Anti-Malware false positives #78
Comments
I think if you just submit the file to VirusTotal, it will give you a breakdown on the various different tools. For example v.2.0.0 beta 2c has a bunch of obscure engine flags including Endgame, Qihoo-360, SentinelOne (Static ML), and Webroot. There's also an FAQ for devs: https://www.virustotal.com/en/faq/ (see "VirusTotal is detecting a legitimate software I have developed, please remove the detections") |
Is AutoIt similar to autohotkey in that compiling the script always produces 1 or 2 false positives even if you don't use UPX? |
the compiled "pie.exe" executable got recognized by Windows Defender (cloud protection engine) as Trojan:Win32/Fuerboos.B!cl, so I've submitted the file as a false positive for manual analysis to MS and the end result is "not malware"... |
Thanks |
My BitDefender didn't like the DGCA or Smart Install Maker Unpacker plugin modules. |
Norton sees |
About the latest version "v2.0.0 - rc.1"
2. It is blocked by "Windows Defender SmartScreen" when running the application. I judged from the contents that it was a "false positive" and an "unregistered definition", ignored the warning and "executed". However, many end users will be upset by a "false positive alert" or "blocked by WD". (Infects with malware) |
About the latest version "v2.0.0 - rc.2b" |
Avast Free flags each new release as malware (Win32:Malware-gen). |
UniExtract.exe 3.3.14.1 (2019.10.17) detected by Windows Defender as having Trojan:Win32/Azden.A!cl. Edit: I sent the file to MS and, after revision, they have removed the detection |
A big thanks to everyone who contributed in this thread or sent false positive reports. Please continue to do so :) I updated the issue description with more information about false positives and how everyone can help. About Windows Defender: sadly this is a common problem. It's very likely that the software flags every new release as malicious again. Please keep sending false positive reports if you have the spare time. |
The nightly went from about 6 to 11 detected, including the big ones like Microsoft, Kaspersky, McAfee, Sophos. It would be nice if it was a simple case of the server being hacked and replaced with a malicious file, at least then you could fix it easily, but it seems like the AutoIT scripts have whacked a hornets' nest with a large stick. If you could, as the author, submit the nightly to https://opentip.kaspersky.com with your email address so they can contact you. You'll have to click on the reanalyze button after uploading it to get a specialist to look it over. |
I’m not the author.
From: CeruleanSky [mailto:notifications@github.com]
Sent: Saturday, August 15, 2020 11:41 AM
To: Bioruebe/UniExtract2 <UniExtract2@noreply.github.com>
Cc: bqguynb82 <bill7210@gmail.com>; Comment <comment@noreply.github.com>
Subject: Re: [Bioruebe/UniExtract2] Anti-Malware false positives (#78)
The nightly <https://update.bioruebe.com/uniextract/nightly/UniExtract.exe> went from about 6 to 11 detected, including the big ones like Microsoft, Kaspersky, McAfee, Sophos
https://www.virustotal.com/gui/file/2dc61c2a5e5f17725697c2ac1ba1395951e6eb613167fd489a64dc3bb3182715/detection
It would be nice if it was a simple case of the server being hacked, but it seems like the AutoIT scripts have whacked a hornets' nest with a large stick.
If you could, as the author, submit the nightly to https://opentip.kaspersky.com with your email address so they can contact you.
You'll have to click on the reanalyze button after uploading it to get a specialist to look it over.
|
Thanks for letting me know. I sent a bunch of false positive reports and now it's back at 6 detections. |
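A small script to make that release-to-release churn (6 to 11 and back to 6 detections) visible, added here as an example and not part of UniExtract or this thread: it diffs the per-engine verdicts of two VirusTotal API v3 file reports and lists which engines newly flag a build, so a maintainer knows which vendors still need a false positive report. The two reports are constructed inline; their hashes, the engine verdicts, and the signature names marked "constructed" are assumptions.

```python
import json
from typing import Dict, List

# Constructed sample VirusTotal API v3 file reports for two hypothetical builds.
# Only the fields this script reads are present. Real reports come from
# GET https://www.virustotal.com/api/v3/files/<sha256> (header: x-apikey).
RELEASE_REPORT = json.loads("""{"data": {"id": "RELEASE-SHA256-PLACEHOLDER",
  "attributes": {"last_analysis_results": {
    "Avast":       {"category": "malicious",  "result": "Win32:Malware-gen"},
    "SentinelOne": {"category": "malicious",  "result": "constructed static-ML verdict"},
    "Microsoft":   {"category": "undetected", "result": null},
    "Kaspersky":   {"category": "undetected", "result": null},
    "Sophos":      {"category": "undetected", "result": null},
    "ClamAV":      {"category": "timeout",    "result": null}}}}}""")

NIGHTLY_REPORT = json.loads("""{"data": {"id": "NIGHTLY-SHA256-PLACEHOLDER",
  "attributes": {"last_analysis_results": {
    "Avast":       {"category": "malicious",  "result": "Win32:Malware-gen"},
    "SentinelOne": {"category": "undetected", "result": null},
    "Microsoft":   {"category": "malicious",  "result": "Trojan:Win32/Azden.A!cl"},
    "Kaspersky":   {"category": "suspicious", "result": "constructed heuristic verdict"},
    "Sophos":      {"category": "malicious",  "result": "constructed ML verdict"},
    "ClamAV":      {"category": "undetected", "result": null}}}}}""")

# VT verdict categories that count as a detection; "timeout", "undetected",
# "harmless" and "type-unsupported" do not.
FLAGGED = ("malicious", "suspicious")


def detections(report: dict) -> Dict[str, str]:
    """Return {engine: signature name} for engines whose verdict counts as a detection."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {eng: r["result"] for eng, r in results.items() if r.get("category") in FLAGGED}


def compare(old: dict, new: dict) -> Dict[str, List[str]]:
    """Diff two reports: engines that newly flag, that dropped the detection, that still flag.

    Vendor whitelisting is keyed to one file hash, so a new build (new data.id)
    starts from scratch; the "added" list is the set of vendors to report to."""
    o, n = detections(old), detections(new)
    return {"added": sorted(set(n) - set(o)),
            "removed": sorted(set(o) - set(n)),
            "kept": sorted(set(o) & set(n))}


if __name__ == "__main__":
    print(f"release: {len(detections(RELEASE_REPORT))} detections, "
          f"nightly: {len(detections(NIGHTLY_REPORT))} detections")
    for key, engines in compare(RELEASE_REPORT, NIGHTLY_REPORT).items():
        print(f"  {key}: {', '.join(engines) or '-'}")
```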
Windows Defender |
Windows Defender file: C:\Users\iGom\AppData\Local\Microsoft\Windows\INetCache\IE\17BBYC0C\UniExtract[1].exe |
Tested on 11/1/2020. Due to the size of the file, only VirusTotal scans it. Alibaba: TrojanDownloader:Win32/Generic.d8e526a0. Other scan sites: AntiScan.Me: https://antiscan.me/ |
A suggestion for users could be to give a positive vote on the VirusTotal page, for example |
Hi, I just got a false positive on PEiD.exe by SentinelOne software. I guess it's a false positive, it has been identified as malicious at virustotal in the past and redeemed again. Using 2.0.0 RC 3 |
Hi there,
Is there any possibility of making future versions get fewer harmful results, please? I know the software isn't a risk, but other people and AVs won't... |
@Dragodraki Not really. Viruses use scripts and other ways to decompress their malicious payloads in hopes of avoiding detection. UniExtract has lots of scripts and utilities to decompress files, and antivirus vendors sometimes make their templates loose in hopes of catching variations, but in this case they will occasionally catch UniExtract's legitimate methods as falsely being that malware. |
@CeruleanSky Thank you for the explanation. Yes, I'm aware of that. Indeed I mean these scripts - maybe they can be changed to not seem so aggressive? |
Universal Extractor (or parts of it) sometimes get flagged as malicious by security software.
Of course, Universal Extractor is safe. If you have some programming skills, you can even verify that yourself by looking at the source code. However, some anti-malware tools are over-sensitive and flag programs as malicious if they are not sure.
Here's what you can do, if your anti-malware software complains about Universal Extractor:
Send a false-positive report
The easiest way of fixing the problem is to send the file to the developer of your security software. Depending on your anti-malware program, this can be done either from within the software (there might be a link/button in the 'malware detected' message box), using a web form or via email. If you are unsure how it works, a simple web search should give you all information you need.
Or comment here
Alternatively, you can add a comment here. Please include the version of Universal Extractor, the name of your security software and which file was detected (UniExtract.exe or something else?).
Notes
It is very likely that even after sending a false-positive report the file in question will be flagged as malicious again after updating Universal Extractor (or your anti-malware software). This happens because whitelisting is done only for one specific version of a program. There is nothing we can do about it, except sending false-positive reports after every update.