Actually... I am using Heuristic Analysis with the latest defs and it doesn't detect it.
Got this from the AutoIt Forums:
Okay, let me see if I can lay out a scenario/timeline that would explain this...
Some dates are mythical:
A new version of SciTE4AutoIt3 was released 02 June 2006
(The file named UpdateDefs.exe was packed with UPX version 1.25 and some beta version of AutoIt.)
You installed SciTE4AutoIt3 on - let's say - 05 June 2006
(and AVG had no problem with the file named UpdateDefs.exe at that time)
On 12 June 2006, AVG discovers a "bad file" written in a language other than AutoIt, but packed with UPX version 1.25.
That same day, AVG releases a signature update file that marks all files packed with UPX version 1.25 as bad. It now marks all compiled AutoIt scripts as bad. Some person(s) sends one or more false positive report(s) to AVG with respect to AutoIt files. AVG modifies the sig file to look for a combination of the UPX packer and a signature unique to the version(s) of AutoIt submitted as a false positive(s).
On 13 June 2006, you download/install the latest sig file and scan your HD. It flags UpdateDefs.exe because it was packed with UPX version 1.25 and a version of AutoIt not submitted as a false positive.
If you are still awake...
I do not use compiled AutoIt scripts except to give to others. (Okay, I use one or two that are not critical.) I've had all compiled AutoIt3 scripts be flagged by AVG, then I restore them after the next AVG update (restored from a server running Trend Micro AV) and they are okay... then about a month later - they are marked as bad again (and nothing changed on my end). This cycle continued until I uninstalled AVG and stopped recommending it to those I support. I had no fear of the scripts since I wrote them and for comparison - I kept Symantec's corporate version AV software running (and set to the highest heuristic level). SAV never flagged an AutoIt related file.
I now install avast where I can, but I cannot keep as close an eye on its performance track record because it will not install alongside SAV corp edition.
I will give AVG credit for fast updates (but perhaps they are too aggressive)... more than once, AVG caught a "bad file" coming in through e-mail several hours before SAV released a sig file for that same file (and I update the sig file for SAV every hour).
Add to the mix the fact that there are some "bad files" made with AutoIt3 and you can see how AVG might revert back to triggering off of the UPX pack only until further effort can be put into past AutoIt related false positive reports and until new false positive reports come in.
A new version of UPX (2.01) was released on 06 June 2006... maybe packing UpdateDefs.au3 with that version will make your AVG software happy. [I think that is what JdeB was saying in his post.] Or just wait for a better sig file from AVG.
It seems the UPX (exe compressor) is what's throwing the false negatives...
So basically, make sure you have the latest AVG defs, I'll make sure I'm using the latest AutoIt compilation defs and it should all work.
@LS If you still know which options are best to check/uncheck when compiling, I'm sure that would help as well. Cheers