adam (posted October 14, 2013)
Hi, I use upx extensively (a packer for executables to reduce their size), and have noticed that more and more frequently my applications are being detected as a potential threat by the advanced heuristic scanner as an unknown NewHeur_PE virus. (The application is fine until it is packed.) I was wondering if there is another packer that works better with Eset, or why simply packing the software is causing this to occur, and what we can do (besides disabling advanced heuristics) to remedy the situation. We're talking multiple clients with many eset installations, so unfortunately it's not efficient to go to every client and have them manually add the affected application(s) to the ignore list. Thanks & Regards, Adam.
adam (author, posted October 14, 2013)
Thanks Evik, It doesn't happen on all files. I've noticed it's a bit hit and miss. Sometimes some of my applications are fine, other times they're not (as per attached). I do notice though that my version is UPX v13_m8 and yours is showing v13_m14, if that is something? (I've downloaded the latest version from their website, or so I thought.) Also, the exe files scan fine in Eset prior to packing, or if they are unpacked, but not while they are packed. FWIW, if I upx iexplorer, it scans fine on my computer too. It seems to be on some applications but not others. Thanks & Regards, Adam
Marcos (Administrator, posted October 14, 2013)
Please report the alleged FP to ESET as per the instructions here and enclose information about the purpose of the software and the official download URL to a beta or final version of the software. The software must perform some operations or activities that are evaluated as suspicious by advanced heuristics.
adam (author, posted October 14, 2013)
Thanks Marcos, I can understand eset getting upset if my application performed certain suspicious activities, but I don't understand why it's fine when it's uncompressed, but as soon as it's packed then it's a problem. (As far as I understand, packing doesn't change the application's functions, just compresses / packs it.) As such I would have expected Eset to be upset whether it was packed or not if it was suspicious. I have submitted the file as suggested per those instructions, so will see where we go from there. Thanks for your help. Adam.
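To illustrate why a scanner can treat a packed build differently from the same program unpacked, here is an added example (not code from this thread, from ESET, or from the UPX project): a small Python triage script that walks a PE file's section table, flags the section names (UPX0/UPX1) and the "UPX!" marker that UPX leaves in a packed file, and measures per-section entropy, which is high for compressed payloads and low for ordinary compiled code and data. The two PE fixtures are constructed inside the script and are not real executables; the 7.0 bits/byte threshold and the sample bytes are choices made for this example, not a product setting.

```python
"""Static triage of a PE file for packer traits (added example; constructed fixtures).

Shows why a packed binary looks different to a scanner than its unpacked original:
the compressed payload has a near-random byte distribution, the packer leaves
recognisable section names (UPX0/UPX1) and a "UPX!" marker, and only the small
unpacking stub is visible statically.
"""
import hashlib
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names UPX gives its sections
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data is usually above 7


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Minimal PE section-table walk: returns [(name, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt_hdr  # section table follows COFF + optional header
    sections = []
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """Report UPX markers and high-entropy sections; either one makes packing likely."""
    sections = parse_sections(pe)
    high = [(name.decode(errors="replace"), round(shannon_entropy(data), 2))
            for name, data in sections
            if data and shannon_entropy(data) >= ENTROPY_THRESHOLD]
    markers = bool({n for n, _ in sections} & UPX_SECTION_NAMES) or b"UPX!" in pe
    return {"upx_markers": markers,
            "high_entropy_sections": high,
            "packed_likely": markers or bool(high)}


# --- constructed fixtures (not real binaries; just enough PE structure to parse) ---

def build_pe(sections: list) -> bytes:
    """Assemble a minimal, non-executable PE container around the given sections."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # no optional header
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data) or 0x1000, 0,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + table + body


def deterministic_noise(n: int, seed: bytes = b"constructed") -> bytes:
    """SHA-256 chain: reproducible bytes with a near-uniform distribution (stand-in for compressed data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Unpacked: readable, repetitive code-like and data-like bytes (constructed).
UNPACKED_SAMPLE = build_pe([
    (b".text", b"push ebp; mov ebp, esp; ret\n" * 150),
    (b".data", b"hello world\0" * 64),
])
# Packed (constructed): UPX0 reserves space for the unpacked image (no raw bytes on disk),
# UPX1 holds the compressed payload, and the "UPX!" marker follows the sections.
PACKED_SAMPLE = build_pe([
    (b"UPX0", b""),
    (b"UPX1", deterministic_noise(4096)),
]) + b"UPX!"

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

Static traits like these are what a packed file presents to a scanner before any emulation: the original code and import table are not visible until the unpacking stub runs, so a verdict on the packed build rests on the stub and the high-entropy payload rather than on the program's real logic, which is why the same program can pass unpacked and trip heuristics packed. For an administrator the same check is a cheap way to find out which binaries in a fleet are packed before deciding on any exclusion; reporting the false positive to the vendor, as suggested above, remains the right fix.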
Marcos (Administrator, posted October 14, 2013, marked as solution)
This is due to a certain condition applied by the emulator. We're working on a solution which will prevent files like this from being flagged by advanced heuristics; it should be released soon (i.e. within a few days).
adam (author, posted October 15, 2013)
Hi Marcos, Fantastic - thanks for the feedback and info. Best Regards, Adam.