Why you can not rely....

... only on AV to know if a file is a real malware or not....
The following file is a false positive. I think maybe some AV had this false positive and some other AV's followed them by adding this file to the signatures without having a deep look to the sample . I am sure it will be fixed soon...

 

current situation on this famous false positive:

 

Based on quick comparison i can see only KAV and AVG fixed it.

 

Can you please send me a sample so I can have a look at it?

 

@RejZor: also F-Prot fixed it.
@Stefan: sure, just sent it again. I think HBEDV and other companies got this file already some months ago. Maybe because it is compressed with Armadillo nobody even checks it deeper.

 

Ok and your point is

It is just silly to expect every AV company to give every sample a deep analysis - especially the time it takes on some single samples! Companies get thousands of samples a week and you want them to examine each one for an hour? Please.

Lets be realistic here, this thread is nonsense.

 

Well, this is not an excuse to add a signature for a CLEAN file without even taking a look on what the file is. It is a shame for those companies IMO.

And other thing this thread says is that peoples that rely exclusivly only on antiviruses to determine if a file is malicious or not and make tests with such files should see that this is not a good idea. even if 10 AV says it is malware, it can be a false positive copied by other av.

 

Interesting is how so many have caused a false positive result.

What are the results on an unpacked example ?

 

The file is an Armadillo-packed version of "DC++" (p2p filesharing program); absolutly clean file. Armadillo is hard to unpack, so some companies just copied the false positive of the other company without notice that the file is clean. This file will be included in my future false positive test-set. How it is when the file is unpacked is not of interest in this case.

 

You points are valid IBK. No doubt about it.But lets face it. How many legit programs are packed by Armadillo? Pack a legit program with Armadillo is just plain stupid.



tECHNODROME

 

Then should all AV detect everything packed by Armadillo?

 

You've made his point. If it's hard to unpack and few legit programs use it then extra attention is warranted by the AV companies.

 

My tools are packed with Armadillo (can't remember exactly which version) and few others Had only one false positive "incident" long ago...

 

Thanks for the info.
I was going to ask if the contents was a known legitimate.

 

I found another example:

"susp.dll" file.

Antivirus Version Update Result
AntiVir 6.31.1.0 08.21.2005 TR/Dldr.Agent.DE12
Avast 4.6.695.0 08.20.2005 Win32:Trojan-gen. {Other}
AVG 718 08.19.2005 Downloader.Agent.3.BT
Avira 6.31.1.0 08.21.2005 TR/Dldr.Agent.3069
BitDefender 7.0 08.22.2005 Trojan.Downloader.Agent.DE
CAT-QuickHeal 7.03 08.22.2005 TrojanDownloader.Agent
ClamAV devel-20050725 08.18.2005 Trojan.Downlader.Small-158
DrWeb 4.32b 08.22.2005 Trojan.DownLoader.665
eTrust-Iris 7.1.194.0 08.21.2005 no virus found
eTrust-Vet 11.9.1.0 08.19.2005 no virus found
Fortinet 2.41.0.0 08.21.2005 W32/Agent.GC-tr
F-Prot 3.16c 08.20.2005 security risk named W32/Agent.BZ@dl
Ikarus 0.2.59.0 08.19.2005 Trojan-Downloader.Win32.Agent.DE
Kaspersky 4.0.2.24 08.22.2005 no virus found
McAfee 4563 08.19.2005 potentially unwanted program Generic Downloader
NOD32v2 1.1198 08.19.2005 no virus found
Norman 5.70.10 08.18.2005 W32/Agent.OA
Panda 8.02.00 08.21.2005 Trj/Downloader.ADU
Sophos 3.96.0 08.22.2005 Troj/Agent-GC
Sybari 7.5.1314 08.22.2005 Trojan.DL.Agent.EV
Symantec 8.0 08.21.2005 no virus found
TheHacker 5.8.2.092 08.22.2005 Trojan/Downloader.Agent.de
VBA32 3.10.4 08.22.2005 TrojanDownloader.Win32.Agent.DE

 

Other thing that I want to say is that often AV companies says that e.g. KAV is adding a lot of trash and that they are not like e.g. KAV, but that they analyze and add only real malware. Seems like maybe e.g. KAV (or some other scanner) had a false positive on this file, and the other AV simply added automatically a signature to this file just because another scanner found something in it and they do not wanted to take the time to look on what the file is.

