
UPXed PowerBasic programs are likely to be identified as Gen.Trojan

Comments

19 comments

  • Customer

    Hello theogott!

     

    Could you write more about the product that detects your files? What version? Does it detect during installation or downloading the file from the Internet?

    0
  • Customer

    The product is "Ad-Aware" Free Antivirus.

    The file - in my case - is detected by the real-time protection engine.

    I have a script that does the following:

    When the PowerBasic compiler is ready compiling,

    then UPX is applied,

    after that "signtool.exe" is called automatically to add the certificate.

    In that last moment I got a window (green window) "Threat detected". Then the file is gone ...

    and not only is the file gone, but it is no longer possible to create such a file until the computer is restarted.

    Even renaming a file that has another name to "this name" does not work.

    Now, taking a peek into the "Quarantined files", there is a long list of false positives ... it ate a lot of programs ... let me add that I cannot move the first column "Threat" and make it bigger.

    Therefore I can only read "Ge.Trjoan.Hezr.FU ..."; the rest is missing.

    How many false positives do you want?

    I think I have a lot ... (See attached picture)

    PS: Just thinking whether I should tell it to completely exclude the PowerBasic folder from scanning, but that's a problem during backup.


    0
  • Customer

    Please try to add a folder with a project to Exclusions.

    And please check if you have the latest definitions. Your file "M42.exe" is clean and is not detected.

    Please send us several files that were detected as Gen:Trjoan.Hezr.FU. Please clarify what version of AAW you use.

    0
  • Customer

    Very interesting ... ok.

    Where did you say all the quarantined files are?

    I have the version ... see picture.

    From what you say, I suspect that in the process when "Signtool.exe" adds the certificate, for a moment maybe an invalid combination may have been there.

    I really miss that "Send a false positive to Lavasoft" button in the program.

    Ok, I will send you a lot of these files, just tell me where they are located, then I'll zip them and upload them.

    This would be good so you can make things a bit more bulletproof.

    In case I also have some larger files that are setup files, how could I send them to you (Dropbox or something?)?

    0
  • Customer

    Please find a folder "<your_disk>:\Users\All Users\Lavasoft\Ad-Aware 11\Quarantine", pack this folder and attach it here. If it will be rather big - please share a dropbox link.

    0
  • Support

    Sorry, but if it's your real email address that is visible in the last screenshot, it should be removed before someone uses it for spamming or hacking.

    0
  • Customer

    Thanks for your caution.

    My e-mail is also publicly available on my website (http://www.smart-package.com/), on Facebook ... therefore anybody can use it.
    I can't say that I get lots of spam until now.

    Besides ... I just realized that while you can open these attachments, I think other people can't.
    At least I can't. Therefore the problem is even smaller.

    0
  • Customer

    Hello,

     

    Have you added your folder to Exclusions?

    0
  • Customer

    Ok, here is the second part of the archive with the 322 false positives.

    There may be a few real "cookies" in there. But I do not expect real viruses.

    If so, I would like to know.

    Quarantine.part2.rar

    0
  • Customer

    Ok, here is the picture ....

    0
  • Customer

    Yes I did.

    Here is a picture of my quarantine folder. I bet it's all false positives.
    It's 322 files and 16.5 MB.

    Let me see if I can attach them.

    Even though I have deactivated the AV, WinRAR was not able to touch all of the quarantined files; see attached error msg.

    I will split the whole bunch of files in two parts: Part 1 in this post, part 2 in the next.

    Use WinRAR to get them together.

    Quarantine.part1.rar

    0
  • Customer

    Ok. Just got another one. This time I have completely deactivated the AV to be able to recreate (recompile) the script.

    Again the same effect: the AV prevents Windows from creating a file with that name as long as it is running.

    Unless I completely stop the AV, or reboot the computer. (Picture 2)

    In this case it's not enough to stop the real-time protection - as I did yesterday - but it was necessary to completely deactivate the AV.

    Compile_SPRE.zip

    0
  • Customer

    About this case - I found that the file is detected by a set of AV vendors (https://www.virustotal.com/ru/file/c85f4d3808f975d66b6ca84dad6faa7fde73839cedcd21e6e1cc189c49061a71/analysis/1438937903/). I sent a request for a false positive for your file "Compile_SPRE.exe".

    0
  • Customer

    theogott,

    we investigated your quarantine and found that most of the binary files are detected as "Gen.Trjoan.Hezr.FU" (as you said). I have several assumptions about this fact:

    • your files began to be detected after compilation

    • your files began to be detected after packing (UPX, anything else)

    Could you send me one compiled file NOT packed, or send it to VirusTotal for a check?

    0
  • Customer

    I attach one of the files ... this file receives 11/55 from VT, see picture.

    It's not a virus, and neither are the others.

    These files are results from the PowerBasic compiler, or from the WinRobots/Smart Package Robot compiler / UPX packer, or from the Bitsum packer.

    If you or your developers have questions, you can reach me via mail or other contact data.

     

    regsvrhelper.rar

    0
  • Customer

    This file is just compiled with PowerBasic.

    Other files are compiled and packed with UPX or the Bitsum Runtime Packer.

    0
  • Customer

    theogott

    Is this file just compiled or packed too? I am trying to understand if the compiler can produce a "detected" piece of code or if it is some part of a packer that was detected.

    0
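The question above (and the earlier description of the build script: compile, then UPX, then signtool) comes down to telling a plainly compiled PE from a UPX-packed one, so the right build stage can be sent for false-positive review. The following Python is an added example, not code from this thread or from Lavasoft or PowerBasic: it parses the PE section table, flags the default UPX0/UPX1 section names that UPX writes (an assumption; a modified packer may rename them), and hashes the artifact. `build_stub_pe` constructs header-only sample images for demonstration only.

```python
import hashlib
import struct

# Section names written by the UPX packer (assumption: default UPX naming;
# a modified packer may use different names).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                        # after optional header
    names = []
    for i in range(num_sections):
        raw = struct.unpack_from("8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX section name."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))

def sha256_hex(data: bytes) -> str:
    """Hash to quote when submitting a sample for false-positive review."""
    return hashlib.sha256(data).hexdigest()

def build_stub_pe(section_names) -> bytes:
    """Constructed header-only PE for demonstration; it is not executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> COFF header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0, 0x102)     # SizeOfOptionalHeader = 0
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"),
                                    0, 0, 0, 0, 0, 0, 0, 0, 0)
                        for n in section_names)
    return bytes(dos) + coff + sections

if __name__ == "__main__":
    # Constructed samples standing in for the compile-only and post-UPX stages.
    for stage, names in (("compiled", [".text", ".data", ".rsrc"]),
                         ("packed", ["UPX0", "UPX1", ".rsrc"])):
        blob = build_stub_pe(names)
        print(stage, sha256_hex(blob)[:16], pe_section_names(blob), looks_upx_packed(blob))
```

Run it against the real outputs of each build stage (after compile, after UPX, after signing) to see which artifact first carries the UPX sections and to record the hash of each.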
  • Customer

    Can you send PowerBasic to check on VirusTotal? Or send us the binary or an md5 hash.

    0
  • Customer

    PowerBasic is available here:
    https://www.componentsource.com/product/powerbasic-compiler-windows

    It would not be legal for me to send it.

    I can send you a download link and a keyfile for the "Smart Package Robot" automation system,

    but this is only possible by mail.

    0
