That's pretty much the same issue as what we have with the inordinate amount of engines that continue to see the use of UPX compression as an indicator of potential malicious behaviour (instead of just reporting on the uncompressed version of the file). I hope you can appreciate that if we go that route, then there's not much that's going to be left for legitimate application developers not to have their executable flagged as malware eventually, if all it takes is a property, that does not qualify as malware per se, to trigger a false positive.
Having empty resource sections for example is something that is seen in malware.Īnd now you have seen it in non-malware, therefore, I will argue that you should stop using that rule to qualify an executable as potential malware or, better, refine your rule so that your previous malware sample that had this property still gets flagged (through the use of other characteristics), but innocuous applications that also have this property don't.
Instead, it should be the exact opposite, with AV vendors being smart enough not to be tripped by an empty resource section when there's nothing malicious actually going on there.
So, if this is what you are going for, I am going to posit that I should not be the one who has to modify their build process so as not to trigger AV detection. The file was generated in a completely transparent fashion by MinGW through GitHub Actions, using a fairly standard build process. While I understand that you can of course only vouch for the MB engine (who, at least, is consistent there), if one is doing a proper job, then a decompressed UPX exe should produce the same results as a compressed.Īlso the file has a rcdata resource section but they are all empty. THIS is why I just don't have the time to go around every AV vendor out there and report a false positive, because, from the inconsistencies I can formally demonstrate, they are much more interested in crying wolf than anything else. The above is for the UPX decompressed version of above (executable can be found from the artifact at ). It sure does, along what I can only qualify as all the other 16 idiotic engines who clearly have no clue about what they're analysing and also report a false positive: To be more specific, the Chromebook Recovery Utility tool is reportedly crashing for some Windows 10 users.Ĭhromebook Recovery Utility, the tool to recover ChromeOS when the system is ‘broken’, is having some problems that do not allow its correct operation.Endpoint Detection & Response for Serversĭo you know if it still hits if its not upx packed? So, it doesn’t allow ChromeOS recovery on a ChromebookĬhromebook Recovery Utility tool crashing for some on Windows 10Īccording to the reports of affected users, while trying to run the recovery process with the Chromebook Recovery Utility, the tool only crashes and the window disappears. When Im using my 2nd laptop to use Chrome recovery utility and I’m putting chrome os on the USB drive a little page pops up asking if I want to allow this app the make changes on the device. I click yes and all the pages crash and disappear… When I reopen chrome it ask if I want to restore pages. Every time I open chrome recovery utility and go through the steps once that little page pops up asking if I want to allow app to make changes on device and I click yes everything crashes and disappears. One of them is to install Chromebook Recovery Utility as administrator: In addition to the above, it seems that the problem is mainly affecting users of Windows 10 OS.Īmong the reports, there are some workarounds that could help solve the issue. I have gotten it to work if you launch chrome as administrator and then install the chromebook recovery utility from within the admin chrome it then worked at least for me. If that doesn’t work for you, you can try another workaround. Iso) and then use a disk utility (like Rufus): It consists of downloading a file according to the model of your Chromebook ( from this link), change its extension (from.