Author Topic: false positive  (Read 3136 times)


smfd

  • Guest
false positive
« on: July 31, 2011, 05:41:06 PM »
Hello forum, I have a problem.

I work at an internet service provider. We use an authorisation program to authorise users on our server. Today many people who use Avast phoned me and said they can't work on the internet because the authorisation program was detected as malware and deleted by the antivirus.

Please help me to solve this problem

The program can be downloaded here http://www.elite-net.org/auth.exe

Thank you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: false positive
« Reply #1 on: July 31, 2011, 05:58:39 PM »
Avast isn't alone in finding it suspect, http://www.virustotal.com/file-scan/report.html?id=0fc7fc461697c6f57ca784904d49533b54d7aeba07544d98e778a19240686d04-1312124288.

However, Win32:Malware-gen is a generic signature (the -gen bit) and more prone to misdetection; since most of the VT detections are also generic or suspicious/heuristic, it should be analysed.

There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles, for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media) issues.
- If you are reporting an FP, another input field opens: click the Browse button and navigate to the file, or enter the web URL for the site you wish to submit for review, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
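A small triage helper, added here as an example and not code from this thread or from Avast: it pulls the SHA-256 out of a VirusTotal file-scan report link of the form linked above, checks whether a local copy is the same sample the report covers, and counts how many verdicts are generic or heuristic names (like Win32:Malware-gen) versus named families. The file bytes and per-engine verdicts are constructed, and the generic-marker pattern is an assumption, not an official naming taxonomy.

```python
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# VirusTotal report id as it appears in the thread's link: <sha256>-<unix timestamp>.
_VT_ID_RE = re.compile(r"^([0-9a-f]{64})-\d+$")
# Markers of generic/heuristic verdicts (assumed heuristic list, not an official taxonomy).
_GENERIC_RE = re.compile(r"\bgen\b|generic|heur|suspicious|unclassified", re.IGNORECASE)

# Constructed sample data: the URL is from the thread; the file bytes and verdicts are made up.
REPORT_URL = ("http://www.virustotal.com/file-scan/report.html?id="
              "0fc7fc461697c6f57ca784904d49533b54d7aeba07544d98e778a19240686d04-1312124288")
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real auth.exe"
SAMPLE_DETECTIONS: Dict[str, Optional[str]] = {
    "EngineA": "Win32:Malware-gen",        # generic, family-less verdict
    "EngineB": "Gen:Variant.Example.1",    # generic (constructed name)
    "EngineC": "Suspicious.Heuristic.2",   # heuristic (constructed name)
    "EngineD": "Trojan.Agent.EXAMPLE",     # named family (constructed name)
    "EngineE": None,                       # clean
    "EngineF": None,                       # clean
}


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Extract the SHA-256 from a file-scan report URL, or None if the id is not in that form."""
    for candidate in parse_qs(urlparse(url).query).get("id", []):
        m = _VT_ID_RE.match(candidate)
        if m:
            return m.group(1)
    return None


def is_generic_detection(name: str) -> bool:
    """True for generic/heuristic verdict names such as 'Win32:Malware-gen'."""
    return _GENERIC_RE.search(name) is not None


def triage(report_url: str, local_file: bytes, detections: Dict[str, Optional[str]]) -> dict:
    """Check that the local file is the sample the report covers and split verdicts by type."""
    report_hash = sha256_from_vt_url(report_url)
    local_hash = hashlib.sha256(local_file).hexdigest()
    flagged = [name for name in detections.values() if name]
    generic = sum(1 for name in flagged if is_generic_detection(name))
    return {
        "same_sample": report_hash is not None and report_hash == local_hash,
        "engines": len(detections), "detections": len(flagged),
        "generic": generic, "named": len(flagged) - generic,
    }
```

If `same_sample` is false, the report you are reading is not about the binary you are about to submit, so hash the exact file the users received before filing the FP.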

smfd

  • Guest
Re: false positive
« Reply #2 on: July 31, 2011, 07:50:49 PM »
Several days ago Avira also detected this program as a virus (I also contacted them) and I sent it to VirusTotal; the result was 12/43. But VirusTotal also said that the file had already been scanned and the result was 4/43.

Thank you for the link - sent the file via contact form.
« Last Edit: July 31, 2011, 07:53:59 PM by smfd »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37552
  • Not a avast user
Re: false positive
« Reply #3 on: July 31, 2011, 08:06:53 PM »
SOPHOS lab
Quote
SophosLabs has analyzed the submitted file(s) and have determined it is a false positive detection.

auth.exe -- identity created/updated


Avira lab
Quote
The file 'auth.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be added to our virus definition file (VDF) with one of the next updates. Detection will be removed from our virus definition file (VDF) with one of the next updates.


« Last Edit: August 01, 2011, 11:43:47 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: false positive
« Reply #4 on: July 31, 2011, 08:44:35 PM »
Quote
Several days ago Avira also detected this program as a virus (I also contacted them) and I sent it to VirusTotal; the result was 12/43. But VirusTotal also said that the file had already been scanned and the result was 4/43.

Thank you for the link - sent the file via contact form.

You're welcome, hopefully it will be quickly analysed and the detection corrected.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: false positive
« Reply #5 on: August 01, 2011, 01:33:55 AM »
Hi DavidR,

I have run the executable in question through Anubis. Here are the results of the analysis report:
http://anubis.iseclab.org/?action=result&task_id=180a4941b8eae2d441d260896425ad586&format=html
There it is classified as a (medium-risk) download and low-risk risktool, so it could be classified as a PUP, but as users know what it is meant to do and have installed it themselves intentionally, it should be OK.
The generic flag could be because of the \NameSpace_Catalog5 Winsock2 monitoring key settings and/or similar key settings for \Protocol_Catalog9, but these have to do with the network settings made by the program.
Device Control Communications Control Code is also found in certain Trojan-Spy variants.
The mutex, _SHuassist.mtx, is also found with certain risktools.
I.M.O. more than likely a False Positive.

polonus
« Last Edit: August 01, 2011, 01:35:45 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!