14 February 2008

BitDefender Antivirus software false positive Packer.XComp.A

4 comments
Dear blog readers,

BitDefender antivirus signatures from 13 February 2008 onward flag files compressed with the exe packer XComp/XPack (freeware PE32 image file packer/rebuilder by JoKo, versions 0.98 and 0.97) as the virus Packer.XComp.A.
Info: http://www.soft-lab.de/joko/ExePack.htm

This affects not only some of the packed files here but entire software portals as well as a number of freeware developers who packed their programs with it, either to get around the near-monopoly of "UPX" in the freeware sector or simply to use XComp as an alternative; for some files XComp also gives better compression.

Why BitDefender, from the company Softwin in Romania, brought a virus named Packer.XComp.A into existence is unclear; presumably it comes down to its developers simply lacking the knowledge of how programs packed with XComp/XPack can be unpacked, or to a missing scan engine that could process them at this point in time.

If BitDefender is used as the antivirus solution and now shows this false positive detection after the updates, the following solutions are available:

- Switch AV. This is unavoidable if whole directories or very many files were packed with XComp, because BitDefender offers no filter setting to exclude the detection of a single virus signature, for lack of configuration options. Almost all other antivirus solutions, in particular Symantec Corporate Client/Server, do offer this.

- Unpack the affected files with RL!dePacker from http://ap0x.jezgra.net. Some universal unpackers, in particular those with UPX capabilities, may be an alternative to RL!dePacker.

XComp/XPack uses no software protection mechanisms at all; BitDefender has nevertheless, apparently for lack of a scan engine, labelled it as a virus.

It should be noted that business and freeware apparently enjoy an inexplicable reputation in Romania. Especially when a freeware site carries no advertising, the developers there may conclude that it can only be something malicious, particularly in the case of compression software.

We have used BitDefender for over two years and compressed entire directories with the already more than one year old version of XComp/XPack, comparing it against UPX and PECompact; yesterday, however, their product BitDefender Business Security went through those directories with a deletion sweep.


Test file BitTorrent.exe, unpacked with upx -d and packed with XComp:
bittorrent.exe [568.27 KB]
Result: http://www.virustotal.com/ro/analisis/d7580b66560471ce5f5aafe7a9ae786d
A great example: upx.exe packed with XComp, 265.19 KB
upx.exe false positive packed with Packer.XComp.A

This raises the question I ask myself about antivirus firms and their security products: are most of the packers listed, for example, in ExeInfo PE ver. 0.0.1.8 E (360 signatures) by A.S.L. really virus producers, or just sloppy drag-and-drop signatures taken from the packers? Because some people use them to pack viruses into files, these packers/compressors are identified as viruses in their virus databases, just like Packer.XComp.A.

Logically it saves a lot of time to put whole packers into the AV database by string/signature instead of examining what is really inside the packed files and checking new and old packer/compression programs and their programmers. If a packer is freeware but not open source, must and should it be hosted on sourceforge.net, or be a commercial packer/compressor, to fit the AV companies' concepts?!

If this is true, I think the AV security systems may need to be reformed, and not only according to the reports in localized PC magazines: AV vs. AV, false positive %, price/value, quality of research labs.
Support/Forum/Phone: ... Thanks for the advanced, friendly English language skills combined with the basic product and computer knowledge straight out of a textbook, courtesy of the support team, or was it the sales team? Not for the simple questions, but for these kinds of difficult questions where they have no answers..!

After a lot of testing it is incredible: as soon as other signatures are placed into files, almost all AVs go crazy and show different results. Something like an anti-cheat mechanism is not known. You can scare off unwanted users if you put only the signature of a virus into files, but not the virus itself. A very private kind of protection.

13 February 2008

BitDefender Antivirus software false positive detections Packer.XComp.A

9 comments
http://www.bitdefender.com/site/VirusInfo/
http://news.bitdefender.com/site/browseCategory/1/Security-News.html

False positive exe Packer Compressor XComp098, XComp097 (XComp & XPack) nfo:
XComp/XPack: A freeware PE32-imagefile packer/rebuilder
(c)2007 JoKo, Version 0.98 02/18/2007
http://www.soft-lab.de/joko/ExePack.htm

shown by:
BitDefender 7.2 2008.02.13 Packer.XComp.A

Here is a test using uTorrent.exe packed with XComp 0.98 plus an injected DLL that was packed with PECompact beforehand: http://www.virustotal.com/analisis/a98615218abef2d02a5f6507a24edda5
A deep analysis of the real target is negative (no backdoor or any kind of virus); the DLL was missed by all AVs.

Seen since the signature updates of today, 14 Feb. 2008, using BitDefender Enterprise Solution for Windows Server and the standalone editions (German versions).

BitDefender Labs Defense Center sucks: they are unable to integrate good unpacking engines for software protectors, and the result is false positives en masse!!!

A UPX-variant packer goes unrecognized by the unpack engine, or BitDefender is unable to unpack and check the files, while BitDefender also skips deep scanning/checking inside Armadillo- and Themida-packed files, as well as embedded or injected DLLs when scanning PECompact files.
================================================================

Themida - Armadillo Protectors:


Sample of background activity, a possible true positive that BitDefender Labs Romania does not monitor well: packed/protected files automatically installing non-PnP system drivers:

Commercial anti-cracking product from Oreans Technologies for shareware applications...

Shareware protectors like Themida and Armadillo.
Oreans' Themida and the Armadillo exe packer/protectors add and run a system service as a hidden non plug and play device driver, together with registry values for which even the admin account has no modify or delete access on the Windows registry key entries.

Themida is the evolution of Xprotector. Oreans.sys is the faulting driver. It is part of Xprotector/Themida, a software protection scheme used by some shareware programs.
I've downloaded Themida from www.oreans.com and started to check.

Themida uses a ring 0 .sys driver (Oreans.sys) just as Xprotector does (xprotector.sys). The WinLicense driver is loaded in memory. No way to read from process memory.
The Themida and Armadillo exe packers offer an easy option to embed a nag/splash screen, which with certain tools allows a virus/backdoor and other files to be attached inside BMP or JPG picture files to the exe, dll, ... while the packing/protection hides the code from view.

Oreans.sys and xprotector.sys can be found under Control Panel > Hardware > show hidden devices > non plug and play devices.
Run uninstall on this "security" background service. That alone does not finish the job: you also need to edit the registry, but the keys are locked. Right-click, set the access control so that the registry entries can be deleted as admin; see the attachment for how to get rid of it.

This also applies to newer Armadillo versions, www.siliconrealms.com, by Digital River, Inc. (see Wikipedia: Digital River).

After the very first execution of a Themida- or Armadillo-protected, injected or packed exe or dll file, it runs in the background at Windows start-up as a non-PnP driver service. The driver service and .sys file are extracted from the packed file and installed automatically as soon as the protected file runs for the first time.

Service (registry key): XPROTECTOR and others used by Armadillo SoftwarePassport siliconrealms ( = Digital River ) and Oreans Technologies, Themida®, WinLicense®, Code Virtualizer®,...
Display name: XPROTECTOR
Image path: C:\WINDOWS\system32\drivers\Oreans.sys
The *.sys file is not signed and shows no version info.
The Oreans driver is loaded into memory at system start.

Access via Control Panel > System Properties > hidden devices > non-PnP > check the entries and click uninstall.

Image path: %windir%\system32\drivers\Oreans.sys
search in the windows registry for: XPROTECTOR
and Oreans.sys etc...

Windows registry: search for the entries, right-click > Permissions, and take ownership to get permission to delete, remove or edit them.
If that fails, try removing this kind of driver in Windows Safe Mode.
It installs itself again as soon as you start an application protected by one of these exe packers/protectors, and you have to go through the whole process again.
Check with PEiD or ExeInfo PE which files were built with Armadillo and Themida. Not long ago, many issues were reported for older versions of Oreans.sys on overclocked CPUs; whether newer versions have fixed them is unknown. The best you can do is delete files carrying this kind of protector or unpack them with OllyDbg. For a while now, uTorrent and BitTorrent as well as eMule mods have been protected by some "modders" with these shareware protectors.
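The registry search described above can be automated over a `reg export` dump of the Services key. This is an added example, not code from the post or from Oreans/BitDefender; the .reg text is constructed, and the service name and driver file names it looks for are the ones the post lists.

```python
import re

# Constructed sample of a "reg export HKLM\SYSTEM\CurrentControlSet\Services" dump.
# The XPROTECTOR entry mirrors the values listed in the post; the other two are ordinary services.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPROTECTOR]
"DisplayName"="XPROTECTOR"
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\Oreans.sys"
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"Type"=dword:00000001
"""

# Driver file names and service name the post associates with the Themida/Xprotector loader.
SUSPECT_DRIVERS = ("oreans.sys", "xprotector.sys")
SUSPECT_SERVICE_NAMES = ("xprotector",)
SERVICE_KERNEL_DRIVER = 0x1  # bit in the Type value that marks a kernel-mode driver service

def parse_reg_export(text):
    """Parse a .reg dump into {key_path: {value_name: value}}; handles string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, text_value = m.groups()
                # .reg files escape backslashes in string values; undo that
                keys[current][name] = int(dword, 16) if dword is not None else text_value.replace("\\\\", "\\")
    return keys

def find_protector_drivers(reg_text):
    """Return (service, ImagePath) for kernel-driver services that point at the listed protector drivers."""
    hits = []
    for key_path, values in parse_reg_export(reg_text).items():
        service = key_path.rsplit("\\", 1)[-1]
        image = values.get("ImagePath", "").lower()
        is_driver = values.get("Type", 0) & SERVICE_KERNEL_DRIVER
        if is_driver and (image.endswith(SUSPECT_DRIVERS) or service.lower() in SUSPECT_SERVICE_NAMES):
            hits.append((service, values["ImagePath"]))
    return hits
```

Run `find_protector_drivers` over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` to list the non-PnP driver services to uninstall; tcpip.sys is a kernel driver too but is not reported, so the check is by name, not by driver type alone.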

Oreans.sys v1.40 (one of the latest versions) and some registry keys: Orleans Thermida System Driver Service Non PnP Hidden device.zip 89.7 KB (91,856 bytes)

http://www.google.com/search?q=XPROTECTOR+Oreans+driver

Changing the AV solution back to Symantec Corporate Solutions, Kaspersky or NOD32 Enterprise for servers will be the only way to avoid heavy false positives and get a better unpacking/scan engine for types like Armadillo and Themida, plus save the time spent unpacking uncertain applications manually. More configuration options and settings, as well as *exclude* filters etc., are available in all of them.
BitDefender Support
Our support staff enjoy exclusive training so that they can answer customer enquiries quickly and in a goal-oriented way, or not: when they are out of their depth, they prefer to evade the question.
http://www.softwin.ro/?pagina=stiri&&stire=118 - http://www.softwin.ro/?pagina=istoric

BitDefender
BitDefender™ is the Romanian producer and worldwide technology leader in data security. The company offers innovative solutions that protect effectively against IT threats, setting new standards in the field for reaction speed, installation, ease of use and updating. Present in over 6000 stores on five continents, BitDefender is the most widespread Romanian product in the entire world, effectively protecting more than 41 million individual and corporate users in more than 180 countries against threats. BitDefender has branches in the USA, Great Britain, Germany, Spain and Romania. More information can be found on the site: http://www.bitdefender.ro

Network Diag and Monitoring, Process Info Tools AiO

0 comments
All latest versions for quick network diagnostics and connection monitoring (TCP, UDP, ...), web browser site diagnostics, program debug diagnostics and process info.

  • From www.nirsoft.net
    InsideClipboard v1.04
    IPNetInfo v1.10
    MozillaCacheView v1.05
    IECookiesView v1.71
    CurrPorts v1.32
    WhoisThisDomain v1.23
    ActiveXHelper v1.12
    RegScanner v1.62
  • Freeware from XP-Antyspy.org
    xp-AntiSpy.exe
Download 13.53 MB: Network Tools and Diag.rar
Mirror1 - Mirrors2 - Mirrors3

Microsoft Patchday February 2008: maximum connection limit TCPIP.SYS patch for P2P

0 comments
Contents: MS08-004 - Security in Windows TCP/IP (KB946456)
It replaces/updates tcpip.sys on all Windows OS versions. After the update you will need to run xp-AntiSpy again to patch the connection limit back to unlimited!

Connection limit Patch now can be applied also to 64-Bit systems.

Download 75.50 KB: xp-AntiSpy.exe

eMule 0.48a Xtreme 6.1-SE2

0 comments

Changelog:
Fix: WHOIS function
Update: SPAM-filter
---------------------------
Features:
Added: HDD Protection (Skynetman)
Added: Show paused files in grey (Morph Mod)
Added: Show downloading files in color (KTS)
Added: Show Total Up/Down column in uploadlist & queuelist (iOniX Mod)
Added: Show RQR/Speed column in uploadlist (iOniX Mod)
Added: New icons from Phoenix Mod
Added: WHOIS from Downloads, Uploads and Queue windows (KTS)
Added: Automatic shared files updater (Monki)
Added: Enhanced Client Recognition (Spike2)
Added: Invisible Mode (HotKey: Alt+Z) (Morph Mod)
Added: ChunkDots (Slugfiller)
Added: ConfirmedDownload (xrmb)
Added: Connect only to servers support obfuscated connection (to prevent connect to Fake-servers) (Morph Mod) Tag:MORPH lh require obfuscated server connection
Changed: Minimum upload limits/capacities to 2 kb/s (for dial-up users)
Changed: Minimum queue size to 1000
Changed: Maximum file buffer size change to 7.5 Mb
Changed: Ban time to 24 hour
Changed: Maximum upload session time to 24 hour
Changed: Minimum upload slots to 1
Changed: Slotspeed range 1.5 kb/s <=> upload limit
Removed: Failed download ban
Removed: Global DeadSourceList
Removed: Filter clients caused an error
Removed: "received an IP: xxx.xxx.xxx.xxx, NAFC-Adapter will be checked" message
Tweaked: Some default settings (default ports, file buffer size, spamfilter...)

To enable (default) downloading files in color add to file preferences.ini line:
EnableDownloadInColor=1
To disable downloading files in color add to file preferences.ini line:
EnableDownloadInColor=0
To show downloading files in Red add to file preferences.ini line:
DownloadColor=0
To show downloading files in Blue (default) add to file preferences.ini line:
DownloadColor=1
To show downloading files in Green add to file preferences.ini line:
DownloadColor=2
To show downloading files in Yellow add to file preferences.ini line:
DownloadColor=3
To show downloading files in Grey add to file preferences.ini line:
DownloadColor=4
To enable (default) Automatic shared files updater add to file preferences.ini line:
AutoReloadSharedFiles=1
To disable Automatic shared files updater add to file preferences.ini line:
AutoReloadSharedFiles=0
To enable (default) Invisible Mode add to file preferences.ini line:
InvisibleMode=1
To disable Invisible Mode add to file preferences.ini line:
InvisibleMode=0
To enable (default) "Connect only to servers support obfuscated connection" add to file preferences.ini line:
CryptLayerRequiredStrictServer=1
To disable "Connect only to servers support obfuscated connection" add to file preferences.ini line:
CryptLayerRequiredStrictServer=0

Homepage: ShareReactor.ru

Download: emule0.48a-Xtreme6.1-SE2-binary.zip
http://files.emule-security.net/emule/emule0.48a-Xtreme6.1-SE2-binary.zip
Source:
http://files.emule-security.net/emule/emule0.48a-Xtreme6.1-SE2-sources.zip

older versions
It's an older mod, we forgot to add it to our blog here. Still couldn't get yours to run.

DLL was missing.... -:))

eMule 0.48a X-Ray 1.3

0 comments
Changelog:
Recode: Complete Recode of Slotcontrol (Slotspeed + Trickleslots)
Recode: Complete recode of FullChunk Calculation Method
Update: Major update of Modeless Dialogs Code
Add: New File Detail Dialog - already implemented but tagged with ModelessDlg's
Add: eMule+ Transferwnd Style - Rollup Control
Add: LowID to HighID Automatic Callback
Add: Share Filter
Add: Manual Client Management
Add: XP-Style Menus
Add: File Status Icons
Add: Only Download Complete Files
Add: Suspend Collecting
Add: UnSolicitedPartStatus - needed for StandbyDownload
Add: StandbyDownload
Add: SafeKad
Add: Anti fragmenting
Add: KadPerformance Improvements - moved some functions inline
Add: Update nodes.dat frequently
Change: Splashscreen & Sidebanner
Change: LeecherLog is static now
Remove: Removed some senseless checks for ASL & ACC
Remove: SlotRelease
Fix: Fixed minor bug around Preferences Dialog - this time for real;)
Fix: Fixed minor bug in emuledlg: do not ask exit from command prompt
Fix: Fixed minor nullpointer bug in UploadClient
Fix: Corruption Black Box Fix
Fix: Fixed bug in sockets.cpp around socket deletion
Fix: Fixed minor bug in Tweaks Preferences Page
Cleanup: Cleaned up some useless codeparts

Download BIN: eMule_v0.48a_X-Ray_v1.3-bin.rar
http://files.emule-security.net/emule/eMule_v0.48a_X-Ray_v1.3-bin.rar

SRC: eMule_v0.48a_X-Ray_v1.3-src.rar
http://files.emule-security.net/emule/eMule_v0.48a_X-Ray_v1.3-src.rar

Mirrors and older Version archive: http://www.emule-security.net/modb/files.php?cat=33

Xtreme-SE all Versions