I’m a new user of CIS and I noticed that I get many false positives on EXE/DLL files compressed with some “exotic” packers… I think a good AV should be able to unpack “runtime packers”, or at least tell that the file is packed (not suggest that it is unknown malware).
Here’s a list of false positives I found (the unpacked files are clean). I used PEiD to get this info.
(Virus Signature Database Version: 1021 / Heuristic level: LOW)
Packed with PECompact
- Unclassified Malware[at]8342523
- Unclassified Malware[at]8316369
- Unclassified Malware[at]8314783
- Unclassified Malware[at]8302806
- Unclassified Malware[at]8351666 (pec2codec_lzma.dll)
- Unclassified Malware[at]8351669 (pec2rsrc_brazilian.dll)
- Unclassified Malware[at]8351668 (pec2rsrc_japanese.dll)
- Unclassified Malware[at]8351670 (pec2rsrc_polish.dll)
- Unclassified Malware[at]8351667 (PEHideText.exe)
Packed with FSG
- Unclassified Malware[at]8519599
- Unclassified Malware[at]8375233
- Unclassified Malware[at]8375178
- Unclassified Malware[at]8330296
- Unclassified Malware[at]8402469
- Unclassified Malware[at]8375216
- Unclassified Malware[at]8375172
Packed with PESpin
- Unclassified Malware[at]8411890
Packed with Winkript
- Unclassified Malware[at]8375217
- Unclassified Malware[at]8375221
Packed with nSPack
- Unclassified Malware[at]8362369
- Unclassified Malware[at]8378765
- Unclassified Malware[at]8309756
Packed with Neolite
- Unclassified Malware[at]8375205
Packed with MEW
- Unclassified Malware[at]8375198
- Unclassified Malware[at]8375173
- Unclassified Malware[at]8375221
- Unclassified Malware[at]8375194
Packed with DEF
- Unclassified Malware[at]8375181
Packed with .BJFNT
- Unclassified Malware[at]8375199
Packed with Simple UPX Cryptor
- Unclassified Malware[at]6424104
Packed with PEtite
- Unclassified Malware[at]8375210
Packed with ASPack
- Unclassified Malware[at]8375204
Packed with yoda’s cryptor
- Unclassified Malware[at]8331071
- Unclassified Malware[at]8332940
Packed with Upack
- Unclassified Malware[at]5231028
- Unclassified Malware[at]8375187
- Unclassified Malware[at]5949224
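The check the post asks for, flagging a file as "packed" rather than "unknown malware", can be approximated with a few structural heuristics: section names a packer leaves behind, the entropy of the section that holds the entry point, and whether that section is both writable and executable (an unpacking stub writes the decompressed code there). The following is an added example, not code from the post, from Comodo/CIS or from PEiD. The packer section-name table and the 7.0 bits/byte threshold are assumptions of this example, and the three PE images it checks are constructed in memory as sample input; they are not the files listed above.

```python
"""Heuristic 'is this PE packed?' check: packer section names, entry-section
entropy and section permissions. Added example; not CIS or PEiD code."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names commonly left behind by runtime packers (illustrative list, an
# assumption of this example). Packers such as FSG or PECompact do not use
# telltale names, so the entropy/permission signals below are what catch those.
PACKER_SECTION_NAMES = {
    "upx0": "UPX", "upx1": "UPX", "upx2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".nsp0": "nSPack", ".nsp1": "nSPack", ".nsp2": "nSPack",
    ".petite": "PEtite", ".mew": "MEW", ".upack": "Upack", ".yp": "yoda's cryptor",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Compressed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Minimal PE header walk: returns (AddressOfEntryPoint, [section dicts])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def assess_packing(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Name the packer if a section name gives it away; otherwise report generic
    packing signals. 'packed' needs a known name or at least two signals."""
    entry_rva, sections = parse_pe(pe)
    signals, packer = [], None
    for s in sections:
        known = PACKER_SECTION_NAMES.get(s["name"].lower())
        if known and packer is None:
            packer = known
            signals.append(f"section {s['name']!r} is a {known} packer section")
    entry = next((s for s in sections
                  if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    if entry is None:
        signals.append("entry point lies outside every section")
    else:
        if entry["entropy"] >= entropy_threshold:
            signals.append(f"entry section {entry['name']!r} entropy {entry['entropy']:.2f}"
                           f" >= {entropy_threshold}")
        if entry["chars"] & IMAGE_SCN_MEM_WRITE and entry["chars"] & IMAGE_SCN_MEM_EXECUTE:
            signals.append(f"entry section {entry['name']!r} is writable and executable")
        if entry is not sections[0]:
            signals.append("entry point is not in the first section")
    return {"packer": packer, "signals": signals,
            "packed": packer is not None or len(signals) >= 2,
            "entry_section": entry["name"] if entry else None,
            "entry_entropy": entry["entropy"] if entry else None}


def build_pe(sections, entry_index: int) -> bytes:
    """Construct a minimal PE32 image from [(name, raw bytes, characteristics)].
    Sample input for this example only; it satisfies parse_pe() but is not loadable."""
    FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    headers_end, rva, table, body, entry_rva = raw_ptr, SECT_ALIGN, b"", b"", 0
    for i, (name, data, chars) in enumerate(sections):
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        if i == entry_index:
            entry_rva = rva
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += max(-(-len(data) // SECT_ALIGN) * SECT_ALIGN, SECT_ALIGN)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    return (dos + coff + opt + table).ljust(headers_end, b"\0") + body


# Constructed samples (not the files from the post): a UPX-style layout, a plain
# linker layout, and a packer that leaves the section name blank (FSG-style).
_HIGH_ENTROPY = bytes(range(256)) * 8                    # 2048 bytes, entropy exactly 8.0
_PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64     # repetitive, low-entropy code bytes
SAMPLE_UPX = build_pe([("UPX0", b"", 0xE0000080), ("UPX1", _HIGH_ENTROPY, 0xE0000040),
                       (".rsrc", b"\0" * 64, 0xC0000040)], entry_index=1)
SAMPLE_CLEAN = build_pe([(".text", _PLAIN_CODE, 0x60000020),
                         (".data", b"\0" * 64, 0xC0000040)], entry_index=0)
SAMPLE_NONAME = build_pe([("", _HIGH_ENTROPY, 0xE0000060)], entry_index=0)

if __name__ == "__main__":
    for label, sample in (("UPX-style", SAMPLE_UPX), ("clean", SAMPLE_CLEAN),
                          ("blank-name", SAMPLE_NONAME)):
        r = assess_packing(sample)
        print(f"{label}: packed={r['packed']} packer={r['packer']}")
        for sig in r["signals"]:
            print("   -", sig)
```

To run it against a real file, pass `open(path, "rb").read()` to `assess_packing()`. The point of the design is the verdict it does not give: a high-entropy, writable-and-executable entry section says "packed", nothing more, and a scanner that stops there has a reason to say "packed with an unknown packer" instead of "Unclassified Malware". Note the blank-name sample is reported as packed with no packer name, which is the "at least tell me it is packed" case from the post; a name-only match (UPX, ASPack, and so on) is still only a hint, since packers can be renamed or their section names spoofed.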