Topic: Compiled Batch Files being flagged in error as Trojan Horse

grannyGrump

  • Guest
Compiled Batch Files being flagged in error as Trojan Horse
« on: September 19, 2007, 09:02:04 AM »
I have the same problem that was posted here a year ago with no response

http://forum.avast.com/index.php?topic=23339.0
(and additional posts on same subject during the year previous to that.)

Is there ANY hope of this getting fixed?
I, and many others, use compiled batch files a lot, and I must baby-sit Avast through every scan.
I have about 30 of them scattered on my 120 gb usb drive, and it is a real disappointment that Avast thinks they have Trojan Horses.

Please, can this get fixed?
Can somebody advise a way to tell AVAST to ignore these particular files ( I give them unique names starting with ~__ )

Any info will be greatly appreciated.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #1 on: September 19, 2007, 02:19:23 PM »
If you give them unique names and also put them in a specific folder you can exclude them using the wildcard c:\foldername\~__*.*, see below exclusions lists.

But what would be better is to confirm that it is only avast detecting this and if so submit the sample (or a couple) for analysis.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists and Restore it to its original location:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Periodically check it (scan it in the chest, there should still be a copy in the chest even though you restored it to the original location). When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email and False Positive for the email subject. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
« Last Edit: September 19, 2007, 02:21:07 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

grannyGrump

  • Guest
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #2 on: September 20, 2007, 07:43:14 AM »
Thank you so much for responding.
I added the files & paths to the Exclusions list, but continued to get the siren and verbal warning when I actually ran the (converted) exe files.
I don't know what I did wrong, I will try again when I get home.

I use freeware Batch2Exe-converter to compile batch files I wrote myself.
     From the author's website:
Quote
> This program uses UPX to pack executables
> This program uses FASM to compile the executables
> This program uses GoRC to compile the resource files

I know UPX is known to sometimes cause false positives, maybe the others do as well.


For one of the compiled batch files, VirusTotal results show 2 flags for backdoor, 2 for Trojan.bat.agent, and 2 for "suspicious".

For the converter itself, VirusTotal results show 1 flag for suspicious Trojan/Worm, 1 for Win32.ModifiedUPX.gen!84 (suspicious). 
I think probably because the author used UPX to pack the converter.

Can you advise what action I should take at this point?

Thanks for any help you can provide.
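
Added example, not part of the original thread: Reply #2 notes that the converter packs its output with UPX and that one engine reports Win32.ModifiedUPX.gen, so a quick triage step before submitting a sample is to check whether the executable carries the usual UPX markers (sections named UPX0/UPX1 and the `UPX!` header tag). The function names, result labels and the constructed sample headers below are hypothetical, and the result describes packing only, not whether a file is malicious.

```python
import struct

def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise ValueError("PE signature or COFF header not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                           # first section header
    if table + 40 * n_sections > len(data):
        raise ValueError("truncated section table")
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
            for i in range(n_sections)]

def upx_triage(data: bytes) -> str:
    """Heuristic packer check; says nothing about whether the file is malicious."""
    names = pe_section_names(data)
    has_sections = {"UPX0", "UPX1"} <= set(names)
    has_magic = b"UPX!" in data
    if has_sections and has_magic:
        return "upx-standard"
    if has_sections or has_magic:
        return "upx-partial"         # only some markers present (renamed or stripped)
    return "no-upx-markers"

def build_sample(section_names, tail=b""):
    """Constructed minimal PE header (not a runnable program) used as demo input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + tail

if __name__ == "__main__":
    samples = {
        "packed, markers intact": build_sample(["UPX0", "UPX1", ".rsrc"], b"UPX!"),
        "packed, tag missing": build_sample(["UPX0", "UPX1", ".rsrc"]),
        "not packed": build_sample([".text", ".data"]),
    }
    for label, blob in samples.items():
        print(f"{label}: {pe_section_names(blob)} -> {upx_triage(blob)}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_triage`; including the result in a false-positive report tells the analyst what kind of packing to expect.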

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #3 on: September 20, 2007, 08:08:09 AM »
There are two exclusion lists. Is this the one you added your files/paths to? Left click the "a" icon, choose the standard shield, click customize button and advanced tab.

mouniernetwork

  • Guest
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #4 on: September 20, 2007, 01:39:17 PM »
Quote
> I have the same problem that was posted here a year ago with no response
>
> http://forum.avast.com/index.php?topic=23339.0
> (and additional posts on same subject during the year previous to that.)
>
> Is there ANY hope of this getting fixed?
> I, and many others, use compiled batch files a lot, and I must baby-sit Avast through every scan.
> I have about 30 of them scattered on my 120 gb usb drive, and it is a real disappointment that Avast thinks they have Trojan Horses.
>
> Please, can this get fixed?
> Can somebody advise a way to tell AVAST to ignore these particular files ( I give them unique names starting with ~__ )
>
> Any info will be greatly appreciated.

Did you compile it as a ghost application?
What virus does it detect? (w32:Trojan-gen{other}?)

Al968

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #5 on: September 20, 2007, 02:16:11 PM »
Quote
> Thank you so much for responding.
> I added the files & paths to the Exclusions list, but continued to get the siren and verbal warning when I actually ran the (converted) exe files.

You must use two Exclusion lists as posted by David and Oldman to cover both on-demand and on-access scanning. Note that David posted both ways before. Are you saying that even this way the detection alert is shown?
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #6 on: September 20, 2007, 02:59:15 PM »
Quote
> Thank you so much for responding.
> I added the files & paths to the Exclusions list, but continued to get the siren and verbal warning when I actually ran the (converted) exe files.

No problem, welcome to the forums.

As has been mentioned you need to exclude them in both locations.

If you did that please post that path that you entered and we may be able to see why it might not be working.

grannyGrump

  • Guest
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #7 on: September 21, 2007, 05:16:38 AM »
OK, I did a reboot, and now the exclusions list is working for me.
(I knew it would be something dumb I did wrong).  So if I can trust the compiler, I am good to go for running the exe's.



al968 , I did compile them as "ghost".

TotalVirus had more hits than Jotti, but both flagged my compiled files.

Authentium = W32/Backdoor.AFNU
eSafe  = suspicious Trojan/Worm
F-Prot  = W32/Backdoor.AFNU
Ikarus  and VBA32   = Trojan.BAT.Agent.j
NOD32v2  = Trojan:Win32/Agent!6239
Prevx1  = Malware.Gen
Webwasher  = Win32.ModifiedUPX.gen!90

at Jotti site
CPsecure  = Downloader.W32.Url2File.A
F-Prot   = W32/Backdoor.AFNU
VBA32  = Trojan.BAT.Agent.j
NOD32  = NOTHING
Avast  =  NOTHING

TotalVirus flagged the compiler itself, but Jotti did not.


I downloaded the compiler from the author's website, not a download site.  I don't think he is propagating viruses.

How concerned should I be? 
What other actions do you recommend?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #8 on: September 21, 2007, 02:00:35 PM »
I don't know what was wrong but you shouldn't need to reboot for the exclusions to work.

VirusTotal is more likely to have more hits as it uses the windows version of the scanners (Jotti is Linux/Unix version) and certainly for avast that means more supported packers. This could be the same for other scanners so it is able to actually scan by unpacking first.

I notice there was no detection on VT for avast, unless you left that out, if not it is down to the fact that the VT signatures are a little behind the users, which are updated automatically.

I would doubt there is an intention by the author to propagate malware, but I would suggest you contact him as there are a number of scanners detecting stuff. Whilst these may well be false positives based on the code used and what it might be doing, it is something the author should consider.

You should most certainly send some samples of the compiled files to avast for analysis as 'possible' false positive, this may find what is triggering the detection and if it is malicious or not so that the signatures might be improved/corrected.

grannyGrump

  • Guest
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #9 on: September 22, 2007, 10:42:05 AM »
Thanks so much for the input.  I will follow your advice.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Compiled Batch Files being flagged in error as Trojan Horse
« Reply #10 on: September 22, 2007, 03:09:00 PM »
You're welcome, let us know the outcome.