Closed JomSpoons closed 4 years ago
... why all of this is being detected as harmful
Well, it certainly comes up a lot, as you'll see in these issues: #180, #158, #78, #73.
First, AV programs are dedicated to paranoia. Accidentally deciding something is okay that then infects your computer helps no one. They'd rather err on the side of being too cautious. And to be fair, sometimes even open projects do find themselves in malware land (e.g. the Transmission BitTorrent client episode).
Second, my understanding on this is that some tools and libraries get associated (rightly or wrongly) with malware. Visual Basic and PowerShell files, executable compression (which is widely available and can cut down on your program's download size), and so forth are all treated with concern by AV programs.
Also, UniExtract does something that, strictly speaking, most developers don't want. Users unpacking their tools and running them in unexpected ways means more complex support cases. So nobody apart from UniExtract's users is going to change the status. Meanwhile, Google will move mountains to make sure chrome.exe isn't confused with malware.
The best thing you can do to help is keep submitting to your AV program of choice and point to the fact that this is an openly developed program on Github where the code is available for review. I'm convinced that some AV tools just copy-paste the analysis of others. In other words, back when there were only 50 or so engines analyzed on VirusTotal, we were no more safe than we are with 65+. After a few major tools accept something as not Malware, the others come along too.
UniExtract tends to be detected as malware for two reasons.
First, it's written in AutoIt. AutoIt is rarely used to write software that's distributed to other people, but it's fairly common for malware developers. Thus, AutoIt programs are prone to false positives.
Second, it utilizes a bunch of external extractor programs as separate EXEs (and if they aren't present, it downloads them from Bioruebe's server). This means that if even one of these EXEs is detected as malware, UniExtract itself is as well. The probability increases exponentially with the number of external extractors.
In the sandbox test, three of the five "malicious indicators" were that AV scans detected UniExtract or files it downloaded as malware. In other words, the sandbox test was mostly just parroting what the AVs said.
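A worked example added here (not part of this thread or the UniExtract project) for the two points made in the comment above: many multi-engine "detections" are heuristic verdicts that parrot each other, and bundling n separate extractor EXEs multiplies the chance that at least one trips a scanner. The script triages a scan result by separating generic/heuristic verdict names from ones that name a specific family, and computes how the aggregate false-positive chance grows with the number of bundled binaries. The input is a constructed sample shaped like the VirusTotal API v3 `last_analysis_results` object (engine name mapped to `category` and `result`); the engine names, verdict strings, the list of tokens treated as "generic", and the 5% per-binary rate are all assumptions for illustration, not a real scan of UniExtract.

```python
import re

# Constructed sample shaped like a VirusTotal API v3 "last_analysis_results"
# object (engine -> {"category", "result"}). Engine and verdict names are
# made up for illustration; this is not a real scan of UniExtract.
SAMPLE_RESULTS = {
    "EngineA": {"category": "malicious", "result": "Trojan.AutoIt.Generic"},
    "EngineB": {"category": "malicious", "result": "Heur.Suspicious.Packed"},
    "EngineC": {"category": "malicious", "result": "Gen:Variant.Example.1"},
    "EngineD": {"category": "malicious", "result": "ML.Score.High"},
    "EngineE": {"category": "malicious", "result": "Backdoor.Example.A"},
    "EngineF": {"category": "undetected", "result": None},
    "EngineG": {"category": "undetected", "result": None},
    "EngineH": {"category": "type-unsupported", "result": None},
}

# Tokens that mark a heuristic, packer, AutoIt or family-less verdict. Which
# tokens count as "generic" is an assumption for this example; tune it for
# the engines you actually see.
GENERIC_TOKENS = re.compile(
    r"(generic|gen[:.]|heur|suspicious|\bml\b|\bai\b|variant|packed|autoit|script)",
    re.IGNORECASE,
)


def classify_verdict(result):
    """'generic' for heuristic/packer/AutoIt verdicts, 'named' for a verdict
    that names a specific family, None when there is no verdict at all."""
    if not result:
        return None
    return "generic" if GENERIC_TOKENS.search(result) else "named"


def triage(results):
    """Count generic vs named detections and list the engines that gave a
    named (family) verdict; those are the ones worth reading first, since
    generic verdicts from many engines often repeat one heuristic."""
    summary = {"scanned": 0, "generic": 0, "named": 0, "named_engines": []}
    for engine, verdict in results.items():
        if verdict["category"] == "type-unsupported":
            continue  # this engine never looked at the file
        summary["scanned"] += 1
        if verdict["category"] != "malicious":
            continue
        # A malicious category with no verdict string is treated as generic.
        kind = classify_verdict(verdict["result"]) or "generic"
        summary[kind] += 1
        if kind == "named":
            summary["named_engines"].append(engine)
    return summary


def p_any_flagged(p_single, n):
    """Probability that at least one of n bundled binaries is flagged when
    each has an independent false-positive rate p_single. Independence is an
    assumption: engines that share signatures are correlated, so the real
    figure for a given engine set can differ."""
    return 1.0 - (1.0 - p_single) ** n


if __name__ == "__main__":
    s = triage(SAMPLE_RESULTS)
    print(f"{s['generic'] + s['named']}/{s['scanned']} engines flagged: "
          f"{s['generic']} generic, {s['named']} named {s['named_engines']}")
    for n in (1, 5, 10, 20):
        print(f"{n:2d} bundled extractors at 5% each -> "
              f"{p_any_flagged(0.05, n):.0%} chance at least one is flagged")
```

In practice, run the triage over the real per-engine result list before deciding whether a detection spike is a real problem: a jump made of generic and "AutoIt"/"packed" verdicts is the pattern described above, while even a single engine naming a specific family deserves a closer look at the flagged binary.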
The most frustrating example is Windows Defender (don't laugh; it's what I use). The main issue is that, no matter how many times I tell it to trust the program, it still deletes it anyway. Annoyingly, when I tell it to only scan the main executable it says "No threat".
The most frustrating example is Windows Defender
Yeah, Windows is generally more interested in protecting you from yourself. If you have the ability, you might want to try another AV tool. If you're stuck with Defender, it's far from the worst program out there. In terms of ways forward, the best you can hope for is submitting it to Microsoft as a false positive: https://www.microsoft.com/en-us/wdsi/filesubmission
I have to admit, I have no idea why it was suddenly detected by 20+ AV engines. A score of 6 detections on VirusTotal is the norm for UniExtract - and after rebuilding the exe, detection ratio went down again.
Thanks to everyone who posted in this thread, you explained the reasons better than I could have done. :1st_place_medal:
I want to start this by admitting that I am not familiar with code myself, so I can't verify any of these detections myself, but the sheer amount of sources detecting the program as malicious is alarming to me. I apologize if what I'm sharing here is pointless.
Today I did a full scan of my computer with Malwarebytes and I was surprised to see UniExtract in the list of flagged files. This made me curious so I put the EXE (Version 2.0.0 RC 3 (15.05.2020)) through Hybrid Analysis and the results were very largely classified as malicious across the board, both by antivirus scans and sandbox tests. You can take a look at the results here.
Why exactly is this? Again, I'm not familiar with code so I'd like some explanation as to why all of this is being detected as harmful. Thanks.