About TCMC...

Post by *ghisler(Author) » 2008-11-06, 17:27 UTC

They probably simply don't care, because no big programs use Upack. If they did this for UPX, many more programs (including Total Commander, which is used by many 100'000 people) would fail to work, which would directly affect the sales of these scanners...

Yuta · Post by *Yuta » 2009-01-23, 16:53 UTC

ViruScan still recognises it as virus. Generic.dx
Virus definitions 4.0.5502

Is there other similar tool?

m^2 · Post by *m^2 » 2009-01-23, 17:34 UTC

I don't know of any alternative.
I really can't work on the new version.

I'll contact virus companies then.

ADDED:
Well there is alternative. AHK. Search the forum and TC wiki, it is explained somewhere.

Post by *Hacker » 2009-01-23, 18:15 UTC

Yuta wrote:ViruScan still recognises it as virus. Generic.dx
Virus definitions 4.0.5502

Is there other similar tool?

Avast, AVG, Avira, Bitdefender...

HTH
Roman

Samuel · Post by *Samuel » 2009-01-23, 20:39 UTC

Yuta wrote:Is there other similar tool?

I wrote a macro program in Ahk:
See here.

It can also handle ctrl+click on the Toolbar, but you can use it for pure macros too.

But only few people cared...

Hope it will help you.

m^2 · Post by *m^2 » 2009-01-23, 22:39 UTC

25 false positives. I reported 17. Got problems with the following:
-Authentium (they don't like my email address)
-AVG (requires forum registration. TODO)
-eSafe (no online contact)
-eTrust-Vet (support temporarily unavailable. TODO)
-Ikarus (complicated support form in german, seems to require some special file, I don't get it)
-k7 (they thought I'm a spammer)
-PCTools (couldn't find contact information)
-Symantec (their contact software crashed)

Note to self:
MA245715211

nsp · Post by *nsp » 2009-01-24, 10:39 UTC

m^2 wrote:25 false positives. I reported 17. Got problems with the following:
-Authentium (they don't like my email address)
-AVG (requires forum registration. TODO)
-eSafe (no online contact)
-eTrust-Vet (support temporarily unavailable. TODO)
-Ikarus (complicated support form in german, seems to require some special file, I don't get it)
-k7 (they thought I'm a spammer)
-PCTools (couldn't find contact information)
-Symantec (their contact software crashed)

Note to self:
MA245715211

I think that the best way is to not use upack or all PE packer that do not have uncompress feature...

I've done a small test.exe once packed with upack (on my virtual box machine), i download it to my PC and got virus warning ! (i've also done an un-winupacked version of TCMC and everything is fine for virus detection (exept that PE header is not clean)

m^2 · Post by *m^2 » 2009-01-24, 10:55 UTC

I won't give up Upack only because some idiots in AV companies think that only crapware makers use it.

nsp · Post by *nsp » 2009-01-24, 15:56 UTC

m^2 wrote:I won't give up Upack only because some idiots in AV companies think that only crapware makers use it.

I can understand your point, but you should also provide an unpacked version of your file (like ghisler do with unpacked TC).

For AV maker, upacked exe are very dificult to decompress so they give up and prefer give a false positive alert than ignoring a potential risk !

m^2 · Post by *m^2 » 2009-01-24, 16:26 UTC

Impossible. About the time when I wrote TCMC I lost a hard drive. I have a backup of it's sources, but not the latest version.

Packed exes are very easy to decompress. They come with decompressor, don't they? It's enough to extract and use it.

And AFAIK Upack uses pure LZMA, there's a free, fast and well proven decompression library available for years.

ZoSTeR · Post by *ZoSTeR » 2009-01-26, 10:48 UTC

You can unpack it with deupack 0.3 (link). I also tried the PE-Explorer plugin but it damaged the exe.

Upack doesn't have an official decompression method AFAIK.

nsp · Post by *nsp » 2009-01-26, 11:57 UTC

ZoSTeR wrote:You can unpack it with deupack 0.3 (link). I also tried the PE-Explorer plugin but it damaged the exe.

Upack doesn't have an official decompression method AFAIK.

I confirm that deupack 0.3 works and you can even repair the PE header with repairPE or XPElister... if M^2 authorize me, i can put tcmc.exe unpacked in a download area for a limited period of time...

m^2 · Post by *m^2 » 2009-01-26, 12:07 UTC

Yesterday Sombra sent ma a set of 4 unpacked versions together with a summary of VirusTotal analysis.
Even the best ones show 4 positives.
I think it's best to distribute the whole package, I asked if it's OK for him.

In the meantime I'm discussing with AV crew about packed TCMC.
F-Secure, Sophos, TrendMicro reviewed the file already and said OK, but didn't update the definitions yet.

Prevx, McAffe - both want me to buy their products, but I think we'll solve the problem another way.

The other 12 companies didn't contact me yet.

m^2 · Post by *m^2 » 2009-01-27, 08:06 UTC

I don't have a server, nsp, could you kindly upload it somewhere?

http://localhostr.com/files/392e3e/TCMC_u.7z

nsp · Post by *nsp » 2009-01-27, 08:33 UTC

m^2 wrote:I don't have a server, nsp, could you kindly upload it somewhere?
....

You can get tcmc_u.7Z on free download share

2m^2you can contact me when you want me to remove the file !