Win32:Bifrose-EGW[Trj]

[Snagglegrain]

Hello

Has anyone recently had avast! flag a Windows Installer file named c415ae.msp as infected with Win32:Bifrose-EGW[Trj]?

I zipped and password-protected the file and sent it to support a few hours ago, but have not heard back.

As an aside, I also noticed that when I tried to email the file to avast from the Chest (by clicking the email icon on the toolbar), nothing happened... that is, the Submit file dialog did not appear.    It does appear for other files in the Chest.  Any ideas?

I eventually added the file to the exclusions lists, in order to email it and also upload it to VirusTotal.  VT, by the way, only had avast! and one other vendor flagging this file.

Any info and help would be appreciated. 

[polonus]

Hi Snagglegrain,

Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,

polonus

[DavidR]

Yes, lots of them, in the viruses and worms forum. http://forum.avast.com/index.php?topic=47063.0 as polonus mentioned.

No idea idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.

[Snagglegrain]

No idea idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.

I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   

[Snagglegrain]

Hi Snagglegrain,

Look here for some answers: http://forum.avast.com/index.php?topic=47063.0
Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update,

polonus

Sorry, looks like I posted this in the wrong forum.    I'll know better next time.   

[Snagglegrain]

Most likely a False Positive, but we are waiting for the final word from the man, and an upcoming correction with a scanner update

Yes, a malware analyst from support just emailed me back...

"File is falsely detected. The detection
will be corrected in next VPS update 090725-0."

[DavidR]

No idea idea why the submission form didn't pop-up for this file but does for others as there should be no difference in file types.

I am puzzled by that as well.  It's almost virus-like behavior, to prevent itself from being sent for analysis.   

It can't be virus like behaviour inside the chest, a protected area, even if it was possible it doesn't make sense that it would effect one file type and not another.

The other problem there have been others who have been able to submit the file.

[Snagglegrain]

The other problem there have been others who have been able to submit the file.

David, did you notice that Fallen-Parts encountered the same behavior as I did when trying to email one of these fp's from the Chest?

[Snagglegrain]

Yes, a malware analyst from support just emailed me back...

"File is falsely detected. The detection
will be corrected in next VPS update 090725-0."

It's all good now!   

[DavidR]

The other problem there have been others who have been able to submit the file.

David, did you notice that Fallen-Parts encountered the same behavior as I did when trying to email one of these fp's from the Chest?

Yes I did, weird. Not something I could check out as I have had no detections.

[Snagglegrain]

If you really want to check it out, I could email you a zipped copy of the fp file I had, and if it's possible to roll back detections to yesterday, you might be able to see the behavior for yourself??

[DavidR]

I don't go that far to check things out on my own system thanks.

[Snagglegrain]

I don't blame you!

[DavidR]

Well I have found out what your problem is

I found a .msp file and added it to the chest and that failed to bring up the form. However, I though it might be because of its size getting in the way.

So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.

Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.

[Snagglegrain]

Well I have found out what your problem is

I found a .msp file and added it to the chest and that failed to bring up the form. However, I though it might be because of its size getting in the way.

So I went to the Program Settings, Chest, Maximum size of file to be sent, mine I had previously set to 2048KB (2MB), changing that to 10000KB (roughly 10MB), a size greater than the actual size of the .msp file.

Having done that I went to the chest again and clicked the email to Alwil Software and the form popped-up, image2. So the problem was trying to send a file exceeding the maximum size, why it didn't report that rather than simply not displaying the submit form I don't know.

You are 100% absolutely correct!  Good thinking, David.  I tested it on my settings as well, and have made the (10mb) change... that's a nice round number.   I'm glad you figured that out.  Thank you.