An important message to users of 40H utility tools


Norm Pollock
Posts: 1056
Joined: Thu Mar 09, 2006 4:15 pm
Location: Long Island, NY, USA

An important message to users of 40H utility tools

Post by Norm Pollock »

Hi,

I was recently informed that the latest version of Avast anti-virus was turning up a warning/suspicion about the 40H programs. This was NOT corroborated by AVG and many other A/V programs.

However, I investigated it further and found out that a compacting program that I have been using (exe32pack.exe) for many years without prior incident was the cause of the problem. I removed it, and recompiled all 80 programs. The new executables have all passed analysis by all the 50+ A/V programs on virustotal.com (an excellent site).

The download site is

http://www.hoflink.com/~npollock/chess.html

-Norm
Charly
Posts: 1091
Joined: Wed Jul 23, 2014 4:30 pm
Location: Bretagne

Re: An important message to users of 40H utility tools

Post by Charly »

Hi,

Many thanks for your tools!

Avira anti-virus was always warning me about the previous version of 40H and put all the files in quarantine. (This was still true a few weeks ago.)

Now I'm with Trend Micro internet security, and I downloaded the new version of 40H utility tools.

I launched a scan and no problem was detected with the new anti virus.

So, many thanks!
Brittany from the sky :
https://youtu.be/nR9eU_tVbxE
Ferdy
Posts: 4833
Joined: Sun Aug 10, 2008 3:15 pm
Location: Philippines

Re: An important message to users of 40H utility tools

Post by Ferdy »

Thanks.
I can't access the link so far.
Norm Pollock
Posts: 1056
Joined: Thu Mar 09, 2006 4:15 pm
Location: Long Island, NY, USA

Re: An important message to users of 40H utility tools

Post by Norm Pollock »

Based on virustotal.com two days ago, only about 1 in 11 anti-virus programs consider "exe32pack.exe" to be a potential threat. It supposedly could be used to clandestinely hide a virus/malware. And as mentioned with Avira, Avast also puts threats into quarantine.

Check out virustotal.com. Every download should be analyzed there before use. If this incident teaches us one thing, it is that you should not just go by 1, 2 or 3 anti-virus programs; it is better to go by 50+.

The compacting program was used to compact each executable from 5M to 1M. When first used, hard drives had much smaller capacity so that was a factor. Now I'm assuming everyone has at least a 500G drive and file size is not an issue.

Ironically, the 5M executable loads and executes faster because the 1M had to also unpack itself before execution. Another irony is that the "7z" files used to download are 60% smaller even though the individual files are 500% bigger.
mar
Posts: 2554
Joined: Fri Nov 26, 2010 2:00 pm
Location: Czech Republic
Full name: Martin Sedlak

Re: An important message to users of 40H utility tools

Post by mar »

Norm Pollock wrote: Based on virustotal.com two days ago, only about 1 in 11 anti-virus programs consider "exe32pack.exe" to be a potential threat. It supposedly could be used to clandestinely hide a virus/malware. And as mentioned with Avira, Avast also puts threats into quarantine.
This is the reason why I stopped using executable compressors a long time ago.
Unfortunately packers are very popular among idiots who write malware.

AV vendors have to maximize the true positive/false positive ratio, and they also need to scan fast; this is why, I guess, they detect by signature in this case.
Even when using heuristics, it's impossible to emulate several layers of "protection" within the time budget (you can't spend a minute scanning a single executable); also, it's possible to fool emulators.
This is why it becomes more and more popular to use behavioral analysis as well, which can bypass any such protection.
The drawback is that this dynamic analysis only triggers when you run the process and when it does something suspicious.
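The static side of the detection discussed above, as an added example that is not part of any post in this thread and not any AV vendor's actual logic: it parses the PE section table and reports two hints commonly associated with packed executables (near-random section contents, and a section that is empty on disk but allocated in memory). The sample images are constructed inline, and the section names and layout modelled on typical UPX output are assumptions of this example.

```python
import math, struct, zlib

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, set(data)))

def pe_sections(image: bytes):
    """Return [(name, virtual_size, raw_size, entropy)] from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", image, pe + 6)   # NumberOfSections
    opt, = struct.unpack_from("<H", image, pe + 20)    # SizeOfOptionalHeader
    out = []
    for i in range(count):
        name, vsize, _, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, pe + 24 + opt + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize,
                    entropy(image[rptr:rptr + rsize])))
    return out

def packing_indicators(image: bytes, threshold: float = 7.0):
    """Heuristic hints only: both also occur in legitimate files."""
    hits = []
    for name, vsize, rsize, ent in pe_sections(image):
        if ent > threshold:                 # compressed or encrypted content
            hits.append((name, "high entropy"))
        if rsize == 0 and vsize > 0:        # filled in at run time (also true of .bss)
            hits.append((name, "empty on disk"))
    return hits

def build_pe(sections):
    """Constructed sample: headers cut down to what pe_sections reads (not loadable)."""
    head = bytearray(64)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, base = b"", b"", 64 + 24 + 40 * len(sections)
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(data),
                             base + len(body), 0, 0, 0, 0, 0xE0000020)
        body += data
    return bytes(head) + coff + table + body

CODE = " ".join(str(i * i) for i in range(20000)).encode()  # stand-in for program bytes
PLAIN = build_pe([(b".text", len(CODE), CODE)])
PACKED = build_pe([(b"UPX0", len(CODE), b""), (b"UPX1", 0x1000, zlib.compress(CODE, 9))])
```

The hints say nothing about what the packed payload does, which is why a harmless packed utility and packed malware look alike to a check of this kind.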
tttony
Posts: 268
Joined: Sun Apr 24, 2011 12:33 am

Re: An important message to users of 40H utility tools

Post by tttony »

This is the first time I've read about exe32pack.exe. Searching with Google, I can't find the official website; also, it seems to be an old program.

If you want to use an executable packer, I recommend UPX --> http://upx.sourceforge.net/ it's open source. I don't know if AVs detect it as a virus, but it does the job of compressing the .exe files.
Jesse Gersenson
Posts: 593
Joined: Sat Aug 20, 2011 9:43 am

Re: An important message to users of 40H utility tools

Post by Jesse Gersenson »

tttony wrote: This is the first time I've read about exe32pack.exe. Searching with Google, I can't find the official website; also, it seems to be an old program.

If you want to use an executable packer, I recommend UPX --> http://upx.sourceforge.net/ it's open source. I don't know if AVs detect it as a virus, but it does the job of compressing the .exe files.
UPX also triggers anti-virus programs. Komodo was using upx during its recent 9.3 release and a number of people wrote saying it caused their anti-virus program to reject the file.