Wednesday, February 13, 2008

BitDefender antivirus software false positive detection: Packer.XComp.A

False positive on executables compressed with the XComp packer, versions 0.98 and 0.97 (XComp & XPack). From the nfo:
XComp/XPack: A freeware PE32-imagefile packer/rebuilder
(c)2007 JoKo, Version 0.98 02/18/2007

Detected by:
BitDefender 7.2 2008.02.13 Packer.XComp.A

Here is a test using uTorrent.exe packed with XComp 0.98, plus a DLL that had previously been injected and packed with PECompact:
A deep analysis of the real target is negative (no backdoor or any kind of virus), while the DLL was not flagged by any AV.

Observed since the signature update of today, 14 Feb. 2008, using BitDefender Enterprise Solution for Windows Server and the standalone editions (German versions).

BitDefender Labs Defense Center sucks: they are unable to integrate good unpacking engines for software protectors, and the result is false positives en masse!!!

Either the UPX-variant packer is not recognized by the unpack engine or BitDefender is simply unable to unpack and check the files. At the same time BitDefender skips deep scanning inside Armadillo- and Themida-protected files, and also misses DLLs embedded or injected into PECompact-packed files.
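Generic `Packer.*` detections rest on a few cheap file-level heuristics, and seeing them run makes clear why a clean XComp-compressed uTorrent.exe trips one. The following added example (not code from this post, from XComp or from BitDefender) checks a PE32 image for three of them: sections whose entropy approaches 8 bits/byte, sections that are both writable and executable, and well-known unpacker-stub section names. It builds its own minimal PE images as constructed input; the 7.0 entropy threshold, the 256-byte minimum section size and the UPX-only name list are assumptions made for the example.

```python
"""Generic packer indicators on a PE32 image (added example, not any vendor's logic)."""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 7.0           # bits per byte; compressed/encrypted data sits near 8.0 (assumed threshold)
MIN_SECTION_BYTES = 256      # entropy of tiny sections is not meaningful (assumed)
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # UPX's well-known stub sections; list is illustrative
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes, characteristics) for every section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]        # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                                          # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, pe[raw_ptr:raw_ptr + raw_size], characteristics


def packer_indicators(pe: bytes) -> dict:
    """Return {'likely_packed': bool, 'indicators': [reasons]} for one PE image."""
    reasons = []
    for name, data, chars in parse_sections(pe):
        label = name.decode("ascii", errors="replace") or "<unnamed>"
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{label}: known packer section name")
        if len(data) >= MIN_SECTION_BYTES:
            ent = shannon_entropy(data)
            if ent >= HIGH_ENTROPY:
                reasons.append(f"{label}: entropy {ent:.2f} bits/byte")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"{label}: writable and executable")
    return {"likely_packed": bool(reasons), "indicators": reasons}


def build_sample_pe(sections) -> bytes:
    """Build a minimal, non-loadable PE32 image from (name, data, characteristics) tuples.
    Constructed test input only: the optional header is zero-filled apart from its PE32 magic."""
    n = len(sections)
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * n + align - 1) & ~(align - 1)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)   # i386, EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table, body, ptr, va = b"", b"", raw_ptr, 0x1000
    for name, data, chars in sections:
        size = (len(data) + align - 1) & ~(align - 1)
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), va, size, ptr, 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        ptr += size
        va += max(size, 0x1000)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


# Constructed samples: one shaped like a UPX-style packed file, one like an ordinary build.
_rng = random.Random(20080213)                                   # seeded so the sample is reproducible
_COMPRESSED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
_PLAIN_CODE = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]

PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b"", 0xE0000080),                 # uninitialized data, read | write | execute
    (b"UPX1", _COMPRESSED_LIKE, 0xE0000040),   # initialized data, read | write | execute
])
PLAIN_SAMPLE = build_sample_pe([
    (b".text", _PLAIN_CODE, 0x60000020),        # code, read | execute
    (b".data", b"\0" * 512, 0xC0000040),        # initialized data, read | write
])

if __name__ == "__main__":
    for label, image in (("packed-like", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(image))
```

Run it against a real binary with `packer_indicators(open(path, "rb").read())`. A legitimately compressed installer or a protected shareware build scores exactly like packed malware here, which is the point the post is making: an engine that stops at these indicators instead of unpacking and scanning the payload produces the false positives described above.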


Themida and Armadillo protectors:

An example of background activity that would be a legitimate (true positive) detection target, but which BitDefender Labs Romania does not monitor well: non-PnP system drivers automatically installed by packed/protected files.

Commercial anti-cracking products from Oreans Technologies for shareware applications...

Shareware protectors like Themida and Armadillo.
The Themida (Oreans) and Armadillo exe packers/protectors add and run a system service as a hidden non-plug-and-play device driver, together with registry values that cannot be modified or deleted even from the admin account.

Themida is the evolution of Xprotector. Oreans.sys is the faulting driver; it is part of Xprotector/Themida, a software protection scheme used by some shareware programs.
I've downloaded Themida from and started to check.

Themida uses a ring-0 .sys driver (Oreans.sys) just as Xprotector did (xprotector.sys). The WinLicense driver is loaded in memory, and there is no way to read from process memory.
The Themida and Armadillo exe packers make it easy to embed a nag/splash screen, and with certain tools a virus/backdoor and other files can be attached inside bmp or jpg picture files to the exe, dll, ... file, which the packing/protection then hides from code view.

Oreans.sys and xprotector.sys can be found under Control Panel > Hardware > Show hidden devices > Non-Plug and Play Drivers.
Run Uninstall on this "security" background service. That alone does not finish the job: you also need to edit the registry, but the keys are locked. Right-click and set the access control so that you can delete
the registry entries as admin; see the attachment for how to get rid of it.

This also applies to newer Armadillo versions by Digital River, Inc.; see Wikipedia: Digital River.

After the very first execution of a Themida- or Armadillo-protected, injected or packed exe or dll file, it runs in the background as a non-PnP driver service from every Windows startup on. The driver service and the .sys file are extracted from the packed file and installed automatically as soon as the protected file runs for the first time.

Service (registry key): XPROTECTOR, and others used by Armadillo / SoftwarePassport (siliconrealms, = Digital River) and by Oreans Technologies' Themida®, WinLicense®, Code Virtualizer®, ...
Display name: XPROTECTOR
Image path: C:\WINDOWS\system32\drivers\Oreans.sys
The *.sys file is not signed and shows no version info.
The Oreans driver is loaded in memory at system start.

Access via Control Panel > System Properties > show hidden devices > Non-Plug and Play Drivers: check the entries and click Uninstall.

Image path: %windir%\system32\drivers\Oreans.sys
Search the Windows registry for: XPROTECTOR
and Oreans.sys etc...

Windows registry: search for the entries, right-click > access control, and change the ownership to get permission to delete, remove or edit them.
If that fails, try removing this kind of driver in Windows safe mode.
It reinstalls itself as soon as you start an application that is protected by these exe packers/protectors, and you have to go through the whole process again.
Check with PEiD or EXE Info PE which files are built with Armadillo and Themida. Not too long ago many issues with older versions of Oreans.sys were reported on overclocked CPUs; whether newer versions have fixed them is unknown. The best you can do is delete files with this kind of protector, or unpack them with OllyDbg. For a while now uTorrent and BitTorrent, as well as eMule mods, have been protected by some "modders" with these shareware protectors.
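The registry part of the clean-up above can be triaged offline. The added example below (not code from this post or from any of the vendors named) parses a `reg export` of the Services hive, including the wrapped `hex(2)` REG_EXPAND_SZ values such exports use, lists every kernel-mode driver service with its start type and image path, and matches them against the indicators the post gives (service name XPROTECTOR, image Oreans.sys). The embedded export is constructed: the XPROTECTOR key reuses the names and path from the post, while its Type/Start values and the Beep and Spooler entries are assumed for the example.

```python
"""Triage kernel-mode driver services from a .reg export of the Services hive (added example)."""
import re

# Offline input for:  reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
# (reg.exe writes UTF-16LE with a BOM; open real exports with encoding="utf-16").
KERNEL_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}       # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
INDICATORS = {"xprotector", "oreans.sys"}                               # service name and driver file named in the post

# Constructed sample export. XPROTECTOR mirrors the key, display name and image path from the
# post; its Type/Start values and the Beep and Spooler entries are assumed for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPROTECTOR]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\Oreans.sys"
"DisplayName"="XPROTECTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,42,00,65,00,65,00,70,00,2e,00,53,00,\
  59,00,53,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
'''


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str):
    """Decode one .reg value: quoted string, dword:, or hex(type): byte list."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = int(m.group(1) or 3)                                    # bare hex: is REG_BINARY (3)
        if kind in (1, 2, 7):                                          # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}, joining wrapped hex lines."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):                 # hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        if current is not None:
            keys[current][_unescape(name.strip('"'))] = _decode_value(raw)
    return keys


def kernel_drivers(reg_text: str) -> list:
    """Return every kernel-mode driver service with its decoded start type and image path."""
    drivers = []
    for path, values in parse_reg(reg_text).items():
        if values.get("Type") not in KERNEL_TYPES:
            continue
        drivers.append({
            "name": path.rsplit("\\", 1)[-1],
            "type": KERNEL_TYPES[values["Type"]],
            "start": START_TYPES.get(values.get("Start"), "unknown"),
            "image_path": str(values.get("ImagePath", "")),
        })
    return drivers


def flag_indicators(drivers: list, indicators=INDICATORS) -> list:
    """Drivers whose service name or image file name matches an indicator (case-insensitive)."""
    hits = []
    for d in drivers:
        image_file = d["image_path"].rsplit("\\", 1)[-1].lower()
        if d["name"].lower() in indicators or image_file in indicators:
            hits.append(d)
    return hits


if __name__ == "__main__":
    found = kernel_drivers(SAMPLE_REG)
    for d in found:
        print(f'{d["name"]:<12} {d["type"]:<18} start={d["start"]:<8} {d["image_path"]}')
    print("indicator hits:", [d["name"] for d in flag_indicators(found)])
```

Export the hive with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and pass the file contents, read with `encoding="utf-16"`, to `kernel_drivers()`. Listing drivers by type and start value rather than by name is what keeps this useful once the names change: any kernel driver that loads at boot or system start and whose image you cannot account for deserves the signature and version check the post describes.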

Oreans.sys v1.40 (one of the latest versions) and some registry keys: Oreans Themida System Driver Service, non-PnP, hidden, 89.7 KB (91,856 bytes)

Changing the AV solution back to Symantec Corporate Solutions, Kaspersky or NOD32 Enterprise for servers is the only way to avoid severe false positives, get a better unpacking/scan engine for types like Armadillo and Themida, and save the time spent unpacking questionable applications by hand. All of them also offer more configuration options and settings, such as *exclude* filters etc...
BitDefender Support
Our support staff enjoy exclusive training in order to answer customer enquiries quickly and purposefully, or not: when they are out of their depth they happily evade the question. -

BitDefender™ is the Romanian manufacturer that is the worldwide technology leader in data security. The company offers innovative solutions that protect effectively against IT threats, setting new standards in the field for reaction speed, installation, ease of use and easy updating. Present in more than 6000 stores on five continents, BitDefender is the most widespread Romanian product in the world, effectively protecting more than 41 million individual and corporate users in more than 180 countries against threats. BitDefender has subsidiaries in the USA, the United Kingdom, Germany, Spain and Romania. More information can be found by visiting the site:


Anonymous said...

I've been using XComp for years to compress all big files. I knew the author, but he doesn't update it anymore. They may be crazy at BitDefender Research Labs. There is no virus in this packer, but maybe it's because it's freeware, and UPX will follow soon :-). The only thing you can do is install weekly.exe offline from February 1st and disable online updates permanently, as well as the BitDefender Desktop Update Service LIVESRV. The update subscription you can trash.

Anonymous said...

Normal. Now you can delete the post about sb-innovation from last week, because it's not good for our forum if people talk about our mods containing trojans. The exe files of the leecher packs are packed with the same packer...

Anonymous said...

Change the AV protection:
Choice one:
The new upcoming Prevx 2 is not bad.
Also G DATA Internet Security 2008 with its multi-engine is much better than BD this year!!!

Anonymous said...

Use it as a private packer and fuque the internet. Only sick people and businesses there.
