.tmp file gives false positive

Issues related to Enigma Virtual Box
Doc
Posts: 5
Joined: Wed Jul 06, 2011 3:04 pm

.tmp file gives false positive

Post by Doc »

I tested the latest EVB 3.30.
One or more .tmp files under C:\Users\User\AppData\Local\Temp give false positives with AVG 2012 Free Edition.
The generated exe itself tests clean and runs without problems. But after starting, the app creates some .tmp files which trigger an AVG 2012 alert, see this picture:
AVG warning.png
My app itself creates a new thread which runs an SSH tunnel program. If this second exe is included in the EVB file list, the AVG alert is triggered. If I remove it from the EVB list and copy the tunnel app into the application folder, it does not seem to trigger the alert.

Are these (problematic) .tmp files really necessary?
Is this known and is there a workaround?

And besides, EVB doesn't seem to clean up its tmp files. After a few runs I have over 100 files, all about 2 kB in size...
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: .tmp file gives false positive

Post by Enigma »

Hi Doc,

Yes, this is surely a false detection, and it is very frustrating that it appears even on a tmp file. The tmp file really does not contain ANY code; it is just needed to run virtualized exe files and some DLL files.

You may uncheck the option "Map Executable Files With Temp File" in EVB, but this way there is no guarantee that virtualized exe files will work, although no temp files will be created.

We will try to contact the AVG team and ask them to fix this false detection.

Regarding multiple tmp files: yes, some files may not be deleted, agreed. But since they are located in the temp folder, you should not worry about system stability and so on. The tmp files are only about 1500 bytes in size, and the system will clear them itself if required. Anyway, in the next EVB release we will add the ability to delete temp files from the disk...
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: .tmp file gives false positive

Post by Enigma »

Also, if possible, please send this false detection sample to AVG as described there: http://www.softwareprotection.info/2011 ... -to-solve/

We will do this too and hope they solve the problem more quickly.
Doc
Posts: 5
Joined: Wed Jul 06, 2011 3:04 pm

Re: .tmp file gives false positive

Post by Doc »

Enigma wrote: Also, if possible, please send this false detection sample to AVG
Yes, of course I did that, but strangely, the .tmp files are scanned positive as malware by my local AVG, but the online check after file upload says the file is clean: negative, green check. Locally I'm using the latest scanner update.

And you are right, unchecking "Map Executable Files With Temp File" breaks executing the helper exe files. I can solve this by setting "Always write to disk" for these files, but it's not nice, because the files become visible during main application execution.
shamballa
Posts: 16
Joined: Tue Jun 08, 2010 11:13 pm

Re: .tmp file gives false positive

Post by shamballa »

Hello

Was this issue with AVG resolved? I am currently experiencing the same kind of problem with Avast, although it is not detected as malware, only as a suspicious file. This is enough to prevent my program from functioning as it needs to, though, as my program creates a compressed, AES-encrypted executable which can self-decrypt.

I am working on ways to integrate self-deletion after failed password attempts, and it uses a very small helper program made in AutoIt which will be launched virtually to do this. I suppose I could look into a .bat file to do this as well.

I have included a screenshot of the warning message that Avast displays:
Img1.PNG
This will always prevent the action from being executed, and even after selecting "run normally", for the next execution of this file it will then display the same warning message again.
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: .tmp file gives false positive

Post by Enigma »

Hi shamballa,

Unfortunately, this issue can't be solved from our side, because it is not a problem of our product but a problem of antiviruses that incorrectly detect the file as malware.

I can only recommend submitting the packed sample to Avast and asking them to fix the false detection. The more submissions we make, the more chance the problem will never appear again.

Contacts for sample submission are written there: http://www.softwareprotection.info/2011 ... -to-solve/