Tuts 4 You

a packer


amaranti


Hi

For an average computer user like me it's nearly impossible to know what is what, so I decided to try and ask the experienced.

If I understood it right, a packer is often recognized by virus detectors as malware, although it's not definitively the case. I wanted to install a piece of software, and 2 of its files were flagged by ClamAV as PUA.Win32.Packer.Upolyx-5 / PUA.Win32.Packer.Anti-4. Is it really malware, and is there a way I can find out? Probably I sound naive, but how do you estimate the chance that this packer is really infected?

Thanks

Amaranti


Try at least with another AV if possible to confirm there is a malware inside your files. There is the possibility of a false positive.

Anyway, there are good tools to detect lots of packers, like ProtectionId, RDG Packer Detector, PEiD... it would be a good idea to try these tools on your files as well to get more complete information.

Good luck

Nacho_dj


chickenbutt

AVs are signature engines, some with ineffective real-time monitoring (HIPS). This is likely a false positive, but you won't know till you analyze it through RCE or sandbox differentials.


Thanks for your answers! ClamAV was the only AV, out of 42, on VirusTotal's website which reported malware.

I ran PEiD and it detected: UPX 0.80 - 1.24 DLL -> Markus & Laszlo

So I still don't know if it's safe or not. What would you do in such a case? Somehow I have to further analyze it, or simply trust and install it... (or start studying your tutorials here...)


So I still don't know if it's safe or not. What would you do in such a case?

If in doubt - run it in a Sandboxie or inside virtual machine like VMWare.

"PUA" means Potentially Unwanted Application. Something that a standard office user never needs on his computer. It does not mean that the software is malicious.

"Win32.Packer" means that the antivirus detected a suspicious packer that is rarely (or never) used in proper commercial software. It does not mean that the software is malicious.

Last but not least - if only one AV is detecting it on VirusTotal, it's a pretty good indicator of a False Positive.

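Putting the thread's two checks into code, as an added example that is not from the original thread or from any of the tools named in it: a minimal PE section-table reader that flags UPX or ASPack by section name (the simplest of the checks PEiD performs), and a triage rule over a constructed VirusTotal-style result set in which only ClamAV reports PUA.Win32.Packer.Upolyx-5. The sample PE bytes, engine names and the PACKER_SECTIONS map are constructed assumptions for the demo.

```python
import re
import struct

# Section names that well-known packers write into the PE section table (assumed list).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".aspack": "ASPack", ".adata": "ASPack"}

def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE header -> section table and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]

def detect_packer(data: bytes):
    """Mirror PEiD's simplest check: a known packer section name is present."""
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None

def triage(detections: dict, packer) -> str:
    """Rule of thumb from the thread. detections maps engine -> detection name (None = clean)."""
    hits = [d for d in detections.values() if d]
    generic = [d for d in hits if re.search(r"PUA|Packer|Packed|Heur", d, re.I)]
    if not hits:
        return "no detections"
    if len(hits) == 1 and generic:
        return f"likely false positive: one generic hit on a {packer or 'packed'} binary"
    if len(generic) == len(hits):
        return "packer/PUA names only: run in a sandbox or VM before trusting"
    return "named malware family reported: treat as malicious"

def build_sample_pe(section_names: list) -> bytes:
    """Constructed minimal PE header for the demo (headers only, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table

# Constructed VirusTotal-style result modelled on the thread: 1 of 42 engines flags the file.
SAMPLE_RESULTS = {"ClamAV": "PUA.Win32.Packer.Upolyx-5"}
SAMPLE_RESULTS.update({f"Engine{i:02d}": None for i in range(41)})
```

A real file would be passed to `detect_packer` as its raw bytes; the section check is only a hint, since a packer can rename its sections.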