Hacker News new | ask | show | jobs
by pilif 3166 days ago
And yet... in our case, the false-positive rate went from about one a month to one a year when we stopped using UPX. For a binary that didn’t change, mind you.

You'd think that after reporting a false positive once, an AV vendor would whitelist the hash of the binary, but no. Some of them were re-detecting malware time and time again. Until we stopped using UPX.
1 comments
KGIII 3166 days ago
Could UPX put something in the header that said something akin to, 'I am not a signifier of malware, perform your check on the internal contents instead.'

Then AV companies could see that and not flag it as malware unless they had additional reason to think it was.

That doesn't seem like it'd be terribly difficult but there's a good chance I'm missing something.

link
takeda 3166 days ago
You're talking as if the AV companies don't know hat UPX is.

They know it very well, but adding code to do decompression while performing scan is more complex and will surely reduce performance.

If the AV is already slow, they might decide to just label any UPX binary, since (let's not lie) most malware will be compressed with UPX or other tools.

link
userbinator 3166 days ago
If the AV is already slow, they might decide to just label any UPX binary, since (let's not lie) most malware will be compressed with UPX or other tools.

IMHO an AV that doesn't know how to unpack UPX is almost like an AV that doesn't know how to unpack ZIP or RAR... and yet they universally do the latter.

You'd think that after reporting a false positive once, an AV vendor would whitelist the hash of the binary, but no. Some of them were re-detecting malware time and time again. Until we stopped using UPX.

I have a feeling that your false positives are caused by the fact that UPX (and other compressors) naturally create very high-entropy files, and AVs which do signature-type comparisons would like to reduce signature length as much as possible, so they also choose very high-entropy portions of malware to be as distinctive as possible while remaining short; but that also increases the chances of such sequences being found in other benign high-entropy files.

I'm almost willing to bet that your re-detections are not detecting the same malware, but new ones' signatures as the AV vendor adds them --- which coincidentally happens to match some other high-entropy portion of your binary.

Then again, the quest for speed and high detection rates (while false positive rates seem to be less of a concern) among AV vendors has lead to some massively embarrassing mistakes, like considering the mere existence of a path as detection of malware:

https://www.f-secure.com/weblog/archives/00002133.html

(The original article with the ridiculous claims has sadly vanished, but the Internet Archive remembers...)

link