Topic: Free Encoder Pack

  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #26
This is a new low for anti-virus software. Are they overcompensating for their failure to detect WannaCry in time by making their products suspicious of anything not whitelisted?

It's a false positive.

  • tomtom76
Re: Free Encoder Pack
Reply #27

It has nothing to do with WannaCry; antivirus is signature-based, so it is normal that they do not detect new malware like WannaCry.

Might be a false positive for foobar, as it has only 2 AV triggers, but that is already a bit suspicious... However, for the latest encoder pack it is very suspicious. I just tested the 2 previous ones, and 3 AVs are alerting. Here is some sandbox analysis for the latest one. Are you the developer "Case"? Why is it doing something with sc.exe, as it is only meant to copy files to the correct places??

Suspicious Activities
Malware detected ( Gen:Variant.Graftor.361717 )
Malware signature matched ( Trojan.Win32.Generic.W.gvaof )

Processes Spawned or Interacted with
C:\Windows\System32\sc.exe (Terminated ,Started)

Files Changed
C:\Users\admin\AppData\Local\Temp\nsn1061.tmp (Created ,Deleted)
C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp (Created ,Modified)
C:\Windows\Temp\UACGateway.out (Created)

Registry Keys Modified
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName (Deleted)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass (Deleted)


| Time | Event | Process | Action | Target |
|---|---|---|---|---|
| 00:00:12 | Registry Deleted | C:\Windows\System32\cmd.exe | Deleted | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass |
| 00:00:12 | Registry Deleted | C:\Windows\System32\cmd.exe | Deleted | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName |
| 00:00:15 | Process Creation | C:\Windows\System32\consent.exe | Created | C:\Windows\System32\sc.exe |
| 00:00:15 | Process Termination | C:\Windows\System32\consent.exe | Terminated | C:\Windows\System32\sc.exe |
| 00:00:16 | File Create | C:\Windows\System32\consent.exe | Created | C:\Windows\Temp\UACGateway.out |
| 00:00:20 | File Create | C:\te_files\emulatedFile25030_1.exe | Created | C:\Users\admin\AppData\Local\Temp\nsn1061.tmp |
| 00:00:24 | File Delete | C:\te_files\emulatedFile25030_1.exe | Deleted | C:\Users\admin\AppData\Local\Temp\nsn1061.tmp |
| 00:00:24 | File Create | C:\te_files\emulatedFile25030_1.exe | Created | C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp |
| 00:00:24 | File Write | C:\te_files\emulatedFile25030_1.exe | Wrote To | C:\Users\admin\AppData\Local\Temp\nsn10FE.tmp |

  • Shinsekai
Re: Free Encoder Pack
Reply #28
The new included lame.exe is causing those false positives, they're targeting mp3 encoders maybe? :)
https://www.virustotal.com/en/file/25acdb23cdd0909b42a46c9650dd0cf1dad86d0411aa9e547e5c726b7db8cd67/analysis/1494964952/
  • Last Edit: 16 May, 2017, 04:07:44 PM by Shinsekai

  • tomtom76
Re: Free Encoder Pack
Reply #29

Interesting... I didn't go to the individual file level. But personally I do not think this is a false positive. 12 AV positives on VirusTotal is bad. I just checked lame.exe version 3.99 release 5 downloaded from elsewhere (hard to find which is the official site) and it has no alerts. Hopefully I use only flac and ogg :-)


  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #31
It has nothing to do with WannaCry; antivirus is signature-based, so it is normal that they do not detect new malware like WannaCry.
They use signatures because they are fast, but all better products have behavior based analysis for threats too.

Are you the developer "Case"? Why is it doing something with sc.exe, as it is only meant to copy files to the correct places??
I scripted the installer. It doesn't touch sc.exe. Your report showed everything that was happening on the machine, not just what the installer does. The installer literally only asks the OS to elevate itself, reads foobar2000 install dir from the registry and checks if foobar2000.exe exists in that location. If the key is missing it checks the two default install locations under Program Files and Desktop. If foobar2000 install dir appears to be found it allows extracting the files.

But personally I do not think this is a false positive. 12 AV positives on VirusTotal is bad. I just checked lame.exe version 3.99 release 5 downloaded from elsewhere (hard to find which is the official site) and it has no alerts. Hopefully I use only flac and ogg :-)
It is a false positive. The lame.exe in the pack is my Visual Studio 2017 compile so I can be sure it doesn't require SSE2 or other new instructions. Fingerprint matching is way too prone to false positives and I really wish anti-virus makers would stop using them so broadly.

Would be great if you submitted the file for analysis to all companies that falsely detect it so they can fix their software.
I reported the false positive to F-Secure last night before going to bed and they fixed their detection during the night.
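Case's point above, that the trace lists everything happening on the machine rather than only what the installer did, can be checked mechanically by attributing each event to the process that performed it. The following is an added example, not code from the thread or the encoder pack: it re-types the timeline quoted in Reply #27 as constructed records and groups actions by acting process, so the parent of sc.exe is visible at a glance (treating the C:\te_files path as the sandbox's staging location for the submitted sample is an assumption read off the trace).

```python
"""Attribute sandbox-timeline events to the process that performed them.

Added example for this thread, not code from the encoder pack. The records
below are the sandbox timeline quoted in Reply #27, re-typed by hand as
constructed 5-tuples: (time, event type, acting process, verb, target).
"""
from collections import defaultdict

CMD = r"C:\Windows\System32\cmd.exe"
CONSENT = r"C:\Windows\System32\consent.exe"      # Windows UAC prompt process
SAMPLE = r"C:\te_files\emulatedFile25030_1.exe"   # submitted installer as staged by the sandbox (assumed)
ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
TEMP = r"C:\Users\admin\AppData\Local\Temp"

TIMELINE = [  # constructed from the quoted report
    ("00:00:12", "Registry Deleted", CMD, "Deleted", ZONEMAP + r"\ProxyBypass"),
    ("00:00:12", "Registry Deleted", CMD, "Deleted", ZONEMAP + r"\IntranetName"),
    ("00:00:15", "Process Creation", CONSENT, "Created", r"C:\Windows\System32\sc.exe"),
    ("00:00:15", "Process Termination", CONSENT, "Terminated", r"C:\Windows\System32\sc.exe"),
    ("00:00:16", "File Create", CONSENT, "Created", r"C:\Windows\Temp\UACGateway.out"),
    ("00:00:20", "File Create", SAMPLE, "Created", TEMP + r"\nsn1061.tmp"),
    ("00:00:24", "File Delete", SAMPLE, "Deleted", TEMP + r"\nsn1061.tmp"),
    ("00:00:24", "File Create", SAMPLE, "Created", TEMP + r"\nsn10FE.tmp"),
    ("00:00:24", "File Write", SAMPLE, "Wrote To", TEMP + r"\nsn10FE.tmp"),
]

def events_by_actor(timeline):
    """Group records by acting process: {process: [(time, event, verb, target), ...]}."""
    grouped = defaultdict(list)
    for time, event, actor, verb, target in timeline:
        grouped[actor].append((time, event, verb, target))
    return dict(grouped)

def actors_touching(timeline, needle):
    """Processes whose action targeted something matching needle (case-insensitive)."""
    return sorted({actor for _, _, actor, _, target in timeline
                   if needle.lower() in target.lower()})

def sample_actions(timeline, sample=SAMPLE):
    """Only the actions the submitted sample itself performed."""
    return [rec for rec in timeline if rec[2].lower() == sample.lower()]

if __name__ == "__main__":
    # Who actually launched sc.exe? consent.exe, not the sample.
    print("sc.exe handled by:", actors_touching(TIMELINE, "sc.exe"))
    for actor, acts in events_by_actor(TIMELINE).items():
        kinds = sorted({event.split()[0] for _, event, _, _ in acts})
        print(f"{actor}: {len(acts)} events ({', '.join(kinds)})")
```

Run against this trace, the sample's own actions reduce to creating, writing and deleting two temporary files; the sc.exe and registry events belong to consent.exe and cmd.exe.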

  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #32
I reported the false positives to the remaining companies apart from Palo Alto Networks. From what I saw they only want to deal with companies using their products.

Now only one scanner has yet to fix their lame.exe detection. Four products are still having issues with the installer.

Not sure McAfee submission ever made it past their automatic ignore rules as different support pages had contradicting requirements for submission. Either way I hope this proves there is no malware in the encoder pack.
  • Last Edit: 19 May, 2017, 03:04:38 AM by Case


  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #34
Free Encoder Pack updated with opusenc using libopus 1.1.5. This compile detects CPU instructions at runtime and works without SSE.

  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #35
Pack updated with Opus 1.2.

  • lvqcl
  • Developer
Re: Free Encoder Pack
Reply #36
Pack updated with Opus 1.2.
BTW, does it still work without SSE? It seems that other compiles are either 64-bit or require SSE2.

  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #37
It does. I verified it working on an emulated Pentium II.

  • Case
  • Developer (Donating)
Re: Free Encoder Pack
Reply #38
Updated with Opus 1.2.1.