
Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 1:41 am
by MachineCode
I submitted one of my exes to both Jotti's Malware Scan and VirusTotal to check them for malware flags, and they both reported that my exe was packed with UPX, and therefore they both reported that my exe was "suspicious". :evil:

I did not pack it with UPX at all, but I am using 4 third-party libs. This leads me to the conclusion that one (or more) of them is either fully or partially packed with UPX.

Therefore, I'd like to ask that if you are the developer who has done this, can you please re-compile your libs to NOT be packed with UPX, and make them available again in that clean state for us. Thank you!

(PS. I don't know if any PureBasic native libs are packed with UPX, but Fred/Freak: if so, please remove such packing too for the next update).

Thank you for reading and your co-operation.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 11:11 am
by luis
So the antivirus makers, wrongly detecting a virus where there is none, should determine if I can use a certain library / exe compressor or not?

The question is purely rhetorical, I already have the answer.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 12:35 pm
by MachineCode
luis wrote:So the antivirus makers, wrongly detecting a virus where there is none, should determine if i can use a certain library / exe compressor or not ?
For your own apps: of course not.
For sharing libs with others: yes.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 2:22 pm
by luis
I disagree.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 4:21 pm
by MachineCode
BTW, I never said they detected a virus. I only said they flagged my app as "suspicious", and this was thanks to a third-party lib author. Now I'm forced to drop the lib, and probably stop development of my app, because of this problem. So disagree all you like, but it is a major problem.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 4:42 pm
by Shield
Libraries should never be packed, exactly because of these problems.
The user of the library can always compress them later if he / she wishes to.

Then again I don't see any reason to pack an executable file if you're not trying to write an awesome 4k intro. :wink:

For the disagreeing part...check out my signature. :mrgreen:

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 4:53 pm
by luis
MachineCode wrote:BTW, I never said they detected a virus.
Yes, you are right, sorry. I thought the reasoning was the same.
Here is the correct version:

So the antivirus makers, erroneously flagging an executable as "suspicious", should determine if I can use a certain library / exe compressor or not?
MachineCode wrote:"and this was thanks to a third-party lib author."
No, this was thanks to the antivirus author.
MachineCode wrote:"Now I'm forced to drop the lib, and probably stop development of my app, because of this problem."
The problem is between you and your users, and within you and your users.

Not in the library just because a not particularly bright and totally extraneous software dislikes it.
MachineCode wrote: So disagree all you like, but it is a major problem.
Can I? Thank you.

I disagree :)

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 5:04 pm
by luis
Shield wrote: Then again I don't see any reason to pack an executable file if you're not trying to write an awesome 4k intro.
The fact is not necessarily limited to packers. Any code fragment "out of the ordinary" can be marked as suspicious.
Antiviruses should be infallible to be kept in the high regards they are kept.
But they are wrong so many times the term "false positive" is known to anyone.

If I want to use a packer, if I want to put in antidebug code, if I want to write self-modifying code, if I want to use a particular sequence of API calls, I'll do it if I have reason to do so. Why should I care about their opinion, especially when they are wrong? I don't, and I find it incredible that someone else does.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 5:09 pm
by LuCiFeR[SD]
why drop the lib? just decompress it yourself :P

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 5:14 pm
by Michael Vogel
UPX is a well known packer and each file can be uncompressed on the fly, which seems to be an easy job for all antivirus programs I know. No reason to ban this packer; I would think about avoiding an antivirus program which is not able to handle such things...
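The point made in the last two replies (scanners recognise UPX, and a packed library can simply be unpacked before linking) rests on UPX leaving obvious traces in the PE file. The following is an added example, not code from this thread or from the UPX project: it parses the PE section table and looks for the section names and the "UPX!" marker that stock UPX writes, so a developer can check a third-party lib before shipping it. The minimal PE image it builds is constructed inline for the demonstration (all header values are placeholders, not a real binary), and the marker position is an assumption for the sample only.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20          # IMAGE_FILE_HEADER
SECTION_HEADER_LEN = 40       # IMAGE_SECTION_HEADER
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # default names written by UPX


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the raw section names. Raises ValueError on a malformed image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_LEN + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_LEN
        if off + SECTION_HEADER_LEN > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Heuristic check: UPX section names and/or the 'UPX!' magic string.
    Both can be stripped or renamed, so a negative result is not proof of
    an unpacked file; a positive result is what scanners key on."""
    hits = [n for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    marker = b"UPX!" in data
    return {"section_hits": hits, "upx_marker": marker,
            "likely_upx": bool(hits) or marker}


def build_sample_pe(section_names, marker: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo: valid headers, dummy
    section contents. Not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # PE32 optional header size; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(opt), 0x102)
    sections = b""
    for name in section_names:
        sections += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    # Assumption for the sample: the marker is appended after the headers.
    return dos + PE_SIGNATURE + coff + opt + sections + marker


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], marker=b"UPX!")
    clean = build_sample_pe([b".text", b".data", b".rsrc"])
    print("packed sample:", upx_indicators(packed))
    print("clean sample: ", upx_indicators(clean))
```

On a real file, read it with `open(path, "rb").read()` and pass it to `upx_indicators`. If it reports hits, `upx -t file` confirms the file is a valid UPX image and `upx -d file` unpacks it in place, which is the route LuCiFeR[SD] suggests; the unpacked file then carries none of these indicators, which is what the flagging scanners were reacting to.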

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 5:54 pm
by luis
BTW: with what I previously wrote I don't want to concentrate my criticism toward antiviruses exclusively.
They are a tool in the toolbox, and they (often) do the best they can. But if using signatures is fallible to a certain extent, using heuristic analysis or execution inside a virtual environment (for example for unknown packers) coupled with behavior analysis can only lead to more false positives. If a "suspicious" un-unpackable (for the AV) exe, for example, is virtually executed and observed to enumerate all the .exe files in the current dir as the first thing it does, it's reasonable to give a warning to the user, and tell him "you should look into it (if you can) or submit it to us for analysis (and hope they will do something about it)".

The real problem is how this kind of "warning" is blindly, religiously interpreted by the general public (suspicious = virus). I know that for a shareware author one of these "warnings" could mean a lost sale, and that's why they should try to educate their potential customers about this.

A reasonable person should be able to understand all this. If not, you are probably better off without this kind of user if you also offer some kind of support.

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 6:33 pm
by MachineCode
It's not just 1 antivirus app flagging it, it's 4 with VirusTotal. So, it's a problem that 4 are wrong from 4 different vendors.

I will try to decompress the libs like Lucifer said. But I still think other people shouldn't compress them. :P

Re: Third-party library developers: don't use UPX.

Posted: Sat Feb 04, 2012 9:05 pm
by IdeasVacuum
MachineCode wrote: It's not just 1 antivirus app flagging it, it's 4 with VirusTotal. So, it's a problem that 4 are wrong from 4 different vendors.
That's actually a good score MachineCode! Anyway, the right thing to do is to contact the AV developers concerned and point out their false positive. You will find this is very easy to do; they all have a web page for such reports (because they know their engines cannot be perfect). In my experience, the AV developers are, on the whole, very quick to respond.

Re: Third-party library developers: don't use UPX.

Posted: Sun Feb 05, 2012 1:38 am
by MachineCode
IdeasVacuum wrote: the right thing to do is to contact the AV developers concerned and point out their false positive
I know I could do that, but then it becomes a band-aid solution and game of cat-and-mouse. They'll fix it for this particular exe's release, but the problem may occur again in future (as evidenced by PureBasic in the past, where Avira suddenly starts reporting a virus for our compiled exes over and over). It's simpler just to avoid UPX in the first place; a cure rather than a short-term fix.

Re: Third-party library developers: don't use UPX.

Posted: Sun Feb 05, 2012 3:21 am
by IdeasVacuum
Well no, it is your action that is the work-around. The libs may well be packed for a specific and sensible reason; that is the prerogative of the lib developer. It's simply the case that the four AVs do not 'know' UPX is safe. VirusTotal hit the jackpot on one of my exe files in the past, simply because it included the name of a CAD program - the name in question was 'VX', which unfortunately is also the name of a dangerous gas - so, several AV apps didn't like it. I could do two things - ask the CAD developer to change the name of their 10-years-plus app (like that would happen, although it actually did later as they got bought out by another company) or ask the AV developers to remove their false positive, for the benefit of all, not just me and my app.