Author Topic: Signed executable triggering Cybercapture  (Read 8962 times)


REDACTED

  • Guest
Signed executable triggering Cybercapture
« on: May 09, 2017, 04:13:25 PM »
Avast Cybercapture has recently started blocking our product despite the executable (and installer) being signed by a trusted certificate (issued by Comodo).
This does not seem like it would be intended behavior, since the only criterion for this seems to be "file is rare".

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Signed executable triggering Cybercapture
« Reply #1 on: May 09, 2017, 04:14:22 PM »

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #2 on: May 11, 2017, 01:50:41 PM »
Submitted already, but that doesn't help much as we have constant updates.

I'm looking at the whitelisting process, but it's a bit unclear if just the main executable has to be submitted, or dependencies as well.
There's also a mention that it's possible to whitelist our digital signature, but I failed to find any information on how to actually do that.


Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Signed executable triggering Cybercapture
« Reply #4 on: May 12, 2017, 07:34:34 AM »
Hello,
can you post the sha256 of the signed file, which goes to CyberCapture to verify it, please?

Milos

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #5 on: May 12, 2017, 08:00:07 AM »
We're seeing similar issues here.  All of our produced software (installers and executables) is now constantly being scanned by CyberCapture, despite being signed (sha-1 and sha-256).  Similarly, our cert is issued by Comodo.

This wasn't happening until the last week or so, and is really annoying us in development and testing.  We're hoping that our customers aren't having similar issues if they're running Avast.

It's frustrating, and we've already started to remove Avast from some of our computers so that we can get our work done.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Signed executable triggering Cybercapture
« Reply #6 on: May 12, 2017, 08:02:48 AM »
Hello,
please provide the sha256 of the signed file (or a link to download the file), which goes to CyberCapture to verify it.

Milos

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #7 on: May 12, 2017, 09:21:14 AM »
Milos: You can download an example of one of our installers at https://www.minemax.com/customer-care/downloads/MinemaxSoftwareManager.exe

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Signed executable triggering Cybercapture
« Reply #8 on: May 12, 2017, 11:09:16 AM »
Hello,
thank you for the link. I set this certificate as clean and it should stop triggering CyberCapture on files signed by this certificate from the next VPS release. Sorry for any inconvenience.

Milos

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #9 on: May 16, 2017, 06:18:56 PM »
Info on the executable in question:
Name: InteractioBroadcaster.exe
Size: 2350272 bytes (2 MB)
SHA256: B2A4CE8C72BC9EDD863606E5C5C2370BD432AAFCEFF4BDC3DC2BDCF6165F4E05

Link to the whole signed executable:
https://drive.google.com/file/d/0B2t4jTiPaZWzLW9hdHVVSTNuV28/view?usp=sharing

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Signed executable triggering Cybercapture
« Reply #10 on: May 17, 2017, 07:01:41 AM »
Hello Bug Fairy,
I have checked the file and certificate and both are marked as clean since 05-12-2017, so it should not trigger CyberCapture. Do you have an updated VPS?

Milos

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #11 on: May 17, 2017, 01:32:10 PM »
I've submitted it as a false positive on the 11th, I believe. I was assuming it'd whitelist only the file. But if the certificate is whitelisted as well, then the issue is solved. Thank you for the timely responses.

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #12 on: June 06, 2017, 02:20:36 PM »
Hello,
Same problem with our applications signed with the same certificate from DigiCert:
http://engarde-escrime.com/signe/DiapoEngardeS.exe
http://engarde-escrime.com/signe/Engarde9646S.exe
http://engarde-escrime.com/signe/ShowPisteS.exe

Could you help, please?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Signed executable triggering Cybercapture
« Reply #13 on: June 06, 2017, 03:05:05 PM »
Hello,
all 3 files are using different certificates. Two of them are now expired, and the samples signed with the expired certificates are missing a signing date, so this might be a reason why it cannot be verified.

I will set the files to clean state so it should fix it.

Milos
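
The points raised in this thread (the SHA-256 asked for, files carrying different certificates, expired certificates, missing signing date) can be checked before a release with a short PowerShell report. This is an added example, not part of the original posts and not Avast's own procedure; the function name Get-SigningReport and the .\dist folder are hypothetical.

```powershell
# Added example: Get-SigningReport and .\dist are hypothetical names.
function Get-SigningReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($file in $Path) {
            $sig     = Get-AuthenticodeSignature -FilePath $file
            $cert    = $sig.SignerCertificate
            # A timestamp countersignature is what records the signing date.
            $stamped = $null -ne $sig.TimeStamperCertificate
            $expired = ($null -ne $cert) -and ($cert.NotAfter -lt (Get-Date))

            $note = if ($null -eq $cert) {
                'not signed'
            } elseif ($expired -and -not $stamped) {
                'certificate expired and no timestamp: signing time cannot be established'
            } elseif (-not $stamped) {
                'no timestamp: signature stops verifying once the certificate expires'
            } elseif ($sig.Status -ne 'Valid') {
                "check status: $($sig.StatusMessage)"
            } else {
                'ok'
            }

            [pscustomobject]@{
                File           = Split-Path -Path $file -Leaf
                SHA256         = (Get-FileHash -Path $file -Algorithm SHA256).Hash
                Status         = $sig.Status
                CertThumbprint = if ($cert) { $cert.Thumbprint }
                CertNotAfter   = if ($cert) { $cert.NotAfter }
                Timestamped    = $stamped
                Note           = $note
            }
        }
    }
}

# Example run over a build output folder; sorting by thumbprint shows at a glance
# whether every file really carries the same certificate.
# Get-ChildItem .\dist -Recurse -Include *.exe, *.msi |
#     Get-SigningReport |
#     Sort-Object CertThumbprint |
#     Format-Table File, CertThumbprint, CertNotAfter, Timestamped, Note -AutoSize
```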

REDACTED

  • Guest
Re: Signed executable triggering Cybercapture
« Reply #14 on: June 06, 2017, 03:16:13 PM »
Sorry for the mistake; we will sign the two files with the expired certificate with the new certificate we used for the third.

Many thanks for the quick and efficient help  :)