richardstevenhack

UPX False Positives

8 posts in this topic

I use a lot of system deployment tools in my consulting work for various clients. These tools include various utilities which have been compiled by their authors using the UPX packing utilities or are frequently .

Many, many of these utilities get detected by KAV as various trojans, despite the fact that they aren't trojans or infected with anything.

Can we PLEASE stop treating every EXE in a Zip file and every UPX packed executable as a trojan - especially to the point of specifically identifying WHICH trojan - when they aren't?

I just had a dozen utilities which were on one server and being replicated via Windows Server file replication on to another server flagged and deleted by KAV. This is becoming very irritating.

I could send you a sample of the utilities, but frankly this is not the right approach. It doesn't make sense to exclude each and every false positive individually. KAV needs to be more precise about its detection methods because it is flagging wholesale batches of programs embedded in zip files or compiled with packers.

I know this is probably hard to do (great, just popped up four more alerts as I'm typing this! The same ones because the OS is trying to replicate these files!), but it needs to be done.


Hi,

Detection names?

KAV doesn't detect any file packed by UPX; this simply isn't the case.

Then why do I have files listed ending with /UPX?

What does this mean?

G:\Home\DfsrPrivate\Installing\csdswitch.exe-{35D91C01-79F6-47FB-8711-CF90CAAOFB13}-v140699//UPX

That's the reported "trojan" which KAV claims is "Trojan-Downloader.Win32.Agent.ahvv" - which it is not.

The original file which Windows is trying to replicate is merely called cdswitch.exe. I don't know if it was packed with UPX or not originally.

You might want to read this I just found, too:

Runtime Packer Testing Experience
http://www.datasecurity-event.com/uploads/runtimepacker.ppt

The point is I have a ton of KAV alerts about perfectly harmless software - the only distinction with these products is that they are either EXE files encapsulated in a ZIP or RAR file when downloaded, or they may have been UPX packed.

I've submitted four files, using the Web form submission process, that KAV is repeatedly bugging me about on my client's server. I've had to exclude the DfsrPrivate folders from scanning, which is not something I prefer to do as it's possible infected files could end up there from other sources.

Last year the AutoHotkey Community forum issued a letter to the AV companies complaining that anything that has AutoHotkey scripts in it is treated as malware.

This doesn't look good either:

http://www.av-comparatives.org/seiten/erge...se/report20.pdf
http://www.av-comparatives.org/seiten/erge...se/report19.pdf

"Number of false alarms found in our clean set (lower is better):"

1. McAfee, Microsoft: 1
2. ESET: 7
3. F-Secure: 11
4. Symantec: 12
5. eScan: 14
6. AVIRA: 17
7. Norman: 19
8. AVG: 21
9. BitDefender: 27
10. Kaspersky: 28
11. Trustport: 30
12. VBA32: 46
13. Avast: 47
14. GDATA: 62
15. Sophos: 117

KAV isn't as ridiculously high as Sophos or even Avast, but remember this is the "clean" set!

What I want is for KAV to NOT tell me that these programs are specific trojans when in reality the only thing it knows is that it's packed in a ZIP file or has been packed by a packer. And I don't want them deleted automatically, regardless of whether the default action is deletion if it cannot be disinfected.

If KAV really doesn't know what these programs are - and it doesn't - it needs to ask or quarantine them only and allow me to say, "yes, these are good, ignore them".

 

I will repeat: KAV does NOT indiscriminately detect solely based on the fact that an executable is packed by UPX or any other packer... the UPX at the end of the detection shows the file is packed with UPX, a packer that Kaspersky recognises and can scan/unpack. UPX is one of the most commonly used packers and detecting solely based on it would make no sense (and it doesn't, as the FP rate would be through the roof). Those files are obviously triggering a detection on other elements that may have been misused by malware or carry similar characteristics.

Send the files in to the lab via the webform and they will be corrected. The details of those FP testing reports reveal that most of the files detected were obscure files that are unlikely to be in widespread circulation.
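As an added example (not code from any poster in this thread), here is a small Python check that tells you whether a flagged Windows binary is actually UPX-packed, which the original poster said he did not know for his files: it reads the PE section table (UPX names its sections UPX0/UPX1) and looks for the "UPX!" marker UPX writes into the packed image. The sample PE bytes are constructed inline so the script runs offline; the function names and the 'upx'/'plain'/'not-pe' labels are my own choices.

```python
import struct
from pathlib import Path

UPX_MAGIC = b"UPX!"  # marker UPX writes into the packed image header

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image held in memory (raises on non-PE input)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        raw = data[table + i * 40: table + i * 40 + 8]         # 8-byte Name field
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_evidence(data: bytes) -> dict:
    """The two cheap signals of UPX packing: UPX0/UPX1 section names and the UPX! magic."""
    names = pe_section_names(data)
    return {"upx_sections": [n for n in names if n.startswith("UPX")],
            "upx_magic": UPX_MAGIC in data}

def looks_upx_packed(data: bytes) -> bool:
    ev = upx_evidence(data)
    return bool(ev["upx_sections"]) or ev["upx_magic"]

def scan_paths(paths) -> dict:
    """Label each file 'upx', 'plain' or 'not-pe' so flagged files can be grouped before submission."""
    result = {}
    for p in paths:
        try:
            result[str(p)] = "upx" if looks_upx_packed(Path(p).read_bytes()) else "plain"
        except ValueError:
            result[str(p)] = "not-pe"
    return result

def build_sample_pe(section_names, trailer=b"") -> bytes:
    """Constructed minimal PE skeleton used as offline test input; it is not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs + trailer
```

Running `scan_paths` over the files KAV flagged separates the UPX-packed ones from the plain ones, so a submission to the lab can say which detections involve the packer at all.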


Hi there,

I also would like to report the following that is related to this thread.

I am a developer and I routinely pack my executables with UPX.

Now this is what's happening in many cases:

If I do not pack the executables with UPX, Kaspersky (and AdAware for that matter) do not block them; however, when I pack those same exact files with UPX, they get blocked. In one case, I also noticed that packing with the UPX LZMA compression option would trigger the false positive detection, but not with NRV compression. This seems to suggest that while Kaspersky may indeed be unpacking the UPX files to look into their code, something is not going entirely right here; otherwise, why would it detect no threat in the original (pre-UPX pack) file and find a problem with the same exact file when it is UPXed? Of course, I can guarantee that my executable files are free from infection, hence the non-detection as such when they are uncompressed.

Also, when I say "in many cases" above, what I mean is this: depending on the build of my software, this may or may not happen.

Needless to say this is VERY frustrating and I basically cannot use Kaspersky on my development machine, which I otherwise think is a great AV.

I have completely given up on Kaspersky for my dev machines, and right now, AGAIN, I am facing the same problems with AdAware, which also has to go now.

I would have purchased a few licenses of Kaspersky, but after my messages to you about this and no response whatsoever I gave up on it. Just today I found this thread, while trying to solve the same problem with AdAware.

I also would like to mention here that not using UPX is not an option, as it is a fantastic and very, very stable tool for compressing my exes, and it saves the company I work with a significant amount of bandwidth cost, due to our relatively high number of downloads for our software titles.

This is a problem that needs to be addressed, not only by Kaspersky but by others as well, as the new detection methods that are starting to appear in virtually all of the more popular AVs will cause more and more problems.

I hope this helps,

Thanks,

Stav


Hello,

What exactly does Kaspersky list them as? Normally files packed with UPX aren't detected. Is this some modified UPX packer you are using?


Hi,

I cannot remember right now as I have uninstalled it.

I will install again and tell you.

The UPX I am using is the latest, unchanged binary.

Thanks

I was also wondering why the UPX isn't detected. Still trying to find the files.
