Author Topic: [FREE version] UNLZEXE is actually a False Positive... [FIXED]  (Read 4587 times)


Offline Hamtaro126

  • Newbie
  • *
  • Posts: 13
[FREE version] UNLZEXE is actually a False Positive... [FIXED]
« on: January 03, 2013, 02:12:48 PM »
I am a fan of Avast (Free Version) since my family loves using it, so I made my own, solo account for needs that are personally satisfying...

Today, I still received (and confirmed it is) a false-positive on a .EXE Decompressor named UNLZEXE for Win32, of which I tried submitting to Avast's service, but it failed for some reason! UNLZEXE has the same genre of false-positives as [UPX] back then, and wasn't seen until recently with UNLZEXE!

It should not be detected as anything, on mine it says [Win32:MalwareGen] falsely.

UNLZEXE is, should be, and always clean! Link can be PM'd or Posted if needed

EDIT: See post for more info, since it is now verified as a Backdoor!

EDIT2: Now truly verified as a false positive, so I am right, not a backdoor!
« Last Edit: January 04, 2013, 11:55:33 AM by Hamtaro126 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82558
  • No support PMs thanks
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #1 on: January 03, 2013, 02:19:33 PM »
Have you checked it at VirusTotal? You will possibly find that it isn't only avast that finds it at least suspect.

Don't know how you tried to submit it: from the virus chest (submit to virus lab), using the on-line contact form, http://www.avast.com/contact-form.php?loadStyles, or submission to virus (at) avast (dot) com as a possible false positive?
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4257.552) UI-1.0.440/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/
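DavidR's advice above is to look the file up on VirusTotal before treating a single vendor's verdict as final. The first step of that triage is tying the exact file on disk to a report: the hashes are what a VirusTotal search, a vendor submission and a later "first seen" check all key on. The following is an added example, not code from this thread, from avast or from the UNLZEXE project; it only computes the hashes, checks for the DOS `MZ` header that every Windows executable starts with, and builds the public VirusTotal file URL (the `https://www.virustotal.com/gui/file/<sha256>` form) for a manual lookup. The sample files it writes are constructed here, not the UNLZEXE binary.

```python
import hashlib
import os
import tempfile

# Public VirusTotal file-report URL pattern, keyed on the SHA-256 of the file.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def file_hashes(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, read in chunks
    so that large binaries do not have to fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def is_mz_executable(path):
    """True if the file carries the 'MZ' DOS header shared by .EXE files
    (the DOS binaries UNLZEXE targets and Win32 PE files alike)."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def vt_lookup_url(sha256):
    """URL to open in a browser to see the VirusTotal report for this hash."""
    return VT_FILE_URL.format(sha256=sha256)


def triage_report(path):
    """Collect the facts worth pasting into a false-positive submission:
    size, hashes, whether it is an executable at all, and the VT link."""
    hashes = file_hashes(path)
    return {
        **hashes,
        "size": os.path.getsize(path),
        "mz_header": is_mz_executable(path),
        "vt_url": vt_lookup_url(hashes["sha256"]),
    }


def write_sample(data):
    """Write constructed bytes to a temporary file and return its path
    (used here only so the example runs offline on a file of its own)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: a fake executable with only an MZ header.
    sample = write_sample(b"MZ" + b"\x00" * 62)
    for key, value in triage_report(sample).items():
        print(f"{key}: {value}")
    os.remove(sample)
```

Keep the hashes from the copy that avast actually flagged; if the vendor replies about a different hash, the two sides are talking about different files.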

Offline Hamtaro126

  • Newbie
  • *
  • Posts: 13
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #2 on: January 03, 2013, 02:35:12 PM »
Virus Total: Mostly Clean, Three Unrated: SecureBrain, WePawet and URLQuery

I used the Red Warning box (Three Dings) to report the False Positive!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36436
  • Weihrauch Airguns
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #3 on: January 03, 2013, 03:12:55 PM »
Quote
Virus Total: Mostly Clean, Three Unrated: SecureBrain, WePawet and URLQuery

I used the Red Warning box (Three Dings) to report the False Positive!

Could you give us the link to the scan result?
Anyway... it looks as if you are doing a URL scan... and not a file scan. Is it not a file you have problems with?

Offline Hamtaro126

  • Newbie
  • *
  • Posts: 13
« Last Edit: January 03, 2013, 03:50:10 PM by Hamtaro126 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36436
  • Weihrauch Airguns
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #5 on: January 03, 2013, 03:54:33 PM »
hmmmmm....not sure

First seen by VirusTotal
 2012-07-21 18:55:52 UTC ( 5 months, 2 weeks ago )


« Last Edit: January 03, 2013, 04:07:17 PM by Pondus »

Offline Hamtaro126

  • Newbie
  • *
  • Posts: 13
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #6 on: January 03, 2013, 04:37:19 PM »
Quote
hmmmmm....not sure

First seen by VirusTotal
 2012-07-21 18:55:52 UTC ( 5 months, 2 weeks ago )

Then please go ahead and study the file, since it is suspicious-looking, I guess. Safety is still key to everyone!

EDIT: I looked for suspicious code in the XVI32 hex editor. Nothing is seemingly bad-looking, but just in case... keep an eye on it!
« Last Edit: January 03, 2013, 04:40:08 PM by Hamtaro126 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36436
  • Weihrauch Airguns
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #7 on: January 03, 2013, 05:09:21 PM »
This is the response from Sophos lab

Quote
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

  • unlzexe.exe -- identity created/updated (New detection Troj/Bdoor-BEQ)
  • readme.txt.zip -- archive file
  • readme.txt -- non-malicious
  • unlzexe.exe.zip -- archive file

Attached: pic of ThreatExpert report

« Last Edit: January 03, 2013, 10:59:29 PM by Pondus »

Offline Hamtaro126

  • Newbie
  • *
  • Posts: 13
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #8 on: January 03, 2013, 05:52:30 PM »
Thanks for verifying this!  ;D

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36436
  • Weihrauch Airguns
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #9 on: January 04, 2013, 09:17:20 AM »
And Norman lab says:

Quote
Hi Pondus,
The file can be run in console / command prompt and the result can be seen. There is no malicious behavior seen in the binary. Hence the detection has been removed from the Definitions.

FP Case closed. FP Confirmed



Considering what you find at the website, and what's written in the readme file, the program sure looks OK to me...
but then again, I am not the expert   ::)

Also uploaded it to Malwarebytes and they have not added detection for it...



« Last Edit: January 04, 2013, 04:14:05 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36436
  • Weihrauch Airguns
Re: [FREE version] UNLZEXE is actually a False Positive...
« Reply #10 on: January 04, 2013, 10:18:24 AM »
Well.... after telling Sophos lab about Norman lab's result...... we got a new response   ;D


Quote
Hi Pondus,

SophosLabs have analysed the file further and have now confirmed that the file that you sent to us for analysis is not malicious.

« Last Edit: January 04, 2013, 04:14:15 PM by Pondus »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2120
Hello,
The false positive will be fixed in the next VPS update.

Milos