Topic: False Positive - iterasiFFScheduler.exe


MadJeff

  • Guest
False Positive - iterasiFFScheduler.exe
« on: October 20, 2008, 05:23:36 PM »
I thought I would report a false positive I've started hitting this weekend with the last def update.

The file is iterasiFFscheduler.exe. I'm getting this on a variety of machines on different networks I maintain. I've uploaded the file to www.virustotal.com and also tested in a clean sandbox here just to verify that the file is actually clean. And as I work for Iterasi, I can trace all the way back to the source. =)

All show clean, including Avast, only GData shows a hit.

I'm currently using the 10/18/08 def file. Looks like VirusTotal is using a 10/15/08 def.

Results of virus total:

Code:
File iterasiFFScheduler.exe received on 10.20.2008 17:00:39 (CET)
Result: 1/36 (2.78%)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.20 -
AntiVir 7.9.0.5 2008.10.20 -
Authentium 5.1.0.4 2008.10.20 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.20 -
BitDefender 7.2 2008.10.20 -
CAT-QuickHeal 9.50 2008.10.20 -
ClamAV 0.93.1 2008.10.20 -
DrWeb 4.44.0.09170 2008.10.20 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6159 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 4.4.4.56 2008.10.20 -
F-Secure 8.0.14332.0 2008.10.20 -
Fortinet 3.113.0.0 2008.10.20 -
GData 19 2008.10.20 Win32:Zlob-CPC 
Ikarus T3.1.1.44.0 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 7.0.0.125 2008.10.20 -
McAfee 5408 2008.10.17 -
Microsoft 1.4005 2008.10.20 -
NOD32 3538 2008.10.20 -
Norman 5.80.02 2008.10.17 -
Panda 9.0.0.4 2008.10.20 -
PCTools 4.4.2.0 2008.10.20 -
Prevx1 V2 2008.10.20 -
Rising 20.67.01.00 2008.10.20 -
SecureWeb-Gateway 6.7.6 2008.10.20 -
Sophos 4.34.0 2008.10.20 -
Sunbelt 3.1.1732.1 2008.10.18 -
Symantec 10 2008.10.20 -
TheHacker 6.3.1.0.119 2008.10.18 -
TrendMicro 8.700.0.1004 2008.10.20 -
VBA32 3.12.8.7 2008.10.19 -
ViRobot 2008.10.20.1428 2008.10.20 -
VirusBuster 4.5.11.0 2008.10.20 -
Additional information
File size: 81920 bytes
MD5...: 25120390da2ac835736ff4b969243005
SHA1..: b77a79f514cde00132c80f669f95994d59c8dc9c
SHA256: a704e145213f75737cd65b505a6350e7ff2e244c93616d95e7f0af0bc1db040b
SHA512: c7687f61e61d43eef5a2e5348500299c40f5137e383d76d62154bf8f0d7fefab5938ac46cb17e68eec32ab616185b6a2735f758c75e1aeb15948b95ae78156bf
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404882
timedatestamp.....: 0x48c15f4e (Fri Sep 05 16:33:18 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc5e8 0xd000 6.47 1c5dce2396e8b0ee0c75ecdd6dd915f3
.rdata 0xe000 0x31b6 0x4000 4.41 efa3c8326e02122598a72abe6993b7fb
.data 0x12000 0x19e0 0x1000 2.52 3840ca7b92e7db4384ca661e7a90b141
.rsrc 0x14000 0xb0 0x1000 3.06 cec9b95146f57b35474dc9da6c445146

( 4 imports )
> PSAPI.DLL: GetModuleBaseNameW, EnumProcesses, EnumProcessModules
> KERNEL32.dll: CreateMutexW, OpenProcess, SetThreadExecutionState, CreateWaitableTimerW, OpenWaitableTimerW, GetLastError, CloseHandle, TerminateProcess, CreateProcessW, SetWaitableTimer, GetExitCodeProcess, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, CompareStringA, CompareStringW, Sleep, TlsFree, GetFileAttributesW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, RaiseException, RtlUnwind, WideCharToMultiByte, GetTimeZoneInformation, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, SetEnvironmentVariableA, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSection, LCMapStringA
> USER32.dll: SetTimer, KillTimer, GetMessageW, CreateWindowExW, wsprintfW, TranslateMessage, DispatchMessageW, RegisterClassW, DefWindowProcW
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCloseKey

0 exports

Can you guys take a look? I don't want all our iterasi users that have Avast to start freaking out. =)
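To reproduce the per-section entropy ("ntrpy") and md5 rows and the whole-file hashes from the VirusTotal report above, so that the sample you e-mail can be confirmed byte-identical to the one VirusTotal scanned, here is an added Python example that is not part of the thread or of any Avast or Iterasi tooling. It walks the PE section table directly with struct (no pefile dependency) and ships with a constructed minimal PE so it runs without a real binary; the section layout it builds is synthetic and not that of iterasiFFScheduler.exe.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; the figure VirusTotal's 'ntrpy' column reports."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def file_digests(blob: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, to compare against the 'Additional information' block."""
    return {a: getattr(hashlib, a)(blob).hexdigest() for a in ("md5", "sha1", "sha256")}

def pe_sections(blob: bytes) -> list:
    """Walk the section table; each entry is (name, virt_addr, virt_size, raw_size, entropy, md5)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                         # section headers follow the optional header
    rows = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[rptr:rptr + rsize]                    # entropy and md5 are over the raw (on-disk) bytes
        rows.append((name.rstrip(b"\0").decode("ascii"), vaddr, vsize, rsize,
                     round(shannon_entropy(raw), 2), hashlib.md5(raw).hexdigest()))
    return rows

def build_synthetic_pe(sections) -> bytes:
    """Constructed test input: a bare PE32 (no optional header) holding the given (name, bytes) sections."""
    raw_ptr = (0x40 + 4 + 20 + 40 * len(sections) + 0x1FF) & ~0x1FF   # first section at a 512-byte boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")       # pad each section to 512 bytes
    return (dos + b"PE\0\0" + coff + table).ljust(raw_ptr, b"\0") + body
```

Run pe_sections() and file_digests() over the bytes of the real file to get rows in the same shape as the report; a .text entropy above about 7 would hint at packing, which is one reason heuristic engines flag otherwise clean tools.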

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: False Positive - iterasiFFScheduler.exe
« Reply #1 on: October 20, 2008, 06:20:50 PM »
Hi MadJeff,

When the iterasi plugin is installed, a separate program called iterasiFFScheduler.exe is installed.  It is our client scheduler program and runs as a stand alone process outside of firefox.  This allows the scheduler to launch firefox when it needs to notarize pages, and to close firefox when it is done. So it is a False Positive because of the heuristic scanning, which is why GData shows a hit.

Here is more about the adware that was found inside:
http://www.daniweb.com/forums/thread141461.html
So before being sure it is actually a FP, and not a lop infection, check this:
http://66.220.17.157/help.html

polonus
« Last Edit: October 20, 2008, 06:31:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

MadJeff

  • Guest
Re: False Positive - iterasiFFScheduler.exe
« Reply #2 on: October 20, 2008, 06:33:45 PM »
Actually I'm well aware of what the scheduler does as I work for the company.  ;D However, I can assure you there is NO adware in this app. I'll be glad to work with any Avast engineer as needed to get the issue resolved, just let me know what you need.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: False Positive - iterasiFFScheduler.exe
« Reply #3 on: October 20, 2008, 06:43:49 PM »
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MadJeff

  • Guest
Re: False Positive - iterasiFFScheduler.exe
« Reply #4 on: October 20, 2008, 06:45:21 PM »
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Sorry, should have stated in my first message I did this.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: False Positive - iterasiFFScheduler.exe
« Reply #5 on: October 20, 2008, 08:04:57 PM »
They are usually quite quick to correct an FP when identified, though they normally don't contact you unless they need more information.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: False Positive - iterasiFFScheduler.exe
« Reply #6 on: October 20, 2008, 08:10:28 PM »
Hi MadJeff,

If you are lucky the next iAVS update may no longer flag it. Tell us here on the forum when the heuristic coast is clear again, and thanks again for the heads-up to our forum community,

polonus

MadJeff

  • Guest
Re: False Positive - iterasiFFScheduler.exe
« Reply #7 on: October 20, 2008, 08:17:14 PM »
Just to clarify, Avast won't contact me once they fix the false positive, so I need to watch for the next update and see what happens? Not a problem, just wanted to be clear as to the process.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: False Positive - iterasiFFScheduler.exe
« Reply #8 on: October 20, 2008, 08:29:48 PM »
I have on occasion been informed when it was a false positive, also it may be acknowledged on the forums and an idea on the VPS version, etc. But that I would say is the exception.

When the next VPS update occurs, scan the sample in the avast chest, since if you have excluded a file in a location, a scan wouldn't find anything as it is excluded.

MadJeff

  • Guest
Re: False Positive - iterasiFFScheduler.exe
« Reply #9 on: October 31, 2008, 05:56:21 PM »
Just wanted to follow up on this to thank you for fixing the false positive, it seems to be passing just fine now.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: False Positive - iterasiFFScheduler.exe
« Reply #10 on: October 31, 2008, 06:09:40 PM »
Thanks for the feedback.