Sunday, December 21, 2008

PECompact v2.98

PECompact v2.98 is a fast exe compressor with a very good compression ratio.

Executable compressors work by compressing selected portions of executables. At runtime, compressed executables are decompressed and reconstructed directly into their virtual image (memory) so that no data is ever written to the disk. The executable can therefore be run exactly as it was before without the user even knowing it was compressed.

PECompact2 is a next generation win32 executable/module compressor. Commonly termed an 'executable packer', such utilities compress executables and modules (i.e. *.EXE, *.DLL, *.OCX, *.SCR). At runtime the compressed modules are rapidly decompressed in memory.
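The runtime-decompression layout described above leaves traces in the PE section table, and those traces are what packer heuristics in scanners key on. The following is an added example, not code from this post or from Bitsum: a section-table reader that lists them. The function names, the thresholds (entropy above 7.0, a 4x memory-to-disk ratio) and both sample images are assumptions constructed for illustration; the "packed" sample is a generic shape, not actual PECompact output.

```python
import math
import struct
from collections import Counter

WRITE, EXEC = 0x80000000, 0x20000000  # IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE

def entropy(buf):
    """Shannon entropy in bits per byte; compressed data sits close to 8."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def sections(data):
    """Yield (name, virtual_size, raw_size, entropy_of_raw_data, flags) per section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (count,) = struct.unpack_from("<H", data, pe + 6)          # NumberOfSections
    (opt,) = struct.unpack_from("<H", data, pe + 20)           # SizeOfOptionalHeader
    for off in range(pe + 24 + opt, pe + 24 + opt + 40 * count, 40):
        name, vsize, _, rsize, rptr, flags = struct.unpack_from("<8sIIII12xI", data, off)
        yield (name.rstrip(b"\0").decode("latin-1"), vsize, rsize,
               entropy(data[rptr:rptr + rsize]), flags)

def packer_indicators(data):
    """Reasons a heuristic scanner could label the file 'packed' (not 'malicious')."""
    hits = []
    for name, vsize, rsize, ent, flags in sections(data):
        if flags & WRITE and flags & EXEC:
            hits.append(f"{name}: writable and executable")
        if flags & EXEC and vsize > 4 * rsize:
            hits.append(f"{name}: {vsize} bytes in memory, {rsize} on disk")
        if ent > 7.0:
            hits.append(f"{name}: entropy {ent:.2f}")
    return hits

def build_sample(spec):
    """Constructed input: a header-and-sections skeleton, not a loadable program."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 0, 0x102)
    table, body, base = b"", b"", len(head) + 40 * len(spec)
    for name, vsize, raw, flags in spec:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw),
                             base + len(body), 0, 0, 0, 0, flags)
        body += raw
    return head + table + body

PLAIN = build_sample([(b".text", 512, b"\x90\xc3" * 256, EXEC)])
PACKED = build_sample([(b".text", 0x8000, b"", WRITE | EXEC),       # filled at runtime
                       (b".rsrc", 512, bytes(range(256)) * 2, 0)])  # stand-in for compressed data
```

`packer_indicators(PACKED)` returns three hits and `packer_indicators(PLAIN)` none. Every hit describes how the file is laid out, not what its code does once unpacked.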

Dear all
PECompact by Jeremy Collake is not a virus. If applications compressed with PECompact show a virus alert, it is a FALSE POSITIVE. You are safe to ignore it. I have been using it for many years!!!
Same problem with false positives on compressed exe and dll files using mpress by matcode. All our Applejuice Hacks are listed as false positives! Same with the files compressed with XComp and XPack by JoKo. It is a horror, as after one year one AV firm found them 'as new packer known' and added it to the database, and nearly all other AV firms followed within 3 months. None of the AVs that show it as a positive virus is able to manually unpack the compressed applications or the packer itself to analyze it in unpacked condition. OllyDbg unpacking scripts exist which do the job very well, and all the files listed as virus show negative in proper unpacked condition - no virus found. This means some AV automatic unpacking engines suck at scanning through the files deeply enough. Experimentally tested by sticking another PE signature in a file, and it randomly shows a completely different kind of virus than before. The logic is far off if a German freeware file compressor programmer adds to the compression tool a Brazilian banker trojan (no file ever connected online, per all firewall logs) which the Japanese AV shows as a positive trojan. I have the firm opinion that virus researchers/reporters have no idea about PE file structure, file compression, packers and unpacking, and that the result of a possible virus found never got analysed before compressed files were shown as false positives from one AV to another around the globe.
Here are some results of scanners which show a typical false positive:
http://www.virustotal.com/de/analisis/ad44974f814eb2389220c8966f155e3c among them are NOD32 and BitDefender. AV scanners from Kaspersky, Avast, Comodo, Panda and Ikarus did correct it and can scan the packed files. Kaspersky can even scan the packer itself and doesn't show the false positive anymore.
http://www.virustotal.com/analisis/b92b11f1c9f24387d77523a674edf5da
Last but not least, even UPX-compressed files can sometimes show up as false positives in some AVs if a single letter (byte) in the file header gets changed. One or two byte(s) cannot be a virus!
The strangest thing is that if I use the original ASPACK and pack some files with aspack (not asprotect!), 85% of the self-packed/compressed files on the hard disk show up as a virus after compressing, while commercial applications made with the same packer, aspack, do not show a virus at all (HiDownload, for example). This raises the question for me whether each packed application needs exclude rules in many antivirus programs.

Believe it or not, I go without activated antivirus protection in the background. My protection is routers with firewalls on the network connection, a Windows hosts file (from a good free update service), MS Windows Defender, a network activity monitor for incoming/outgoing traffic, a folder change watcher, one eye on the registry if I run a new application outside the sandbox, and Process Explorer (Sysinternals and NirSoft have good diagnostic/monitoring tools) for what's running. For checks in between, I run tools like Spybot Search & Destroy or XoftSpySE. Never run unknown setups if tools like Universal Extractor can unpack the setup/installers; take the instructions (regkeys, ...) from the setup script file.

I am a fan of small files, as long as the performance is good - nearly the same as not compressed.


Homepage: http://bitsum.blogspot.com/
Product site: http://www.bitsum.com/pecompact.php

Student Version via email request from program Author

2.98

* Change.Package: Moved more plug-ins to the registered build only.
* Change.GUI: Updated Russian translation.

2.96

* Fix.Core: Fixed compression of executables with MUI resources (i.e. Vista's notepad.exe). In previous builds, affected executables would fail to start after compression.
* Change.EAD.Loader: Updated, some more protection code added.
* Change.EAD.Loader: Changed name so it appears more descriptive and correct.
* Installer.Change: Trial version no longer includes cipher codecs.
* Installer.Removal: Removed PEHideText from trial version.
* Installer.Removal: No longer publicly distributing student version due to abuse by malware authors. Freeware authors and academics can obtain a freeware license for PECompact by emailing: support # bitsum . com ( replace # with @ )
* Post-release updates:
  * [.1] Fix.GUI: Fixed accidentally broken project file and saved settings format.
