AVG Quarantining HYP Spreadsheet

Discussions regarding financial software
escalader
Posts: 32
Joined: November 4th, 2016, 2:10 pm

AVG Quarantining HYP Spreadsheet

Post by escalader »

Today AVG antivirus (free) won't let me open the HYP spreadsheet. It thinks that it contains a trojan horse malware.

I have sent a copy for analysis but as yet had no reply.

Regards Escalader

Breelander
Lemon Quarter
Posts: 4108
Joined: November 4th, 2016, 9:42 pm

Re: AVG Quarantining HYP Spreadsheet

Post by Breelander »

escalader wrote: Today AVG antivirus (free) won't let me open the HYP spreadsheet....

Which one? The Excel version or the OpenOffice one?

escalader
Posts: 32
Joined: November 4th, 2016, 2:10 pm

Re: AVG Quarantining HYP Spreadsheet

Post by escalader »

The Excel version.
I also downloaded the latest version just to make sure there wasn't a genuine problem.

kiloran
Lemon Quarter
Posts: 3865
Joined: November 4th, 2016, 9:24 am

Re: AVG Quarantining HYP Spreadsheet

Post by kiloran »

escalader wrote: Today AVG antivirus (free) won't let me open the HYP spreadsheet. It thinks that it contains a trojan horse malware.

I have sent a copy for analysis but as yet had no reply.

Regards Escalader

It does sound like AVG is flagging a false positive, which can occur with any antivirus software. I've seen reports of slow AVG response to analysing submitted files.

Does this help: https://smallbusiness.chron.com/turn-of ... 69481.html

--kiloran

escalader
Posts: 32
Joined: November 4th, 2016, 2:10 pm

Re: AVG Quarantining HYP Spreadsheet

Post by escalader »

Thanks Kiloran.

I have made the whole folder an exception and it seems to have done the trick.

Escalader

kiloran
Lemon Quarter
Posts: 3865
Joined: November 4th, 2016, 9:24 am

Re: AVG Quarantining HYP Spreadsheet

Post by kiloran »

escalader wrote: Thanks Kiloran.

I have made the whole folder an exception and it seems to have done the trick.

Escalader

I've had another report of Avast detecting a HYPTUSS virus. I found that by saving the HYPTUSS as a macro-enabled .xlsm file, instead of .xls, no virus was detected.
Certainly sounds like a false positive to me.

--kiloran

midgesgalore
2 Lemon pips
Posts: 219
Joined: November 5th, 2016, 12:02 am

Re: AVG Quarantining HYP Spreadsheet

Post by midgesgalore »

kiloran wrote:
escalader wrote: Thanks Kiloran.

I have made the whole folder an exception and it seems to have done the trick.

Escalader
I've had another report of Avast detecting a HYPTUSS virus. I found that by saving the HYPTUSS as a macro-enabled .xlsm file, instead of .xls, no virus was detected.
Certainly sounds like a false positive to me.

--kiloran

I keep my HYPTUSS as a macro-enabled .xlsm file (because it takes up significantly less memory in the file system) but AVG free version recently flagged this xlsm format too.

Specifically in the AVG report there must be a script called "SNH-gen" as that is the potential trojan being flagged.
The AVG report does give the option to report as a false positive (and presumably it will be relocated back into my original file system) however like a previous poster I let AVG quarantine the HYPTUSS spreadsheet until I checked this out.
I guess I am happy that AVG is proactive in hunting out sneaky scripts so they can be verified before they are allowed to run, causing potential havoc.

Does this, "SNH-gen", script look familiar to your macro enabled spreadsheet as that is what is being flagged?

thanks

midgesgalore

kiloran
Lemon Quarter
Posts: 3865
Joined: November 4th, 2016, 9:24 am

Re: AVG Quarantining HYP Spreadsheet

Post by kiloran »

midgesgalore wrote:
I keep my HYPTUSS as a macro-enabled .xlsm file (because it takes up significantly less memory in the file system) but AVG free version recently flagged this xlsm format too.

