Spotty.exe (Helper for Squeezebox) new spotify protocol detected as virus

Question

Hi, I need to install a new way to stream spotify to my squeezebox players due to changes that spotify is implementing. 
 
 There is a solution that consist on install a plugin from a third party, the plugin runs OK on Linuz but on windows my sophos Endpoint says is a virus. 
 this is the message I receive: 
 20170724 010917 On-access scanner has denied access to location "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe" 20170724 010917 File "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe" belongs to virus/spyware 'Mal/EncPk-ZC'.

This is the version I'm running: 
 Endpoint security and control = 11.0.11 UTM Support reference = 1.0.462 
 
 Appreciate your help to verify if the file is definitely a Virus and/or this is a false/positive. 
 
 Thanks very much in advance for your help

jak · Answer

Hi, 
 There are a few things you can do from here: 
 Submit a sample of the file (C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe) to SophosLabs. https://community.sophos.com/kb/en-us/11490 . You will get a response advising if this is/isn't a false positive. If it is a false positive the detection data will be updated and you're fixed. 
 This process shouldn't take long. 
 If you want/need to do something in the short term you could: 
 Upload the file to https://www.virustotal.com/ if the consensus is that the file is safe you could make an exclusion in SAV for the file. 
 This could be the full path: C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe or just spotty.exe 
 The first being more secure/specific. 
 Once the Labs have updated the detection you can remove the exclusion. 
 Obviously making the exclusion before SophosLabs has given you feedback carries some risk but this could be mitigated by the VirusTotal scan. 
 I hope this helps you make a decision. 
 Regards, 
 Jak

Robert Duck · Answer

I have this same problem. It has also been submitted to Sophos as a false positive by Michael Herger (user mherger) who supports this exe file but it is still detected as false positive. 
 On 1st September 2017... 
 Malware cleaned up: 'Mal/EncPk-ZC' at 'C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe' 
 
 There seems to be no way around this! 
 Any help appreciated.

Robert Duck · Answer

jak said: 
 Well in the meantime, you could make a file exclusion for spotty.exe or probably more secure, include the full path, i.e.: C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe 
 This is assuming it is a false positive. 
 Uploading the file/hash to https://www.virustotal.com/#/home/upload might give you some confidence if it is or isn't. You may need to disable on-access scanning or make the file exclusion in order to make the submission. 
 
 I uploaded the file to virus total and 60 out of 62 antivirus engines found it to be clean. Is there any way I can submit the file to Sophos so it can be excluded from detection as a positive? 
 
 Thank you