> UPX False Positives
Richard Steven H...
post 21.03.2009 03:13
Post #1
Member (Group: Members, Posts: 32, Joined: 6.12.2007)

I use a lot of system deployment tools in my consulting work for various clients. These tools include various utilities which have been compiled by their authors using the UPX packing utilities or are frequently .

Many, many of these utilities get detected by KAV as various trojans, despite the fact that they aren't trojans or infected with anything.

Can we PLEASE stop treating every EXE in a Zip file and every UPX packed executable as a trojan - especially to the point of specifically identifying WHICH trojan - when they aren't?

I just had a dozen utilities which were on one server and being replicated via Windows Server file replication on to another server flagged and deleted by KAV. This is becoming very irritating.

I could send you a sample of the utilities, but frankly this is not the right approach. It doesn't make sense to exclude each and every false positive individually. KAV needs to be more precise about its detection methods because it is flagging wholesale batches of programs embedded in zip files or compiled with packers.

I know this is probably hard to do (great, just popped up four more alerts as I'm typing this! The same ones because the OS is trying to replicate these files!), but it needs to be done.
Baz^^
post 21.03.2009 03:20
Post #2
Wrestling Champion (Group: Gold beta testers, Posts: 8799, Joined: 10.03.2007)

Hi,

Detection names?

KAV doesn't detect any file packed by UPX, this simply isn't the case.


--------------------
Kind Regards,

Baz
Richard Steven H...
post 21.03.2009 05:10
Post #3
Member (Group: Members, Posts: 32, Joined: 6.12.2007)

QUOTE(Baz^^ @ 21.03.2009 02:20) *
Hi,

Detection names?

KAV doesn't detect any file packed by UPX, this simply isn't the case.


Then why do I have files listed ending with /UPX?

What does this mean?

G:\Home\DfsrPrivate\Installing\csdswitch.exe-{35D91C01-79F6-47FB-8711-CF90CAAOFB13}-v140699//UPX

That's the reported "trojan" which KAV claims is "Trojan-Downloader.Win32.Agent.ahvv" - which it is not.

The original file which Windows is trying to replicate is merely called cdswitch.exe. I don't know if it was packed with UPX or not originally.

You might want to read this I just found, too:

Runtime Packer Testing Experience
http://www.datasecurity-event.com/uploads/runtimepacker.ppt

The point is I have a ton of KAV alerts about perfectly harmless software - the only distinction with these products is that they are either EXE files encapsulated in a ZIP or RAR file when downloaded, or they may have been UPX packed.

I've submitted four files using the Web form submission process that KAV is repeatedly bugging me about on my client's server. I've had to exclude the DfsrPrivate folders from scanning, which is not something I prefer to do as it's possible infected files could end there from other sources.

Last year the AutoHotkey Community forum issued a letter to the AV companies complaining that anything that has AutoHotkey scripts in it is treated as malware.

This doesn't look good either:

http://www.av-comparatives.org/seiten/erge...se/report20.pdf
http://www.av-comparatives.org/seiten/erge...se/report19.pdf

"Number of false alarms found in our clean set (lower is better):"
1. McAfee, Microsoft : 1
2. ESET: 7
3. F-Secure : 11
4. Symantec : 12
5. eScan : 14
6. AVIRA : 17
7. Norman : 19
8. AVG : 21
9. BitDefender : 27
10. Kaspersky : 28
11. Trustport : 30
12. VBA32 : 46
13. Avast : 47
14. GDATA : 62
15. Sophos : 117

KAV isn't as ridiculously high as Sophos or even Avast, but remember this is the "clean" set!

What I want is for KAV to NOT tell me that these programs are specific trojans when in reality the only thing it knows is that it's packed in a ZIP file or has been packed by a packer. And I don't want them deleted automatically regardless of whether the default action is deletion if it cannot be disinfected.

If KAV really doesn't know what these programs are - and it doesn't - it needs to ask or quarantine them only and allow me to say, "yes, these are good, ignore them".
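Richard says above that he does not know whether cdswitch.exe was UPX-packed in the first place. The following is an added example, not code from this thread or from Kaspersky, that answers that question offline by reading the PE section table, where the stock upx tool names the sections it creates UPX0/UPX1 (the sample PE images are constructed inline, not real files from the thread):

```python
import struct
import sys

# Section names the stock upx tool writes for a PE it has packed.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                           # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table start
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                      # one IMAGE_SECTION_HEADER
        if off + 40 > len(data):
            break                                                 # truncated header: stop
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when the section table carries UPX's own section names."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES)


def build_sample_pe(section_names) -> bytes:
    """Constructed header-only PE32 image, used as offline sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: right after DOS header
    opt = bytes(224)                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    # Check real files given on the command line, else the constructed samples.
    paths = sys.argv[1:]
    samples = {p: open(p, "rb").read() for p in paths} if paths else {
        "packed.exe (constructed)": build_sample_pe([b"UPX0", b"UPX1", b".rsrc"]),
        "plain.exe (constructed)": build_sample_pe([b".text", b".data", b".rsrc"]),
    }
    for name, blob in samples.items():
        print(name, pe_section_names(blob), "UPX" if looks_upx_packed(blob) else "not UPX")
```

A renamed or otherwise modified packer can change the section names, so a negative result only says the stock UPX layout is absent, which is exactly the distinction Lucian asks about later in the thread.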
Baz^^
post 21.03.2009 05:29
Post #4
Wrestling Champion (Group: Gold beta testers, Posts: 8799, Joined: 10.03.2007)

QUOTE(Richard Steven Hack @ 21.03.2009 01:10) *
I will repeat - KAV does NOT indiscriminately detect solely based on the fact that an executable is packed by UPX or any other packer...the UPX at the end of the detection shows the file is packed with UPX, a packer that Kaspersky recognises and can scan/unpack. UPX is one of the most commonly used packers and detecting solely based on it would make no sense (and it doesn't, as the FP rate would be through the roof). Those files are obviously triggering a detection on other elements that may have been misused by malware or carry similar characteristics.

Send the files in to the lab via the webform and they will be corrected. The details of those FP testing reports reveal that most of the files detected were obscure files that are unlikely to be in widespread circulation.


--------------------
Kind Regards,

Baz
DotH
post 24.04.2009 12:10
Post #5
Newbie (Group: Members, Posts: 2, Joined: 24.04.2009)

Hi there,

I also would like to report the following that is related to this thread.
I am a developer and I routinely pack my Executables with UPX.
Now this is what's happening in many cases:
If I do not pack the executables with UPX, Kaspersky (and AdAware for that matter) does not block them;
however, when I pack those same exact files with UPX, they get blocked. In one case, I also noticed that packing with the upx LZMA compression option would trigger the false positive detection, but not with NRV compression. This seems to suggest that while Kaspersky may indeed be unpacking the upx files to look into their code, something is not going entirely right here; otherwise, why would it detect no threat in the original (pre-upx pack) file and find a problem with the same exact file when it is upxed? Of course, I can guarantee that my executable files are free from infection, hence the non-detection as such when they are uncompressed.

Also, when I say "in many cases" above, what I mean is this: depending on the build of my software, this may or may not happen.
Needless to say this is VERY frustrating and I basically cannot use Kaspersky on my development machine, which I otherwise think is a great AV.
I have completely given up on Kaspersky for my dev machines, and right now, AGAIN, I am facing the same problems with AdAware, which also has to go now.
I would have purchased a few licenses of Kaspersky, but after my messages to you about this and no response whatsoever I gave up on it. Just today I found this thread, while trying to solve the same problem with AdAware.

I also would like to mention here that not using UPX is not an option, as it is a fantastic and very, very stable tool for compressing my exes, and it saves the company I work with a significant amount of bandwidth cost, due to our relatively high number of downloads for our software titles.

This is a problem that needs to be addressed, not only by Kaspersky but by others as well, as the new detection methods that are starting to appear in virtually all of the more popular AVs will cause more and more problems.

I hope this helps,

Thanks,

Stav
Lucian Bara
post 24.04.2009 17:28
Post #6
Are You Kidding? (Group: Gold beta testers, Posts: 56947, Joined: 28.01.2006, From: Timisoara, Romania)


hello
what exactly does kaspersky list them as? normally files packed with upx aren't detected. is this some modified upx packer you are using?
DotH
post 9.05.2009 17:15
Post #7
Newbie (Group: Members, Posts: 2, Joined: 24.04.2009)

Hi,

I cannot remember right now as I have uninstalled it.
I will install again and tell you.

The upx I am using is the latest, unchanged binary.

Thanks

QUOTE(Lucian Bara @ 24.04.2009 16:28) *
hello
what exactly does kaspersky list them as? normally files packed with upx aren't detected. is this some modified upx packer you are using?

shanevic7
post 30.07.2012 23:30
Post #8
Newbie (Group: Members, Posts: 2, Joined: 28.07.2012)

QUOTE(Lucian Bara @ 24.04.2009 16:28) *
hello
what exactly does kaspersky list them as? normally files packed with upx aren't detected. is this some modified upx packer you are using?


I was also wondering why the upx isn't detected. Still trying to find the files.