Author Topic: Need help submitting false positive -- pls see explanation  (Read 2298 times)

JLJ

  • Guest
Need help submitting false positive -- pls see explanation
« on: October 23, 2008, 07:45:37 PM »
avast! Home free v 4.8.1129 / Xtreme Toolkit v 1.9.4.0 / Windows XP Home

I use an application called FlexCrypt Folder (http://www.flexcrypt.com/flexcryptfolder.html) which encrypts files into password-protected executables. I have been using this for a while and I have every reason to believe it is legit and clean.

Each time it's run, Flexcrypt generates variably-named .DAT files, and avast! is flagging these files as containing "Win32: Trojan-gen{Other}". Flexcrypt cannot be run, nor the resulting executable files opened or accessed, while Standard Shield is running; it must be paused to run Flexcrypt and generate or access the resulting executables.

Since avast! is flagging multiple, individually-generated files, I'm not sure how to submit this to VirusTotal and/or avast! directly for consideration.  Any advice appreciated.

THX JLJ

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: Need help submitting false positive -- pls see explanation
« Reply #1 on: October 23, 2008, 07:58:00 PM »
You can only upload individual files to VT, so I would suggest you upload a couple and post the link to the results here.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, send a couple of the samples to avast; these can be grouped into one password-protected archive.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body (a link to this topic and the VT results might help) and false positive/undetected malware in the subject.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

JLJ

  • Guest
Re: Need help submitting false positive -- pls see explanation
« Reply #2 on: October 24, 2008, 03:01:32 AM »
Thanks, I've followed your instructions to the letter. Here is the VirusTotal result of one of three flagged Flexcrypt files:

*****************

File 00000010 received on 10.24.2008 02:57:49 (CET)
Result: 0/36 (0%)
   
AhnLab-V3   2008.10.22.0   2008.10.23   -
AntiVir   7.9.0.5   2008.10.23   -
Authentium   5.1.0.4   2008.10.23   -
Avast   4.8.1248.0   2008.10.23   -
AVG   8.0.0.161   2008.10.23   -
BitDefender   7.2   2008.10.24   -
CAT-QuickHeal   9.50   2008.10.23   -
ClamAV   0.93.1   2008.10.24   -
DrWeb   4.44.0.09170   2008.10.24   -
eSafe   7.0.17.0   2008.10.23   -
eTrust-Vet   31.6.6164   2008.10.22   -
Ewido   4.0   2008.10.23   -
F-Prot   4.4.4.56   2008.10.23   -
F-Secure   8.0.14332.0   2008.10.24   -
Fortinet   3.113.0.0   2008.10.23   -
GData   19   2008.10.24   -
Ikarus   T3.1.1.44.0   2008.10.24   -
K7AntiVirus   7.10.505   2008.10.23   -
Kaspersky   7.0.0.125   2008.10.24   -
McAfee   5413   2008.10.23   -
Microsoft   1.4005   2008.10.24   -
NOD32   3550   2008.10.23   -
Norman   5.80.02   2008.10.23   -
Panda   9.0.0.4   2008.10.23   -
PCTools   4.4.2.0   2008.10.23   -
Prevx1   V2   2008.10.24   -
Rising   21.00.32.00   2008.10.23   -
SecureWeb-Gateway   6.7.6   2008.10.23   -
Sophos   4.34.0   2008.10.24   -
Sunbelt   3.1.1749.1   2008.10.23   -
Symantec   10   2008.10.24   -
TheHacker   6.3.1.0.126   2008.10.23   -
TrendMicro   8.700.0.1004   2008.10.24   -
VBA32   3.12.8.8   2008.10.22   -
ViRobot   2008.10.23.1434   2008.10.23   -
VirusBuster   4.5.11.0   2008.10.23   -

Additional information
File size: 634888 bytes
MD5...: 118c95c2f7e9d14a001c2efea3a4221e
SHA1..: 744305ab324c21b80327308f706b9e45818b02f4
SHA256: 249740a2e1a4837e8a23ff200cd1437ab1c4ca51dad2642c9608fb9f2ce8b6dd
SHA512: fbec2296dc9f7c5bd0d5d6ba2677f3698c638f94752adac786be75d3a06d4ba6
04876e5be32a6434622b7afe7a6faaac7d500752c4c2ba98adbff41c30a52b49
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

******************

I'll submit a zip with three files as noted. THANKS

JLJ

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: Need help submitting false positive -- pls see explanation
« Reply #3 on: October 24, 2008, 02:56:48 PM »
You're welcome, let's hope there is a speedy correction.

You could exclude the *.dat files if they are in the one folder, e.g. c:\foldername\*.dat. That * wildcard means all .dat files in the folder would be excluded from scans, so if you chose to do that you would have to exercise care or you could leave a big security hole.

Periodically scan the suspect files in the chest and when they are no longer detected restore the files and remove the exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
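One way to keep an eye on what a `*.dat` wildcard exclusion like the one discussed above leaves unscanned, as an added example that is not part of the original thread: the script lists every file the pattern covers, hashes it, marks files that start with the `MZ` executable header, and reports files that appeared since an earlier baseline. The folder, file names and file contents are constructed for the demonstration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable

def audit_exclusion(folder, pattern="*.dat"):
    """Return one record per file that the wildcard exclusion would cover."""
    records = []
    for path in sorted(Path(folder).iterdir()):
        # Windows matches file names case-insensitively, so compare lowercased.
        if not path.is_file():
            continue
        if not fnmatch.fnmatchcase(path.name.lower(), pattern.lower()):
            continue
        data = path.read_bytes()
        records.append({
            "name": path.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "looks_executable": data[:2] == PE_MAGIC,
        })
    return records

def new_since(baseline, current):
    """Names of covered files whose hash was not present in the baseline."""
    known = {r["sha256"] for r in baseline}
    return [r["name"] for r in current if r["sha256"] not in known]

def demo():
    # Constructed sample folder standing in for c:\foldername (hypothetical).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "00000010.DAT").write_bytes(b"\x01" * 64)    # expected data file
        (root / "notes.txt").write_bytes(b"still scanned")   # not covered
        baseline = audit_exclusion(root)
        # A file that arrives later also escapes scanning under the wildcard.
        (root / "dropped.dat").write_bytes(b"MZ" + b"\x00" * 62)
        current = audit_exclusion(root)
        return baseline, current, new_since(baseline, current)

if __name__ == "__main__":
    baseline, current, fresh = demo()
    for rec in current:
        flag = "EXECUTABLE HEADER" if rec["looks_executable"] else "data"
        print(f'{rec["name"]:<14} {rec["size"]:>6}  {rec["sha256"][:16]}  {flag}')
    print("new since baseline:", fresh)
```

Running the audit before adding the exclusion and again on a schedule shows exactly which files are riding on it, which is the list to rescan once the exclusion is removed.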