ggf31416 (Member)

About ggf31416
  • Posts: 19
  • Donations: 0.00 USD
  • Country: Uruguay
  • Reputation: 0

  1. Antivirus companies usually request that you send an e-mail to their virus submission address with the subject "False Positive" and the offending file attached as a password-protected zip (otherwise the attachment will be deleted by the scanners on the e-mail servers before it can reach the AV company; of course, you must give the password in the message). For the e-mail address see this thread: "E-mails for submitting samples to AV companies".
  2. The false positives seem to be fixed now. Kaspersky is having bad luck with the false positives. You should ask that question in the AutoIT forums. AutoIT automatically uses UPX compression when the script is compiled.
  3. > Or u - Auto Rename
     To nitro322: for 7-zip you can use -aou (auto rename extracting file) or -aot (auto rename existing file).
  4. 2 MHT files in the attachment. Note that you may be asked for Internet access to view the files. Most elements are contained in the MHT but some of them are not.
     BTW, there is another false positive. Now it's Kaspersky: UniExtract.exe:
       Antivirus   Version    Update      Result
       Fortinet    2.77.0.0   08.30.2006  PossibleThreat!05780
       Kaspersky   4.0.2.24   08.30.2006  Backdoor.Win32.Agent.agl
       Panda       9.0.0.4    08.29.2006  Suspicious file
       File size: 223530 bytes
       MD5: 59ce357c2d9d4300b130d13ed991e2ab
       SHA1: 972b51bbd733339da595ae8d7129391a0613d040
       packers: UPX
     Edit: Seems that the attachments don't work for zip files (or I'm doing something wrong). I will post a link to RapidShare. Link to RapidShare: http://rapidshare.de/files/31273604/MHT.zip.html
     Edit 2: I received a reply from Kaspersky saying that it is a false positive and it will be fixed in the next update.
  5. > ggf31416, is there any chance you can repost this file? I didn't download it when you originally posted it, and now it's expired. It sounds like a good test case to work with. Thanks.
     You can create a zip with multiple compression methods yourself, but if you want an example: http://rapidshare.de/files/31143658/Groff-KDB.ZIP.html (335 KB). As I already said, I would recommend using 7-zip as secondary (or main) unpacker for zip archives (using the -aos switch so as not to waste time extracting existing files) if Info-Zip fails. BTW, since 4.43 alpha 3, 7-zip supports most zips with incorrect headers, which previous versions of 7-zip refused to open. B)
  6. Another format that currently is not supported is UHA (UHARC).
     UHARC 0.6b can be downloaded from ftp://ftp.elf.stuba.sk/pub/pc/pack/uharc06b.zip
     Older versions of UHARC can be downloaded from http://www.klaimsoft.com/forum/index.php?showtopic=25
     Edit: If you want to support ZIP/Bzip2 you can do the following: extract the archive with 7-zip (using -aos, so no time is wasted extracting already existing files) if Info-Zip gives an exit code of 81.
  7. What antivirus are you using? If you are using AntiVir you can exclude files from the Resident Guard: Extras -> Configuration -> Guard (Expert Mode must be enabled) -> Scan -> click the + -> Exception -> File objects to be omitted for the Guard
  8. Another false positive: now AntiVir detects IsXunpack.exe as "TR/Crypt.F.Gen".
     Complete scanning result of "IsXunpack.exe", received in VirusTotal at 07.03.2006, 05:47:55 (CET):
       AntiVir         TR/Crypt.F.Gen
       CAT-QuickHeal   (Suspicious) - DNAScan
       Fortinet        suspicious
       Panda           Suspicious file
       The other 22 antiviruses: no virus found
     For comparison purposes, a file compressed with Upack...
     Complete scanning result of "7zSD.upack", received in VirusTotal at 07.03.2006, 05:52:33 (CET):
       CAT-QuickHeal   (Suspicious) - DNAScan
       Fortinet        suspicious
     ...and a file compressed with UPX:
     Complete scanning result of "7z.upx", received in VirusTotal at 07.03.2006, 05:54:38 (CET):
       Panda           Suspicious file
     For some reason the AntiVir team thinks that IsXunpack.exe is a real virus: http://portablefreeware.com/forums/viewtopic.php?p=976
  9. Using 7-zip (every version since 2003-04-19 - 2.30b30): select some files, click Add, choose Format: Zip and Method: Bzip2. Almost the same for WinZip 10. You can also use PKZIP. If you want a zip file using Store, Deflate, Deflate64 and Bzip2 (created with KZIP, 7-zip and ZIPMIX): Test File
  10. How about adding support for Zip archives that use the Bzip2 compression method? 7-zip supports it (but Info-Zip does not).
  11. From http://virusscan.jotti.org/
      Statistics: last file scanned at least one scanner reported something about: LoveToBootv6.zip, detected by:
        Scanner                  Malware name
        AntiVir                  Trojan/Flood.VB.BN
        ArcaVir                  Trojan.Flooder.Yahoo.Vb.N
        Avast                    Win32:Trojan-gen. {VB}
        AVG Antivirus            Flooder.RT
        BitDefender              Backdoor.Genlot.AJL
        ClamAV                   X
        Dr.Web                   Tool.Yabot
        F-Prot Antivirus         security risk or a "backdoor" program
        Fortinet                 HackerTool/Generic
        Kaspersky Anti-Virus     IM-Flooder.Win32.VB.bn
        NOD32                    Win32/Flooder.VB.BN
        Norman Virus Control     W32/VBFlood.KX
        UNA                      X
        VirusBuster              X
        VBA32                    IM-Flooder.Win32.VB.bn
      Every antivirus misses some sample, but UNA seems to be the only one that misses everything. However, it is surprisingly good at detecting the EICAR test file. By the way, see http://www.antisource.com/article.php/una-antivirus-ruse
      Edit: The Linux version of UNA doesn't work or the antivirus is useless:
      Statistics: last file scanned at least one scanner reported something about: AutoTrain.exe, detected by:
        Scanner                  Malware name
        AntiVir                  Trojan/Spy.SCKeyLo.o.17
        ArcaVir                  Trojan.Sckeylog
        Avast                    Win32:SCkeylog-B
        AVG Antivirus            PSW.Sclog.D
        BitDefender              Win32.Repor.A
        ClamAV                   Trojan.Spy.SCKeylog-2
        Dr.Web                   Trojan.SCKeyLog.20
        F-Prot Antivirus         W32/SCkeylogger.D@pws
        Fortinet                 W32/Sckeylog.O!tr
        Kaspersky Anti-Virus     Trojan-Spy.Win32.SCKeyLog.o
        NOD32                    Win32/Spy.SCKeyLog.O
        Norman Virus Control     W32/SCKeylog.E
        UNA                      X
        VirusBuster              Trojan.Gogel.A
        VBA32                    Trojan-Spy.Win32.SCKeyLog.o
  12. [sarcasm]The most dangerous virus of the World!!![/sarcasm]
        MsgBox(0, "My First Script!", "Hello World!")
      Fortinet    suspicious
      Panda       Suspicious file
      TheHacker   Trojan/Clicker.Small.ht
      UNA         Backdoor.Rbot
      Other antiviruses: no virus found
  13. http://www.virustotal.com reports:
        AntiVir              no virus found
        Authentium           W32/Trojan.CXS
        Avast                no virus found
        AVG                  no virus found
        BitDefender          no virus found
        CAT-QuickHeal        no virus found
        ClamAV               no virus found
        DrWeb                no virus found
        eTrust-InoculateIT   no virus found
        eTrust-Vet           no virus found
        Ewido                no virus found
        Fortinet             suspicious
        F-Prot               destructive program named W32/Trojan.CXS
        Ikarus               no virus found
        Kaspersky            no virus found
        McAfee               no virus found
        Microsoft            no virus found
        NOD32v2              no virus found
        Norman               no virus found
        Panda                no virus found
        Sophos               no virus found
        Symantec             no virus found
        TheHacker            no virus found
        UNA                  Trojan.Win32.Autoit
        VBA32                no virus found
        VirusBuster          no virus found
      Note: Authentium and F-PROT use the same engine.
      Edit: Removed link to full results (because they are no longer available).
  14. Actually, this false positive (at least with AVG Free) was not caused by the heuristics. Even with the heuristics turned off the executable was misidentified as a trojan.
  15. I reported the false positive to AVG yesterday. It's fixed with the latest updates (some minutes ago).
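Several of the posts above (items 5, 6, 9 and 10) turn on one practical question: which compression methods does a given zip actually use, so that an extractor can decide up front whether Info-Zip will cope or whether the archive should go straight to 7-zip. The script below is an added example, not code from any of the posts or from the Universal Extractor project. It builds a constructed sample archive in memory with Python's zipfile module (Store, Deflate and Bzip2 entries; Python cannot write Deflate64, so that method only appears in the lookup table) and then walks the central directory by hand, reading the method field of each entry. The set of methods attributed to Info-Zip is an assumption for illustration, based only on the posts' statement that Info-Zip fails on Bzip2 entries.

```python
"""Added example: report the compression method of every entry in a zip by
parsing the central directory directly, and flag entries that an assumed
Store/Deflate-only unpacker (the posts' Info-Zip) would not handle."""
import io
import struct
import zipfile

# Method ids from the ZIP application note (APPNOTE.TXT, "compression method").
METHOD_NAMES = {0: "Store", 8: "Deflate", 9: "Deflate64", 12: "Bzip2", 14: "LZMA"}

# Assumption (not from the page): the fallback-free unpacker handles only
# Store and Deflate; anything else is handed to 7-zip, as the posts suggest.
INFOZIP_METHODS = {0, 8}

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header


def list_methods(data: bytes) -> list[tuple[str, int]]:
    """Return [(entry name, method id), ...] from the central directory.

    The EOCD record is located by searching backwards for its signature,
    which is good enough for archives without a trailing comment that
    happens to contain the signature bytes."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk no, cd disk, entries on disk, total entries,
    #       cd size, cd offset, comment length
    _, _, _, _, entries, _cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd_pos:eocd_pos + 22])
    pos = cd_offset
    result = []
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # Central header (46 bytes): sig, version made by, version needed,
        # flags, method, mod time, mod date, crc32, compressed size,
        # uncompressed size, name len, extra len, comment len, disk start,
        # internal attrs, external attrs, local header offset
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        method = fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        result.append((name, method))
        pos += 46 + name_len + extra_len + comment_len
    return result


def unsupported_by_infozip(data: bytes) -> list[str]:
    """Entry names whose method falls outside the assumed Info-Zip set."""
    return [name for name, m in list_methods(data) if m not in INFOZIP_METHODS]


def describe(data: bytes) -> list[str]:
    """Human-readable 'name: method' lines for every entry."""
    return [f"{name}: {METHOD_NAMES.get(m, f'method {m}')}"
            for name, m in list_methods(data)]


def build_mixed_zip() -> bytes:
    """Constructed sample: one archive mixing three compression methods."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"stored " * 20, compress_type=zipfile.ZIP_STORED)
        zf.writestr("notes.txt", b"deflated " * 200, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("data.bin", bytes(range(256)) * 40, compress_type=zipfile.ZIP_BZIP2)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_mixed_zip()
    for line in describe(sample):
        print(line)
    print("hand these entries to 7-zip:", unsupported_by_infozip(sample))
```

Running the block lists the three entries with their methods and names data.bin as the one the Store/Deflate-only unpacker would reject. Because the check reads only the central directory, it can run before any extraction starts, which is the cheap alternative to extracting first and reacting to Info-Zip's exit code 81 afterwards.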