@marcos: yeah, there are lots of such examples

 

Maybe. The thing is why would you pack something with Armadillo? Wouldn't you at least be curios? Or...Would you install an application which was packed by Armadillo on your computer?



tECHNODROME

 

Just because something is difficult to unpack does not make it malware. Criteria for instalation of an app is based mostly on the source of the package, not how the author chose to pack it.

 

My comment has nothing to do with unpacking methods. Lots of malicious installers that I came across were packed by Armadillo. Maybe this is how AV companies think. Or maybe they just follow KAV or any AV to add detection for a suspicious file without further analyzing as IBK pointed.
Many VXs are in fact using Armadillo to avoid detection by the virus scanners. For i.e. UPX is another one common used packer by VXs (at least it used to be). But many legit programs are using UPX as well nowadays. Plus many Avs are able to support unpacking of UPX.

Another fact is that many less known programmers (mostly never heard of) are using Armadillo to pack whatever. Can you trust them? Maybe if you analyze the code yourself. But how many people will do the same? I am sure as hell I’d like to know if something is packed by Armadillo or any other exotic packer before I even download it.


tD

 

Sorry, but this way of thinking just leads to the asinine. Whether it's realistic or not... yes, I do, in fact, expect the vast majority of for-profit, commercial companies advertising AV expertise to review each and every submission and to properly categorize each. Call me old fashioned, but that's precisely what I believe most people are paying them for... not for flashy graphics and a nice UI. If they are getting thousands of samples, then they better have adequate staffing and a good set of automated screening and analysis utilities as a first step. If they aren't analyzing files, and they are just adding them because a few others like KAV have them listed, then in my mind they aren't following ethical business practices and are little better than snake-oil salesmen.

 

You just described much of the AV industry my friend (at least in my experiance). Anyone relying on an AV as a mainline of defense is relying on a false sense of security. I rely on my firewall and Safe'N'Sec far more than I would an AV alone. But I feel a good, light, and reasonably effective AV is a nice compliment to an already extremely effective security process.

*LIGHT* being the key here, thus Dr.Web and VBA32 are my only real viable choices for extremely light protections. My point however is AV should only be a small part of a reasonable protection portfolio (i'm not talking this insanity with 400 applications installed). But insinuating an AV is better than another because of *TWO* examples of a false positive is just plain dumb.. No AV is perfect, I constantly see false positives for *ALL* AV's, including KAV and NOD32. Nothing to see here, move along.

 

False Positives are of concern to me, as you can see...

There were several creatures that were concerned about the depth of testing above. Some discussion on that as well.

https://www.wilderssecurity.com/showthread.php?t=93144

 

And to me. To have them on a network of 200-300 PC's is a real headache, not to mention the panic of the user base.

 

Armadillo is an application sold by Silicon Realms and is mainly used for protecting software against piracy/counterfeiting. Recent versions are very hard to unpack, and I'm not sure that softwares packed using Armadillo would run in VMWare or VirtualPC. But there are not that much viruses or installers that use Armadillo. You'll find much more that use UPX, ASPack, Petite, FSG...

There is no point rejecting a-priori programs that are packed with Armadillo. By the way, one of the security specialists that lead Armadillo development is also an expert in the area of malware analysis.

What is this : "less known programmers" ? Do you know "famous programmers" ? Most of the applications you are using (including your browser, most of your operating system, etc.) have been programmed by obscure programmers you'll probably never hear anything about.

Would you be able to reliably analyze the code if the executable were not packed at all, anyway ?

 

Hm,but look from a programmers standpoint. You worked hard on some program and you protect it with Armadillo just because you don't want someone else rev-engineeres your program and steals your hard work? Sounds perfectly logical to me.

And there should be some strict standard regarding packers and so called "heuristic" detections by famous McAfee and QuickHeal+few others.
Few days ago iONiX team released eMule iONiX mod,a modified version of eMule P2P client. They packed it with UPack (LZMA algorithm) to decrese size by compressing main executable (packed was a bit over 3MB while unpacked was over 5 MB). And guess what,McAfee flagged it as New Malware.[something],Fortinet also alarmed etc. and it's a perfectly clean open-source program. It's kinda dumb if you ask me.

I think there shoould be some rules regarding detection of suspicious packers.
Using "Heuristic: Suspicious packer" instead of "Heuristic: New Malware.n" would be a much better choice. But in the end i prefer true heuristic although McAfee once detected something that few others missed and it was really malware.
But anyway,naming should be more clear.