
I have been trying out different EXE packers recently. I tried ASPack, UPX, mPress etc. While trying out half a dozen packers, I observed that most of the packed EXEs can trigger false virus signatures. Even UPX is no exception. Still, my choice is UPX. Can anybody please suggest what the best possible compression / packing method available in UPX is?

I am quite satisfied with UPX --lzma myEXE.eXE; still, I would love to hear from you people on this. I am not comfortable with UPX --ultra --brute myEXE.EXE since it eats up hours to do the trick.

StayOnTarget
jimsweb

  • --ultra --brute is the best and you already know this, maybe you should change the question to "alternatives to --all-filters" or something like that... – Anders Jan 20 '12 at 06:27
  • So why mention the false positives of malware scanners? Does that have anything to do with your question? – Joey Jan 20 '12 at 07:27
  • No. I was just mentioning that packers like ASPack make some of the AVs think that way. Not sure why it is so. – jimsweb Jan 20 '12 at 17:35

1 Answer

I have used UPX a lot, and there was not a big difference between the versions.

The latest --lzma setting produces very good results, and --ultra --brute is indeed not worth the time spent. At best, a 1% better compression rate... you would do better to subsample your internal bitmaps or refactor the code.

But, especially with Delphi applications, I do not use UPX any more. You spoke about anti-virus software false positives, and it is a huge problem. For instance, it sounds as if some "cheap" anti-virus software introduced very simple (and false) heuristic patterns, like "UPX+Delphi=potential malware" or "Delphi+size<300KB=potential malware".

If you try to submit such executable files to http://virustotal.com, you'll find out that about 8% of the anti-virus engines make such a wrong guess.

I've seen some of my web sites flagged as "malware URI" because of this. I've seen some customers complaining that my deliveries were infecting their computers. Not worth it.

To reduce the executable size, I therefore rely rather on:

Arnaud Bouchez
  • +1 very good answer, I'm actually against compressing executables, let's be honest, nowadays it's not really a problem to have even a 20MB executable if necessary... –  Jan 20 '12 at 09:00
  • You can also deliver your EXEs via 7Zip files or LZMA-compressed installers, that'll reduce the size to comparable levels without the hassle. – Eric Grange Jan 20 '12 at 10:26
  • I think Dorin's remark is even more important than the answer. First ask yourself WHY do I compress my 1MB exe that sits on a 2TB hard disk and is subsequently loaded into 4GB of memory only PARTIALLY? – Marco van de Voort Jan 20 '12 at 11:18
  • @MarcovandeVoort You're right, and it's worth saying that UPX will uncompress and then store the whole executable in RAM, whereas without UPX, it will be mapped in 4 KB blocks, only when needed - this is what you refer to when saying "loaded PARTIALLY". Some UPX in some places will use more RAM, especially for libraries (normal `.dll` are shared, whereas UPXed `.dll` are not shared among the executables which call them). So UPX is definitively not a 21st century tool. – Arnaud Bouchez Jan 20 '12 at 12:40
  • Thank you all for your invaluable comments. – jimsweb Jan 20 '12 at 17:36
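The answer above attributes the false positives to crude scanner heuristics rather than to anything the binary does. The script below is an added example, not code from the thread or from the UPX project, showing what such a heuristic looks like when applied to a PE section table: it flags the default `UPX0`/`UPX1`/`UPX2` section names, a section with no raw data but a large virtual size (the in-memory unpack target), and sections whose Shannon entropy is near 8 bits per byte (compressed or encrypted payload). To stay self-contained it builds a constructed, non-loadable PE-like byte string (`build_fake_pe`, `build_packed_sample`, `build_plain_sample` are names chosen here) instead of reading a real executable; the field offsets it reads (`e_lfanew` at 0x3C, 20-byte COFF header, 40-byte section headers) are the standard PE layout. Seeing how little evidence these rules need explains why a legitimate packed Delphi program trips them, and why an unpacked build does not.

```python
import math
import struct

# Section names UPX writes by default; their presence alone is one of the
# simplest "packed executable" heuristics a scanner can apply.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_fake_pe(sections):
    """Assemble a minimal PE-like image from (name, virtual_size, raw_bytes).

    Constructed test fixture, not a loadable executable: only the headers this
    script reads are populated (DOS stub, PE signature, COFF header with an
    empty optional header, section table, raw section data).
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, payload = b"", b""
    for name, vsize, data in sections:
        ptr = raw_ptr + len(payload) if data else 0
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused here), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, 0, len(data), ptr, 0, 0, 0, 0, 0)
        payload += data
    return dos_header + b"PE\x00\x00" + coff + table + payload


def parse_sections(image):
    """Walk the PE section table and return (name, virtual_size, raw_bytes)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        out.append((name, vsize, image[raw_ptr:raw_ptr + raw_size]))
    return out


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(image, entropy_threshold=7.0):
    """Return the packing heuristics that fire on this image (empty = none)."""
    findings = []
    for name, vsize, data in parse_sections(image):
        if name in UPX_SECTION_NAMES:
            findings.append(f"{name}: default UPX section name")
        if not data and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes reserved "
                            "in memory (typical unpack target)")
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            findings.append(f"{name}: entropy {ent:.2f} bits/byte "
                            "(compressed or encrypted payload)")
    return findings


def build_packed_sample():
    """UPX-like layout: empty UPX0 unpack area plus a high-entropy UPX1 blob."""
    blob = bytes(range(256)) * 16          # every byte value equally likely
    return build_fake_pe([("UPX0", 0x10000, b""), ("UPX1", len(blob), blob)])


def build_plain_sample():
    """Unpacked layout: a low-entropy .text section and a small .data section."""
    return build_fake_pe([(".text", 512, b"\x90" * 512),
                          (".data", 64, b"hello, world\x00" * 4)])


if __name__ == "__main__":
    for label, img in (("packed", build_packed_sample()),
                       ("plain", build_plain_sample())):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Run it and the constructed packed layout yields four findings while the plain layout yields none. The same three checks are why the distribution advice in the comments (ship an uncompressed EXE inside a 7-Zip archive or an LZMA installer) avoids the problem: the compression then lives outside the PE, so the executable the scanner inspects keeps normal section names, populated raw data and ordinary entropy.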