Possible Major False Positive(s); Possible Seriously Protected Malware

This is regarding a file that returned a large number of hits at VirusTotal, but which I believe to actually be a massive false positive. A few were of the 'Generic' variety of results, more commonly associated with FPs. The majority of the AVs listed returned results that are based on the protection software the file employs. In this case, one of the protection software packages used is a known stolen version of a legit file protection software package.

The file is protected by at least the following protection software Packers:
1.) PESTUB. 2.) Fly-Code. 3.) VMPROTECT.
Combine all 3 of those together, and you have yourself a wonderful protection pack for your software.

Here are three links: one is a CAMAS submission report (where I just uploaded it before making this post), one is to the VirusTotal report, and one is to a GSI Sandbox report. Though it's just a general GSI Sandbox public report, not a good one lol. Possibly it could help(?). In order of my above statement:




The CAMAS report doesn't actually report anything at all besides the file's size, the usual checksums / hashes, and that 'Process' is 'Active'. Absolutely nothing else; kind of understandable really. Though the webpage refreshed consistently for around 15 minutes before displaying the "Finished Report". So analyzing it for 15 minutes…

Could / would y'all take a look at it for me?

[Edit:] Additionally uploaded file to Comodo Antivirus Database | Submit Files for Malware Analysis.
"Your file was uploaded successfully and will shortly undergo analysis by Comodo technicians."

Hi RGentle,

We have checked the reported file and it was found to be a keygen. Generally keygens, patchers, loaders and trainers won't be seen as goodware. If you plan to use this file further, you can add it to the exclusion list.


Thank you very, very much Vaishnavi. Heh, I pretty much figured that it was a keygen by its file name. Lol. So long as it ain't doing anything malicious, I'm quite happy. I can now go back to attempting to reverse engineer the VMProtect protection bit with peace of mind. Wasn't too worried about the Fly part, nor PESTUB. Heh, hate getting infected while decomp'ing and such. sighs :-TU :-TU :-TU