Jump to content

Adware.Install is detected.


TLFI

Recommended Posts

Hello, I am Peter, a software developer at a company that distributes software for payroll processing. We regularly release hotfixes for our applications.

 

Sometimes, we encounter the issue that malware in the hotfix applications detects the problem <Adware.Install> and, as a result, deletes the application.

 

I have analyzed the issue and was able to reproduce it. Apparently, it's the size of the generated .exe and not its content that's responsible for this.

 

I have set up a test environment for this purpose. To conduct the test, I created 3 Hotfix.exe files. All three applications contain the file (lo_hotfix.pbd) that we want to deliver to our customers; the Hotfix.exe does nothing more. To replicate the issue, I additionally created 2 PDF files with arbitrary content and added them to the patch one after the other.

 

Here are the results:

 

Hotfix_original.exe -> Content: lo_hotfix.pbd -> Adware.Install is detected.

Hotfix_detected.exe -> Content: lo_hotfix.pbd + pdf_1.pdf -> Adware.Install is detected.

Hotfix_not_detected -> Content: lo_hotfix.pbd + pdf_1.pdf + pdf_2.pdf -> Adware.Install is not detected.

 

It appears to me that the size of the Hotfix.exe is responsible for triggering the problem.

 

Can you please assist me with this? How can we address the issue in the future? Does the .exe file need to have a certain size?

 

with kind regards

malware.zip

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.