jessy 0 Posted December 23, 2013 (edited)

When I create a WinRAR SFX, it's being detected by NOD32. Looks like no matter if I use %appdata%, or %userprofile%, or %temp%, or whatever, it's being detected.

With %temp% it's being detected as: RAR/Agent.L trojan
and with %appdata%: RAR/Agent.O trojan

The settings are:

;The comment below contains SFX script commands
Path=%appdata%\settings
Setup=apply.vbs
Silent=1
Overwrite=2

Edited December 23, 2013 by jessy

Arakasi 549 Posted December 23, 2013 (edited)

Good day Jessy. Let's start with providing some more background about what you're trying to archive and compress. What code is behind the apply.vbs file? All the other info you provided is irrelevant besides the infection name.

Edited December 23, 2013 by Arakasi

Administrators Marcos 4,841 Posted December 23, 2013

If you use a script very similar to what malware uses, it will be obviously detected by generic signatures like in this case.

ESET Insiders toxinon12345 32 Posted December 23, 2013

Wow, ESET stepping into script malware. It happened to me: some LockScreens compiled/embedded in AutoIt bypassed some protection layers.

jessy 0 Posted December 23, 2013 Author

It doesn't matter what the content in the VBS script is; it's detecting it no matter what content it is, for some reason.

jessy 0 Posted December 24, 2013 Author

This false positive is not solved after the last update.

Veremo 6 Posted December 24, 2013

This is the second time you tell about an FP doing something suspicious. Maybe there is some problem with you, not with ESET.

jessy 0 Posted December 24, 2013 Author

Veremo, I'm simply reporting a false positive. There's nothing suspicious in what I posted, and it's clearly a false detection, but being able to use the SFX commands.

Veremo 6 Posted December 24, 2013

You try to silently run a .vbs from a self-extracting RAR. It is suspicious. If you want to use it yourself, just add it to exceptions; if you are going to make it public, just don't do it. It will be flagged by more AVs, I guess.

Arakasi 549 Posted December 25, 2013

Veremo does have a point on this particular scenario.

jessy 0 Posted December 25, 2013 Author

I often used this method to create my own installers for my workplace, using a VBS file to launch the software with a silent switch.

Arakasi 549 Posted December 25, 2013

What are you creating installers with? Because msiexec has a silent switch already. No need for a VBS to launch it.

jessy 0 Posted December 25, 2013 Author

I know .msi has the silent parameter, but that doesn't help me if I want to make an installer for it which is only a single file.

Administrators Marcos 4,841 Posted December 25, 2013

We will continue detecting sfx files like this because of the high similarity with malware.

jessy 0 Posted December 26, 2013 Author

OK, thanks for your reply.

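The following is an added example, not part of any post in the thread and not ESET's detection logic: it parses an SFX script comment and reports the traits Veremo and Marcos point to (silent extraction combined with launching a script), so an administrator can review archives before distributing them. The extension list, the trait names and the second sample script are assumptions of this example.

```python
import re

# Assumptions of this example: which extensions count as "script" and which
# per-user locations count (the three locations are the ones named in the thread).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")
USER_DIRS = ("%appdata%", "%userprofile%", "%temp%")

def parse_sfx_script(comment):
    """Parse an SFX comment into {command: [values]}; ';' lines are remarks."""
    cmds = {}
    for raw in comment.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cmds.setdefault(key.strip().lower(), []).append(value.strip())
    return cmds

def triage(comment):
    """Return the traits that make an SFX script resemble a dropper."""
    cmds = parse_sfx_script(comment)
    findings = []
    if cmds.get("silent", ["0"])[-1] != "0":
        findings.append("silent")
    for target in cmds.get("setup", []):
        m = re.match(r'"([^"]+)"|(\S+)', target)  # program name, quoted or bare
        prog = (m.group(1) or m.group(2)) if m else ""
        if prog.lower().endswith(SCRIPT_EXTS):
            findings.append("script-launcher:" + prog)
    for path in cmds.get("path", []):
        if path.lower().startswith(USER_DIRS):
            findings.append("user-path:" + path)
    return findings

def is_suspicious(comment):
    """Flag only the combination discussed in the thread: silent + script launch."""
    f = triage(comment)
    return "silent" in f and any(x.startswith("script-launcher:") for x in f)

# The script posted in the thread.
THREAD_SCRIPT = r""";The comment below contains SFX script commands
Path=%appdata%\settings
Setup=apply.vbs
Silent=1
Overwrite=2"""

# Constructed sample: a visible installer that launches an executable.
VISIBLE_INSTALLER = r"""Path=ExampleApp
Setup=setup.exe /log
Title=ExampleApp Setup"""
```
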