
Upx and Advanced Heuristics false detection


Solved by Marcos

Posted

Hi,

I use upx extensively (a packer for executables to reduce their size), and have noticed that more and more frequently my applications are being detected as a potential threat by the advanced heuristic scanner as an unknown NewHeur_PE virus.

(The application is fine until it is packed).

I was wondering if there is another packer that works better with Eset, or why simply packing the software is causing this to occur, and what we can do (besides disabling advanced heuristics) to remedy the situation.

We're talking multiple clients with many eset installations, so unfortunately it's not efficient to go to every client and have them manually add the affected application(s) to the ignore list.

Thanks & Regards

Adam.

Posted

Thanks Evik,

It doesn't happen on all files. I've noticed it's a bit hit and miss. Sometimes some of my applications are fine, other times they're not. (As per attached).

I do notice though that my version is UPX v13_m8 and yours is showing v13_m14, if that is something? (I've downloaded the latest version from their website, or so I thought)?

Also - the exe files scan fine in Eset prior to packing, or if they are unpacked, but not while they are packed.

FWIW - if I upx iexplorer, it scans fine on my computer too. It seems to be on some applications but not others.

Thanks & Regards

Adam


  • Administrators
Posted

Please report the alleged FP to ESET as per the instructions here and enclose information about the purpose of the software and the official download url to a beta or final version of the software. The software must perform some operations or activities that are evaluated as suspicious by advanced heuristics.

Posted

Thanks Marcos

I can understand eset getting upset if my application performed certain suspicious activities, but I don't understand why it's fine when it's uncompressed, but as soon as it's packed then it's a problem. (As from my understanding packing doesn't change the application's functions, just compresses / packs it). As such I would have expected Eset to be upset whether it was packed or not if it was suspicious.

I have submitted the file as suggested per those instructions, so will see where we go to from there.

Thanks for your help.

Adam.
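An added illustration of why a scanner sees a UPX-packed file differently from the unpacked one (this is not code from the thread, from ESET or from UPX): the script below parses a PE section table and checks the two things that change when a file is packed, the UPX0/UPX1 section names and the near-random compressed payload. The PE images are constructed inside the script with pseudo-random bytes standing in for compressed code, and the 7.0 bits-per-byte entropy cutoff is an assumed threshold.

```python
from collections import Counter
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or packed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Walk the PE section table and return [(name, raw_section_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections

def looks_packed(pe: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only: UPX section names or any high-entropy section. Not proof of malice."""
    secs = parse_sections(pe)
    return any(name.startswith("UPX") for name, _ in secs) or any(
        shannon_entropy(data) > threshold for _, data in secs)

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (headers plus raw section data); it is not executable."""
    ptr = 0x40 + 4 + 20 + 40 * len(sections)  # raw data is placed right after the table
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body
# Constructed samples: SHA-256 output stands in for UPX's compressed payload.
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAIN_PE = build_sample_pe([(b".text", b"\x90" * 1024 + b"\xc3"), (b".data", b"\0" * 256)])
UPX_PE = build_sample_pe([(b"UPX0", b""), (b"UPX1", NOISE), (b".rsrc", b"\0" * 64)])
```

Renaming the sections does not hide the second signal: a packed body still reads as near-random bytes, which is one reason a heuristic engine cannot simply trust that a packed file behaves like its unpacked original until it has emulated the unpacking stub.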

  • Administrators
  • Solution
Posted

This is due to a certain condition applied by the emulator. We're working on a solution which will prevent files like this from being flagged by advanced heuristics which should be released soon (ie. within a few days).

Posted

Hi Marcos

Fantastic - thanks for the feedback and info.

Best Regards

Adam.
