How to disable the «exe compression» in order to avoid false (virus) positives

[Bitbeisser]

Just made a couple of quick tests before leaving the house:

- on my local PC here, running AVast! as the AV, those files from timovjl come up clean.
- on another PC, running AVG, likewise no problem with a local scan
- sending those files as attachments to my own email server, which has a plug-in to scan for viruses with ClamAV, results in a error message because of the attachments (error message in this case is a bit vague though)
- scanning those files on the same server locally with ClamWin (which uses the very same ClamAV engine!) comes up clean again... WTF?

Definitely something that the folks at ClamAV/SourceFire need to look at I guess...

Ralf

[Joris Claassen]

From « http://www.clamav.net/lang/en/sendvirus/submit-fp/ »

Please do not report false positives for PUA.* signatures because they are automatically rejected (What is PUA?).

So I think the Clamav folks are not willing to cooperate at all!

[CommonTater]

From « http://www.clamav.net/lang/en/sendvirus/submit-fp/ »

Please do not report false positives for PUA.* signatures because they are automatically rejected (What is PUA?).

So I think the Clamav folks are not willing to cooperate at all!

  You give up too easily...

Try writing to jesler@sourcefire.com ... attach the projects Timo provided and give a thorough description of the problem...  Lets hope you get a favourable response because this is their fault and it's not funny.  It will affect the distribution of many people's work (including my own).
 

 

Update... got a reply from sourcefire...
 

The following message to <jesler@sourcefire.com> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 552-'5.7.0 Our system detected an illegal attachment on your
message. Please\n5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to\n5.7.0
review our attachment guidelines. tu10si5762653pbc.321'

 
Renaming the .zip files as .txt appears to have gotten them past GMail's paranoia...
 

 



Update2 : Reply from Joel Esler... (Highlights, mine)
 
ClamAV is not flagging your software as malicious.  ClamAV is simply just identifying the packer used to pack
the software into an executable form.  This is off by default in our product, and has to be explicitly enabled.
Recently we've become aware that certain file scanning sites (like Virustotal) scan using this option enabled.
We have been in contact with Virustotal to remove this functionality on their site, and they have assured us
that they will.
Again, we are NOT flagging your product as malicious, we are simply providing information as to the packer of
the software. 

$ clamscan HelloC-v*
HelloC-v65.txt: OK
HelloC-v6.txt: OK
HelloC-v7.txt: OK
----------- SCAN SUMMARY -----------
Known viruses: 1278845
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.12 MB
Data read: 0.04 MB (ratio 3.33:1)
Time: 6.123 sec (0 m 6 s)

$ clamscan --detect-pua=yes HelloC-v*
HelloC-v65.txt: PUA.Win32.Packer.PellesC400450Ex-1 FOUND
HelloC-v6.txt: PUA.Win32.Packer.PellesC400450Ex-1 FOUND
HelloC-v7.txt: PUA.Win32.Packer.PellesC400450Ex-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1284100
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 3
Infected files: 3
Data scanned: 0.08 MB
Data read: 0.04 MB (ratio 2.33:1)
Time: 3.344 sec (0 m 3 s)
=========================
 
Based on this it would appear to be the settings on some servers that's the problem...
 

[CommonTater]

Last update on this issue... ClamAV is going to remove the signature that tags Pelles C as a virus.

======================================================

> Really, Joel, in all due respect this whole problem was 100% preventable
> with nothing more dramatic than a bit of foresight. Seriously, you have to
> know that someone is not going to know what a "PUA" is and decide to enable
> it "just in case"...


I can see your point there.  I'll drop the signature for your particular packer.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

[Joris Claassen]

New development in the AV world.

