another false positive - winrar sfx

jessy · December 23, 2013

When I create a winrar sfx, it's being detected by nod32.

Looks like no matter, if i Use %appdata%, or %userprofile%, or %temp%, or whatever, it's being detected.

with %temp% it's being detected as: RAR/Agent.L trojan

and with %appdata%: RAR/Agent.O trojan

the settings are:

;The comment below contains SFX script commands

Path=%appdata%\settings

Setup=apply.vbs

Silent=1

Overwrite=2

Edited December 23, 2013 by jessy

Arakasi · December 23, 2013

Good day Jessy

Lets start with providing some more background about what your trying to archive and compress ?

What code is behind apply.vbs file ?

All the other info you provided is irrelevent besides the infection name.

Edited December 23, 2013 by Arakasi

Marcos · December 23, 2013

If you use a script very similar to what malware uses, it will be obviously detected by generic signatures like in this case.

toxinon12345 · December 23, 2013

wow, ESET stepping into script malware

It happened to me sòme LockScreens compiled/embedded in AutoIt bypassed some protection layers

jessy · December 23, 2013

it doesn't matter what the content in the vbs script is, it's detecting it no matter, what content it is for some reason

jessy · December 24, 2013

this false positive is not solved after the last update

Veremo · December 24, 2013

This is the second time you tell about FP doing something suspicious. Maybe there is some problem with you, not with ESET..

jessy · December 24, 2013

veremo, i'm simply reporting a false positive.

there's no suspecious of what i posted, and it's clearly a false detection, but being able to use the sfx commands.

Veremo · December 24, 2013

You try to silently run .vbs from self-extract RAR.. It is suspicious.

If you want to use it yourself just add it to exceptions, if you are going to make public - just don't do it, it will be flagged by more AVs I guess.

Arakasi · December 25, 2013

Veremo does have a point on this particular scenario.

jessy · December 25, 2013

I often used this method to create my own installers for my workplace, using a vbs file to launch the software with a silent switch

Arakasi · December 25, 2013

What are you creating installers with because msiexec has a silent switch already. No need for a vbs to launch it.

jessy · December 25, 2013

I know .msi got the silent parameter which, but that doesn't help me if I want to make a installer for it, which is only 1 single file

Marcos · December 25, 2013

We will continue detecting sfx files like this because of the high similarity with malware.

jessy · December 26, 2013

ok, thanks for your reply

Sign In

another false positive - winrar sfx

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics