Author Topic: My self written text editor being treated as malware (Read 4226 times)

roytam1 · « **on:** September 11, 2011, 09:41:08 AM »

My open source editor "GreenPad-nt350" was being treated as Win32:Paleworm-B [Wrm].

Sources: http://rtoss.googlecode.com/svn/GreenPad-nt350/
Binary: http://roy.orz.hm/gpc/files1.rt/GreenPad-nt350.rar

VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=bb280ad13679c9857f27e434ff1b3cd288bc8f3b719389f3341c9b2de88c3117-1315725035

ady4um · « **Reply #1 on:** September 11, 2011, 10:07:14 AM »

Send "False Positive" as subject:
virus@avast.com

including the link to this topic and/or the relevant info/links (NOT the file itself).

You can report a false positive here:
http://www.avast.com/contact-form.php?loadStyles

CraigB · « **Reply #2 on:** September 11, 2011, 12:17:46 PM »

Can you add the program to the exclusion list of the shield that is detecting it ? you would probably have to add the exe files to the behaviour shields trusted processes as well.

ady4um · « **Reply #3 on:** September 11, 2011, 12:52:16 PM »

Quote from: craigb on September 11, 2011, 12:17:46 PM

Can you add the program to the exclusion list of the shield that is detecting it ? you would probably have to add the exe files to the behaviour shields trusted processes as well.

But then roytam1 is the only one that knows this is a FP. By providing the info to Avast Team, we all get the benefits, and the database is improved.

... Unless the program is only used by roytam1 only and not shared/distributed in any way to anyone.

CraigB · « **Reply #4 on:** September 11, 2011, 01:06:57 PM »

Quote from: ady4um on September 11, 2011, 12:52:16 PM

Quote from: craigb on September 11, 2011, 12:17:46 PM
Can you add the program to the exclusion list of the shield that is detecting it ? you would probably have to add the exe files to the behaviour shields trusted processes as well.
But then roytam1 is the only one that knows this is a FP. By providing the info to Avast Team, we all get the benefits, and the database is improved.

... Unless the program is only used by roytam1 only and not shared/distributed in any way to anyone.

That how i interpreted it as it was just his own custom program

ady4um · « **Reply #5 on:** September 11, 2011, 01:25:29 PM »

Quote from: craigb on September 11, 2011, 01:06:57 PM

Quote from: ady4um on September 11, 2011, 12:52:16 PM
... Unless the program is only used by roytam1 only and not shared/distributed in any way to anyone.
That how i interpreted it as it was just his own custom program

Well, no according to the OP:

Quote from: roytam1 on September 11, 2011, 09:41:08 AM

My open source editor "GreenPad-nt350" was being treated as Win32:Paleworm-B [Wrm].

Sources: hXXp://rtoss.googlecode.com/svn/GreenPad-nt350/
Binary: hXXp://roy.orz.hm/gpc/files1.rt/GreenPad-nt350.rar

So, I was providing the "unless..." for:
A_ general info
B_ in case roytam1 is actually saying that the original open source program is not detected by Avast, but only a personal customization is. Since roytam1 is the original developer, the customization probably turns out to be the open source to public distribution version/build/edition.

Directly contacting Avast improves the database and the engine in any case. The "unless..." is just a possible workaround, that helps to only one user/system. In case *that* particular system is the one and only that has this file, then the effects are equivalent.

If roytam1 wants the tool to be used/downloaded with no "panics" from Avast's users, it is better to send the info about the FP (or an unknown unconfirmed possible malware, if that would be the case). In addition, Avast engine gets smarter.

DavidR · « **Reply #6 on:** September 11, 2011, 02:46:53 PM »

It doesn't matter, essentially both actions should be carried out. A. if it is available for open source distribution and B. to allow roytam1 to use it.

I would also suggest that roytam1 upload the sample to virustotal and see if other AVs also alert on it.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

ady4um · « **Reply #7 on:** September 11, 2011, 03:22:39 PM »

Quote from: DavidR on September 11, 2011, 02:46:53 PM

I would also suggest that roytam1 upload the sample to virustotal and see if other AVs also alert on it.

@DavidR,

Already done; see the first post. Avira also identifies it, but not the rest.

Either it is a FP, or it got recently hacked and the developer (roytam1) didn't notice it.

misak · « **Reply #8 on:** September 12, 2011, 04:20:14 PM »

Hi,

false positive alert will be fixed in next VPS update (110912-1).

Author Topic: My self written text editor being treated as malware (Read 4226 times)

roytam1

My self written text editor being treated as malware

ady4um

Re: My self written text editor being treated as malware

CraigB

Re: My self written text editor being treated as malware

ady4um

Re: My self written text editor being treated as malware

CraigB

Re: My self written text editor being treated as malware

ady4um

Re: My self written text editor being treated as malware

DavidR

Re: My self written text editor being treated as malware

ady4um

Re: My self written text editor being treated as malware

misak

Re: My self written text editor being treated as malware