McMcbrad

Level 10
I think this might be helpful:

I'll try execute some of the PUPs in this archive, as I am curious.

So, after a scan 15 files were left, 110 were removed.
I tried to execute them, only 3 seem to be working:
One of them is scam software (Re-image).
1606035450321.png
1606035463777.png
1606035478370.png
1606035533583.png
1606035738555.png
1606035877954.png


Everything else crashes immediately.
 
Last edited:

danb

From VoodooShield
Verified
Developer
I think this might be helpful:

I'll try execute some of the PUPs in this archive, as I am curious.

So, after a scan 15 files were left, 110 were removed.
I tried to execute them, only 3 seem to be working:
One of them is scam software (Re-image).
View attachment 249529View attachment 249530View attachment 249531View attachment 249532View attachment 249534View attachment 249535

Everything else crashes immediately.
This is not surprising... the 94 out of 125 files that WV classified as malicious were not filtered or inspected in anyway... I simply counted them as a correct verdict. However, I inspected the files that WV missed to ensure they were 1) valid executables and 2) malicious, and this was after I scanned the malpack for duplicates. This actually works in WV's favor, but I believe it is the only fair way to run the test. So the test was not up to lab standards, but it was pretty close ;). But anyway, this would explain why some of the files are not valid executables (and did not execute). Basically, they are files that WV determined to be malicious and I counted them as a correct verdict without inspecting them further.

BTW, just curious, are they crashing with or without SBIE?
 

SeriousHoax

Level 32
Verified
Here are the samples used in the WV PUP test, feel free to install them on your computer.

hxxps://drive.google.com/file/d/1-jCMgNjCMPk2RypMnunZ49mQWEmNE8SN/view?usp=sharing
Please let me know if you understand the distinction.
I also downloaded these samples and tested WD, AVG and Emsisoft. WD has the highest detection rate among this, followed by Emsisoft and AVG. It detected 119 out of 125, 6 files were left. So, 95.2% detection. The PUP's are classified accurately as well. After checking on VT, it seems even overall among all the big guns WD has the best detection rate for this pack. These are very old samples though, from 2017.
 
Last edited by a moderator:

McMcbrad

Level 10
After on demand scan without execution? Since when Comodo started to have good signatures! :unsure:
Most of the files remaining after AVG scan won't execute, with the exception of few that look like Chinese/Turkish game clients and might not even be a PUP (just like SAP is far cry from ClipBanker). One was removed by IDP (Behavioural Blocker), majority just gives an error on execution.
COMODO uses reputation, doesn't it?
 
Last edited:

SeriousHoax

Level 32
Verified
Most of the files remaining after AVG scan won't execute, with the exception of few that look like Chinese/Turkish game clients and might not even be a PUP. One was removed by IDP (Behavioural Blocker), majority just gives an error on execution.
COMODO uses reputation, doesn't it?
Right. I noticed that too. Since these are very old samples, all AVs I think detected the obvious malicious/pup samples. The remainders are either broken or not worthy enough for them to create signatures. Some products are more or less aggressive about PUPs hence the difference.
 
Top