I happen to start a scan today (during lunch/diner; Comodo) which resulted in

    UnclassifiedMalware@285363702  ...\HelloC-v7.zip|HelloC.exe

I notified Comodo that this is a false positive. So I wonder what will happen in a few days during a new scan ...
Unzipping caused Comodo to freak out.  (Also a flash message appeared -maybe by Universal Extractor- claiming that the zip contains strange characters in the path name. The message doesn't appear again when re-unzipping [?!])
Scan on resulting files: no threats found.
Scan on zip file HelloC-v7.zip:  UnclassifiedMalware@285363702.

[CommonTater]

New development in the AV world.

I happen to start a scan today (during lunch/diner; Comodo) which resulted in

    UnclassifiedMalware@285363702  ...\HelloC-v7.zip|HelloC.exe

I notified Comodo that this is a false positive. So I wonder what will happen in a few days during a new scan ...
Unzipping caused Comodo to freak out.  (Also a flash message appeared -maybe by Universal Extractor- claiming that the zip contains strange characters in the path name. The message doesn't appear again when re-unzipping [?!])
Scan on resulting files: no threats found.
Scan on zip file HelloC-v7.zip:  UnclassifiedMalware@285363702.

Did it not react to 6.0 and 6.5 versions?
 
I would like you to try something with the same files... recompile the EXE with optimizations off and try it again... I know this seems like an unlikely cause but given events in another thread, we shouldn't write it off as a possibility.

This is getting to be a real annoyance...  I had one of my "small utilities" (a text file converter; various unicodes to utf8) stripped by an ISP last Wednesday and they didn't seem at all interested in fixing the problem, even when I sent them a copy to examine.  I ended up sending a cd to the client via overnight courier at my own expense. ( and who uses cd's anymore?)
 

[Joris Claassen]

From http://pellesc.de/index.php?page=download&lang=en&version=7.00

    Please uninstall any older version of Pelles C before installing version 7.00.

So you mean: only play with different optimizations/settings for the 6.0 version?

I • made 10 different versions:

      -Tx86-coff -MT -Os -Ob1 -fpprecise -W0 -Gz -Ze -Zx -Go -Gn -J
      -Tx86-coff -MT -Os -Ox -Ob1 -fpfast -W0 -Gz -Ze -Zx -Go -Gn -J
      -Tx86-coff -MT -Ot -Ox -Ob1 -fpfast -W0 -Gz -Go -Gn
      -Tx86-coff -Ot -Ob1 -fpprecise -W0 -Gd
      -Tx86-coff -MT -Ob0 -fpprecise -W0 -Gr -Ze -Gn
      -Tx86-coff -MD -Ot -Ob1 -fpprecise -W0 -Gd -Zx -J
      -Tx86-coff -MT -Ot -Ob1 -fpprecise -W0 -Gd -Zx -J
      -Tx86-coff -MD -Ot -Ob1 -fpprecise -W0 -Gz -Ze -Zx -Go -Gn -J
      -Tx86-coff -MT -Ot -Ob1 -fpprecise -W0 -Gz -Ze -Zx -Go -Gn -J
      as wince(!) +  -Tx86-coff -MT -Ob0 -fpprecise -W0 -Gd -Ze -Gn  +  -AIA32 -Gr

  • scanned them all with Comodo: no threat(s) found
  • sent them one at a time to the e-mail address at the server using Clamav scanner: all e-mails arrived.

Although

     -Tx86-coff -MT -Os -Ob1 -fpprecise -W0 -Gz -Ze -Zx -Go -Gn -J
     -Tx86-coff -MT -Os -Ox -Ob1 -fpfast -W0 -Gz -Ze -Zx -Go -Gn -J

needed much more time to be sent (but that can also be caused by network or server load ...)


So I rescanned «HelloC-v7.zip» with Comodo: same UnclassifiedMalware threat recognized.
Sending «HelloC-v7.zip» to the Clamav-using e-mail server: no threat found.
Resending the original e-mail which made me start this discussion to the same e-mail server: no threat found. So the false positive by Clamav seems to be fixed (unless someone has changed the settings on this server).

[CommonTater]

    Please uninstall any older version of Pelles C before installing version 7.00.

