How I removed a false positive from VirusTotal

BarryG
Addict
Posts: 4173
Joined: Thu Apr 18, 2019 8:17 am

How I removed a false positive from VirusTotal

Post by BarryG »

So, as you might have read from me before, I usually compress my executables with UPX and then remove the first 3 x "UPX" strings at the start of the exe (by changing "U" "P" "X" to 00 00 00 bytes). This drastically reduces its size (9 MB to 3 MB), and stops the uneducated user from decompressing the exe to see its strings.

But when I was uploading the exe to VirusTotal.com, there was usually one false positive - often Microsoft with "Win32/Wacapew.C!ml" named. As we know, the "ml" at the end means "machine learning", so it's not actual real malware but just a bad guess that it is. Take a look:


[Image]


Now, quite frankly I was getting tired of submitting my exes to Microsoft for white-listing, and so I signed up with VirusTotal.com to upvote my own exe (because you can't upvote without a VirusTotal account). However, I then realised it showed me WHY my exe was flagged: it was matching a UPX rule! There was an icon to click at the right of this ruleset (not shown in the screenshot above), which literally SHOWED ME which byte sequence was causing the false positive! I tried changing the first byte in the sequence but my exe wouldn't run, so I changed the second instead (from 00 to 01) and now my exe ran again. Take a look at what I changed (you might need to right-click and open the image in a new tab):


[Image]


I then re-uploaded this new modified exe to VirusTotal and NO FALSE POSITIVE! Just from changing one single byte in a 3 MB exe! Look:


[Image]


I hope my experience can help someone else fix their false positive issues. :D

I'm actually going to code a small app to auto-change that 00 to 01 in my build process, so my exes will NEVER match that ruleset again. :wink:
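A defender-side check for the layout BarryG describes, added here as an example that is not from the thread or from PureBasic: it parses a PE section table with only the standard library and flags UPX-style packing even after the "UPX0"/"UPX1" names have been zeroed, because the raw-size-zero first section that the unpacking stub fills at run time survives the renaming. The sample PE headers are constructed inline for the demo and are not real executables.

```python
"""Flag PE files whose section table looks UPX-packed, even when the
UPX0/UPX1 section names were blanked out. Constructed headers only, no real exe."""
import struct

def read_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] from a PE's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # COFF file header starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections

def upx_indicators(data: bytes):
    """Return human-readable reasons the file looks UPX-packed (empty list = none)."""
    reasons = []
    secs = read_sections(data)
    names = [s[0] for s in secs]
    if any(n.startswith("UPX") for n in names):
        reasons.append("section named UPX*")
    if b"UPX!" in data:
        reasons.append("UPX! packed-header magic present")
    # UPX0 has no raw data but a large virtual size; the stub unpacks into it.
    # That layout survives renaming the section, so check sizes, not names.
    if len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0 and secs[1][2] > 0:
        reasons.append("first section has no raw data but a large virtual size (UPX0-style)")
    if any(n == "" for n in names):
        reasons.append("blank section name (packer marker stripped?)")
    return reasons

def build_pe(sections):
    """Constructed minimal PE (DOS stub + headers only) for the demo; not runnable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 0xF0                        # PE32+ optional header size; contents unused
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b""
    for name, vsize, rsize in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack("<IIII", vsize, 0x1000, rsize, 0x400) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: stock UPX layout, the same with names zeroed, and a plain exe.
STOCK_UPX = build_pe([(b"UPX0", 0x9000, 0), (b"UPX1", 0x3000, 0x3000), (b".rsrc", 0x200, 0x200)]) + b"UPX!"
STRIPPED = build_pe([(b"", 0x9000, 0), (b"", 0x3000, 0x3000), (b".rsrc", 0x200, 0x200)])
PLAIN = build_pe([(b".text", 0x9000, 0x9000), (b".data", 0x1000, 0x800)])
```

Running `upx_indicators(STRIPPED)` still reports the UPX0-style layout and the blank names even though no "UPX" string remains in the file, which is the kind of check a signature on one byte sequence misses.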
Bitblazer
Enthusiast
Posts: 762
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: How I removed a false positive from VirusTotal

Post by Bitblazer »

Thanks for posting this useful tip!

I wonder if the antivirus was actually running with a setting that has decompression detection enabled. Some do this by default now and classify it as detection of "potentially unwanted software".
Last edited by Bitblazer on Sat May 04, 2024 8:38 am, edited 1 time in total.
BarryG
Addict
Posts: 4173
Joined: Thu Apr 18, 2019 8:17 am

Re: How I removed a false positive from VirusTotal

Post by BarryG »

No problem. Just goes to show how much anti-virus apps are absolute bullsh*t when reporting their findings! Changing one single byte magically makes the exe "safe" again. It's so ridiculous and basically defamatory to software developers like us! :evil:
benubi
Enthusiast
Posts: 220
Joined: Tue Mar 29, 2005 4:01 pm

Re: How I removed a false positive from VirusTotal

Post by benubi »

Sorry, useless post of mine - should have better read the OP.

I'll have to look into this UPX thing now; thanks for the tips!
AZJIO
Addict
Posts: 2191
Joined: Sun May 14, 2017 1:48 am

Re: How I removed a false positive from VirusTotal

Post by AZJIO »

BarryG
1. Their algorithm is based on searching for a specific sequence.
2. Replacing a byte is not always a useful method: perhaps this byte is responsible for something and the consequences may emerge later, or maybe you are lucky, because this byte is reserved and you will never have problems.
BarryG wrote (Sat May 04, 2024 6:57 am): "SHOWED ME"
This option, if it is there, will also show the virus creator how to change the file so that the virus bypasses the protection.
drgolf
Enthusiast
Posts: 111
Joined: Tue Mar 03, 2009 3:40 pm
Location: france

Re: How I removed a false positive from VirusTotal

Post by drgolf »

Hello,

I made some tests and they are not conclusive.

With PB 6.11 B2 x64, C backend on Windows 10 Pro x64.

This code :

EnableExplicit

Enumeration window
  #window_new
EndEnumeration

Procedure openwin()
  OpenWindow(#window_new, #PB_Ignore, #PB_Ignore, 300, 200, "window", #PB_Window_SystemMenu | #PB_Window_TitleBar | #PB_Window_SizeGadget | #PB_Window_MaximizeGadget | #PB_Window_MinimizeGadget | #PB_Window_ScreenCentered)
EndProcedure

openwin()

Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      CloseWindow(#window_new)
      Break
  EndSelect
ForEver

The results :

* simplewin.exe (not UPXed - no modification) = 226 KB
VirusTotal : 2/72 =
Bkav Pro : W64.AIDetectMalware
DeepInstinct : MALICIOUS

* simplewincp.exe (UPXed) = 115 KB
VirusTotal : 7/71 =
Bkav Pro : W64.AIDetectMalware
CrowdStrike Falcon : Win/malicious_confidence_90% (D)
Elastic : Malicious (moderate Confidence)
MaxSecure : Trojan.Malware.300983.susgen
Microsoft : Program:Win32/Wacapew.C!ml
SecureAge : Malicious
Trapmine : Suspicious.low.ml.score

* simplewincp2.exe (UPXed with modified pattern 6A 00 48 .. to 6A 01 48 ..)
VirusTotal : 6/71 =
Bkav Pro : W64.AIDetectMalware
Elastic : Malicious (moderate Confidence)
MaxSecure : Trojan.Malware.300983.susgen
Microsoft : Program:Win32/Wacapew.C!ml
SecureAge : Malicious
Trapmine : Suspicious.low.ml.score

The conclusion: don't use UPX.
BarryG
Addict
Posts: 4173
Joined: Thu Apr 18, 2019 8:17 am

Re: How I removed a false positive from VirusTotal

Post by BarryG »

drgolf wrote (Sun May 05, 2024 2:48 pm): "The conclusion: don't use UPX."
It obviously depends on the exe and what it does. With mine, no UPX = 4 or 5 false positives. With UPX = 0, as I showed in my screenshot above. Looks like I'm one of the lucky ones.
AZJIO wrote (Sun May 05, 2024 2:25 pm): "Replacing a byte is not always a useful method, perhaps this byte is responsible for something and the consequences may emerge later"
Yes, I'm aware of this. This byte pattern doesn't exist in my non-UPX exe so it's something UPX is adding; it's not part of my exe's code. Changing that one byte hasn't caused any unintended consequences so far over several days of testing.
pjay
Enthusiast
Posts: 252
Joined: Thu Mar 30, 2006 11:14 am

Re: How I removed a false positive from VirusTotal

Post by pjay »

I don't understand how UPXing an executable would reduce false-positives.

Surely the host PC's anti-virus would check both the UPX executable itself and the subsequently unpacked executable. The only way false-positives would be reduced is if UPX has modified the original executable, such as removed unnecessary bits etc.

If you manually decompress a UPX'd file, do the contents of the original executable and decompressed executable match exactly?

Either way, I'd advise against byte-editing as you've done here.