Bioruebe/UniExtract2

Anti-Malware false positives

Bioruebe opened this issue · 27 comments

Universal Extractor (or parts of it) sometimes get flagged as malicious by security software.

Of course, Universal Extractor is safe. If you have some programming skills, you can even verify that yourself by looking at the source code. However, some anti-malware tools are over-sensitive and flag programs as malicious if they are not sure.

Here's what you can do if your anti-malware software complains about Universal Extractor:

Send a false-positive report

The easiest way of fixing the problem is to send the file to the developer of your security software. Depending on your anti-malware program, this can be done either from within the software (there might be a link/button in the 'malware detected' message box), using a web form or via email. If you are unsure how it works, a simple web search should give you all information you need.

Or comment here

Alternatively, you can add a comment here. Please include the version of Universal Extractor, the name of your security software and which file was detected (UniExtract.exe or something else?).

Notes

It is very likely that even after sending a false-positive report the file in question will be flagged as malicious again after updating Universal Extractor (or your anti-malware software). This happens because whitelisting is done only for one specific version of a program. There is nothing we can do about it, except sending false-positive reports after every update.

I think if you just submit the file to VirusTotal, it will give you a breakdown on the various different tools.

For example v.2.0.0 beta 2c has a bunch of obscure engine flags including Endgame, Qihoo-360, SentinelOne (Static ML), and Webroot

https://www.virustotal.com/en/file/6e2f2c475020e4131d383aef0efbe015c68ed4ae21bc334dd9fc5941165f9113/analysis/

There's also an FAQ for devs: https://www.virustotal.com/en/faq/ (see "VirusTotal is detecting a legitimate software I have developed, please remove the detections")

Is AutoIt similar to autohotkey in that compiling the script always produces 1 or 2 false positives even if you don't use UPX?

The compiled "pie.exe" executable got recognized by Windows Defender (cloud protection engine) as Trojan:Win32/Fuerboos.B!cl, so I've submitted the file as a false positive for manual analysis to MS and the end result is "not malware"...

I've submitted the file as a false positive for manual analysis to MS and the end result is "not malware"...

Thanks

My BitDefender didn't like the DGCA or Smart Install Maker Unpacker plugin modules.

Norton sees uniextractupdater.exe as a threat b/c of bad crowd-sourced reputation


About the latest version "v2.0.0 - rc.1"
1. VirusTotal warns of false positives.

UniExtractRC1.zip
https://www.virustotal.com/ja/file/a7e5b4499f8edab6eca0dc253c988ce3175198d5d174a49b57d6014dbff97731/analysis/1535047860/
UniExtract.exe
https://www.virustotal.com/ja/file/e6262a90eb1b619b892eb75ec002b3842da8437df542f177e49c9df8fb3e435e/analysis/1534898614/
UniExtractUpdater.exe
https://www.virustotal.com/ja/file/a75b328e4098e3b497388eec906b43248ae4124e79cb9284154fb7c0647d4506/analysis/1534900661/

2. It is blocked by "Windows Defender SmartScreen" when running the application.
"Application: UniExtract.exe Publisher: Unknown Publisher"
Usage environment:
Windows 10 Home (64-bit) 1803, build 17134.191

I judged from the contents that it was a "false positive" and an "unregistered definition", ignored the warning and "executed" it.
"Windows Defender's PUP protection" and the resident security solutions (Malwarebytes Free, Heimdal PRO, Reason Core Security Free, AppCheck) were all nonresponsive and reported "no threat".

However, many end users will be upset by a "false positive alert" or "blocked by WD". (Infects with malware)
Therefore, it seems necessary to take measures.

About the latest version "v2.0.0 - rc.2b"
TrendMicro deletes UniExtractUpdater.exe due to the following reasons:

PMoro commented

UniExtract.exe 3.3.14.1 (2019.10.17) detected by Windows Defender as having Trojan:Win32/Azden.A!cl

Edit: I sent the file to MS and, after revision, they have removed the detection.

A big thanks to everyone who contributed in this thread or sent false positive reports. Please continue to do so :)

I updated the issue description with more information about false positives and how everyone can help.

About Windows Defender: sadly this is a common problem. It's very likely that the software flags every new release as malicious again. Please keep sending false positive reports if you have the spare time.

Bitdefender just stopped part of the UniExtractRC2 update as ransomware. Screenshot attached.

The nightly went from about 6 to 11 detected, including the big ones like Microsoft, Kaspersky, McAfee, Sophos
https://www.virustotal.com/gui/file/2dc61c2a5e5f17725697c2ac1ba1395951e6eb613167fd489a64dc3bb3182715/detection

It would be nice if it was a simple case of the server being hacked and replaced with a malicious file, at least then you could fix it easily, but it seems like the AutoIT scripts have whacked a hornets nest with a large stick.

If you could, as the author, submit the nightly to https://opentip.kaspersky.com with your email address so they can contact you.

You'll have to click on the reanalyze button after uploading it to get a specialist to look it over.

The nightly went from about 6 to 11 detected, including the big ones like Microsoft, Kaspersky, McAfee, Sophos

Thanks for letting me know. I sent a bunch of false positive reports and now it's back at 6 detections.
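As an added example that is not part of this issue thread or of UniExtract's own code: a small Python script tying together two points raised above, that a vendor whitelist is bound to one exact build (in practice its SHA-256, so every rebuild starts over), and that a VirusTotal report is most useful as a per-engine breakdown that can be diffed between two builds to see exactly which engines newly fired when a nightly goes from 6 to 11 detections. It assumes reports in the VirusTotal v3 JSON shape (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`); the file bytes and engine verdicts are constructed sample data, and the `fetch_report` helper (which needs network access and a VirusTotal API key) is defined but not exercised.

```python
import hashlib
import json
import urllib.request

# Assumption: reports follow the VirusTotal v3 shape,
# data.attributes.last_analysis_results = {engine: {"category", "engine_name", "result"}}.
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
DETECTION_CATEGORIES = {"malicious", "suspicious"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes: the identity a VirusTotal entry (and a vendor
    whitelist entry) is bound to. Any rebuild changes it."""
    return hashlib.sha256(data).hexdigest()


def whitelist_still_applies(whitelisted_sha256: str, file_bytes: bytes) -> bool:
    """True only if the file is byte-identical to the build that was whitelisted."""
    return sha256_hex(file_bytes) == whitelisted_sha256


def fetch_report(sha256: str, api_key: str) -> dict:
    """Pull the live report for a hash (needs network and a VT API key; not used below)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(report: dict) -> dict:
    """Collapse a report to the engines that flagged the file and their labels."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {
        engine: (r.get("result") or r["category"])
        for engine, r in results.items()
        if r["category"] in DETECTION_CATEGORIES
    }
    return {"flagged": flagged, "detections": len(flagged), "engines": len(results)}


def diff_scans(old: dict, new: dict) -> dict:
    """Engines that started flagging, stopped flagging, or changed their verdict label."""
    old_f = summarize(old)["flagged"]
    new_f = summarize(new)["flagged"]
    both = set(old_f) & set(new_f)
    return {
        "new": sorted(set(new_f) - set(old_f)),
        "cleared": sorted(set(old_f) - set(new_f)),
        "relabeled": sorted(e for e in both if old_f[e] != new_f[e]),
    }


def make_report(sha256: str, verdicts: dict) -> dict:
    """Build a constructed v3-shaped report from {engine: (category, label)}."""
    return {"data": {"id": sha256, "attributes": {"last_analysis_results": {
        engine: {"engine_name": engine, "category": cat, "result": label}
        for engine, (cat, label) in verdicts.items()
    }}}}


# Constructed stand-ins for two builds of the updater; not real UniExtract files.
BUILD_A = b"MZ\x90\x00 constructed build A of UniExtractUpdater"
BUILD_B = b"MZ\x90\x00 constructed build B of UniExtractUpdater"

# Constructed verdicts. Labels reuse names that appear in this thread where one
# exists; the Kaspersky label is a placeholder, not a real signature name.
SCAN_A = make_report(sha256_hex(BUILD_A), {
    "Microsoft": ("undetected", None),
    "Kaspersky": ("undetected", None),
    "SentinelOne (Static ML)": ("malicious", "DFI - Suspicious Archive"),
    "Sophos": ("suspicious", "ForceLibrary (PUA)"),
    "ESET-NOD32": ("undetected", None),
    "Symantec": ("type-unsupported", None),
})
SCAN_B = make_report(sha256_hex(BUILD_B), {
    "Microsoft": ("malicious", "Trojan:Win32/Azden.A!cl"),
    "Kaspersky": ("malicious", "constructed-generic-label"),
    "SentinelOne (Static ML)": ("malicious", "DFI - Malicious PE"),
    "Sophos": ("undetected", None),
    "ESET-NOD32": ("undetected", None),
    "Symantec": ("type-unsupported", None),
})


def release_check(old_scan: dict, new_scan: dict, whitelisted_sha256: str, new_bytes: bytes) -> dict:
    """One-shot view of a new build: does the old whitelist cover it, and what changed?"""
    return {
        "whitelist_covers_new_build": whitelist_still_applies(whitelisted_sha256, new_bytes),
        "detections": f"{summarize(old_scan)['detections']} -> {summarize(new_scan)['detections']}",
        **diff_scans(old_scan, new_scan),
    }


if __name__ == "__main__":
    print(json.dumps(release_check(SCAN_A, SCAN_B, sha256_hex(BUILD_A), BUILD_B), indent=2))
```

The `new` list is the one worth acting on after each release: those are the vendors that need a fresh false-positive report, while `relabeled` engines already flagged the previous build and only changed their verdict name. The `whitelist_covers_new_build` flag being false for build B is the mechanism behind the note in the issue description that whitelisting holds for one specific version only.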

iGom commented

Windows Defender
UniExtract 2.0.0 RC 3
Trojan:Script/Woreflint.A!cl
file: C:\Users\iGom\Downloads\UniExtractRC3.zip

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fWoreflint.A!cl&threatid=2147726230

iGom commented

Windows Defender
UniExtract 2.0.0 RC 3 while updating to RC 4
Trojan:Win32/Azden.A!cl

file: C:\Users\iGom\AppData\Local\Microsoft\Windows\INetCache\IE\17BBYC0C\UniExtract[1].exe
file: C:\Users\iGom\Downloads\UniExtractRC3\UniExtract\UniExtract.exe

Tested on 11/1/2020

Due to the size of the file only VirusTotal scans it.

9/58 on VT
https://www.virustotal.com/gui/file/03170680b80f2afdf824f4d700c11b8e2dac805a4d9bd3d24f53e43bd7131c3a/detection

Alibaba: TrojanDownloader:Win32/Generic.d8e526a0
Comodo: Malware@#2o7650syxru6b
Gridinsoft: Trojan.Win32.Agent.dg
Jiangmin: Trojan.DTStealer.h
Rising: Trojan.Generic@ML.81 (RDML:7beaJz6snfU7S
SentinelOne (Static ML): DFI - Suspicious Archive
Sophos AV: ForceLibrary (PUA)
Sophos ML: ForceLibrary (PUA)
Zillya: Adware.OutBrowse.Win32.94827

Other scan sites

AntiScan.Me: https://antiscan.me/
Any run: https://any.run/
BitBaan MALab: https://lab.bitbaan.com/
Hybrid-Analysis: https://hybrid-analysis.com/
Metascan Online: https://metadefender.opswat.com/
VirSCAN: https://www.virscan.org/
VirusTotal: https://www.virustotal.com/

Latest Avast is seeing UniExtract.exe as an idp.generic virus.

Still getting PUP detections in (a fully patched) Windows Defender:

I think if you just submit the file to VirusTotal, it will give you a breakdown on the various different tools.

There's also an FAQ for devs: https://www.virustotal.com/en/faq/ (see "VirusTotal is detecting a legitimate software I have developed, please remove the detections")

A suggestion for users: give a positive vote on the VirusTotal page, for example
https://www.virustotal.com/gui/file/2dc61c2a5e5f17725697c2ac1ba1395951e6eb613167fd489a64dc3bb3182715/detection
for version 2.0.0 RC 3.

Hi, I just got a false positive on PEiD.exe from SentinelOne software. I guess it's a false positive; it has been identified as malicious on VirusTotal in the past and redeemed again. Using 2.0.0 RC 3.
VirusTotal link: https://www.virustotal.com/gui/file/e13171d50f45a79bc09b9e4b9ffa38eb02301aca94a1867a9bf8acccc3759030/detection

Hi there,

  • Microsoft flags it as malicious ( Program:Win32/Wacapew.C!ml )
  • Comodo flags it as malicious ( Malware@#2o7650syxru6b )
  • SpyHunter flags it as malicious ( Trojan.Delf.Q )

Is there any possibility to make future versions get less harmful results, please? I know the software isn't a risk, but other people and AVs won't...

@Dragodraki Not really. Viruses use scripts and other ways to decompress their malicious payloads in hopes of avoiding detection. UniExtract has lots of scripts and utilities to decompress files, and antivirus vendors sometimes make their templates loose in hopes of catching variations, but in this case they will occasionally catch UniExtract's legitimate methods as falsely being that malware.
While better vendors make attempts to ensure new virus definitions don't cause regressions, even that can be error prone, and unfortunately it is usually on the makers and users of legitimate programs to notify the antivirus makers of their mistakes after the fact, as they can't fix what they are not aware of being broken.

@CeruleanSky Thank you for explanation. Yes, I'm aware of that. Indeed I mean these scripts - maybe they can be changed to not seem so aggressive?

SentinelOne flagging these:

Trojan:Win32/Leonem
Detected by Microsoft Defender Antivirus