So you mean: only play with different optimizations/settings for the 6.0 version?

Yeah, I suppose I do mean that ...
 

I made 10 different versions
...
  • scanned them all with Comodo: no threat(s) found
  • sent them one at a time to the e-mail address at the server using Clamav scanner: all e-mails arrived.

That's progress... What I was trying to discover was if a code difference between optimized and non-optimized compiles might be causing the problem.  (The optimizer has it's own set of problems.)
 

So I rescanned «HelloC-v7.zip» with Comodo: same UnclassifiedMalware threat recognized.
Sending «HelloC-v7.zip» to the Clamav-using e-mail server: no threat found.
Resending the original e-mail which made me start this discussion to the same e-mail server: no threat found. So the false positive by Clamav seems to be fixed (unless someone has changed the settings on this server).

It appears Joel was true to his word.  He was nice enough to change that for us without much of a fuss.
 
Now the problem shows up with Comodo... Nice...
 
Remember when programming used to be a fun and creative undertaking?
 
 
 
 

[CommonTater]

Great news (Not)... Emsisoft's Emergency Kit on demand virus scanner has begun tagging Pelles C as infected.

[Robert]

All downloads of the Pelles C setup files with I.E. 10 on Windows 8 produces the following message

"setup.exe was reported as unsafe."

Something is really amiss with so many vendors reporting a problem.

Robert Wishlaw

[CommonTater]

All downloads of the Pelles C setup files with I.E. 10 on Windows 8 produces the following message

"setup.exe was reported as unsafe."

Something is really amiss with so many vendors reporting a problem.

Robert Wishlaw

Hi Robert...
This is the first time I've heard anyone say the setup for Pelles C itself was a problem.  Up to now it's mostly been programs written in Pelles C.

But yes, I agree this is not good at all...
 
All versions were tagged or just version 7?

[Robert]

All downloads of the Pelles C setup files with I.E. 10 on Windows 8 produces the following message

"setup.exe was reported as unsafe."

Something is really amiss with so many vendors reporting a problem.

Robert Wishlaw

Hi Robert...
This is the first time I've heard anyone say the setup for Pelles C itself was a problem.  Up to now it's mostly been programs written in Pelles C.

But yes, I agree this is not good at all...
 
All versions were tagged or just version 7?

Hi Tater:

On the download site

http://smorgasbordet.com/pellesc/download.htm

only Version 7 setups are available. Both 32 and 64bit setups and add in SDKs were flagged as unsafe.

Robert Wishlaw

[Stefan Pendl]

Both 32 and 64bit setups and add in SDKs were flagged as unsafe.

This might just be due to the missing certificate as mentioned at the top of that page.

[CommonTater]

Hi Tater:
On the download site
http://smorgasbordet.com/pellesc/download.htm
only Version 7 setups are available. Both 32 and 64bit setups and add in SDKs were flagged as unsafe.

Robert Wishlaw

You can access old versions all the way back to 2.8 on the mirror site ... HERE
 
It would be nice to know if it's version 7, some versions or all versions...
 
Although it may simply be as Stephan said... the lack of a certificate.
 
(Oh how I hanker for simpler times...)
 

[Robert]

Hi Tater:
On the download site
http://smorgasbordet.com/pellesc/download.htm
only Version 7 setups are available. Both 32 and 64bit setups and add in SDKs were flagged as unsafe.

Robert Wishlaw

You can access old versions all the way back to 2.8 on the mirror site ... HERE
 
It would be nice to know if it's version 7, some versions or all versions...
 
Although it may simply be as Stephan said... the lack of a certificate.
 
(Oh how I hanker for simpler times...)

I just installed Windows 8 RTM Enterprise and the Pelles C 7 setup64.exe downloads from both Christian Heffner's and the Smorgasbordet sites are flagged as

"The signature of setup64.exe is corrupt or invalid."

Thank you for the link to the old versions. The 6.5 RC4 download does not raise any warnings.

Robert Wishlaw