Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Impster on March 19, 2007, 05:39:10 PM

Title: Trojan-gen. {UPX!}
Post by: Impster on March 19, 2007, 05:39:10 PM
So one of my guys has written a SQL program and compiled it. But Avast keeps saying that the program is infected with UPX. Any ideas on why this would be reporting it like this?

Title: Re: Trojan-gen. {UPX!}
Post by: Lisandro on March 19, 2007, 07:24:11 PM
To know if a file is a false positive, please submit it to JOTTI (http://virusscan.jotti.org/) or VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please periodically check it - scan it in the Chest by right-clicking the file - there should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected as being infected, you can also remove it from the exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

Title: Re: Trojan-gen. {UPX!}
Post by: Tode on March 20, 2007, 10:22:48 AM
I also had false positives yesterday with some compiled AutoIt scripts that were packed with UPX. I downloaded the latest AutoIt release that had a newer version of upx.exe, and recompiled the scripts. Avast now doesn't give a false positive on them. So I suggest you look around for a recent version of upx.exe (mine is dated December 2006), rename your existing upx.exe, put the new one in the same folder, and recompile. You can get upx.exe as part of the AutoIt free download at http://www.autoitscript.com/.

Great nuisance these false positives. Not knowing better, I did a full machine scan. Avast found the "virus" (actually earlier versions of my compiled scripts) in lots of old system restore files, and every time, it stopped and asked me what to do. So the PC was out of action for most of the evening. Luckily I hadn't distributed these files to others, that would have been a real pain.

Title: Re: Trojan-gen. {UPX!}
Post by: igor on March 20, 2007, 10:29:46 AM
Can you please send us those older versions of the autoit scripts (as mentioned in Tech's post) - so that we can fix the problem?
Thanks.

Title: Re: Trojan-gen. {UPX!}
Post by: Tode on March 20, 2007, 11:51:56 AM
Quote
Can you please send us those older versions of the autoit scripts (as mentioned in Tech's post) - so that we can fix the problem?

I submitted one of the compiled scripts to Virus Total. 
Avast and some other progs found a trojan.  But AVG, F-Prot, F-Secure, Kaspersky, McAfee, Microsoft, Panda, Sophos, Symantec and a number of less well known others found nothing. 

Therefore I still think it was a false positive and will submit it to you.
Thanks.