Author Topic: AVAST Erroneously Says My Software Is A Trojan  (Read 8999 times)

kevinper

  • Guest
AVAST Erroneously Says My Software Is A Trojan
« on: July 12, 2007, 05:04:01 AM »
I wrote a horse racing handicapping program.  For security purposes and for a free 10 day evaluation, the program connects to 129.6.15.28 ' time-a.nist.gov Gaithersburg, Maryland' to get the current date and writes it to the user's hard drive.  Every time the program is run during the evaluation, it checks the current date and if 10 days are up then it tells the user so.

When given an activation code, the user enters it and the program checks the code on the server and if the code is valid, it puts a text file on my server so that I know that the program was installed and writes to their hard drive that there is a valid license.

I have had two people who use Avast tell me that Avast is telling them that there is a trojan with the software.  Each time I redownload and check the software for viruses and there are none.  The name reported is: Win 32: Trojan-gen.{upx!}

Can someone tell me why Avast would report it as a virus and maybe tell me how to avoid such a situation?

The software can be checked at:

http://quickplayhorseracingsoftware.com/ShowBet_Install

Thanks,

Kevin

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #1 on: July 12, 2007, 05:17:52 AM »
User is using Avast v4.7 home edition.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #2 on: July 12, 2007, 05:21:42 AM »
Can someone tell me why Avast would report it as a virus and maybe tell me how to avoid such a situation?
Kevin, most probably a false positive.
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits, 10 and 15MB each.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

Sorry...
The best things in life are free.

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #3 on: July 12, 2007, 05:41:24 AM »
Jotti says it's INFECTED/MALWARE with packers detected: UPX, ASPACK, whatever that means.  Two virus scans came up with something:

Avast: Found Win32:Trojan-gen.

Norman Virus Control: Found W32/ProAgent.MT

I know for a fact that my software does not contain any viruses.

Kevin

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #4 on: July 12, 2007, 05:46:21 AM »
I don't have winzip.  Is there another program I can use to send it in?

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #5 on: July 12, 2007, 05:59:45 AM »
Never mind.  Found one.  http://www.freebyte.com/fbzip/

CharleyO

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #6 on: July 12, 2007, 07:49:47 AM »
***

I got this below when I tried to access the link you provided ......

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34066
  • malware fighter
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #7 on: July 12, 2007, 08:14:05 AM »
Hi CharleyO,

Maybe "Disney America" ;D  did not allow you access there, but according to DrWeb's hyperlink scanner the link is CLEAN.
"File size: 15674 bytes
I suggest that kevinper uploads to virustotal, then sends a FP-report to those vendors whose signatures falsely flag it, might be in the packers used.

fbzip - OK"

pol
« Last Edit: July 12, 2007, 08:18:10 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #8 on: July 12, 2007, 01:48:27 PM »
I don't have winzip.  Is there another program I can use to send it in?
www.izarc.org is the best I've found. ZipGenius is another.
Hope they correct the false positive soon.

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #9 on: July 12, 2007, 04:03:18 PM »
***

I got this below when I tried to access the link you provided ......
CharleyO, you are right.  I forgot to add .exe to the end.  Here is the corrected link:

http://quickplayhorseracingsoftware.com/ShowBet_Install.exe

Kevin

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89692
  • No support PMs thanks
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #10 on: July 12, 2007, 04:12:10 PM »
No detections found with DrWeb link checker; it may be the multiple packers that are causing the hiccup.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
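
Added example, not part of the original thread and not any poster's or vendor's code: Jotti's "packers detected: UPX, ASPACK" refers to markers that runtime packers leave in an executable, which the replies suspect is behind the generic detection. The sketch below reads a PE file's section table and reports those markers; the helper names and the sample headers are constructed for illustration.

```python
import struct

# Section names these packers leave in the PE section table.
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                   b".aspack": "ASPack", b".adata": "ASPack"}
MEM_WX = 0x20000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
UNPACK_TARGET = "empty writable+executable section"


def pe_sections(data):
    """Yield (name, virtual_size, raw_size, characteristics) per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # signature + COFF header + optional header
    for off in range(table, table + 40 * count, 40):
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        yield name.rstrip(b"\0"), vsize, rsize, flags


def packer_hints(data):
    """Return sorted packer indicators found in the section table."""
    hints = set()
    for name, vsize, rsize, flags in pe_sections(data):
        if name in PACKER_SECTIONS:
            hints.add(PACKER_SECTIONS[name])
        # No bytes on disk but writable and executable in memory: typical of
        # the region a packer stub fills with the unpacked code at run time.
        if (flags & MEM_WX) == MEM_WX and rsize == 0 and vsize > 0:
            hints.add(UNPACK_TARGET)
    return sorted(hints)


def build_sample(sections):
    """Constructed input: PE headers only, no code, for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = [struct.pack("<8sIIIIIIHHI", n, vs, 0x1000, rs, 0, 0, 0, 0, 0, fl)
            for n, vs, rs, fl in sections]
    return dos + b"PE\0\0" + coff + b"".join(rows)


PACKED = build_sample([(b"UPX0", 0x8000, 0, 0xE0000080),
                       (b"UPX1", 0x4000, 0x3E00, 0xE0000040)])
print(packer_hints(PACKED))
```

Running `packer_hints` on the bytes of a release build before publishing shows whether the shipped installer carries these markers, which is useful context to include in a false-positive report.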

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #11 on: July 15, 2007, 08:48:29 PM »
Apparently he can't even download the software off of the server.  I did zip it up and send it in, but how long does something like this take?

Thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #12 on: July 15, 2007, 08:58:11 PM »
Apparently he can't even download the software off of the server.
If it is detected as a virus it will be blocked by WebShield before you finish the download of the file...

I did zip it up and send it in but how long does something like this take?
They're usually quick on correcting false positives... you're being unlucky... hope they're monitoring this thread...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89692
  • No support PMs thanks
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #13 on: July 15, 2007, 10:06:19 PM »
Apparently he can't even download the software off of the server. 

He will be able to if he pauses (or terminates) the web shield provider, that will at least get it to his hard disk, where the standard shield may chirp in, but he will be able to choose no action and then add the file detected to the exclusions lists as previously mentioned.

kevinper

  • Guest
Re: AVAST Erroneously Says My Software Is A Trojan
« Reply #14 on: July 15, 2007, 10:12:37 PM »
Thank you.  I will tell him.  I went ahead and started scanning all the files in the program - after it is unpacked and installed - and Avast said they are all clean (according to Jotti's). 

I really appreciate everyone's help!

Thanks