Javier

false positive on one of my product files

Hi,

I recently scanned my computer with Superantispyware Free, and I realized that it detected one of my files, which is freeware that I distribute on my site. It detected it as Adware.Vundo/Variant-MSFake, and obviously it's a mistake (I'm the author of the compilation and I know there is no spyware in it. Besides, it's a file that has been there unchanged since 2003).

The file is the exe contained in the zip that you can download here: http://www.visual-basic.com.ar/arc/skstp.zip or from the link on the page http://www.visual-basic.com.ar/descarga-en.htm under the title "VB6 Setup program, skinned and multilingual (free)"

What do I have to do to get you to correct this? Is posting it here enough?

Thanks in advance,

Javier

Submit the false positive using the built in false positive reporting, that's the most effective way for us to handle the issue.

Now I'm really upset.

I sent the false positive report immediately after I wrote the first post here. You didn't correct the issue and now I have big problems.

I sent a new false positive report recently, with this text:

"The file is the exe contained in this zip: http://www.visual-basic.com.ar/arc/skstp.zip This is the second time I am trying to get you to fix this false positive, which is causing me a lot of problems.

I already reported this issue with this tool before, and I also posted about it in your forum here: viewtopic.php?f=4&t=2672

Now I am having Google blocking not only this product, but all the products in the directory http://www.infotambo.com.ar/arc/ where the file is also hosted!

It's a big damage for me.

I also realized that you detect other compilations of setup1.exe as malware, not only mine. I'll provide more explanation in the forum thread that I linked above. Regards, Javier"

Well, more explanation:

I see that you are detecting other setup1.exe compilations as malware, not only the one that I'm reporting.

I'll explain what setup1.exe is:

This is the setup installer that comes with the Visual Basic 6 development tool. But the development package also provides the Visual Basic source code so you can adapt the installer to your needs, that is, write your own personalized version of setup1.exe. The project file is setup1.vbp and it is in the Visual Basic installation directory (in an inner folder).

I made a version of the installer that has a skin, and that is what my setup1.exe is, nothing more, nothing less.

So Visual Basic developers can use it (by the way, it's freeware) as a replacement for the setup1 that comes from MS.

This improved installer has a better look. There is no malware nor anything harmful in it.

Besides my version of setup1.exe, there are other ones on the web. Other developers have made their own versions with different improvements. Maybe one of them could also have written malware, I don't know, but you can't ban every version because one had malware!!!

You can see that now my page http://www.infotambo.com.ar/arc/ where I host the file is blocked by Google; this is really crazy. I don't understand what the chain of irresponsibility is, but there is something very wrong in the way you (including Google, etc.) are treating malware.

Please do your part ASAP and correct it, it's urgent for me.

Thank you,

Javier

Javier,

SUPERAntiSpyware has NOTHING to do with Google blocking your site - it would appear that more than just our software is detecting your software - we will look into this - I believe it was removed from the definitions - what definition set are YOU scanning with?

Thank you!

Now it doesn't detect the file anymore.

I realized that the problem was that it is packed with UPX (http://upx.sourceforge.net/); it is packed to reduce its size.

I see that you excluded the specific hash of the file, but if I pack the original file with UPX again, it produces another hash and then it is detected again.

For now it's still a solution for me because I'm not planning to change it (to make a new version) soon.

But I still think there is something wrong with the heuristic detection, because if I unpack the file (with UPX), it isn't detected, but if I pack the file, it is detected. I played with the UPX parameters to see if I could get rid of the false detection, but with no luck; it was always detected no matter what packing parameters I changed.

So it makes no sense: why would a file be suspicious when it is UPX packed but not when it is unpacked?

I need the file to be packed because the file size is reduced a lot, and if I leave the file in its original, unpacked form, it could be too large for some people (I mean, large for the application it is intended for, being part of VB6 installers).

I know that a lot of malware is UPX packed, but a lot of legit software is too. UPX is popular on both sides, and a file being packed with UPX does not mean it's malware.

I've been doing some research reading articles on the internet, and I saw that many AV programs first unpack files packed with UPX and then scan them. I know that this will increase the scan time for such files, but I still think it's the way to go.

Thank you.
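The two mechanisms discussed in the post above, a packer heuristic that fires on UPX-packed files and a per-file hash exclusion that stops matching the moment the file is repacked, as an added example that is not part of the original thread and is not SUPERAntiSpyware's or UPX's code. The script walks a PE section table looking for the UPX0/UPX1 section names and the "UPX!" stamp that stock UPX leaves behind, and shows why an exact-hash allowlist is brittle. The PE images it scans are constructed, header-only stand-ins built in-line so the script runs offline; build_pe, is_upx_packed and allowlisted are this example's own names, not anything from the thread.

```python
"""UPX-packing triage for PE files: section-name/marker heuristic plus the
exact-hash allowlist problem described in the thread.

Added example, not code from the forum thread, from SUPERAntiSpyware or from
UPX. The PE images below are constructed in-line (headers only, no code) so
the script runs offline; pass the bytes of a real .exe to use it for real.
"""
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the PE header offset
COFF_HEADER_SIZE = 20         # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40      # IMAGE_SECTION_HEADER
UPX_SECTION_PREFIX = b"UPX"   # stock UPX names its sections UPX0, UPX1, ...
UPX_MARKER = b"UPX!"          # stamp UPX writes into its packed header


def build_pe(section_names, tail=b""):
    """Constructed test input (not a real program): DOS stub, 'PE\\0\\0',
    a COFF header with no optional header, one section header per name,
    then `tail` as stand-in body bytes."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytes(e_lfanew - 2)
    dos[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       0x14C,               # Machine: i386, as a VB6 build would be
                       len(section_names),  # NumberOfSections
                       0, 0, 0,             # timestamp, symtab ptr, symbol count
                       0,                   # SizeOfOptionalHeader (omitted here)
                       0x102)               # Characteristics: EXE, 32-bit
    table = b"".join(name.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                     for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + tail


def pe_section_names(data):
    """Walk the section table; return [] for anything that is not a
    well-formed PE (bad magic, truncated headers)."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\0\0" or len(data) < coff + COFF_HEADER_SIZE:
        return []
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break                       # truncated table: report what we saw
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """Heuristic only: UPX-named sections and/or the 'UPX!' stamp.
    Returns (verdict, reasons). Both signals are trivial to edit out of a
    packed file, and neither says anything about what the payload does, so
    this is a triage hint, never a malware verdict on its own."""
    reasons = []
    upx_names = [n for n in pe_section_names(data) if n.startswith(UPX_SECTION_PREFIX)]
    if upx_names:
        reasons.append("sections " + ", ".join(n.decode("ascii", "replace") for n in upx_names))
    if UPX_MARKER in data:
        reasons.append("'UPX!' marker present")
    return bool(reasons), reasons


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def allowlisted(data, allowlist):
    """Per-build exclusion as described in the thread: it matches one exact
    hash, so any repack of the same program falls out of it."""
    return sha256_hex(data) in allowlist


if __name__ == "__main__":
    # Constructed stand-ins for one installer: unpacked, packed, and repacked
    # (one byte of packer output differs, which is all it takes to change the hash).
    plain = build_pe([b".text", b".data", b".rsrc"], tail=b"\x90" * 64)
    packed_v1 = build_pe([b"UPX0", b"UPX1", b".rsrc"], tail=b"\0" * 8 + UPX_MARKER + b"\x01")
    packed_v2 = build_pe([b"UPX0", b"UPX1", b".rsrc"], tail=b"\0" * 8 + UPX_MARKER + b"\x02")
    allowlist = {sha256_hex(packed_v1)}
    for label, image in (("unpacked", plain), ("packed", packed_v1), ("repacked", packed_v2)):
        verdict, why = is_upx_packed(image)
        print(f"{label:9} upx={str(verdict):5} allowlisted={str(allowlisted(image, allowlist)):5} {'; '.join(why)}")
```

Run stand-alone it prints one line per image: the unpacked stand-in trips neither signal, the packed one trips both and is allowlisted, and the repacked one trips both and is not. The unpack-then-scan step the post argues for is, with the real tool, `upx -d -o unpacked.exe packed.exe` before hashing or signature matching; since UPX decompression generally restores the original bytes, hashing the unpacked image gives an exclusion that survives repacking, which an exclusion on the packed hash does not.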
