anonimous

Obfuscator Temp File?

11 posts in this topic

#1 ·  Posted (edited)

After obfuscating, compiling and running the file, Avira suddenly detects an HTML script virus which I think is a false positive. Could it be a temp file created when the obfuscated script is decrypted?

The file is detected in 'C:\Documents and Settings\username\Local Settings\Temp\qihaihs' (random 7 letter filename with no extension)

Virus Total scan result: https://www.virustotal.com/analisis/1673155c5512211571ebd0aca880cca19a847dd50c1c7d06def28123be7b3f1e-1260696481

Does it happen to anyone else?

I managed to capture one before it was deleted by running a script to kill the process before it can delete the temp file. I monitored the files using Sysinternals's FileMon.

Edited by anonimous


#2 ·  Posted (edited)

This is the table file created at Obfuscation time and included in the obfuscated exe. Doubt this file is marked as a virus.

Pretty sure you got yourself a false positive.

Talk to your AV provider.

Jos

Edited by Jos


> This is the table file created at Obfuscation time and included in the obfuscated exe. Doubt this file is marked as a virus.
>
> Pretty sure you got yourself a false positive.
>
> Talk to your AV provider.
>
> Jos

Oh, I didn't realise it was the exact table that was generated when obfuscating the script. I thought it was a temp file generated when running the script. Thanks for the info!


Sometimes you just can't believe your eyes.

What an irrational thing to do. Incredible. AVs are out of control.



Hi,

I recently had a similar problem with Obfuscator and McAfee. (I reported the false positive)

Mega



> Hi,
>
> I recently had a similar problem with Obfuscator and McAfee. (I reported the false positive)
>
> Mega

Has McAfee fixed the problem? Because in the Virus Total result above, McAfee is also detecting the table file as a virus.

Share this post


Link to post
Share on other sites

Hi,

till Friday they hadn't.

I'll check my laptop tomorrow, because it is the one for business. On my private PC I do not use McAfee.

Mega



I reported it to Avira and they still say that it's a damaged malware file with harmful code fragments...


> I reported it to Avira and they still say that it's a damaged malware file with harmful code fragments...

... and what do you think?


false positive

http://virscan.org/report/cb94cf26d999cf41270fef06383f3d80.html

http://virusscan.jotti.org/de/scanresult/661a60a2953c5680671ff5ba9a2397cf93819830

but it suxx -.-
