Thursday, November 9, 2017

False antivirus reports on installers created with WinRAR


I recently observed that Setup files created with WinRar have a high false positive detection rate from antivirus engines.
Here are the conclusions of some tests I made in order to reduce the false positive rate:

RAR version    SFX module    Detection ratio
WinRar 3.11    32bit         1/66
WinRar 4.2     32bit?        3/66
WinRar 5.50    32bit         6/67
WinRar 5.50    64bit         1/67

Notes:
The detection ratio is not affected at all by whether the 32-bit or the 64-bit build of the WinRAR program was used.
However, it is strongly affected by which SFX module is used.

The test file created with WinRar was named Setup.exe and contained a single URL file.
In one test, the Setup file was additionally packed with UPX. This changed the detection ratio from:
 8 false positives to only 4, in one case
 6 false positives to 6 (no reduction), in another case

A program built in Delphi raises more false positives if the 'Compiler optimizations' option is on.
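The UPX result above comes down to what antivirus heuristics see in the executable's headers: a packed SFX carries section names such as UPX0/UPX1 and a section that has virtual size but no bytes on disk, and those are exactly the signals a scanner weighs before it ever runs the file. The following script is an added example, not code from the post or from WinRAR, that builds a few constructed PE32 header layouts in memory and reports which of those two indicators a header-level check would find. The indicator list and the two heuristics are assumptions chosen for illustration, not any particular vendor's rules.

```python
import struct

# Section names that packers such as UPX typically leave in the section table.
# Assumption: a small illustrative list of indicators, not a complete packer signature set.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

PE32_OPTIONAL_HEADER_SIZE = 224   # size of the PE32 optional header
SECTION_HEADER_SIZE = 40          # size of one IMAGE_SECTION_HEADER entry


def build_minimal_pe(sections):
    """Build the headers of a PE32 image in memory (constructed test data, not a real binary).

    `sections` is a list of (name, virtual_size, raw_size) tuples. Only the DOS stub,
    PE signature, COFF header, optional header and section table are produced; the
    result is enough to exercise a header parser and is not executable.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew points at "PE\0\0"
    coff = struct.pack("<HHIIIHH",
                       0x14C,                                # Machine: i386
                       len(sections),                        # NumberOfSections
                       0, 0, 0,                              # timestamp, symbol table, symbol count
                       PE32_OPTIONAL_HEADER_SIZE,            # SizeOfOptionalHeader
                       0x0102)                               # EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)              # PE32 magic
    table = b""
    for i, (name, virtual_size, raw_size) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI",
                             name.ljust(8, b"\0"),
                             virtual_size,
                             0x1000 * (i + 1),               # VirtualAddress
                             raw_size,
                             0x400 * (i + 1),                # PointerToRawData
                             0, 0, 0, 0,                     # relocations / line numbers
                             0x60000020)                     # CODE | EXECUTE | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


def pe_section_headers(data):
    """Return a list of (name, virtual_size, raw_size) parsed from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    headers = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        name, virtual_size, _va, raw_size = struct.unpack_from("<8sIII", data, off)
        headers.append((name.rstrip(b"\0"), virtual_size, raw_size))
    return headers


def packer_indicators(data):
    """Return the heuristic reasons a scanner might treat this image as packed.

    Two classic signals are checked: a known packer section name, and a section that
    occupies address space at run time (virtual size) but holds no bytes on disk
    (raw size 0), which is where an unpacking stub writes the decompressed program.
    """
    reasons = []
    for name, virtual_size, raw_size in pe_section_headers(data):
        label = name.decode("latin-1")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {label}")
        if raw_size == 0 and virtual_size > 0:
            reasons.append(f"section {label} has no raw data but {virtual_size:#x} bytes of virtual size")
    return reasons


# Constructed sample inputs: a UPX-style section layout and a conventional one.
UPX_STYLE = build_minimal_pe([(b"UPX0", 0x10000, 0), (b"UPX1", 0x4000, 0x4000), (b".rsrc", 0x1000, 0x1000)])
PLAIN_STYLE = build_minimal_pe([(b".text", 0x2000, 0x2000), (b".data", 0x1000, 0x1000), (b".rsrc", 0x1000, 0x1000)])

if __name__ == "__main__":
    for title, image in (("UPX-style layout", UPX_STYLE), ("plain layout", PLAIN_STYLE)):
        print(title, "->", packer_indicators(image) or ["no packer indicators"])
```

Pointing `pe_section_headers` at a real Setup.exe (read the file as bytes) shows what the installer looks like to a header-level heuristic before and after packing, which is a quick way to see why the same SFX can score very differently across the variants in the table.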

2 comments:

  1. Using WinRar 5.71 64-bit is giving me a very high detection, which is how I found this list. Trying WinRar 3.11 worked for me. Thank you.

  2. Also I noticed that hiding the extraction dialogs will increase the false positive detection rate. With Zip 64bit and WinRAR 6.02 while keeping the dialogs on, I was able to create a SFX that will unpack my small program to a temp location and execute an exe together with its dlls while achieving a detection rate of 0/66. The only downside is that now on launch the extraction dialog will show up for a second, but that is not really a problem.

    I also tried ILMerge, Costura.Fody and 7zip and they all created false positives.
