Peter's z80.eu site blog
OT again: Fooled Antivirus - Part 2 
Wednesday, November 14, 2012, 10:00 PM
Posted by Administrator
To see what I mean, download an older patch program (aka crack program) as an example of how blind, or at least dumb, antivirus software can be.

Attention: You have to deactivate your antivirus software to unpack it (password for unpacking: novirus). After unpacking, upload both files to virustotal.com and see what happens. You do not need to execute the exe files. After uploading them, you can reactivate your antivirus software (an alert for one of these two files will pop up).

patch_winver_unpacked.exe should come back clean (no detections)
patch_winver_upx.exe should trigger a lot of detections

But these files are virtually identical, except that patch_winver_upx.exe is packed with a modified, early UPX version.
You will still be able to unpack the second one manually: just open it in PE Explorer and you will have the option to save it uncompressed (a PE Explorer plugin does this automatically).
Why is "Heaventools Software" able to do this with ease, but no antivirus vendor is able to unpack it "on the fly"? Even if they argue that each unpack process takes additional time, that is a lot better than giving false alarms. At the very least, a user should have the option to switch "unpacking of known exepackers" on or off.
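The alert on the packed file is exactly the kind of verdict a scanner reaches from the PE section table alone, without unpacking: section names beginning with "UPX", a UPX0 section that is reserved in memory but has no raw bytes on disk, and a high-entropy UPX1 section holding the compressed code. The following script is an added example (my own, not code from this post or from Heaventools) that reads those tell-tale signs from a PE file and reports them, so an analyst triaging such an alert can see that it rests on the packer, not on the payload. The two PE images it inspects are constructed in memory with a tiny builder; they are not real executables and do not run.

```python
"""Triage helper: read a PE section table and flag the surface signs of a
UPX-style packer (UPX0/UPX1 names, an empty UPX0 that exists only in memory,
high-entropy compressed payload).  Added example with constructed samples;
not code from the post, and not a real packed binary."""
import hashlib
import math
import struct

FILE_ALIGN = 512


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(sections):
    """Assemble a minimal, non-executable PE32 image (constructed sample).
    sections: list of (name, raw_payload, virtual_size)."""
    n = len(sections)
    headers_len = 64 + 4 + 20 + 224 + 40 * n
    first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 magic, rest zeroed
    table, body, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, payload, vsize in sections:
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN if payload else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, raw_size, raw_ptr if raw_size else 0,
                             0, 0, 0, 0, 0xE0000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-max(vsize, 1) // 0x1000) * 0x1000
    header = dos + b"PE\0\0" + coff + opt + table
    return header.ljust(first_raw, b"\0") + body


def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                    "entropy": round(shannon_entropy(raw), 2)})
    return out


def assess_packing(sections):
    """Signature-style verdict of the kind a scanner reaches without unpacking."""
    upx_names = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    empty_reserved = [s["name"] for s in sections
                      if s["raw_size"] == 0 and s["virtual_size"] > 0]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] >= 256 and s["entropy"] > 7.0]
    looks_packed = bool(upx_names) or (bool(empty_reserved) and bool(high_entropy))
    return {"upx_sections": upx_names, "empty_reserved": empty_reserved,
            "high_entropy": high_entropy, "looks_packed": looks_packed}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code (constructed)."""
    out, seed = b"", b"upx-sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed stand-ins for the post's two files: same idea, no real code inside.
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", b"", 0x8000),                      # reserved in memory only, 0 bytes on disk
    ("UPX1", _pseudo_random(4096), 0x1000),     # compressed payload, high entropy
    (".rsrc", b"RSRC" * 64, 0x100),
])
PLAIN_SAMPLE = build_sample_pe([
    (".text", bytes(range(64)) * 32, 0x1000),   # ordinary-looking code section
    (".data", b"hello, world\0" * 16, 0x100),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("unpacked", PLAIN_SAMPLE)):
        secs = parse_sections(image)
        print(label, [(s["name"], s["raw_size"], s["entropy"]) for s in secs])
        print("  verdict:", assess_packing(secs))
```

Run it as-is and the packed sample is flagged on all three signs while the plain one is not. The useful part for an analyst is what the verdict does not contain: nothing about the code that UPX1 decompresses to. A scanner that stops here, as the post argues, is classifying the packer rather than the program, and a real verdict needs the unpacked image (for example the uncompressed copy PE Explorer saves) run through the same scan.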
