Everything you need to know about virus scanners

Recently I wanted to download files from GitHub (from my first repository ;) and suddenly it turned out that Yandex Browser complains that they are infected with a virus.

No, no, the problem is not on GitHub! )

Download the repository via "Download ZIP".

And then, suddenly:

Moreover, the wise Yandex Browser does not even let you open the archive (!).
It can still be done via Downloads > Open folder.

Wow, look at that! The "Be careful" window appears for a couple of seconds, and you have to be quick enough to click the "Unblock" button.
So Yandex is harsh enough to hook into the standard file dialogs and add its horror stories there?

I checked the files on VirusTotal and realised that this deserves a separate post. In short, the number of antivirus engines that report a Trojan in the file changes depending on the UPX compression level the executable was packed with.
The problem concerns the RAPIDQx.LIB files, which are the executable of the Rapid-Q Basic interpreter.
This interpreter, together with the program's bytecode, is embedded in the final .exe file.
Sometime in the early 2000s someone wrote something virus-like in that language. Accordingly, the signatures of the interpreter executable got into antivirus databases, and since that executable is the interpreter itself, every executable containing it was subsequently detected as a virus. After correspondence with some vendors these signatures were partly removed from the databases, but over time they reappeared.
But that is not the point.
The RAPIDQx.LIB files are UPX-packed. You can choose the compression level when packing, and it turns out that the number of antivirus engines that flag the file as a Trojan depends on it.
For example, I repacked one of the files with UPX at different compression levels and got this result )

And of all vendors, Kaspersky!
At this compression level it fires:

At this one it does not:

I checked with the latest Kaspersky Virus Removal Tool; it found nothing at all.

Ah, an amazing thing!

So, how can you get rid of the false positives? Apparently the most realistic way is to pick a packer setting for the executable (a UPX compression level or method) at which no engine fires. Correspondence with vendors is pointless. Note that this only moves the problem: the detection is on the byte pattern UPX produces at a particular level, so a later database update can flag the level that is clean today, and the check has to be repeated after each rebuild.
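The repacking experiment above, and the "pick a level at which nothing fires" approach, can be automated. The following script is an added example written for this post, not code from the original or from the Rapid-Q project. It assumes an `upx` binary on PATH (overridable with the `upx=` argument); the variant names, output file names and work directory layout are arbitrary choices. It unpacks the original once (UPX refuses to pack a file that is already UPX-packed), repacks the plain binary at each level or method, and prints a SHA-256 per variant together with the VirusTotal report URL for that hash, so each variant can be looked up or uploaded.

```python
"""Repack a UPX-packed binary at several compression settings and record a
SHA-256 per variant for a VirusTotal comparison.

Added example, not code from the original post. Assumes `upx` is on PATH
(pass upx="/path/to/upx" otherwise); file and directory names are arbitrary.
"""
import hashlib
import shutil
import subprocess
import sys
from pathlib import Path

# UPX options that change the packed output. -1..-9 are the standard levels,
# --best picks the best of them, --lzma switches the compression method and
# --brute tries many method/filter combinations.
UPX_VARIANTS = {
    "1": ["-1"],
    "3": ["-3"],
    "5": ["-5"],
    "7": ["-7"],
    "9": ["-9"],
    "best": ["--best"],
    "lzma": ["--best", "--lzma"],
    "brute": ["--brute"],
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    # Stream the file so large binaries are not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def upx_command(upx: str, variant: str, src, dst) -> list:
    # -q: quiet, -f: overwrite dst if it exists, -o: output file name.
    return [upx, *UPX_VARIANTS[variant], "-q", "-f", "-o", str(dst), str(src)]


def unpack_command(upx: str, src, dst) -> list:
    # UPX will not pack an already-packed file, so the sweep must start
    # from the decompressed binary.
    return [upx, "-d", "-q", "-f", "-o", str(dst), str(src)]


def repack_variants(src, workdir, upx: str = "upx") -> dict:
    """Return {variant: sha256} for the original, the unpacked binary and
    every repacked variant written into workdir."""
    src, workdir = Path(src), Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    plain = workdir / f"{src.stem}.unpacked{src.suffix}"
    if subprocess.run(unpack_command(upx, src, plain)).returncode != 0:
        # Input was not UPX-packed: use it as the plain binary as-is.
        shutil.copyfile(src, plain)
    hashes = {"original": sha256_file(src), "unpacked": sha256_file(plain)}
    for name in UPX_VARIANTS:
        dst = workdir / f"{src.stem}.upx{name}{src.suffix}"
        subprocess.run(upx_command(upx, name, plain, dst), check=True)
        hashes[name] = sha256_file(dst)
    return hashes


def vt_file_url(sha256: str) -> str:
    # VirusTotal addresses a file's report page by its SHA-256.
    return f"https://www.virustotal.com/gui/file/{sha256}"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: upx_sweep.py <packed-file> <workdir>")
    for name, digest in repack_variants(sys.argv[1], sys.argv[2]).items():
        print(f"{name:>9}  {digest}  {vt_file_url(digest)}")
```

Run it as `python upx_sweep.py RAPIDQ4-0.LIB out/` and compare the detection counts of the listed hashes. Because every variant is packed from the same unpacked binary, any difference in verdicts comes from the packer output alone, which is exactly the effect described above.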

Ah, no, the Removal Tool did find one file:
File: C:\balan\RQIDE\lib4\RAPIDQ4-0.LIB
Object discovered using KSN
MD5: 972862F88F37B4462D1EB528C153DBCF
SHA256: 7B5F0EC4BAE8C23FD7A0129642B04548B4E95CE6CDDD2B0DDD0BC0567E7F4D03
