AutoIt Forums: AntiVirus False Positives (Again) - AutoIt Forums



AntiVirus False Positives (Again)

#1 P5ych0Gigabyte (Full Member, New Jersey, USA)

Posted 03 December 2005 - 02:15 PM

I just scanned an AutoItScript I compiled at http://virusscan.jotti.org/ and got these results:

Quote

File: MD5.exe
Status: INFECTED/MALWARE
MD5 49874947f9287de91c606c981afc79ed
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Clicker.Small.Ht
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


It appears to be another false positive because of careless updates to antivirus definitions. :(


#2 w0uter (Full Member, The Netherlands)

Posted 03 December 2005 - 03:29 PM

could you give some more info like what was in it and what was it compiled/packed with ?
latest beta gives me this.

Quote

POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

VBA32
Found Trojan-Downloader.Agent.70 (probable variant)



ArcaVir probably just flagged it because it was packed by the default UPX.


#3 P5ych0Gigabyte (Full Member, New Jersey, USA)

Posted 03 December 2005 - 05:00 PM

w0uter, on Dec 3 2005, 09:29 AM, said:

could you give some more info like what was in it and what was it compiled/packed with ?
latest beta gives me this.


I have attached the script which was compiled using the v3.1.1 compiler. It was an MD5 include I downloaded off the forums.

w0uter, on Dec 3 2005, 09:29 AM, said:

ArcaVir probbly just flagged it becouse it was packed by the default UPX.


I do not understand what you mean by this. Could you please try and explain it in different words.


Thanks for the feedback.
-SolidSnake

Attached File(s)

  • Attached File  MD5.au3 (21.72K)

#4 SmOke_N (Moderator, United States)

Posted 03 December 2005 - 05:10 PM

AutoIt uses a UPX packer by default. w0uter was simply stating that, the anti-virus protection programs, typically find this and label it as a 'potential threat'. That seems to be the consensus here.
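The check behind SmOke_N's point, as an added example that is not code from the original posts or from AutoIt itself: a UPX-packed PE is recognisable by the section names the UPX stub leaves in the section table, which is exactly what a scanner's "Packers detected: UPX" line keys on. The script below parses the PE section table directly (no third-party PE library), flags UPX0/UPX1/UPX2 section names, and prints the MD5 (the hash form the jotti reports above use) and SHA-256 of the file so the result can be matched against a multi-scanner report. The two sample images are constructed inline and are header-only stubs, not runnable executables; the section-name set is an assumption about how UPX labels its sections, and a repacker that renames them defeats this check.

```python
import hashlib
import struct
import sys

# Section names the UPX stub leaves in a packed PE (assumption; a renamed
# section defeats this check, so it is a triage signal, not proof either way).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data):
    """Return the section names from a PE image's section table (PE32 or PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the 4-byte signature:
    #   +6 NumberOfSections, +20 SizeOfOptionalHeader
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section carries a UPX stub name."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def file_hashes(data):
    """MD5 (the form the jotti report shows) plus SHA-256 for a modern scanner lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_pe(section_names):
    """Constructed header-only PE32 stub (not runnable) with the given sections, for testing."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                          # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sects = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + opt + sects


# Constructed samples: one mimicking the UPX layout, one with ordinary compiler sections.
UPX_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_SAMPLE = build_sample_pe([".text", ".rdata", ".data", ".rsrc"])


def report(data, label):
    h = file_hashes(data)
    print(f"{label}: md5={h['md5']} sha256={h['sha256']}")
    print(f"  sections={pe_section_names(data)} upx={looks_upx_packed(data)}")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python upxcheck.py MD5.exe (hypothetical file name)
        with open(sys.argv[1], "rb") as f:
            report(f.read(), sys.argv[1])
    else:
        report(UPX_SAMPLE, "constructed UPX sample")
        report(PLAIN_SAMPLE, "constructed plain sample")
```

Run it against the compiled executable to confirm the packer is what the scanner is reacting to; a "true" result here tells you the file carries UPX's section layout, not whether the AutoIt payload inside is benign, so the real answer still comes from unpacking and reading the script.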

#5 P5ych0Gigabyte (Full Member, New Jersey, USA)

Posted 03 December 2005 - 06:33 PM

SmOke_N, on Dec 3 2005, 11:10 AM, said:

AutoIt uses a UPX packer by default. w0uter was simply stating that, the anti-virus protection programs, typically find this and label it as a 'potential threat'. That seems to be the consensus here.


Thanks.

#6 w0uter (Full Member, The Netherlands)

Posted 03 December 2005 - 08:10 PM

tested it with the latest beta + upx beta

Quote

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: 317612dd7eaac711d4bdf698f5b47047
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.70 (probable variant)


#7 P5ych0Gigabyte (Full Member, New Jersey, USA)

Posted 04 December 2005 - 04:40 AM

w0uter, on Dec 3 2005, 02:10 PM, said:

tested it with the latest beta + upx beta

Quote

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: 317612dd7eaac711d4bdf698f5b47047
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.70 (probable variant)

That makes two problems, VBA32 and ArcaVir. Guess somebody should send an email to both of them so they can fix their definitions.

Thanks for the feedback.

