Author Topic: Win32:Malware-gen in Adobe Photoshop 7, false positive?  (Read 7296 times)


rabies

  • Guest
Win32:Malware-gen in Adobe Photoshop 7, false positive?
« on: June 02, 2010, 12:55:44 PM »
When I did a full scan on my pc today with virus definition 100601-1, Avast detected some Adobe Photoshop 7.0 application files as Win32:Malware-gen. I suspected that it was a false positive because these files have been on my pc ever since I installed Photoshop and Avast never detected them as threats until now. I immediately updated my virus definition to 100602-0 and ran another full scan. This time, no threats were detected.

Can anyone confirm the virus definition 100601-1 caused a false positive in Photoshop 7? The reason I'm asking this is because a few months back, I was trying out Avira and it too flagged the same Photoshop files as threats, but it seems that it too was a case of false positive since subsequent scans eventually turned up nothing.

Thanks.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Malware-gen in Adobe Photoshop 7, false positive?
« Reply #1 on: June 02, 2010, 01:08:54 PM »
It seems avast is reading data in your Photoshop 7 that approximates some signature that may relate to suspect malware.
Guesstimates on what info you provided point to a false positive.

But I'm not sure as to virus definition 100601-1.
Maybe there are others that have noticed something.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

kidd

  • Guest
Re: Win32:Malware-gen in Adobe Photoshop 7, false positive?
« Reply #2 on: June 02, 2010, 01:54:40 PM »
rabies, yes I got C:\Program Files\Adobe\Photoshop 7.0 ME\Samples\Droplets\Photoshop Droplets\Drop Shadow Frame.exe flagged with virus definition 100601-1. Sent it for analysis, virus definition 100602-0 doesn't flag it. I submitted it to VirusTotal and it was flagged a couple of times. The date stamp of the file on my system is 14 August 2002 so I assume an F/P.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Win32:Malware-gen in Adobe Photoshop 7, false positive?
« Reply #3 on: June 02, 2010, 03:52:41 PM »
If 100602-0 doesn't flag it, the signature has been corrected after analysis and included in the next available virus definitions update.

Restore it from the chest (assuming you sent it there) to its original location, confirm that it is now in the original location and delete the copy that remains in the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rabies

  • Guest
Re: Win32:Malware-gen in Adobe Photoshop 7, false positive?
« Reply #4 on: June 02, 2010, 07:36:30 PM »
Quote from: kidd on June 02, 2010, 01:54:40 PM
rabies, yes I got C:\Program Files\Adobe\Photoshop 7.0 ME\Samples\Droplets\Photoshop Droplets\Drop Shadow Frame.exe flagged with virus definition 100601-1. Sent it for analysis, virus definition 100602-0 doesn't flag it. I submitted it to VirusTotal and it was flagged a couple of times. The date stamp of the file on my system is 14 August 2002 so I assume an F/P.
Thanks for the info, kidd. In my case all 9 .exe files in the Photoshop Droplets folder on my pc were flagged as Win32:Malware-gen. I remembered that back in February, Avira 9 also initially flagged these files as trojans (TR/Dldr.Agent.darp, I think), but after updating their virus definition, the files were no longer flagged. I'm just a bit concerned that 2 excellent AV products would have the same false positives months apart.
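The two posts above decide "false positive" from the file's old date stamp and from the detection disappearing after the next definitions update. A timestamp is weak evidence on its own: anything that can write a file can also set its modification time back. What actually settles whether the flagged file is the one Adobe shipped is a content hash compared with a copy recorded at install time, before any detection. The script below is an added example for that check; it is not code from this thread, from Avast or from Adobe. The droplet file names, their bytes and the "flagged" list are constructed so it runs offline; on a real system you would point `build_baseline` at the product folder right after installing (or at the install media) and keep the result somewhere the AV cannot quarantine.

```python
"""
Triage an AV 'Malware-gen' hit by comparing the flagged file against a
sha256 baseline recorded when the product was installed.

Added example. All file names and contents below are constructed; none of
this is Adobe's data or Avast's code.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record sha256, size and mtime for every file under root.

    Run this once right after installing the product. Size and mtime are
    kept only for reporting; the verdict in triage() uses the hash alone,
    because both of the others are trivially preserved by an attacker.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return baseline


def triage(root: Path, baseline: dict, flagged: list) -> dict:
    """Classify each flagged file (path relative to root) against the baseline.

    unchanged       : bytes identical to the install-time copy; a detection
                      that only appeared after a definitions update is a
                      false-positive candidate, so submit the file for analysis
    modified        : content differs, even if size and mtime look untouched;
                      treat it as a real infection until proven otherwise
    not_in_baseline : no reference copy, so this check alone cannot decide
    """
    verdicts = {}
    for rel in flagged:
        ref = baseline.get(rel)
        if ref is None:
            verdicts[rel] = "not_in_baseline"
        elif sha256_file(root / rel) == ref["sha256"]:
            verdicts[rel] = "unchanged"
        else:
            verdicts[rel] = "modified"
    return verdicts


def demo() -> dict:
    """Constructed scenario: three 'droplet' executables are baselined, then
    one is overwritten in place with its old timestamp restored. Returns the
    verdict dict so the outcome can be checked without reading output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Photoshop Droplets"
        root.mkdir()
        names = ["Drop Shadow Frame.exe", "Aged Photo.exe", "Vignette.exe"]
        for i, n in enumerate(names):
            (root / n).write_bytes(b"MZ" + bytes([i]) * 64)  # constructed content
        baseline = build_baseline(root)

        # Tamper with one file but keep its size and forge the mtime back,
        # which is exactly the case a date-stamp check would miss.
        target = root / names[1]
        st = target.stat()
        target.write_bytes(b"MZ" + b"\x90" * 64)
        os.utime(target, (st.st_atime, st.st_mtime))

        flagged = names + ["Not Installed.exe"]  # constructed scanner output
        return triage(root, baseline, flagged)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

The point of the forged-mtime file in `demo()` is that it would pass the "dated 2002, so it's fine" test from the posts above while failing the hash comparison; only the latter is worth acting on. For files that the baseline does not cover, the remaining evidence is what the thread already uses: a multi-engine result such as VirusTotal and the vendor's own analysis of the submitted sample.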

NoelC

  • Guest
Re: Win32:Malware-gen in Adobe Photoshop 7, false positive?
« Reply #5 on: December 30, 2012, 02:44:31 AM »
FYI, this is happening again (sort of?) with Photoshop Droplets files from Adobe Photoshop 6.0 and Avast! definitions current as of yesterday evening (and the past few days). The detection has happened some time after midnight and before 1am for the past several nights.

Here is one of the files:

http://Noel.ProDigitalSoftware.com/temp/Aged%20Photo.zip

Interestingly, scanning the files manually today results in no threat detection.  Maybe the errant definition has already been fixed.

Note the attached screen grab of the File System Shield Scan Log.

-Noel