About fake virus detection of your packed/protected software

The PE packer place.

Moderator: CGSoftLabs

Post Reply
CGSoftLabs
Registered User
Posts: 118
Joined: Thu Feb 10, 2005 12:00 am

About fake virus detection of your packed/protected software

Post by CGSoftLabs »

It's a problem related to all packers/protectors. Virii authors use this kind of programs to hide their viruses, trojans etc.; because antivirus software makers find the virus and don't know that it was protected or packed, it will assume that the virus signature it's in fact some packed data inside the shell with which the packer envelope the application;
The problems with fake alarms comes few weeks after releasing the packer; soon, virii authors use the packer and release a new packed version of the virus; in time...as the anivirus companies find the packers with which the virus was packed/protected it will develop methodes to detect packed files from packed viruses.

You and your clients must use the newest signature database for the antivirus they use.

You must notice the antivirus company which made your antivirus if your packed/protected software is detected as a virus.

Check your packed exe here http://www.virustotal.com to see if it's detected as a virus;


greatz
CGSoftLabs

CGSoftLabs
Registered User
Posts: 118
Joined: Thu Feb 10, 2005 12:00 am

Post by CGSoftLabs »

I've informed the F-Secure and Sophos about their fake detection:

----- Original Message -----
From: "F-Secure Security Labs" <ticketing-t2533@f-secure.com>
To: "CGSoftLabs" <christigNOSP@cgsoftlabs.ro>
Sent: Sunday, February 10, 2008 6:02 PM
Subject: Re: Re: NWF: False positive : christigNOSP@cgsoftlabs.ro [FS-T2772]


> Hello,
>
> Our engine team are now looking into this. At the moment we do have detection for some versions of the packer but because most of the samples in our backend that are packed with eXPressor are malware, we cannot just whitelist them.
>
> For now, clients with this problems should send their software to us for whitelisting.
>
> --
> F-Secure Security Labs http://www.f-secure.com/weblog/
> F-Secure Corporation http://www.f-secure.com/
> BE SURE.
>

>
>
> -----Original Message-----
> From: CGSoftLabs <christigNOSP@cgsoftlabs.ro>
> To: F-Secure Security Labs <ticketing-t2533@f-secure.com>; ticketing-t2533@samples-spam.f-secure.com
> Cc: F-Secure Security Labs <ticketing-t2533@f-secure.com>; ticketing-t2533@samples-spam.f-secure.com
> Date:
> Subject: Re: NWF: False positive : christigNOSP@cgsoftlabs.ro [FS-T2533]
>
>> Hi again
>>
>> I wasn't clear enough. I'm the packer's author. Each software
>> packed/protected with my software will trigger F-Secure; so any of my
>> clients distributing their software packed/protected with eXPressor can
>> encount problems due F-Secure.
>>
>> I'm not using your software. Just that a client reported this problem. He
>> has problems running his application which he sells in a packed form, using
>> my eXPressor.
>>
>> Please forrward the problem to the coders team. they will know what to do.
>>

...

From: "Sophos Support" <supportNOSP@sophos.com>
To: <christigNOSP@cgsoftlabs.ro>
Sent: Wednesday, February 06, 2008 12:32 PM
Subject: Re: Fake virus detection [#775772]


Hi Christian,

I have been informed by SophosLabs that someone will be in touch with you shortly.

Regards,

Manoj Parmar
Sophos Technical Support

CGSoftLabs
Registered User
Posts: 118
Joined: Thu Feb 10, 2005 12:00 am

Post by CGSoftLabs »

because of this problem I have decided not to deliver beta ori intermediate releases to public or customers (which may be virus makers); it's easy to understand that those version can escape from analisys to antivirus companies and therefore a higher risk of fake detections or viruses propagations.

CGSoftLabs
Registered User
Posts: 118
Joined: Thu Feb 10, 2005 12:00 am

Post by CGSoftLabs »

Yesterday I have contacted some AV companies: McAfee, Sophos, F-prot regarding this problem; they are lazy companies which doesn't handle all packer/protectors; it's true that eXPressor isn't such popular but this is not a reason not to learn your software to scan inside protected files; that's why, first virus found packed with eXPressor becomes a signature in their database and after that, all apps protected will be seen as that virus; in other words virustotal.com shows you which av software is good and which is bad;

If your software is fake detected as a virus I advise you (if you wish to help) to contact av companie and complain that their av. block your protected software; they will fix the problem at some moment.

Post Reply