Jump to content

false positive on EXEs created by my software


isurumy
 Share

Recommended Posts

My software 'Advance BAT to EXE converter' creates EXE files from BAT files. It does not do any harm to computers
or data.

Your product falsely detect my program and EXEs created by it as "Malware"

I sell this software and my paid customers are annoyed with these false positives.

This zip file contains a sample of batch files compiled to EXE with 'Advanced BAT to EXE Converter' and there are thousands of variations of these files. Anything close to these files must NOT be a false positive.

i have included compiled batch scripts in "COMPILED Batch Files" folder.
And i have included my compiler program files in "COMPILER" folder.

The compiled EXE are created from "bfchlp1.dat" and "bfchlp4.dat" from "Specially flagged files" folder with the encrypted batch file append at the end, There are also few bytes overwrite inside of the "bfchlp" files.

Can you please fix this? i have attached files and virustotal.com link

virustotal link : https://www.virustotal.com/gui/file/c7ac0007e46976e6127c01357203e0ca7a43466e96757b80dc6489f524953bd5/detection

The sample is in a password protected zip file
The password for the attachment is "infected"
 

FP_ABF_passwd.zip

Link to post
Share on other sites

For staff, The following from the submitted files are detected.

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/2/21
Scan Time: 8:48 PM
Log File: 9fb2ba76-941e-11eb-a231-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39030
License: Premium

-System Information-
OS: Windows 10 (Build 19042.906)
CPU: x64
File System: NTFS
User: I7-PC\SAPC

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 90
Threats Detected: 8
Threats Quarantined: 0
Time Elapsed: 0 min, 10 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 8
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\1\B7.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , C919C4B0B754A579080BE4D5E2C0A0FC, A46ED655B4D62C7A8326823337F7C0336801EF35184BC0E04CA16316CD3BE138
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\1\B6.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , 5BB15C03C16E912849C6CE526E2E1794, 5A938AE0DD002A6A828BEB4D1A20E0A682532FC18F96DAA4039D939EB5AD1471
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\2\B6.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , 508018699172A17540AB1766AB6F878F, 60E9611052A95B441BCEE97A6AE546BCCE6480C77FBE3A0E5666C152A4FCD651
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\2\B7.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , F1DBE64DF7122CDC2F3ECC154496E2A5, 61400C8D951E6B5DA7BD148FEE8F555DFA2CA66FA65C631A3285A40E0CB21065
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\3\B6.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , DC650CA4AB7B2EA5C17C6B0AB36C9FD8, ED45CEC43F383F2B67A1802D84A6EB8282EE40458138CC81BFD515B76D13AF2F
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\3\B7.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , 941E4472EB91EA62DA4E2756C55981A6, 9519FE112B07A8DF50E60729CF82E294DAC7726CA4A6BB97C91202C88637284A
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\4\B7.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , 6A652E87B60E0AB04A0C06700705FC96, E5F980C17C0575E78344EEF8721B2FDDB83F4AF855A86380EA0F6E5358E28FD2
MachineLearning/Anomalous.100%, C:\MALWARE TEST\FP_ABF_PASSWD\FP\COMPILED BATCH FILES\4\B6.EXE, No Action By User, 0, 392687, 1.0.39030, , shuriken, , 82488DECD3A00BF0EDAB3837620E4ED6, CC36904ABA4EBF7533AA34A661DD4F2A5EE11FC533AA13A1FC79278C9A563074

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

I also tested one file that Malwarebytes detected and MS detects it as well. Food for thought.😉

https://www.virustotal.com/gui/file/61400c8d951e6b5da7bd148fee8f555dfa2ca66fa65c631a3285a40e0cb21065/detection

Edited by Porthos
Link to post
Share on other sites

  • Staff

Well here are the few problems we have. 

1. You software is abused by malware so blanket whitelisting unfortunately isnt a solution.

2. How many files were detected when you did your test? I show only 3 were detected out of all these when i checked a few minutes ago. This is do to machine learning whitelisting.  It can take up to 24 hours to whitelist a file from when  the system first encounters a file. 

 

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
MachineLearning/Anomalous.100%, C:\SAMPLES\021916\6321105831493632\FP\COMPILED BATCH FILES\2\B7.EXE, No Action By User, 0, 392687, 1.0.39054, , shuriken, , F1DBE64DF7122CDC2F3ECC154496E2A5, 61400C8D951E6B5DA7BD148FEE8F555DFA2CA66FA65C631A3285A40E0CB21065
MachineLearning/Anomalous.100%, C:\SAMPLES\021916\6321105831493632\FP\COMPILED BATCH FILES\4\B6.EXE, No Action By User, 0, 392687, 1.0.39054, , shuriken, , 82488DECD3A00BF0EDAB3837620E4ED6, CC36904ABA4EBF7533AA34A661DD4F2A5EE11FC533AA13A1FC79278C9A563074
MachineLearning/Anomalous.100%, C:\SAMPLES\021916\6321105831493632\FP\COMPILED BATCH FILES\4\B7.EXE, No Action By User, 0, 392687, 1.0.39054, , shuriken, , 6A652E87B60E0AB04A0C06700705FC96, E5F980C17C0575E78344EEF8721B2FDDB83F4AF855A86380EA0F6E5358E28FD2

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

 

3. This engine works off file anomalies and certain encryption. Virustotal shows these files are created with an invalid rich pe linker version. 

Edited by shadowwar
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.