UPX false positives


tuyen

I have two questions:

1) Can you guys please update your scan algorithms so that they don't freak out every time a UPX header is detected? I'm a software developer, and I can confirm with 100% certainty that any EXE file compressed with UPX will trigger a warning with a "TROJAN.DOWNLOADER" message, even if the file is perfectly clean.

2) Why is Malwarebytes randomly popping up warning messages about files which are not being executed? The message says that Malwarebytes blocked a file which was attempting to run, but this is absolutely not true, because those are my own executables which I created and placed in my C:\Temp directory for testing purposes. They are NOT resident in memory, and there's nothing else which is attempting to load them, so why is Malwarebytes being triggered?

It is impossible to correct on words alone; we do need samples, and I can assure you that UPX alone will not cause detection.

Thanks for the reply and for your assurance. However, my experience tends to disagree with your statement. Please find attached a zip file containing 4 different test files. All of them are completely clean, very simple programs with totally different purposes. The only thing they have in common is that they've all been compressed with UPX 3.07.

When I compile the files and run them, they do NOT trigger the Malwarebytes warning message. But as soon as I compress them, all four of them trigger the exact same warning message (TROJAN.DOWNLOADER).

UPX_FalsePositives.zip

Staff

Can you update and rescan? This should be fixed now.

This was a combination of UPX, the program used to make the files before compression, and no version info that caused some of the issue. If any one of these were different, they would not have been detected. All 3 symptoms are very common in malware.

Thanks for the files!

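Added example, not code from this thread or from Malwarebytes: a Python check that reports the two file-level signals the staff reply names, UPX section names and a missing version resource, so a developer can confirm both on a build before shipping it. The build_sample function constructs a minimal dummy PE32 image purely as sample input for this example; it is not a real program and the section layout is an assumption chosen for the demonstration.

```python
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX stub uses
RT_VERSION = 16  # resource type ID of the VS_VERSIONINFO block

def pe_signals(data):
    """Report UPX section names and presence of a version resource in a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)        # data directory array (PE32 / PE32+)
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]  # directory index 2 = resources
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    names = [s[0].rstrip(b"\0") for s in sections]
    has_version = False
    for _, vsize, va, raw_size, raw_ptr in sections:
        if rsrc_rva and va <= rsrc_rva < va + max(vsize, raw_size):  # map resource RVA to file offset
            off = rsrc_rva - va + raw_ptr
            n_named, n_id = struct.unpack_from("<HH", data, off + 12)
            for j in range(n_named + n_id):            # top-level entries are resource types
                ident = struct.unpack_from("<I", data, off + 16 + 8 * j)[0]
                has_version |= (ident == RT_VERSION)
    return {"sections": names, "upx_packed": bool(UPX_SECTIONS & set(names)), "has_version_info": has_version}

def build_sample(section_names, with_version):
    """Construct a minimal, non-runnable PE32 image (constructed sample data, not a real program)."""
    names = list(section_names) + [b".rsrc"]
    rsrc_va = 0x1000 * len(names)
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_va, 0x100)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    for i, n in enumerate(names):
        img += struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x100, 0x1000 * (i + 1), 0x100, 0x400 + 0x100 * i, 0, 0, 0, 0, 0x40000040)
    img = img.ljust(0x400, b"\0") + b"\0" * 0x100 * (len(names) - 1)
    n_id = 1 if with_version else 0
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n_id) + (struct.pack("<II", RT_VERSION, 0x80000018) if with_version else b"")
    return img + rsrc.ljust(0x100, b"\0")

if __name__ == "__main__":
    print(pe_signals(build_sample([b"UPX0", b"UPX1"], with_version=False)))
    print(pe_signals(build_sample([b"UPX0", b"UPX1"], with_version=True)))
```

On a real build, call pe_signals(open("yourfile.exe", "rb").read()); a result with upx_packed True and has_version_info False is the combination the staff reply describes as common in malware.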
> Can you update and rescan? This should be fixed now.

Perfect! Everything's working now without any warning messages.

> This was a combination of UPX, the program used to make the files before compression, and no version info that caused some of the issue. If any one of these were different, they would not have been detected. All 3 symptoms are very common in malware.
>
> Thanks for the files!

So if I would've added version info to the executable, it wouldn't have triggered the warning? That's good to know for future reference.

Thanks for the very quick response and fix.
