ZoriaRPG

UPX false positive


Sorry to gravedig this, but one of our users reported that our binaries, compressed with the latest UPX, are also causing the same false flags reported by the OP here eight years ago.

 

We have VERSION metadata set in our MSVC Resource Scripts. I just added this (used in the EXE files below) as a follow-up to information in this thread, but it made no difference.

 

The flag itself seems to be on the zelda.exe files, for no particular reason, and it is showing:

MachineLearning/Anomalous.94%

 

Here are some links to the EXEs

v2.53.1 (not UPX compressed)
http://timelord.insomnia247.nl/zc-dev/malwarebytes/zelda-253-NOT-UPX.exe

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zquest-253-NOT-UPX.exe

 

v2.53.1 (with UPX compression)

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zelda-253-UPX.exe

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zquest-253-UPX.exe

 

v2.55.0 Alpha (without UPX compression)

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zelda-255-NOT_UPX.exe

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zquest-255-NOT-UPX.exe

 

v2.55.0 Alpha (with UPX compression)

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zelda-255-UPX.exe

http://timelord.insomnia247.nl/zc-dev/malwarebytes/zquest-255-UPX.exe

 

This is all (unfunded) open source software, built in MSVC08.

The repo for it is on GitHub, if anyone wishes to review the code itself.

 

This issue seems ONLY to occur if the files are UPX compressed.

We would appreciate someone looking into this, and both fixing it on your end, and providing solutions to prevent it on ours that do not involve avoiding UPX.

 

These EXE files require a variety of support files to run, including library and data files. If you need the full package to run tests, please let us know.

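The post above says the detection appears only on the UPX-compressed builds. The script below is an added example (it is not code from this thread, from Malwarebytes, or from the ZC project) that makes the difference visible: it parses a PE section table and reports the surface features a packed binary exhibits and a plain MSVC build does not: the UPX0/UPX1 section names, the "UPX!" marker UPX leaves in the packed file, a section that is empty on disk but large in memory, and a section whose bytes are near-uniform (high Shannon entropy). The two PE images are constructed inline, so the script runs offline; the 7.0-bit entropy threshold, the helper names and the exact placement of the "UPX!" marker are assumptions for this example, and none of this reproduces the vendor's model.

```python
import math
import struct

FILE_ALIGN = 0x200
OPT_HEADER_SIZE = 224          # PE32 optional header; all zero here except the magic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Decode the section table of a PE image (only the fields used below)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Surface features that separate a UPX-packed PE from a plain build.
    The threshold is an assumption for this example, not a vendor setting."""
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    return {
        "upx_section_names": bool(names & {"UPX0", "UPX1", "UPX2"}),
        "upx_magic": b"UPX!" in pe,
        # No bytes on disk but a large in-memory size: the hole the stub
        # unpacks into. UPX0 looks exactly like this.
        "empty_high_virtual": [s["name"] for s in sections
                               if s["raw_size"] == 0 and s["virtual_size"] > 0],
        "high_entropy": [s["name"] for s in sections
                         if s["entropy"] > entropy_threshold],
        "sections": sections,
    }


def build_sample_pe(sections, header_slack: bytes = b"") -> bytes:
    """Assemble a minimal PE32 image for testing: DOS header, PE signature,
    COFF header, zeroed optional header, section table, then each section's
    raw bytes at 0x200-aligned file offsets. `sections` holds
    (name, virtual_size, raw_bytes) tuples; raw_bytes may be empty."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HEADER_SIZE - 2)
    table, blobs = b"", b""
    raw_ptr, vaddr = FILE_ALIGN, 0x1000
    for name, vsize, data in sections:
        rawsize = (len(data) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += (vsize + 0xFFF) // 0x1000 * 0x1000
    headers = dos + b"PE\0\0" + coff + opt + table + header_slack
    assert len(headers) <= FILE_ALIGN, "sample too large for one header page"
    return headers.ljust(FILE_ALIGN, b"\0") + blobs


# Constructed inputs for this example (not the zelda.exe builds from the thread).
PACKED_SAMPLE = build_sample_pe(
    [(b"UPX0", 0x10000, b""),                    # empty on disk, large in memory
     (b"UPX1", 0x2000, bytes(range(256)) * 2),   # stand-in for compressed code
     (b".rsrc", 0x200, b"\0" * 64)],             # resources UPX leaves unpacked
    header_slack=b"UPX!",                        # marker UPX leaves in the file; position assumed
)
PLAIN_SAMPLE = build_sample_pe(
    [(b".text", 0x400, b"\x55\x8b\xec\x5d\xc3\x90\x90\x90" * 64),   # x86 prologue/ret/nops
     (b".rdata", 0x100, b"\0" * 64),
     (b".rsrc", 0x200, b"\0" * 64)],
)


def report(label: str, pe: bytes) -> None:
    ind = packer_indicators(pe)
    print(f"{label}: upx_names={ind['upx_section_names']} upx_magic={ind['upx_magic']} "
          f"empty_high_virtual={ind['empty_high_virtual']} high_entropy={ind['high_entropy']}")
    for s in ind["sections"]:
        print(f"  {s['name']:<8} vsize=0x{s['virtual_size']:05x} "
              f"raw=0x{s['raw_size']:04x} entropy={s['entropy']:.2f}")


if __name__ == "__main__":
    report("packed", PACKED_SAMPLE)
    report("plain", PLAIN_SAMPLE)
```

Run against a real packed binary (`packer_indicators(open(path, "rb").read())`) the same four indicators light up together, which is why adding VERSIONINFO resources alone does not change how a packed file looks to a classifier: the resource section is the one part UPX leaves readable, while the code still sits in a near-uniform blob next to an empty UPX0.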

 

[attachment: mwb-defs.png]

13 hours ago, cli said:

These have been fixed. Please ask your customers to update. 

As for how to avoid it in the future, please read MachineLearning/Anomalous Detections and Explanation

 

I asked the user who reported this to update and rescan. While I am waiting on that, he sent me his version and definitions information as a screenshot.


Please let me know if it should not have been a problem with these version IDs.

 


Your customers should have an Update package version of at least 1.0.12971. Thanks.


Can you try clearing your hubble cache to see if that fixes it? Here are the steps:

  1. Totally exit/shutdown Malwarebytes.
  2. Go to here in explorer: C:\ProgramData\Malwarebytes\MBAMService
  3. Delete the following file only: hubblecache
  4. Then you can restart MBAM and the cache file will rebuild on the next scan.

Let us know if the detection persists

On 10/21/2019 at 3:38 PM, thisisu said:

Can you try clearing your hubble cache to see if that fixes it? Here are the steps:

  1. Totally exit/shutdown Malwarebytes.
  2. Go to here in explorer: C:\ProgramData\Malwarebytes\MBAMService
  3. Delete the following file only: hubblecache
  4. Then you can restart MBAM and the cache file will rebuild on the next scan.

Let us know if the detection persists

I asked the user who reported the issue to do this, so I'll let you know what he says.

In the interim, have you tried scanning those files to try to replicate the problem?
