

.exe Is Mislabeled As Malware - What Should I Do?


2 replies to this topic

#1 FewdpewGames


  • Members
  • 1 posts

Posted 01 July 2016 - 10:55 PM

Hello everyone! This is Eric. Please excuse me if I am posting in the wrong section. But basically, I am a game developer (with Unity), and I made an installer with Inno Setup to install the game executable. Everything is fine, until I added a Pascal script, which checks a registry value located here:

Software\Microsoft\Windows\CurrentVersion\Uninstall\{App_ID}

Which stores a version id. If the installed version is older than the one that is installing, it automatically runs the unin000.exe for the old executable, which uninstalls the program. And this caused no problem with Avast, until I submitted it to VirusTotal, which reports it as malware:

 

Qihoo-360 HEUR/QVM06.1.0000.Malware.Gen

Now, Qihoo-360 is the only anti-virus reporting this as malware. And I didn't have this issue before adding the uninstall script. What should I do to fix the false positive? Is there a way to report this as a false positive? The report page on their website only supports up to 20MB files, and this file is around 68MB compressed (lzma2/ultra). And what should I do for all future versions as well? Do I have to report all future versions as false positives as well? Thanks everyone!

---------------------------------------------

Virus Scans:

https://www.hybrid-analysis.com/sample/f59ca4119be61302503952694295b1f052076e2181cea030cedddae50cd2a5cd

https://virustotal.com/en/file/f59ca4119be61302503952694295b1f052076e2181cea030cedddae50cd2a5cd/analysis/1467430518/


Edited by hamluis, 02 July 2016 - 06:56 AM.
Fixed link - Hamluis.
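The upgrade check the post describes, as an added example that is not the original poster's script: an Inno Setup [Setup]/[Code] fragment that reads the version Inno Setup itself records under the Uninstall key, compares it numerically with the version being installed, and launches the registered UninstallString rather than a hard-coded unins000.exe path. It assumes a per-machine (HKLM) install; the app id, name and version are constructed placeholders, and the confirmation prompt before running the old uninstaller is a choice made here, not something the post mentions.

```pascal
#define MyAppId "ExampleGame"
#define MyAppVersion "1.2.0"

[Setup]
AppId={#MyAppId}
AppName=Example Game
AppVersion={#MyAppVersion}
DefaultDirName={pf}\Example Game

[Code]
// Inno Setup registers each install under <AppId>_is1, storing AppVersion as
// DisplayVersion and the quoted uninstaller path as UninstallString.
const
  UninstallKey = 'Software\Microsoft\Windows\CurrentVersion\Uninstall\{#MyAppId}_is1';
// Numeric comparison of dotted version strings ('1.10.0' is newer than '1.9.3'):
// returns -1 if A is older than B, 0 if equal, 1 if A is newer.
function CompareVersions(A, B: String): Integer;
var
  PA, PB, NA, NB: Integer;
begin
  Result := 0;
  while (Result = 0) and ((A <> '') or (B <> '')) do
  begin
    PA := Pos('.', A); if PA = 0 then PA := Length(A) + 1;
    PB := Pos('.', B); if PB = 0 then PB := Length(B) + 1;
    NA := StrToIntDef(Copy(A, 1, PA - 1), 0);
    NB := StrToIntDef(Copy(B, 1, PB - 1), 0);
    Delete(A, 1, PA); Delete(B, 1, PB);
    if NA < NB then Result := -1 else if NA > NB then Result := 1;
  end;
end;
function InitializeSetup(): Boolean;
var
  Installed, UninstallCmd: String;
  ResultCode: Integer;
begin
  Result := True;  // setup always continues; only removal of the old version is conditional
  if not RegQueryStringValue(HKEY_LOCAL_MACHINE, UninstallKey, 'DisplayVersion', Installed) then
    Exit;  // nothing installed yet
  if CompareVersions(Installed, '{#MyAppVersion}') >= 0 then
    Exit;  // same or newer version already present
  // Launch the uninstaller Inno Setup registered rather than a hard-coded unins000.exe.
  if not RegQueryStringValue(HKEY_LOCAL_MACHINE, UninstallKey, 'UninstallString', UninstallCmd) then
    Exit;
  if MsgBox('Version ' + Installed + ' is installed. Remove it first?', mbConfirmation, MB_YESNO) <> IDYES then
    Exit;
  if not Exec(RemoveQuotes(UninstallCmd), '/SILENT', '', SW_SHOW, ewWaitUntilTerminated, ResultCode) then
    MsgBox('The previous uninstaller could not be started.', mbError, MB_OK);
end;
```

Prompting the user and running only the uninstaller the registry already points to keeps the installer's behaviour explicit, but neither replaces code-signing the compiled setup, whose absence a later reply in this thread points out.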




#2 quietman7


Bleepin' Janitor


  • Global Moderator
  • 51,885 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2016 - 05:59 AM

If you suspect a file was falsely detected, then you should submit a sample to the anti-virus's lab for analysis. Most anti-virus vendors have instructions for sample file submissions posted on their web sites. Once a file is received, a researcher can examine it in more detail and provide a report letting you know the results. If the file is confirmed as a false detection, the vendor usually corrects the detection in the next database definition update they release.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Didier Stevens


  • BC Advisor
  • 2,734 posts
  • Gender:Male

Posted 06 July 2016 - 03:41 PM

Qihoo-360 is a Chinese company making security software like AV.

When I see false positives in VirusTotal reports, Qihoo-360 appears a bit more often than other AVs.

As far as I know their biggest market is China, I don't know if that is your market too.

I noticed that the file you submitted to VirusTotal is not digitally signed.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"




