AntiVirus False Positives (Again)
#1 FuryCell

    A cornered fox is more dangerous than a jackal!

  • Active Members
  • 2,437 posts

Posted 03 December 2005 - 01:15 PM

I just scanned an AutoItScript I compiled at http://virusscan.jotti.org/ and got these results:

File: MD5.exe
Status: INFECTED/MALWARE
MD5 49874947f9287de91c606c981afc79ed
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Clicker.Small.Ht
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


It appears to be another false positive because of careless updates to antivirus definitions. :P

Edited by SolidSnake, 03 December 2005 - 01:34 PM.

HKTunes:Softpedia | GoogleCodeLyricToy:Softpedia | GoogleCodeRCTunes:Softpedia | GoogleCodeMichtaToolsProgrammer n. - An ingenious device that turns caffeine into code.

#2 w0uter

    resreveR nA

  • Active Members
  • 2,262 posts

Posted 03 December 2005 - 02:29 PM

Could you give some more info, like what was in it and what it was compiled/packed with?
Latest beta gives me this.

POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

VBA32
Found Trojan-Downloader.Agent.70 (probable variant)



ArcaVir probably just flagged it because it was packed by the default UPX.

Edited by w0uter, 03 December 2005 - 02:35 PM.

My UDF's:;mem stuff_Mem;ftp stuff_FTP ( OLD );inet stuff_INetGetSource ( OLD )_INetGetImage _INetBrowse ( Collection )_EncodeUrl_NetStat_Google;random stuff_iPixelSearch_DiceRoll

#3 FuryCell

    A cornered fox is more dangerous than a jackal!

  • Active Members
  • 2,437 posts

Posted 03 December 2005 - 04:00 PM

Could you give some more info, like what was in it and what it was compiled/packed with?
Latest beta gives me this.


I have attached the script which was compiled using the v3.1.1 compiler. It was an MD5 include I downloaded off the forums.

ArcaVir probably just flagged it because it was packed by the default UPX.


I do not understand what you mean by this. Could you please try and explain it in different words?


Thanks for the feedback.
-SolidSnake

Attached Files

  • Attached File  MD5.au3   21.72KB   446 downloads

Edited by SolidSnake, 03 December 2005 - 04:02 PM.


#4 SmOke_N

    It's not what you know ... It's what you can prove!

  • Moderators
  • 15,730 posts

Posted 03 December 2005 - 04:10 PM

AutoIt uses a UPX packer by default. w0uter was simply stating that the anti-virus protection programs typically find this and label it as a 'potential threat'. That seems to be the consensus here.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


#5 FuryCell

    A cornered fox is more dangerous than a jackal!

  • Active Members
  • 2,437 posts

Posted 03 December 2005 - 05:33 PM

AutoIt uses a UPX packer by default. w0uter was simply stating that the anti-virus protection programs typically find this and label it as a 'potential threat'. That seems to be the consensus here.


Thanks.

#6 w0uter

    resreveR nA

  • Active Members
  • 2,262 posts

Posted 03 December 2005 - 07:10 PM

tested it with the latest beta + upx beta

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: 317612dd7eaac711d4bdf698f5b47047
Packers detected: UPX, AUTOIT
Scanner results:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.70 (probable variant)

Edited by w0uter, 03 December 2005 - 07:12 PM.


#7 FuryCell

    A cornered fox is more dangerous than a jackal!

  • Active Members
  • 2,437 posts

Posted 04 December 2005 - 03:40 AM

tested it with the latest beta + upx beta

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: 317612dd7eaac711d4bdf698f5b47047
Packers detected: UPX, AUTOIT
Scanner results:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.70 (probable variant)

That makes two problems: VBA32 and ArcaVir. Guess somebody should send an email to both of them so they can fix their definitions.

Thanks for the feedback.

Edited by SolidSnake, 04 December 2005 - 03:40 AM.

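As an added example (not code from this thread or from AutoIt), a small Python triage script for reports in the Jotti layout quoted above: it parses the "engine Found verdict" lines, counts how many engines flagged the file, treats a lone or "probable variant" hit on a packed file as a likely false positive, and compares the two scans by engine name, since repacking changed the MD5. The sample reports are constructed excerpts with a shortened engine list, and the keyword list and thresholds are my assumptions.

```python
import re
# Constructed excerpts in the layout of the Jotti reports quoted above (engine list shortened).
SCAN_A = """Status: INFECTED/MALWARE
MD5 49874947f9287de91c606c981afc79ed
Packers detected: UPX, AUTOIT
AntiVir Found nothing
ArcaVir Found Trojan.Clicker.Small.Ht
VBA32 Found nothing"""
SCAN_B = """Status: POSSIBLY INFECTED/MALWARE (Note: flagged only by heuristic detection(s).)
MD5: 317612dd7eaac711d4bdf698f5b47047
Packers detected: UPX, AUTOIT
AntiVir Found nothing
ArcaVir Found nothing
VBA32 Found Trojan-Downloader.Agent.70 (probable variant)"""

# One engine line reads "<engine name> Found <verdict>"; engine names may contain spaces.
ENGINE_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+)$")
# Words marking a generic/heuristic signature rather than a specific sample (assumption).
GENERIC_MARKERS = ("probable variant", "heuristic", "generic", "suspicious")

def parse_report(text):
    """Return (packers, {engine: verdict, or None when it found nothing})."""
    packers, results = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Packers detected:"):
            packers = [p.strip() for p in line.split(":", 1)[1].split(",")]
            continue
        m = ENGINE_RE.match(line)
        if m:
            verdict = m.group("verdict").strip()
            results[m.group("engine")] = None if verdict.lower() == "nothing" else verdict
    return packers, results

def triage(text):
    """Classify one report as clean, likely false positive, or needs investigation."""
    packers, results = parse_report(text)
    hits = {e: v for e, v in results.items() if v}
    generic_only = bool(hits) and all(any(k in v.lower() for k in GENERIC_MARKERS) for v in hits.values())
    if not hits:
        verdict = "clean"
    elif generic_only or (len(hits) == 1 and packers):
        verdict = "likely false positive"  # lone or generic hit on a packed file
    else:
        verdict = "needs investigation"
    return {"packers": packers, "hits": hits, "ratio": f"{len(hits)}/{len(results)}", "verdict": verdict}

def consistent_hits(*reports):
    """Engines that flag the file in every report (repacking changes the MD5, so match by engine)."""
    return set.intersection(*(set(triage(r)["hits"]) for r in reports))
```

For the two scans in this thread the flagging engines do not overlap, which is the signal that each hit is a signature quirk rather than a consistent detection.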