[kjempen]

Thanks for this great application!

If development is still ongoing, may I ask about adding support for Setup Factory installers?
There's a Setup Factory unpacker here

[nitro322]

kjempen, on Jun 7 2006, 04:58 PM, said:

Thanks for this great application!

You're welcome.

kjempen, on Jun 7 2006, 04:58 PM, said:

If development is still ongoing, may I ask about adding support for Setup Factory installers?
There's a Setup Factory unpacker here

Someone else had requested this as well. I'll look into it for the next release (still probably a few weeks out), but if I recall correctly I believe that the Setup Factory unpacker you linked to only supports older versions of the product. I'll have to do some testing, of course, but if you happen to know of a specific .exe that it will unpack it'd be a huge help of you could send me a link to it.

[ggf31416]

Today AVG Free with the last updates shows UniExtract.exe as "Trojan Horse Generic.VFI"

http://virusscan.jotti.org/ reports:

File: UniExtract.exe
Status: INFECTED/MALWARE
MD5 59ce357c2d9d4300b130d13ed991e2ab
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic.VFI
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Obviously it's a False Positive

This post has been edited by ggf31416: 12 June 2006 - 08:17 AM

[mr_stubble]

I have the latest version of UniversalExtractor installed on my jump drive. I had my drive connected to my PC all day yesterday with no problems. I leave at 1630.

I come in this morning (to work) and eTrust Antivirus reports:
-------------
The Win32/Ardamax.C!Trojan was detected in N:\UNIVERSAL EXTRACTOR\BIN\UNIEXTRACT.EXE.
Machine: CE****, User: ***CIC\john.doe <-- My PC name and username here
File Status: File was cured; system cure performed.
-------------
eTrust Product Version: 7.1.501
Engine Information:
InoculateIT w/ Signature Version: 23.72.35 Last update 06/12/2006 2116
Vet w/ Signature Version: 12.6.2253 Last update: 06/13/2006 0505

Hope you can get this straightened out with the AV folks. Let me know if I can do anything to help.

Great program, and thanks!

[Camarade_Tux]

You should try to download UniExtract again, unpack it (no more UPX) and scan it with your AV.
Download upx from here : http://upx.sourceforge.net/
The unpack switch is "-d".

[mr_stubble]

I'm sorry, but your steps were not entirely clear. I followed them the best I could. The eTrust AV's real time scanning monitor deletes the file every time it appears ANYWHERE on my PC.

I think contact may need to made by the developer to the AV companies having them re-check their virus definitions and stop reporting this false positive.

[Camarade_Tux]

Try this : http://rapidshare.de/files/22974307/uniext...t_noupx.7z.html
(simply unpacked uniextract.exe)

[mr_stubble]

Downloaded and extracted the file from RapidShare as instructed. I appreciate all the effort, but eTrust still detects it as a trojan and deletes it.

[Camarade_Tux]

With the same error ?

[mr_stubble]

Yes, same error. Tried again this morning using both the downloaded file from the website (uniextract121_noinst.rar) and the file you uploaded for me (uniextract121_noinst_noupx.7z) and tried to extract the file from the archive to my HDD. eTrust picks it up and deletes uniextract.exe just as it goes to the temp file for copying to the destination folder.

I tried to send the file to Computer Associates via their virus submittal program to have them take a look at it and maybe reevaluate their virus scanning engine, but I can't even extract the file long enough to archive and email it. Maybe I'll just send the whole installation archive...?

[ggf31416]

I reported the false positive to AVG yesterday. It's fixed with the lastest updates (Some minutes ago).

[nitro322]

Thanks for the virus reports. A couple people had e-mailed me about it as well, but I've been rather busy for the last week and haven't had time to work on this myself.

This has actually happened a few times in the past; not specifically to UniExtract.exe, but rather all AutoIT scripts. As Camarade_Tux pointed out, this is generally because AutoIT uses UPX to compress it's executables. UPX is also used by a lot of malware for the same purposes, so A/V vendors sometimes get a little too aggressive on there updates and end up treating ALL UPX executables as malware. I personally encountered this with AVG about a year ago, and after it deleted every AutoIT script on my system I very quickly uninstalled it and have never used it again.

ggf31416, big thanks for reporting this to AVG and getting it taken care of.

[mr_stubble]

Email from eTrust 25 minutes after I submitted the .rar archive downloaded from the website for their review:

Detection of 'Win32/Ardamax.C!Trojan' is a confirmed False Alarm and its removal will be added to today's signature release 23.72.39

Regards,

CA eTrust Antivirus Research and Response Group

Thanks for everyone's help! And thanks again for this excellent software nitro322. It has saved me many an unnecessary install. I found it especially useful on my home PC last night extract needed files from installations to update my BartPE installation.

[war59312]

Um same here with F-Prot Anti Virus:

[totoymola]

Some AV softwares are so paranoid.

Even NIS2006 detect my SFX files as trojan!

This post has been edited by totoymola: 16 June 2006 - 01:27 PM

[DigeratiPrime]

I don't think paranoid is the correct word, maybe 'stupid'.
Or do these antivirus software like false alarms?

[Camarade_Tux]

war59312, on Jun 16 2006, 09:18 PM, said:

Um same here with F-Prot Anti Virus:

Could you try my "repack" ?
http://rapidshare.de/files/22974307/uniext...t_noupx.7z.html

Also, scanned with NOD32, all options enabled, advanced heuristics (the thing that is not enabled because it is too CPU hungry ), and nothing. At least this scanner is OK.

This post has been edited by Camarade_Tux: 17 June 2006 - 01:20 AM

[war59312]

Same thing Camarade_Tux.

[Camarade_Tux]

Does it still say

Quote

(UPX)

?

[jaclaz]

DigeratiPrime said:

I don't think paranoid is the correct word, maybe 'stupid'.
Or do these antivirus software like false alarms?

Well, the problem is of course the "HEURISTIC" engine.
http://whatis.techtarget.com/definition/0,...i212246,00.html


Life is tough.

You cannot expect to increase the probability of stopping a new virus, for which there is NO signature/experience, WITHOUT risking to increase the probability of false alarms.

Decisions, always decisions.....

jaclaz

This post has been edited by jaclaz: 18 June 2006 - 09:49 AM