AVG 13.0.0 reports trojan in installer

[gcamley]

2 days ago we upgraded AVG to 13.0.0. Since then the output from Advanced Installer 13.6 has been reported by AVG as carrying 'Trojan horse SCGeneric1.CORO'. No other changes occurred on the server.

We clearly have to ensure our installers are clean so we cannot simply exclude the file from AVG.

Can this be rectified with AVG urgently?

[Sorin]

Hello,

There aren't any other users reporting this problem.

First of all please ensure that you have updated the database of your anti-virus software.

Can you please perform an AVG scan to the Advanced Installer installation location? If the result is not positive then it might be a problem with the resources contained by the package. You can scan all the resources contained by your package. One of your files could be infected, or could be false positive detected. You should contact AVG in order to add this file to their whitelist.

Best regards,
Sorin

[ittim]

Hi, we've started getting this from AVG users as well!!

We pushed an update of our software out on Friday, and clearly AVG is scanning on access and removing the updater. Thats a real problem as it will leave these users without an update path.

Interestingly enough i can't replicate the issue having downloaded AVG, I did request our file to be whitelisted but I'd be surprised if it was fixed in under 30 mins.

[gcamley]

I performed a scan of all contents of Program Files use AVG with latest updates.
AVG reported the same trojan in a Caphyon file ExternalUI.exe. I guess this is included in the installer and so throws the same false positive.

I repaired AI 13.6 installation and immediately AVG reported the same problem with ExternalUI.exe

[ittim]

Are you still getting the behaviour now? i've just scanned the file with AVG IS and it comes back as good.

[gcamley]

We are using AVG Business Edition version 3556
Virus database version 4769/14577 (19 June 2017 09:38)

[ittim]

ah, ok think i'm testing with the generic version. I'm going to try the business edition. That said i'd have thought the virus definition would be the same regardless.

[Sorin]

Hello,

Our workflow regarding Anti-Virus detection is the following on every release of Advanced Installer:
- we check our binary files on Virustotal
- we forward a whitelist entry request to all Anti-Viruses that detect one of our files

We have checked ExternalUi.exe (AI 13.6) with virustotal. Here are the results:
Virustotal ExternalUi.exe

As you can see, AVG doesn't detect this file.
We have also installed the latest AVG version on a test machine and scanned the whole Advanced Installer 13.6 installation. No threats have been found.

Best regards,
Sorin

[ittim]

So i've just tried my updater.exe file on virustotal.com and it comes out clean.

Installed AVG business and its flagged it up as a virus, as it has for 4 of my customers.



where do i go from here?

[gcamley]

I would suggest that VirusTotal is not using the latest version of AVG as AVG is definitely rejecting the file every time I repair the installation.


The problem is not limited to our build server or to only new builds. One of our managers uses the latest AVG and reports that it started to reject installer files created the day before AVG was updated on the server so installers which were once fine according to AVG are now reported as infected. These files were signed so cannot have become infected without a system warning about tampered files.

[ittim]

also interesting that virustotal only has 'AVG' listed, i've tried business and the free version. The free version allows the updater and the business one flags it up as a virus so not sure virustotal is a good test.

[ittim]

Hello,

Our workflow regarding Anti-Virus detection is the following on every release of Advanced Installer:
- we check our binary files on Virustotal
- we forward a whitelist entry request to all Anti-Viruses that detect one of our files

We have checked ExternalUi.exe (AI 13.6) with virustotal. Here are the results:
Virustotal ExternalUi.exe

As you can see, AVG doesn't detect this file.
We have also installed the latest AVG version on a test machine and scanned the whole Advanced Installer 13.6 installation. No threats have been found.

Best regards,
Sorin

Sorin, have you tried it with this build of AVG?

http://www.avg.com/gb-en/download.prd-ise

[gcamley]

From VirusTotal FAQs

A given antivirus in VirusTotal detects a file and its equivalent commercial version does not

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

[ittim]

I've contacted AVG, waiting for their response. I did upload it to their whitelist area but i'd rather get some actual dialogue going. It doesn't exactly do much for our reputation. Hopefully i can pin it all on AVG

[gcamley]

This is getting stranger. Maybe it is an AVG bug.
When Windows Explorer has the folder open that contains the ExternalsUI.exe then AVG immediately reports it and removes it. However if Windows Explorer is not viewing the file and I scan the file then AVG says it is fine but as soon as I open the folder again with Windows Explorer then AVG again warns and removes the file. Seems AVG is remembering that the file was suspect and not recording that it is no longer suspect