Bioruebe / UniExtract2

Universal Extractor 2 is a tool to extract files from any type of archive or installer.
GNU General Public License v2.0

Anti-Malware false positives #78

Open Bioruebe opened 6 years ago

Bioruebe commented 6 years ago

Universal Extractor (or parts of it) sometimes get flagged as malicious by security software.

Of course, Universal Extractor is safe. If you have some programming skills, you can even verify that yourself by looking at the source code. However, some anti-malware tools are over-sensitive and flag programs as malicious if they are not sure.

Here's what you can do, if your anti-malware software complains about Universal Extractor:

Send a false-positive report

The easiest way of fixing the problem is to send the file to the developer of your security software. Depending on your anti-malware program, this can be done either from within the software (there might be a link/button in the 'malware detected' message box), using a web form or via email. If you are unsure how it works, a simple web search should give you all information you need.

Or comment here

Alternatively, you can add a comment here. Please include the version of Universal Extractor, the name of your security software and which file was detected (UniExtract.exe or something else?).

Notes

It is very likely that even after sending a false-positive report the file in question will be flagged as malicious again after updating Universal Extractor (or your anti-malware software). This happens because whitelisting is done only for one specific version of a program. There is nothing we can do about it, except sending false-positive reports after every update.

vatterspun commented 6 years ago

I think if you just submit the file to VirusTotal, it will give you a breakdown on the various different tools.

For example, v2.0.0 beta 2c has a bunch of obscure engine flags, including Endgame, Qihoo-360, SentinelOne (Static ML), and Webroot:

https://www.virustotal.com/en/file/6e2f2c475020e4131d383aef0efbe015c68ed4ae21bc334dd9fc5941165f9113/analysis/

There's also an FAQ for devs: https://www.virustotal.com/en/faq/ (see "VirusTotal is detecting a legitimate software I have developed, please remove the detections")

ghost commented 6 years ago

Is AutoIt similar to autohotkey in that compiling the script always produces 1 or 2 false positives even if you don't use UPX?

cubedj commented 6 years ago

The compiled "pie.exe" executable got recognized by Windows Defender (cloud protection engine) as Trojan:Win32/Fuerboos.B!cl, so I've submitted the file as a false positive for manual analysis to MS, and the end result is "not malware"... [screenshot of the submission]

vatterspun commented 6 years ago

I've submitted the file as a false positive for manual analysis to MS, and the end result is "not malware"...

Thanks

Darthagnon commented 6 years ago

My BitDefender didn't like the DGCA or Smart Install Maker Unpacker plugin modules.

myfairsyer commented 5 years ago

Norton sees uniextractupdater.exe as a threat b/c of bad crowd-sourced reputation

[screenshots]

Shitennouji commented 5 years ago

About the latest version "v2.0.0 - rc.1":

1. VirusTotal warns of false positives.

UniExtractRC1.zip: https://www.virustotal.com/ja/file/a7e5b4499f8edab6eca0dc253c988ce3175198d5d174a49b57d6014dbff97731/analysis/1535047860/
UniExtract.exe: https://www.virustotal.com/ja/file/e6262a90eb1b619b892eb75ec002b3842da8437df542f177e49c9df8fb3e435e/analysis/1534898614/
UniExtractUpdater.exe: https://www.virustotal.com/ja/file/a75b328e4098e3b497388eec906b43248ae4124e79cb9284154fb7c0647d4506/analysis/1534900661/

2. It is blocked by "Windows Defender SmartScreen" when running the application: "Application: UniExtract.exe, Publisher: Unknown Publisher". Usage environment: Windows 10 Home (64-bit) 1803, build 17134.191.

I judged from the contents that this was a "false positive" and an "unregistered definition", ignored the warning and "executed". "Windows Defender's PUP protection" and the resident security solutions (Malwarebytes Free, Heimdal PRO, Reason Core Security Free, AppCheck) were all nonresponsive: "no threat".

However, many end users will be upset by a "false positive alert" or "blocked by WD" (infects with malware). Therefore, it seems necessary to take measures.

dguder commented 4 years ago

About the latest version "v2.0.0 - rc.2b": TrendMicro deletes UniExtractUpdater.exe for the following reasons:

DanieleR87 commented 4 years ago

Avast Free flags each new release as malware (Win32:Malware-gen). After sending it for additional analysis, it says it's clean. VirusTotal also detects it as a generic trojan by several engines:

https://www.virustotal.com/gui/file/12d45f03acdea4eb2d99379d26562b93a2967adb13f508c539e1521d4de60453/detection
https://www.virustotal.com/gui/file/bd314d610720b169d74b61f17619574e9b3465875211231f6a65168fb3a64634/detection
https://www.virustotal.com/gui/file/56282f727ebfca78b951472942cea47c978e51bb240ffea2fc3ccd07574ba6e1/detection

PMoro commented 4 years ago

UniExtract.exe 3.3.14.1 (2019.10.17) detected by Windows Defender as Trojan:Win32/Azden.A!cl.

Edit: I sent the file to MS and, after review, they have removed the detection.

Bioruebe commented 4 years ago

A big thanks to everyone who contributed in this thread or sent false positive reports. Please continue to do so :)

I updated the issue description with more information about false positives and how everyone can help.

About Windows Defender: sadly this is a common problem. It's very likely that the software flags every new release as malicious again. Please keep sending false positive reports if you have the spare time.

bqguynb82 commented 3 years ago

Bitdefender just stopped some of the UniExtractRC2 update as ransomware. Screenshot attached. [screenshot]

CeruleanSky commented 3 years ago

The nightly went from about 6 to 11 detections, including the big ones like Microsoft, Kaspersky, McAfee and Sophos: https://www.virustotal.com/gui/file/2dc61c2a5e5f17725697c2ac1ba1395951e6eb613167fd489a64dc3bb3182715/detection

It would be nice if it was a simple case of the server being hacked and the file replaced with a malicious one; at least then you could fix it easily. But it seems like the AutoIt scripts have whacked a hornets' nest with a large stick.

If you could, as the author, submit the nightly to https://opentip.kaspersky.com with your email address so they can contact you.

You'll have to click on the reanalyze button after uploading it to get a specialist to look it over.

bqguynb82 commented 3 years ago

I’m not the author.


Bioruebe commented 3 years ago

The nightly went from about 6 to 11 detections, including the big ones like Microsoft, Kaspersky, McAfee and Sophos

Thanks for letting me know. I sent a bunch of false positive reports and now it's back at 6 detections.

iGom commented 3 years ago

Windows Defender, UniExtract 2.0.0 RC 3: Trojan:Script/Woreflint.A!cl
file: C:\Users\iGom\Downloads\UniExtractRC3.zip

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fWoreflint.A!cl&threatid=2147726230

iGom commented 3 years ago

Windows Defender, UniExtract 2.0.0 RC 3 while updating to RC 4: Trojan:Win32/Azden.A!cl

file: C:\Users\iGom\AppData\Local\Microsoft\Windows\INetCache\IE\17BBYC0C\UniExtract[1].exe
file: C:\Users\iGom\Downloads\UniExtractRC3\UniExtract\UniExtract.exe

packeterrors commented 3 years ago

Tested on 11/1/2020

Due to the size of the file, only VirusTotal scans it.

9/58 on VT https://www.virustotal.com/gui/file/03170680b80f2afdf824f4d700c11b8e2dac805a4d9bd3d24f53e43bd7131c3a/detection

Alibaba: TrojanDownloader:Win32/Generic.d8e526a0
Comodo: Malware@#2o7650syxru6b
Gridinsoft: Trojan.Win32.Agent.dg
Jiangmin: Trojan.DTStealer.h
Rising: Trojan.Generic@ML.81 (RDML:7beaJz6snfU7S
SentinelOne (Static ML): DFI - Suspicious Archive
Sophos AV: ForceLibrary (PUA)
Sophos ML: ForceLibrary (PUA)
Zillya: Adware.OutBrowse.Win32.94827

Other scan sites

AntiScan.Me: https://antiscan.me/
Any.Run: https://any.run/
BitBaan MALab: https://lab.bitbaan.com/
Hybrid-Analysis: https://hybrid-analysis.com/
Metascan Online: https://metadefender.opswat.com/
VirSCAN: https://www.virscan.org/
VirusTotal: https://www.virustotal.com/
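An added triage helper for the workflow the comments above describe (hash the release artifact, build its VirusTotal lookup URL in the form used throughout this thread, and condense a detection report into the engine list and "flagged/total" ratio quoted here). This is example code, not part of the thread or of UniExtract; the report shape follows the public VirusTotal v3 file object as I understand it (an assumption), and the sample report is constructed.

```python
"""Hash a release artifact, build its VirusTotal lookup URL, and condense a
VirusTotal-v3-style analysis report into the flagged engines and m/n ratio."""
import hashlib
from pathlib import Path

# URL form used throughout the thread: /gui/file/<sha256>/detection
VT_GUI = "https://www.virustotal.com/gui/file/{sha256}/detection"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    """Stream the file so large installers don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_url(sha256: str) -> str:
    return VT_GUI.format(sha256=sha256.lower())


def summarise(report: dict) -> dict:
    """Return {"ratio": "m/n", "flagged": [(engine, verdict), ...]}.
    Assumption: attributes.last_analysis_results maps engine name to a dict
    with "category" (malicious/suspicious/undetected/...) and "result"."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = sorted(
        (engine, r.get("result") or r["category"])
        for engine, r in results.items()
        if r["category"] in ("malicious", "suspicious")
    )
    return {"ratio": f"{len(flagged)}/{len(results)}", "flagged": flagged}


# Constructed sample in the v3 shape; not real VirusTotal output.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "Sophos": {"category": "malicious", "result": "ForceLibrary (PUA)"},
    "Rising": {"category": "suspicious", "result": None},
    "Microsoft": {"category": "undetected", "result": None},
    "Kaspersky": {"category": "undetected", "result": None},
}}}}

if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))  # ratio "2/4", Rising and Sophos flagged
    print(lookup_url(sha256_of_bytes(b"constructed sample bytes")))
```

Because the whitelisting the thread describes is keyed to a specific file, every new build produces a new hash and therefore a fresh lookup URL and a fresh report to submit.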

robross0606 commented 2 years ago

The latest Avast is seeing UniExtract.exe as an idp.generic virus. [screenshot]

Rekrii commented 2 years ago

Still getting PUP detections in (a fully patched) Windows Defender: [screenshot]

RommelSanchez commented 2 years ago

I think if you just submit the file to VirusTotal, it will give you a breakdown on the various different tools.

There's also an FAQ for devs: https://www.virustotal.com/en/faq/ (see "VirusTotal is detecting a legitimate software I have developed, please remove the detections")

A suggestion for users could be to give a positive vote on the VirusTotal page, for example https://www.virustotal.com/gui/file/2dc61c2a5e5f17725697c2ac1ba1395951e6eb613167fd489a64dc3bb3182715/detection for version 2.0.0 RC 3.

Eric666-tester commented 2 years ago

Hi, I just got a false positive on PEiD.exe from SentinelOne software. I guess it's a false positive; it has been identified as malicious on VirusTotal in the past and redeemed again. Using 2.0.0 RC 3. VirusTotal link: https://www.virustotal.com/gui/file/e13171d50f45a79bc09b9e4b9ffa38eb02301aca94a1867a9bf8acccc3759030/detection

Dragodraki commented 2 years ago

Hi there,

Is there any possibility to make future versions get less harmful results, please? I know the software isn't a risk, but other people and AVs won't...

CeruleanSky commented 2 years ago

@Dragodraki Not really. Viruses use scripts and other ways to decompress their malicious payloads in hopes of avoiding detection. UniExtract has lots of scripts and utilities to decompress files, and antivirus vendors sometimes make their templates loose in hopes of catching variations, but in this case they will occasionally catch UniExtract's legitimate methods as falsely being that malware.
While better vendors make attempts to ensure new virus definitions don't cause regressions, even that can be error-prone, and unfortunately it is usually on the makers and users of legitimate programs to notify the antivirus makers of their mistakes after the fact, as they can't fix what they are not aware of being broken.

Dragodraki commented 2 years ago

@CeruleanSky Thank you for the explanation. Yes, I'm aware of that. Indeed, I mean these scripts: maybe they can be changed to not seem so aggressive?

Urizha commented 7 months ago

SentinelOne is flagging these: [screenshot]

OurMajesty commented 4 days ago

Trojan:Win32/Leonem detected by Microsoft Defender Antivirus. [screenshot]