Specifically in the AVG report there must be a script called "SNH-gen" as that is the potential trojan being flagged.
The AVG report does give the option to report as a false positive (and presumably it will be relocated back into my original file system) however like a previous poster I let AVG quarantine the HYPTUSS spreadsheet until I checked this out.
I guess I am happy that AVG is proactive in hunting out sneaky scripts so they can be verified before they are allowed to run, causing potential havoc.

Does this, "SNH-gen", script look familiar to your macro enabled spreadsheet as that is what is being flagged?

thanks

midgesgalore

I've looked at everything I can and can find no evidence of a virus. I used https://www.virustotal.com/gui/ to submit the file to over 50 anti-virus detectors and this is what it found with hyp_top-up_spreadsheet_-_v11-74.xls:
https://postimg.cc/hJFdfZY1
So, Avast, AVG and Tachyon thought the file was infected.

I then deleted a random bit of code and the file was reported as clean. I put that bit of code back and deleted another random bit of code and the file was reported as clean. Those bits of code were totally innocuous.
I then just renamed the file as hyp_top-up_spreadsheet_-_v11-74 virus test.xls and this was also reported as clean.

If a simple change of file name can remove the report of a virus, it strikes me that it is a false positive. I don't know what else I can do.

--kiloran

midgesgalore
2 Lemon pips
Posts: 219
Joined: November 5th, 2016, 12:02 am

Re: AVG Quarantining HYP Spreadsheet

Post by midgesgalore »

kiloran wrote:...

If a simple change of file name can remove the report of a virus, it strikes me that it is a false positive. I don't know what else I can do.

--kiloran

You are absolutely correct Kiloran, I don't think there is anything you can do.
I honestly didn't think you would do any work on this other than you might check to see if the script SNH_gen was one of yours.
Considering everything you detailed in your previous post, and it seems quite a comprehensive exercise on proving how fickle these virus checkers can be, I also believe it to be a false positive.

The fact others are all of a sudden experiencing the same thing corroborates the false positive.

Thanks
midgesgalore

kiloran
Lemon Quarter
Posts: 3865
Joined: November 4th, 2016, 9:24 am

Re: AVG Quarantining HYP Spreadsheet

Post by kiloran »

midgesgalore wrote:
kiloran wrote:...

If a simple change of file name can remove the report of a virus, it strikes me that it is a false positive. I don't know what else I can do.

--kiloran

You are absolutely correct Kiloran, I don't think there is anything you can do.
I honestly didn't think you would do any work on this other than you might check to see if the script SNH_gen was one of yours.
Considering everything you detailed in your previous post, and it seems quite a comprehensive exercise on proving how fickle these virus checkers can be, I also believe it to be a false positive.

The fact others are all of a sudden experiencing the same thing corroborates the false positive.

Thanks
midgesgalore

No, nothing like SNH_gen in HYPTUSS. I found various tools which could be downloaded to remove SNH_gen from a file but I'm EXTREMELY wary about these.

--kiloran

csearle
Lemon Quarter
Posts: 4462
Joined: November 4th, 2016, 2:24 pm

Re: AVG Quarantining HYP Spreadsheet

Post by csearle »

I'm getting AVG quarantining my HYPTUSS because of SNH-gen[Trj]. I've got to go find it now as it has deleted the original.

Chris

csearle
Lemon Quarter
Posts: 4462
Joined: November 4th, 2016, 2:24 pm

Re: AVG Quarantining HYP Spreadsheet

Post by csearle »

csearle wrote: I'm getting AVG quarantining my HYPTUSS because of SNH-gen[Trj]. I've got to go find it now as it has deleted the original.

Chris

Found it. Now I am struggling to email it myself (new computer) because my email client (server?) has detected a virus too! :shock:

csearle
Lemon Quarter
Posts: 4462
Joined: November 4th, 2016, 2:24 pm

Re: AVG Quarantining HYP Spreadsheet

Post by csearle »

csearle wrote:
csearle wrote: I'm getting AVG quarantining my HYPTUSS because of SNH-gen[Trj]. I've got to go find it now as it has deleted the original.

Chris
Found it. Now I am struggling to email it myself (new computer) because my email client (server?) has detected a virus too! :shock:

Oh wait, I think that was AVG sticking its fingers in again. C.
