Re: Free Encoder Pack Reply #26 – 2017-05-16 20:31:48

This is a new low for anti-virus software. Are they overcompensating for their failure to detect WannaCry in time by making their products suspicious of anything not whitelisted?

It's a false positive.

Re: Free Encoder Pack Reply #27 – 2017-05-16 20:53:46

It has nothing to do with WannaCry. Antivirus is signature based; it is normal that they do not detect a new malware like WannaCry.

Might be a false positive for foobar, as it has only 2 AV triggers, but already a bit suspicious... However, for the latest encoder pack it is very suspicious. I just tested the 2 previous ones, and 3 AV are alerting. Here is some sandbox analysis for the latest one. Are you the developer "Case"? Why is it doing something with sc.exe, as it is only meant to copy files to the correct places??

Suspicious Activities
  Malware detected ( Gen:Variant.Graftor.361717 )
  Malware signature matched ( Trojan.Win32.Generic.W.gvaof )

Processes Spawned or Interacted with
  C:\Windows\System32\sc.exe (Terminated, Started)

Files Changed
  C:\Users\admin\AppData\Local\Temp\nsn1061.tmp (Created, Deleted)
  C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp (Created, Modified)
  C:\Windows\Temp\UACGateway.out (Created)

Registry Keys Modified
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName (Deleted)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass (Deleted)

Timeline
  00:00:12 Registry Deleted: C:\Windows\System32\cmd.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  00:00:12 Registry Deleted: C:\Windows\System32\cmd.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  00:00:15 Process Creation: C:\Windows\System32\consent.exe Created C:\Windows\System32\sc.exe
  00:00:15 Process Termination: C:\Windows\System32\consent.exe Terminated C:\Windows\System32\sc.exe
  00:00:16 File Create: C:\Windows\System32\consent.exe Created C:\Windows\Temp\UACGateway.out
  00:00:20 File Create: C:\te_files\emulatedFile25030_1.exe Created C:\Users\admin\AppData\Local\Temp\nsn1061.tmp
  00:00:24 File Delete: C:\te_files\emulatedFile25030_1.exe Deleted C:\Users\admin\AppData\Local\Temp\nsn1061.tmp
  00:00:24 File Create: C:\te_files\emulatedFile25030_1.exe Created C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp
  00:00:24 File Write: C:\te_files\emulatedFile25030_1.exe Wrote To C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp

Re: Free Encoder Pack Reply #28 – 2017-05-16 21:04:53

The new included lame.exe is causing those false positives, they're targeting mp3 encoders maybe?

https://www.virustotal.com/en/file/25acdb23cdd0909b42a46c9650dd0cf1dad86d0411aa9e547e5c726b7db8cd67/analysis/1494964952/

Last Edit: 2017-05-16 21:07:44 by Shinsekai

Re: Free Encoder Pack Reply #29 – 2017-05-16 21:44:09

Interesting... I didn't go to the individual file level. But personally I do not think this is a false positive. 12 AV positives on VirusTotal is bad. I just checked lame.exe version 3.99 release 5 downloaded from elsewhere (hard to find which is the official site) and it has no alerts. Hopefully I use only flac and ogg :-)

Re: Free Encoder Pack Reply #30 – 2017-05-16 21:51:37

Yeah, from RareWares (0 / 60):

https://www.virustotal.com/en/file/cc83240bb736ecbb54b7cfc40b6a98eb0c35702dd1c79e165ad8849fe66a8ccc/analysis/

Last Edit: 2017-05-16 21:54:51 by Shinsekai

Re: Free Encoder Pack Reply #31 – 2017-05-17 05:45:33

Quote from: tomtom76 on 2017-05-16 20:53:46
> It has nothing to do with wannacry, antivirus is signature based, it is normal that they do not detect a new malware like wannacry.

They use signatures because they are fast, but all better products have behavior-based analysis for threats too.

Quote from: tomtom76 on 2017-05-16 20:53:46
> Are you the developer "Case" ? why is it doing something with sc.exe as it is only meant to copy files to the correct places ??

I scripted the installer. It doesn't touch sc.exe. Your report showed everything that was happening on the machine, not just what the installer does. The installer literally only asks the OS to elevate itself, reads the foobar2000 install dir from the registry and checks if foobar2000.exe exists in that location. If the key is missing, it checks the two default install locations under Program Files and Desktop. If the foobar2000 install dir appears to be found, it allows extracting the files.

Quote from: tomtom76 on 2017-05-16 20:53:46
> But personally I do not think this is false positive. 12 AV positive on virustotal is bad. I just checked lame.exe version 3.99 release 5 downloaded from elsewhere (hard to find which is the official site) and it has no alerts. Hopefully I use only flac and ogg :-)

It is a false positive. The lame.exe in the pack is my Visual Studio 2017 compile so I can be sure it doesn't require SSE2 or other new instructions. Fingerprint matching is way too prone to false positives and I really wish anti-virus makers would stop using them so broadly.

Would be great if you submitted the file for analysis to all companies that falsely detect it so they can fix their software. I reported the false positive to F-Secure last night before going to bed and they fixed their detection during the night.

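Added example, not part of any post in this thread: the point in reply #31 that the sandbox report covers the whole machine can be checked by grouping the timeline by acting process. The events are re-typed from the report in reply #27; the one-event-per-line layout and all function names are assumptions of this example.

```python
import re
# Constructed input: events re-typed from the report in reply #27; layout assumed.
TIMELINE = r"""
00:00:12 Registry Deleted: C:\Windows\System32\cmd.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
00:00:12 Registry Deleted: C:\Windows\System32\cmd.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
00:00:15 Process Creation: C:\Windows\System32\consent.exe Created C:\Windows\System32\sc.exe
00:00:15 Process Termination: C:\Windows\System32\consent.exe Terminated C:\Windows\System32\sc.exe
00:00:16 File Create: C:\Windows\System32\consent.exe Created C:\Windows\Temp\UACGateway.out
00:00:20 File Create: C:\te_files\emulatedFile25030_1.exe Created C:\Users\admin\AppData\Local\Temp\nsn1061.tmp
00:00:24 File Delete: C:\te_files\emulatedFile25030_1.exe Deleted C:\Users\admin\AppData\Local\Temp\nsn1061.tmp
00:00:24 File Create: C:\te_files\emulatedFile25030_1.exe Created C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp
00:00:24 File Write: C:\te_files\emulatedFile25030_1.exe Wrote To C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp
"""
SAMPLE = r"C:\te_files\emulatedFile25030_1.exe"  # the analysed installer

EVENT = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<type>[^:]+): (?P<actor>\S+) "
                   r"(?P<verb>Created|Terminated|Deleted|Wrote To) (?P<target>.+)$")

def parse_events(text):
    """Turn timeline lines into dicts; unparseable lines are rejected loudly."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = EVENT.match(line)
        if m is None:
            raise ValueError(f"unrecognised timeline line: {line!r}")
        events.append(m.groupdict())
    return events

def process_tree(events, root):
    """Root plus every process it (transitively) created, following log order."""
    tree = {root.lower()}
    for e in events:
        if e["type"] == "Process Creation" and e["actor"].lower() in tree:
            tree.add(e["target"].lower())
    return tree

def attribute(events, root):
    """Split events into (caused by the sample's tree, {other actor: events})."""
    tree = process_tree(events, root)
    mine = [e for e in events if e["actor"].lower() in tree]
    other = {}
    for e in events:
        if e["actor"].lower() not in tree:
            other.setdefault(e["actor"], []).append(e)
    return mine, other

if __name__ == "__main__":
    mine, other = attribute(parse_events(TIMELINE), SAMPLE)
    print(len(mine), "sample events;", {a: len(v) for a, v in other.items()})
```

On this timeline only the four temp-file events belong to the sample, and sc.exe appears as a child of consent.exe, the Windows UAC consent UI. Attribution by direct actor misses work handed off through services or scheduled tasks, so a clean result for the sample is evidence, not proof.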
Re: Free Encoder Pack Reply #32 – 2017-05-19 07:55:26

I reported the false positives to the remaining companies apart from Palo Alto Networks. From what I saw they only want to deal with companies using their products.

Now only one scanner has yet to fix their lame.exe detection. Four products are still having issues with the installer.

Not sure McAfee submission ever made it past their automatic ignore rules as different support pages had contradicting requirements for submission. Either way I hope this proves there is no malware in the encoder pack.

Last Edit: 2017-05-19 08:04:38 by Case

Re: Free Encoder Pack Reply #34 – 2017-05-31 11:47:37

Free Encoder Pack updated with opusenc using libopus 1.1.5. This compile detects CPU instructions at runtime and works without SSE.

Re: Free Encoder Pack Reply #36 – 2017-06-22 10:48:45

Quote from: Case on 2017-06-22 06:11:08
> Pack updated with Opus 1.2.

BTW, does it still work without SSE? It seems that other compiles are either 64-bit or require SSE2.

Re: Free Encoder Pack Reply #37 – 2017-06-22 12:01:32

It does. I verified it working on an emulated Pentium II.