Author Topic: False positive for installer that has 180 MB

Offline Marius80

  • Newbie
  • *
  • Posts: 3
False positive for installer that has 180 MB
« on: March 29, 2021, 09:10:59 PM »
Hello,

We have an installer that is signed using EV certification and Avast is scanning the installer because "CyberCapture" detects it as suspicious.

Since our installer is bigger than 50MB how can we join the whitelist program as mentioned here https://support.avast.com/en-ww/article/229/
We release it frequently and would like to whitelist it each time.

Here is the virustotal scan: https://www.virustotal.com/gui/file/c026e2942579e24babd927640cb3072a284670a020318e4431fb9f43e15f9a05/detection

Thank you,
Marius.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: False positive for installer that has 180 MB
« Reply #1 on: March 29, 2021, 10:01:43 PM »
Dear Marius80,

See the juju box alert:
htxps://vtbehaviour.commondatastorage.googleapis.com/c026e2942579e24babd927640cb3072a284670a020318e4431fb9f43e15f9a05_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1617048118&Signature=UiZ9HppiHn7Ly6wzVqNnDhf3NXoYNaq1uLS1AqfcygB5C1l0KTZK8MvMu1DwWzOXLZ7pbBG86%2FqI%0AuqfcpSLQgR0FHF4jUMGUfdIxoYLToHbv%2Bg6cuU4uD0AuZoQOvCcnTwCSLniwXH1S8pmHoDRlatK9%0Ah9n1LYupqjCaSKDCVu0%3D&response-content-type=text%2Fhtml; (I have made that link non-click for obvious reasons, but it does not take rocket technology to see what it reports)

Wait for an avast team member to comment and give a final verdict.
It is their definitions, so they are the ones to come up with an explanation,
and then are the only ones to come and unblock. Did you report there?

Yours respectfully,

polonus (error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: False positive for installer that has 180 MB
« Reply #2 on: March 30, 2021, 05:44:13 PM »
Hello,
this happens for new unknown files. I have marked it clean so it should be OK now.

Milos

Offline Marius80

Re: False positive for installer that has 180 MB
« Reply #3 on: March 31, 2021, 02:40:14 PM »
Thank you,

Will the clean mark persist on future releases, or do we have to do a manual process on each release?

Marius.

Offline polonus

Re: False positive for installer that has 180 MB
« Reply #4 on: April 01, 2021, 12:56:12 AM »
Hi Marius80,

It is not a bad idea to report new signed future releases to avast team,
so eventual avast whitelisting and/or an eventual undesirable FP would cross-interfere.
Pre-armed is the best way to go.

polonus

Offline Marius80

Re: False positive for installer that has 180 MB
« Reply #5 on: April 01, 2021, 09:59:20 AM »
Thank you polonus for your response.

Is there any way to report them outside the whitelisting program that limits the file size to 50MB?
Our installer exceeds that and there is no documentation on how to report those files. I mean, there is with the FTP, but the credentials are given with the first whitelisting program report.


Marius

Offline polonus

Re: False positive for installer that has 180 MB
« Reply #6 on: April 01, 2021, 10:39:33 AM »
You have to take that up with avast's team.

We here are just volunteers with relative knowledge
(Little old me in the field of website security and script-error-hunting).
Avast Team will instruct you what to do in this case, contact them.

polonus