
PAR::Packer generated EXE that was detected as a trojan...

by vitoco (Hermit)
on Sep 15, 2018 at 00:11 UTC [id://1222404]

vitoco has asked for the wisdom of the Perl Monks concerning the following question:

Hello... I've built an EXE file to be run in a 32-bit version of Windows, using pp on a fresh install of Strawberry in a WinXP x86 virtual machine that I have in my Win10 x64 PC. To test the build, I copied the EXE to my real machine and suddenly all stopped. Windows Defender deleted the EXE and notified me that a virus was detected: "Trojan:Win32/Skeeyah.A!rfn". I tried copying the file previously renamed to ZIP, and it was also deleted. Argh!

AFAIK, pp generates an EXE that has two parts: a runtime and a directory structure with all the module dependencies, which is extracted to a temp dir cache. When the EXE is renamed to ZIP, only some of the files are available to extract into a folder. So, I unpacked the ZIP contents to a folder in WinXP, repacked it again and copied that recompressed folder to Win10 successfully, and also extracted all the files... it was not one of that group. Then I did the same with the cache folders I found in WinXP, and copied them successfully again. So, there is something extra in the original EXE that has a signature that Windows Defender recognizes as a virus/trojan.

What other thing could I do to bypass this issue? I don't think that PAR::Packer is generating a "corrupted" EXE; at least I suppose that my WinXP VM is not infected and PAR is being an innocent victim of it.
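The two-part layout vitoco describes (a loader stub with the module archive appended) can be checked directly. This is an added example, not code from the thread or from PAR::Packer: it locates the embedded ZIP by its end-of-central-directory record, lists the archive members, and hashes the stub on its own, so the portion that actually matches the AV signature can be isolated and submitted as a false positive. The sample file is constructed inside the script, and the trailer bytes after the archive are an assumption, not PAR's real format.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"   # ZIP end-of-central-directory record, without its comment


def split_par_exe(data: bytes):
    """Split data laid out as stub + ZIP + optional trailer.

    Returns (stub_bytes, member_names, trailer_bytes); raises ValueError
    when no ZIP archive is embedded in the data."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    (_sig, _disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FMT, data, pos)
    # The central directory ends right before the EOCD record, and cd_offset is
    # relative to the start of the archive, so the remainder is the stub size.
    zip_start = pos - cd_size - cd_offset
    if zip_start < 0:
        raise ValueError("inconsistent central directory offsets")
    zip_end = pos + struct.calcsize(EOCD_FMT) + comment_len
    with zipfile.ZipFile(io.BytesIO(data[zip_start:zip_end])) as zf:
        names = zf.namelist()
    return data[:zip_start], names, data[zip_end:]


def sha256_hex(blob: bytes) -> str:
    """Hash one part of the file so it can be compared or reported separately."""
    return hashlib.sha256(blob).hexdigest()


def build_sample() -> bytes:
    """Constructed stand-in for a pp output: fake stub + real ZIP + fake trailer."""
    stub = b"MZ" + b"\x90" * 64          # constructed; not a real PE loader
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("script/hello.pl", 'print "hello\\n";\n')
        zf.writestr("lib/strict.pm", "package strict; 1;\n")
    return stub + buf.getvalue() + b"\nPAR.pm\n"   # trailer bytes are an assumption


if __name__ == "__main__":
    stub, names, trailer = split_par_exe(build_sample())
    print(f"stub: {len(stub)} bytes, sha256 {sha256_hex(stub)}")
    print("archive members:", names)
    print(f"trailer: {trailer!r}")
```

Run it against a real pp output by replacing `build_sample()` with the file's bytes; if the stub hash alone is flagged while the repacked members are not, that is the piece to send to the AV vendor.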

Re: PAR::Packer generated EXE that was detected as a trojan...
by marto (Cardinal) on Sep 15, 2018 at 06:18 UTC

    It's not corruption. Think of pp as creating a self-extracting executable. For a while pp installation failed for me on Windows at the test phase, because rapidly creating exes which self-extract and run elsewhere on the system (a temp directory) triggered some rule within the AV product as something malicious. You could try specifying the target temp directory and maybe whitelist this within the product. This sort of thing has come up a few times (Sophos hates PAR::Packer!, Super Search for more). Do both systems use the same AV version and definition file?

      I get the same issues with Symantec Endpoint Protection. I added an exception for it in my system so it does not pester me now. Or possibly it is whitelisted in the upgrade I ran recently. Regardless, I installed PAR::Packer under Strawberry Perl 5.28.0 a few hours ago and there were no issues flagged by the AV system.

        I installed a new Win7 x86 in VMWare with Strawberry Perl 5.28.0.1 and built my EXE using pp. Guess what? It was also detected as a trojan in my Win10 x64 machine by Windows Defender!!!

        As my real box has the same version of Strawberry Perl and can generate EXE files OK, without being detected as trojan by the same machine, I think that it is something to do with x86 versions of generated executables...

        I'll try the notification to Windows Defender team road.

Re: PAR::Packer generated EXE that was detected as a trojan...
by LanX (Saint) on Sep 15, 2018 at 00:30 UTC
    Maybe of help, I remember virus checkers complaining about a module in a mini-CPAN mirror.

    Turned out to be a test-file checking if the module Mail::ClamAV detects a virus signature.

    Probably something similar in your dependencies?

    Cheers Rolf
    (addicted to the Perl Programming Language :)

      Probably, but it seems that none of it was, as I deliberately packed the cache dirs from the x86 VM when I tested it successfully, then copied them to the x64 machine with Windows Defender and I got no warnings.

Re: PAR::Packer generated EXE that was detected as a trojan...
by Anonymous Monk on Sep 15, 2018 at 00:29 UTC

    > What other thing could I do to bypass this issue? I don't think that PAR::Packer is generating a "corrupted" EXE; at least I suppose that my WinXP VM is not infected and PAR is being an innocent victim of it.

    Send the file to the Windows Defender software team, tell 'em it has no virus, they'll figure out the false positive and update their stuff, so it's no longer detected as a false positive.

      Thanks for the idea, but I'll do first some tests by "compiling" some other random scripts from myself to see if this persists. My program is WIP and it will continue changing during the following weeks.

        Unfortunately, the EXE for every perl script I provided was detected as a virus by the other system. Even an empty file!!!

        The next step is to try a fresh strawberry perl installation on another fresh VM. Probably my WinXP was infected, because I recall that I used it as a honeypot years ago.
