Author Topic: is eftp3 a trojan or a false positive ?  (Read 7617 times)

qfwfq

  • Guest
is eftp3 a trojan or a false positive ?
« on: April 17, 2006, 04:35:46 PM »
avast home ed. is reporting a Trojan in eftp3. This encrypted FTP looks like a well established product with home page at http://www.encrypted-ftp.com/ .
How can I check if this is a false positive or not? Does a list exist somewhere?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: is eftp3 a trojan or a false positive ?
« Reply #1 on: April 17, 2006, 04:50:33 PM »
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #2 on: April 17, 2006, 06:56:26 PM »
My Avast 4.6 Home Edition also found all of the EFTP3*.Exe (client, server and service) files to contain the "Win32:Delf-ZT" trojan.

I checked the executables using the online malware scan at "http://virusscan.jotti.org/", and the following results appeared (only Avast and 'VBA32' are finding the executables infected):

AntiVir                Found nothing
ArcaVir                Found nothing
Avast                  Found Win32:Delf-ZT
AVG Antivirus          Found nothing
BitDefender            Found nothing
ClamAV                 Found nothing
Dr.Web                 Found nothing
F-Prot Antivirus       Found nothing
Fortinet               Found nothing
Kaspersky Anti-Virus   Found nothing
NOD32                  Found nothing
Norman Virus Control   Found nothing
UNA                    Found nothing
VirusBuster            Found nothing
VBA32                  Found Trojan-Spy.Banker.17 (paranoid heuristics) (probable variant)

Hopefully the Avast team can indicate whether this indeed is a false positive, or a genuine trojan?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: is eftp3 a trojan or a false positive ?
« Reply #3 on: April 17, 2006, 07:09:24 PM »
Can you send an email with the file(s) (false positive or infected) to: virus@avast.com
You can zip and password the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.  ;)
The best things in life are free.

CharleyO

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #4 on: April 17, 2006, 07:14:55 PM »
***

Welcome to the forums, qfwfq & Busara.    :)

I hope you both have followed DavidR's & Tech's advice on sending in these files to avast so that they can be analyzed. Your submissions will help improve the performance of avast by helping to eliminate possible false positives.

Please come back often, learn more, and maybe help others.    :)


***

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #5 on: April 17, 2006, 07:16:46 PM »
Dear Tech and CharleyO,

I have just sent an e-mail with a ZIP archive (no password) to the address you specified. I hope it will help the Avast team.

btw: the latest Windows Defender software also does not report any 'unwanted components' in the three mentioned executables.

I'm looking forward to hearing the results.

Regardless, Avast is great software and I am a very happy user. Great work!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: is eftp3 a trojan or a false positive ?
« Reply #6 on: April 17, 2006, 08:04:36 PM »
The reason for using a password is to avoid the attachment being subjected to various email servers' anti-virus tools on its way to avast.

Whilst it is unlikely in this case as it appears to be a false positive detection, if it were a real virus it is likely that it would be detected en route and possibly blocked/bounced/deleted and avast wouldn't receive it.

Welcome to the forums.

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #7 on: April 17, 2006, 08:30:20 PM »
I forgot to thank you all for the warm welcome on these forums - thanks!

Regarding the password-protected zip archives - now I understand. If my e-mail to Avast bounces back to my mailclient I'll be happy to resend it.

Which makes me think: are you sure it won't bounce back from the Avast mail server? I'm sure Avast is running Avast software to protect their servers?  :)
« Last Edit: April 17, 2006, 08:35:20 PM by Busara »

lesterclayton

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #8 on: April 17, 2006, 10:32:31 PM »
Thanking everybody for such tremendous effort and action.  EFTP3 Client, Server and Service uses UPX (the Ultimate Packer for eXecutables) version 1.25, and a lot of other software, including viruses/trojans/spyware et cetera, will use this or similar technologies to make their software harder to detect.  UPX compresses and encrypts the executable in question, and when it is launched it is decrypted and inflated into memory.  EFTP uses UPX for security reasons, to make it harder to reverse engineer as well as to make it small enough to fit on floppy disks or memory cards.

What's happened here is that the trojan W32:Delf-ZT has probably been UPX'ed, and by some chance there is a string of code which is the same in my product and the trojan, and this is the string that Avast is checking against.

This will be the third false positive we've had so far, and in my experience the reporting software is soon rectified.

Once again, thanks to everybody for your efforts so far, and especially to the various people who have taken it upon themselves to report this on my behalf.

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #9 on: April 17, 2006, 10:57:53 PM »
Thank you Lester for posting your extensive technical explanation.

As you must have noticed I also posted about Avast's trojan detection on your (wonderful) product's forum. I am quite certain that the trojan-detection described here is a false positive. I uploaded the EFT3Server.exe executable to an online malware scan, and most of the scanners there found your product to be perfectly clean, obviously.

If ALWIL agrees I'm sure they will change the way Avast interprets the code techniques you described. This will be beneficial to both Avast and EFTP3 users - which is why I also posted on your product's forum in the first place.
« Last Edit: April 17, 2006, 10:59:50 PM by Busara »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: is eftp3 a trojan or a false positive ?
« Reply #10 on: April 17, 2006, 11:28:01 PM »
> Regarding the password-protected zip archives - now I understand. If my e-mail to Avast bounces back to my mailclient I'll be happy to resend it.
>
> Which makes me think: are you sure it won't bounce back from the Avast mail server? I'm sure Avast is running Avast software to protect their servers?  :)

It is not so much the avast email servers protecting themselves, but the first link in the chain is your ISP's email server where it may well be scanned and the same is true of each server in the chain.

I don't expect it will bounce back from the avast servers as it is going to virus @ avast.com and they are expecting infected attachments, so I guess they have procedures in place to receive them. Hopefully it wouldn't bounce or be deleted from other servers as it is most likely to be a false positive detection, so I believe it should get through.

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #11 on: April 18, 2006, 06:09:31 PM »
Today's new Avast definitions seem to have fixed the false positive. Avast no longer finds any unwanted content in the EFTP software.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: is eftp3 a trojan or a false positive ?
« Reply #12 on: April 18, 2006, 07:20:46 PM »
Thanks for letting us know it is resolved.

You can remove it from any exclusions if you set them up.

Busara

  • Guest
Re: is eftp3 a trojan or a false positive ?
« Reply #13 on: April 18, 2006, 07:24:42 PM »
I haven't gotten any e-mail back from ALWIL, but I'm sure they acted upon the reports in this topic.

So I guess there's no official statement yet, but it seems clear what has been going on.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: is eftp3 a trojan or a false positive ?
« Reply #14 on: April 18, 2006, 07:41:12 PM »
They would normally only contact you if they required some more information.