from you and Mac.

Thanks!

Offline specimen9999

  • Sr. Member
  • Posts: 350
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #6 on: July 04, 2015, 01:36:08 PM »
The only way you could pass this file to your PC friends, if it was not in quarantine, would be if you actively sent it; the file has absolutely no way or power of attaching itself to email messages or USB drives. Sometimes the 'virus' metaphor is taken too literally, and computers aren't anything like biology: if it can't infect your system, then it works just like any other file in your system.

You can unquarantine the file (restore it to its default location) and then submit it to VirusTotal; after that you can run the scan over the file again and it will quarantine the file (again), or not, if in the latest definitions it's no longer considered suspicious.
« Last Edit: July 04, 2015, 01:40:35 PM by specimen9999 »

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • Posts: 4959
Re: Is Win32.Evo-gen(Susp) a False Positive?
« Reply #7 on: July 08, 2015, 01:14:20 AM »
Specimen, I'm fairly sure this is a False Positive. Apple would not allow malware to be in the App Store (I know, I know, it's happened, but USUALLY).

Quote from: baschlo on July 02, 2015, 03:16:41 AM
Thanks for your quick reply.  I have just a few more questions for you if you don't mind (since I really don't understand this stuff at all).

1) I only came across this "infection" through a full system scan that I do on occasion.  Wouldn't Avast's Filesystem Shield have caught this when it first showed up and blocked it?  Or would it only have blocked it if something malicious would have tried to execute?

2) I see that there is an option to delete things from the Virus Chest.  If I delete a file that is in there, is it gone from my MacBook completely (as in absolutely no threat whatsoever)?

3) Since the file I posted about was an iOS application in my iTunes library, should I be concerned about my iPad?  The application is actually one I use on the iPad.  Does Avast have a virus protection app for iPad?

1) Possible that some heuristic or generic routine caught it (especially if a false positive). Depending on the circumstances, you may have downloaded that file long before that heuristic/generic logic was added to the virus database.

2) If deleted from the chest then yes, it would be gone from your computer. However, being an iOS application, you could always download it again from iTunes.

3) Not likely; as specimen said, this shows as a Win32 infection, which would not affect your Mac and certainly not the iPad (which uses an ARM processor not compatible with Mac or Windows programs).
"People who are really serious about software should make their own hardware." - Alan Kay