False Positive UMove for Active Directory
We were notified by one of our business customers about recent false positives coming from Lavasoft AV. We publish and market the U-Move software utility for Microsoft Active Directory backup and recovery (https://u-tools.com/u-move).
U-Move has been used by 1000s of businesses, universities, and Fortune 500 companies for over 10 years (NYT, HP, DoD, the White House, US military, etc). See https://u-tools.com/UMove_users.asp
The installer files (.msi) have the Microsoft Authenticode digital signature "U-Tools Software LLC (Algin Technology LLC)".
I tried uploading the samples per the instructions on your web site multiple times, but the uploads were rejected by your Report False Positive web page. The red error message is just two words: 'Missing email'. The error message made no sense as I did provide our e-mail address.
The download URL is https://u-tools.com/download (click on 'U-Move'). You can test installing it on any version of Windows (XP through 10) or Windows Server (Windows Server 2003 through Windows Server 2016).
If this problem is not rectified we will update our documentation to warn about LavaSoft.
Regards,
Alan Klietz (Owner)
U-Tools Software LLC
-------- Forwarded Message --------
Subject: Files flagged by anti-malware
Date: Sun, 25 Sep 2016 13:37:21 -0700
From: rob@fixbit.org
Organization: HipMicro.com
To: support@u-tools.com
Lavasoft AD-Aware Antivirus has flagged three files:
aecom.dll Gen:Heur.Conjar2
umove.msi Gen:Trojan.HeuJP.bul1@aqgKvLai
umove64.msi Gen:Heur.Conjar2
Rob Ingenthron
IT Consultant
Hi UTools,
Thanks for letting us know. We'll check this out and report back here.
Regards,
Andy
Lavasoft Malware Lab
Hi again,
The three files were not detected in my test. Either they've been removed from detection already or I'm not testing the correct files.
I downloaded UMove1718.exe (md5: 13a6b127f1a9b85f56d2afee83ab9782) from hxxp://download.algintech.com/UMove1718.exe and extracted the contents.
Here are the md5s of the corresponding files you mentioned:
56ce0748feed9b6caaa2e39f04350cf1 AECOMDLL.dll
0c336651bea70ecb063b33abbf75a7e4 UMove64.msi
e275b936a42bca0e52a504c1c3dc184a UMove.msi
Can I ask you to verify that the files are no longer detected, or, upload a zip file containing the detected files to this thread?
Thanks,
Andy
Lavasoft Malware Lab
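The lab's reply above hinges on one question: are the files on the customer's machine the same bytes the lab tested? The usual way to settle that is to hash the extracted files and compare them against the MD5 values the lab posted. The script below is an added example for this thread, not code from Lavasoft or U-Tools; it takes the four hashes exactly as they appear in the reply, hashes every file in a directory you point it at (the extracted installer contents), and reports each file as a match, a mismatch, or missing. The directory path and the case-insensitive filename matching are assumptions; a mismatch means the vendor and the lab are looking at different builds and the lab's "not detected" result does not apply.

```python
import hashlib
import sys
from pathlib import Path

# MD5 values copied verbatim from the Lavasoft Malware Lab reply in this thread.
REPORTED_MD5 = {
    "UMove1718.exe": "13a6b127f1a9b85f56d2afee83ab9782",
    "AECOMDLL.dll": "56ce0748feed9b6caaa2e39f04350cf1",
    "UMove64.msi": "0c336651bea70ecb063b33abbf75a7e4",
    "UMove.msi": "e275b936a42bca0e52a504c1c3dc184a",
}


def md5_of_file(path):
    """Hash a file in 1 MiB chunks so a large .msi is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_extracted_files(directory, reported=REPORTED_MD5):
    """Return {filename: 'match' | 'mismatch' | 'missing'} for each reported file.

    Filenames are compared case-insensitively (assumption: the files were
    extracted on Windows, where the filesystem is case-insensitive).
    """
    on_disk = {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}
    results = {}
    for name, expected in reported.items():
        path = on_disk.get(name.lower())
        if path is None:
            results[name] = "missing"
        elif md5_of_file(path) == expected.lower():
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def summarize(results):
    """Human-readable lines, one per file, in the order the lab listed them."""
    width = max(len(n) for n in results)
    return [f"{name.ljust(width)}  {status}" for name, status in results.items()]


if __name__ == "__main__":
    # Usage: python check_hashes.py <directory with the extracted UMove files>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in summarize(compare_extracted_files(target)):
        print(line)
```

Any file reported as `mismatch` is the one to zip up and attach to the thread, since it is a build the lab has not examined; a full set of `match` results means the lab's negative finding already covers what the customer has.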
Thank you for the fast reply, I appreciate it very much. I will forward the information and will follow up if any further action is needed.
Regards,
-Alan