I've noticed in my scan logs:
    *\RegScanner.exe » UPX v13_m2 - unpack error
    *\CCommand.exe » UPX v12_m2 - unpack error
    + more of the same
I'm sure there was a time when ESS/EAV didn't report any unpack error for UPX packed files.
Hello,
Would you mind forwarding copies of the files in question to ESET's virus lab per ESET Knowledgebase Article #141, "How to submit virus or potential false positive samples to ESET's labs?" Use a descriptive Subject: such as "UPX files which cannot be unpacked by Archive Support Module xxxx" (where "xxxx" is the build in your copy of ESET Smart Security) and be sure to include a link to this message thread in the body of the message.
Regards,
Aryeh Goretsky
Sorry about jumping in: I found the new EAV/ESS 4.2.x versions to interfere with manual upx decompression as well. upx reports an unpack error unless I specify a different name for the extracted file via the upx -o{file} option. This was not necessary with the 4.0.x versions.
I'm not getting any error with v. 4.2 when scanning the two files above, nor when compressing an exe file via upx -o {file}. Could somebody please post the information about installed modules (Help -> About) here?
Marcos, I'm not sure whether you want my details or no_idea's, as our problems don't appear to be related.
Code:
    xpsp3 x86 - Win 7 x64
    ESS 4.2.35.0
    Virus signature database: 4966 (20100322)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1266 (20100312)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1017 (20100204)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1012 (20100208)
Sorry for taking some time in answering - had to find the file in question. So, here's a recreation scenario:
1. Download ImgBurn 2.5.1.0 from this location: http://download.imgburn.com/SetupImgBurn_2.5.1.0.exe
2. Unpack SetupImgBurn_2.5.1.0.exe with 7zip
3. Note that downloading and unpacking take an inordinate amount of time
4. Change to the unpacked files folder and uncompress ImgBurn.exe with upx 3.04w
Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurn.exe
    upx: ImgBurn.exe: IOException: rename error: Permission denied

    Unpacked 1 file: 0 ok, 1 error.

    C:\_incoming\SetupImgBurn_2.5.1.0>
Please note that the file ImgBurn.exe gets destroyed in this process! And - no, it's neither infected nor quarantined.
Now, unpack ImgBurn.exe again using 7zip and unpack to a different file:
Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d -oImgBurnUnpacked.exe ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurnUnpacked.exe

    Unpacked 1 file.

    C:\_incoming\SetupImgBurn_2.5.1.0>
My system is XP SP3 fully patched, and I stand corrected as the error occurs even with 4.0.x.
This system still runs ESS 4.0.474 with these details:
Code:
    Virus signature database: 4972 (20100324)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1267 (20100324)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1012 (20090526)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1009 (20090917)
I think it is a conflict of upx wanting to rename a file while ESS is still examining it. I can pack / unpack other files - even a lot larger ones - without problems.
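[Added example, not part of any post in this thread: a wrapper around the -o workaround shown in the post above. It decompresses to a scratch name first and only then swaps the result over the original, so a "rename error: Permission denied" cannot destroy the packed file. The names unpack_in_place and replace_with_retry and the run parameter are hypothetical; upx is assumed to be on PATH.]

```python
import os
import subprocess
import tempfile
import time


def replace_with_retry(src, dst, attempts=5, delay=0.5):
    """Move src over dst, retrying on "Permission denied" (for example
    while another process still has dst open). Returns attempts used."""
    for attempt in range(1, attempts + 1):
        try:
            os.replace(src, dst)
            return attempt
        except PermissionError:
            if attempt == attempts:
                raise
            time.sleep(delay)


def unpack_in_place(path, upx="upx", run=subprocess.run):
    """Decompress to a scratch name with `upx -d -o<file>` and swap it in
    afterwards, so a failed rename never costs the packed original."""
    folder = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(suffix=".unpacked", dir=folder)
    os.close(fd)
    os.remove(tmp)  # only the unique name is reserved; upx creates the file
    try:
        result = run([upx, "-d", "-o" + tmp, path])
        if result.returncode != 0 or not os.path.exists(tmp):
            raise RuntimeError("upx failed; packed original left untouched")
        return replace_with_retry(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)  # never leave a scratch file behind
```
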
I've traced the unpack error to Hardware based DEP. Disabling XD in the BIOS resolves the problem, but this workaround is totally unacceptable.
Note: If the file is packed with UPX using LZMA, then there is no unpack error.
    System Manufacturer INTEL_
    System Model DG33FB__
    System Type x64-based PC
    Processor Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz, 2331 Mhz, 2 Core(s), 2 Logical Processor(s)
    BIOS Version/Date Intel Corp. DPP3510J.86A.0517.2009.0107.2203, 7/01/2009
@no_idea - I can reproduce your UPX packing problem on my PC, DEP kicks in and the file disappears in a cloud of ESET/DEP smoke.
Thank you for your work. Of course I have DEP enabled as well, but it never occurred to me to look in that corner. I simply dismissed the upx decompression error as an odd glitch until I saw your posting. Haven't tried to unpack ImgBurn with the new archive module though - I didn't like ImgBurn that much in the first place (too much AdWare).
---------
Addendum: yes it works! Archive support module 1110 ftw
Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d imgburn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     imgburn.exe

    Unpacked 1 file.

    C:\_incoming\SetupImgBurn_2.5.1.0>