Author Topic: Automatic Flashplayer updater detected as malware  (Read 4200 times)


Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 337
Automatic Flashplayer updater detected as malware
« on: January 21, 2020, 04:34:31 PM »
Hello,
my Behavior shield detected InstallFlashPlayer.exe as IDP generic. It is a false positive, of course. My Flash just automatically updated to 32.0.0.321.
When I told Avast to restore that file from the chest, the file was not recovered, so I cannot send it to you. Remove this detection. Thank you.

Offline bryanh1231

  • Jr. Member
  • **
  • Posts: 26
Re: Automatic Flashplayer updater detected as malware
« Reply #1 on: January 21, 2020, 05:03:36 PM »
I received the same message just starting the Slotomania app on Win 10 Pro.

Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 337
Re: Automatic Flashplayer updater detected as malware
« Reply #2 on: January 21, 2020, 05:17:57 PM »
I have had bad experiences with Behavior shield. It is not the first time that Behavior shield has broken the installation of my software. My Flash seems OK even though it was blocked. But the file restored from the chest is nowhere.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37101
Re: Automatic Flashplayer updater detected as malware
« Reply #3 on: January 21, 2020, 05:18:19 PM »
Quote
When I told Avast to restore that file from the chest, the file was not recovered, so I cannot send it to you.
You can send the file and report it as a false positive from the Avast chest.

See report options here >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 337
Re: Automatic Flashplayer updater detected as malware
« Reply #4 on: January 21, 2020, 05:20:15 PM »
Quote
When I told Avast to restore that file from the chest, the file was not recovered, so I cannot send it to you.
You can send the file and report it as a false positive from the Avast chest.

See report options here >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Not now; when I hit the restore button, it was automatically deleted from the chest. I want to use VirusTotal first.

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 308
Re: Automatic Flashplayer updater detected as malware
« Reply #5 on: January 22, 2020, 12:52:32 AM »
Better not to use Flash Player unless you have to now. Always been a security weak link. I've one PC and a VM which have been without it for almost a year and never had a problem on any web site.

The updater, when downloaded manually direct from Adobe, is a weird thing in that once it has initiated and installed the update it's actually deleted automatically from wherever it is. Sounds like this is what has happened here and why it can't be restored from the AVAST virus chest.

What AVAST is doing is pretty pointless if that is correct, because it's done it after Flash Player has actually been updated. FP 32.0.0.321 is the latest version.

You could go to:-

https://www.adobe.com/software/flash/about/

Click on the Player Download Center link and get a copy of the current Flash Player installer manually (make sure you opt out of the other offers). Try sending that to VirusTotal.

Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 337
Re: Automatic Flashplayer updater detected as malware
« Reply #6 on: January 22, 2020, 04:50:45 PM »
I know Flash has no use these days; I just have it installed from another era, when HTML5 video did not exist. My Windows installation is very old, but this is no reason why Behavior shield should block legit software. For me, Behavior shield can cause only problems, breaking software installations for no reason. It never detected real malware for me; it only broke software because of false positives. I am really thinking about removing this component from my Avast installation.
« Last Edit: January 22, 2020, 04:54:56 PM by TheOwner »

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 308
Re: Automatic Flashplayer updater detected as malware
« Reply #7 on: January 22, 2020, 05:51:36 PM »
Yes, false positives are annoying and I'd bet in this case it is either a mistake or some AVAST IT bod has decided Flash Player is now a PUP and as such a potential threat as it modifies files in the Windows installation.

The solution, which I assume is possible in this case, is to go to the Behavior Shield > Settings and change the default action from whatever it is (Auto-Decide I think is the normal default setting) to "Ask" and/or add the Flash Player updater to Trusted Processes.

Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 337
Re: Automatic Flashplayer updater detected as malware
« Reply #8 on: January 22, 2020, 07:17:14 PM »
IDP Generic detection was detected on InstallFlashPlayer.exe, which is a temporary file under the C:\Windows\SysWOW64\Macromed\Temp folder. This file is always deleted immediately after installation. So it has nothing to do with FlashPlayerUpdateService.exe, which triggers the update. And because it was detected by Behavior shield, FileSystem shield found that executable clean. (FileSystem shield scans first; if the file is clean, then it executes.)

It is not a PUP; Behavior shield does not scan for PUPs, only other shields do. Also, a PUP detection is marked as PUP, not IDP Generic.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 71853
    • >>>  Avast Forum - German-language section  <<<
Re: Automatic Flashplayer updater detected as malware
« Reply #9 on: January 23, 2020, 05:44:03 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Win 8.1 [x64] - Avast PremSec 21.9.6605.IBC [UI.666] - EEK - Firefox ESR 78.14 [NS/uBO/PB] - TB 91.1.1
Avast-Tools: Secure Browser 93.0 - Cleanup 21.3 - SecureLine 5.13 - Driver Updater 21.3 - CCleaner 5.85
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 308
Re: Automatic Flashplayer updater detected as malware
« Reply #10 on: January 23, 2020, 01:33:27 PM »
Quote
IDP Generic detection was detected on InstallFlashPlayer.exe, which is a temporary file under the C:\Windows\SysWOW64\Macromed\Temp folder. This file is always deleted immediately after installation. So it has nothing to do with FlashPlayerUpdateService.exe, which triggers the update. And because it was detected by Behavior shield, FileSystem shield found that executable clean. (FileSystem shield scans first; if the file is clean, then it executes.)

It is not a PUP; Behavior shield does not scan for PUPs, only other shields do. Also, a PUP detection is marked as PUP, not IDP Generic.

I meant Flash Player itself may now be being treated as a PUP so, of course, its installer and the updater processes are now treated as IDP Generic detections, i.e. behaviour that appears to be malware.

The fact is your Flash Player still updated so whatever and why AVAST was doing what it did was late and ineffective.

https://appuals.com/what-is-idp-generic/

The interesting parts of that article are:-

"IDP generic means that the detection was detected by an Identity Protection Detection component of your antivirus and it is a generalized file that got detected. Your files will be flagged by this whenever the file does something identical to malware that triggers the flag."

"The most common cause of this false positive flag is usually an outdated definition of your antivirus program."

Another explanation is that the definitions have been changed and it is a false positive caused by the AV now, wrongly, detecting the normal behaviour of the Flash Player updater as suspicious.

What points to this being an obvious FP is that the Windows\SysWOW64\Macromed folder actually contains a FlashPlayerUpdateService.exe. Pretty pointless virus chesting just the updater EXE and not the EXE that has just downloaded it automatically and will continue to do so if the Flash Player Installation is not updated.