[False positive] Win32:VBMod [Trj]B

SmartCoder (Guest)
[False positive] Win32:VBMod [Trj]B
« on: June 15, 2010, 10:56:10 PM »
1. Compile a blank project;
2. Add one or more sections with any appropriate tool (for example CFF Explorer).

Result: Win32:VBMod [Trj] B  (since few days ago)

Being a programmer, I find it quite ridiculous that my applications are detected just because I add a section to them! There is absolutely no malicious code, just one more section, which can be used for many purposes.

Mind to fix this FP?  :)

Thanks

polonus (Avast Überevangelist, malware fighter)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #1 on: June 15, 2010, 11:03:01 PM »
Hi SmartCoder,

Heuristics are at the crux of the problem where FPs are involved, as are certain packers/obfuscators, for instance UPX, which get flagged as heuristic malware just because they are also used by malcreants. These issues can make a decent AV less reliable, so report this as a possible FP as soon as possible.
Re: http://virscan.org/report/e31154e6d6f859524b0431631aa3a914.html
This kind of FP falls into the category of automated false positives; see this article:
http://research.pandasecurity.com/automated-false-positives/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PandaResearch+%28Panda+Research%29

polonus
« Last Edit: June 15, 2010, 11:05:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

SmartCoder (Guest)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #2 on: June 15, 2010, 11:23:25 PM »
Thank you for the quick answer!

Quote
These issues can make a decent AV less reliable, so report this as a possible FP as soon as possible.
So, you mean that we need to report each single file with an added section detected as a FP?

Thanks

polonus (Avast Überevangelist, malware fighter)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #3 on: June 15, 2010, 11:40:04 PM »
Hi SmartCoder,

No, of course not; the generic find should no longer be flagged. Send avast a mail to report the problem and they are sure to react in an upcoming signature update, as the FP is that crystal clear. Exclude it in the scanner for now to avoid the proverbial "pain in the neck".
Thanks for reporting here and welcome to the forums; I hope you report any bugs here if you find them,

greets,

polonus

SmartCoder (Guest)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #4 on: June 15, 2010, 11:59:55 PM »
Thank you very much, polonus, for the welcome and the clear answers! I will send an email then.
Sure, I will report other FPs if I run into them; it is in the interest of many of us programmers too =)

Best regards

misak (Moderator)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #5 on: June 16, 2010, 11:36:58 AM »
Hi SmartCoder,

Win32:VBMod [Trj] means Visual Basic Modified file. Adding a section to a compiled Visual Basic binary is in 99.9% of cases used in malware (VB droppers). About ~10000 new MALWARE samples are detected by Win32:VBMod [Trj] each day. I'm looking forward to your email. If you have a really GOOD reason to do this, we will try to find a solution. But our priority is to protect our users.

SmartCoder (Guest)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #6 on: June 18, 2010, 04:37:10 PM »
Hello, misak

What about using the new blank section to store custom data that the executable needs to work correctly, written after compilation?
It can be used by someone who has no access to the source code to store custom data and values; on execution, variables can be pointed at the position of these custom values inside the file, and they get read from there.
But a new section with some blank space is needed to hold the written values; we can't overwrite the file's code somewhere with the custom data, as it would be corrupted.

Maxx_original (Moderator)
Re: [False positive] Win32:VBMod [Trj]B
« Reply #7 on: June 18, 2010, 04:52:22 PM »
You can increase the last section if you need to add something that will be mapped into the current address space... there's no need to add an extra section. Anyway, such postprocessing of VB binaries "smells" and could trigger heuristic detection by any AV engine.
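To make misak's and Maxx_original's points concrete, here is an added example (not code from the thread, avast, or any of the posters): a small PE32 section-table toolkit that builds a synthetic three-section image, runs a section-count/name heuristic of the kind the thread describes over it, and then applies both post-processing strategies, appending a new section the way the original poster did with CFF Explorer, and growing the last section instead as Maxx_original suggests. The built image is constructed test data, not a real VB6 binary; `VB6_LAYOUT` (`.text`, `.data`, `.rsrc`) is an assumption about the stock VB6 linker output, and the heuristic deliberately does not check the MSVBVM60 import that a real engine would verify first.

```python
"""Added example: PE32 section-table toolkit for the VBMod discussion (synthetic data)."""
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
VB6_LAYOUT = (".text", ".data", ".rsrc")  # assumed stock VB6 linker layout
SECT_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Build a minimal PE32 from [(name, payload)], leaving slack in the headers for 4 more entries."""
    nsec = len(sections)
    size_hdr = _align(0x40 + 24 + 0xE0 + 40 * (nsec + 4), FILE_ALIGN)
    hdr = bytearray(size_hdr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, SECT_ALIGN, FILE_ALIGN)
    body, va, raw = bytearray(), SECT_ALIGN, size_hdr
    for i, (name, payload) in enumerate(sections):
        rawsize = _align(len(payload), FILE_ALIGN)
        struct.pack_into(SECT_FMT, hdr, opt + 0xE0 + 40 * i, name.encode().ljust(8, b"\0"),
                         len(payload), va, rawsize, raw, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(rawsize, b"\0")
        va, raw = va + _align(max(len(payload), 1), SECT_ALIGN), raw + rawsize
    struct.pack_into("<II", hdr, opt + 56, va, size_hdr)           # SizeOfImage, SizeOfHeaders
    return bytes(hdr + body)


def _table(data):
    """Return (PE header offset, first section header offset, NumberOfSections)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    return pe, pe + 24 + size_opt, nsec


def parse_sections(data):
    pe, first, nsec = _table(data)
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECT_FMT, data, first + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return out


def vbmod_indicators(data):
    """Section-table heuristic in the spirit of the thread: anything beyond the stock VB6 layout.
    A real engine would first confirm the MSVBVM60 import; that check is not implemented here."""
    names = [s["name"] for s in parse_sections(data)]
    extra = [n for n in names if n not in VB6_LAYOUT]
    return {"section_count": len(names), "unexpected": extra,
            "flag": bool(extra) or len(names) > len(VB6_LAYOUT)}


def add_section(data, name, payload):
    """What the original poster did: a new section header plus its data at the end of the file."""
    pe, first, nsec = _table(data)
    opt = pe + 24
    if first + 40 * (nsec + 1) > struct.unpack_from("<I", data, opt + 60)[0]:
        raise ValueError("no room left in SizeOfHeaders for another section header")
    last = parse_sections(data)[-1]
    va = _align(last["va"] + max(last["vsize"], last["rawsize"]), SECT_ALIGN)
    raw, rawsize = _align(len(data), FILE_ALIGN), _align(len(payload), FILE_ALIGN)
    out = bytearray(data.ljust(raw, b"\0"))
    struct.pack_into(SECT_FMT, out, first + 40 * nsec, name.encode().ljust(8, b"\0"),
                     len(payload), va, rawsize, raw, 0, 0, 0, 0, 0xC0000040)
    struct.pack_into("<H", out, pe + 6, nsec + 1)
    struct.pack_into("<I", out, opt + 56, _align(va + len(payload), SECT_ALIGN))
    return bytes(out + payload.ljust(rawsize, b"\0"))


def extend_last_section(data, payload):
    """Maxx_original's alternative: grow the last section's raw and virtual size instead.
    Returns (new image, RVA of the payload) so the program can still locate its data."""
    pe, first, nsec = _table(data)
    hdr = first + 40 * (nsec - 1)
    vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
    if rawptr + rawsize != len(data):
        raise ValueError("last section header is not the last data in the file")
    new_raw = _align(rawsize + len(payload), FILE_ALIGN)
    new_vsize = max(vsize, rawsize + len(payload))
    out = bytearray(data) + payload.ljust(new_raw - rawsize, b"\0")
    struct.pack_into("<I", out, hdr + 8, new_vsize)                # VirtualSize
    struct.pack_into("<I", out, hdr + 16, new_raw)                 # SizeOfRawData
    struct.pack_into("<I", out, pe + 24 + 56, _align(va + new_vsize, SECT_ALIGN))
    return bytes(out), va + rawsize


if __name__ == "__main__":
    base = build_pe([(".text", b"\xCC" * 32), (".data", b"d" * 16), (".rsrc", b"r" * 8)])
    print("stock:   ", vbmod_indicators(base))
    print("added:   ", vbmod_indicators(add_section(base, ".data2", b"CFG=1")))
    ext, rva = extend_last_section(base, b"CFG=1")
    print("extended:", vbmod_indicators(ext), "payload RVA %#x" % rva)
```

The appended-section variant leaves a fourth header with a non-standard name, which is exactly what a count/name heuristic keys on; the extended-section variant keeps three headers and only changes two size fields, so the same 5 bytes land in the image at a known RVA with no new section. Note that extending a section still changes the section table and the file tail, so as Maxx_original says it may still look suspicious to other heuristics; and `extend_last_section` refuses to run unless the last header really owns the end of the file, since otherwise the payload would overlap whatever follows.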