UPX packed PE/COFF executable detected (UPX_Packed_Executable)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology, RealSecure Server Sensor, RealSecure Network, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection:

This signature detects PE/COFF executable files that have been packed using the UPX tool. While the presence of a UPX packed executable does not in itself represent an attack, it can be considered an anomaly. The UPX tool is commonly used to pack trojans and malware, while it is somewhat uncommon for the tool to be used to distribute legitimate commercial software. The file should be examined to determine if it constitutes malware.

Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology, RealSecure Server Sensor, RealSecure Network, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection: Legitimate software packed using UPX will trigger this signature.

Default risk level

 Low

Sensors that have this signature

Proventia Network IPS: XPU 1.42, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: XPU 24.2, Proventia Network MFS: XPU 1.41, Proventia Server IPS for Linux technology: 1.0, RealSecure Server Sensor: XPU 24.2, RealSecure Network: XPU 24.2, BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE PC Protection: 3.6cpa

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Suspicious Activity

Vulnerability description

How to remove this vulnerability

References