PETools detected as malware #7

Closed
minexew opened this issue Aug 8, 2018 · 5 comments
@minexew

minexew commented Aug 8, 2018

See https://www.virustotal.com/#/file/8fd1a1cc1a253fd58693c181895d392ba20fc2a638aaecbc2e8f5d004db8fc27/detection
Why is this?

@upiter
Collaborator

upiter commented Aug 12, 2018

Generic answer

You may see many false detections because antivirus technologies suck.

More complex answer

As you can see, the PE Tools main executable is not packed, the code is clean, no virtual machines, no encrypted code parts, no obfuscation. But many antivirus engines can't handle even such an easy case.

The main reason why AV could treat PE Tools as risky software is its feature list:

PE Editor

  • PE and DOS Headers Editor
  • PE Sections Editor
  • PE Directory Viewer and Editor
  • Export Directory Editor
  • Import Directory Editor
  • Resource Directory Viewer
  • Exception Directory Viewer
  • Relocation Directory Viewer
  • Debug Directory Viewer
  • TLS Directory Editor
  • Load Config Directory Editor
  • Bound Directory Editor

Process Viewer and Manager

  • Show basic process information
  • Show process modules

PE Dumper

  • Running process dumper

PE Rebuilder

  • Dump Fixer
  • Relocation Wiper
  • Resource Directory Rebuilder
  • PE file Validation
  • Imports Binder
  • ImageBase Changer

Possible solutions

  • Inform the antivirus company that produced the weak antivirus with a paranoid engine about the false detection: by email or forum
  • Trust a professional antivirus which doesn't mark PE Tools as a threat
  • Analyse PE Tools features with a disassembler like Cutter / Binary Ninja / IDA and decide yourself
  • Don't use PE Tools in a real-world environment, only in safe VM conditions
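The comment above rests on the observation that the executable is "not packed, no encrypted code parts". A defender who wants to check that kind of claim on any PE before trusting a vendor verdict can do the first pass without a disassembler: walk the section table and compute per-section entropy, plus look for writable-and-executable sections. The script below is an added example written for this thread, not PE Tools code and not part of the original comment; the PE image it inspects is constructed in memory for the example, and `build_sample_image`, `parse_sections` and `suspicious_sections` are names chosen here.

```python
"""Added example: minimal PE section walker with a packing heuristic.

Shannon entropy near 8 bits/byte is what compressed or encrypted section
data looks like; ordinary compiled code usually sits well below 7. A
section that is both writable and executable is another classic
packer/stub indicator. Neither is proof of malice on its own.
"""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list[dict]:
    """Return one dict per section header (name, flags, raw size, entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt  # COFF header is 20 bytes, then the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _prel, _pln, _nrel, _nln, flags) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]  # truncated slice if the header lies
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "characteristics": flags,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(image: bytes, threshold: float = 7.0) -> list[tuple[str, list[str]]]:
    """List (section name, reasons) for sections that trip the heuristics."""
    findings = []
    for s in parse_sections(image):
        reasons = []
        if s["entropy"] >= threshold:
            reasons.append("high entropy")
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if s["characteristics"] & wx == wx:
            reasons.append("writable+executable")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_sample_image() -> bytes:
    """Constructed toy PE: one plain code section, one packed-looking section.

    It carries no optional header (SizeOfOptionalHeader = 0), which the parser
    honours, so it is only a fixture for the section logic, not a loadable file.
    """
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, no symbols, no optional header
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x0102)
    table = 0x44 + 20
    text = b"\x90\xc3" * 256        # two byte values only -> 1 bit/byte
    packed = bytes(range(256)) * 2  # every byte value equally often -> 8 bits/byte
    layout = [
        (b".text", text, 0x200, 0x60000020),    # CODE | EXECUTE | READ
        (b".pack", packed, 0x400, 0xE0000020),  # CODE | EXECUTE | READ | WRITE
    ]
    for i, (name, data, ptr, flags) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", img, table + 40 * i,
                         name, len(data), 0x1000 * (i + 1), len(data), ptr,
                         0, 0, 0, 0, flags)
        img[ptr:ptr + len(data)] = data
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_IMAGE):
        print(f"{s['name']:<8} size={s['raw_size']:#06x} entropy={s['entropy']:.2f}")
    print(suspicious_sections(SAMPLE_IMAGE))
```

Run it against a real file with `parse_sections(open(path, "rb").read())`; a binary like the one described in the thread should show code sections in the 5 to 6.5 bit range and no writable+executable sections, while a packed stub typically shows one tiny low-entropy section next to one near 8.0. Treat the output as a reason to look closer, not as a verdict.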

@djdron

djdron commented Apr 9, 2020

So where is the project source code to view & research?
Analyse code with a disassembler? No, thanks.
What is the reason to place a project on GitHub without source?
Chrome/Microsoft antivirus detects it as a trojan.
The old version which I have, 1.5.800.2006 RC7, is not detected.

@upiter
Collaborator

upiter commented Apr 17, 2020

> So where is the project source code to view & research?

It's not published, sorry.
You may find leaked/published sources of an old version, then fix bugs and add new features yourself.

> Analyse code with a disassembler? No, thanks.

It's your choice. Trust antivirus.

> What is the reason to place a project on GitHub without source?

As an issue tracker.

> Chrome/Microsoft antivirus detects it as a trojan.

We don't care. See the previous answer. Just don't use the new version.
If you trust Chrome/Microsoft antivirus, then remove the new PE Tools version and be safe.

> The old version which I have, 1.5.800.2006 RC7, is not detected.

Great news. Use it.

@ada-s4c

ada-s4c commented Aug 22, 2023

> > The old version which I have, 1.5.800.2006 RC7, is not detected.
>
> Great news. Use it.

Not ideal for the user, but that's fair.

Repository owner deleted a comment from somk Aug 23, 2023
@upiter
Collaborator

upiter commented Aug 23, 2023

> Not ideal for the user, but that's fair.

Well, after visiting the link in the first post, you can get two lists:

  1. Antivirus products that suck and don't do their job well (false detections)

    • Some of them treat PE Tools as "Unsafe", "Possible Threat"
    • Some of them treat PE Tools as "PUP" (Potentially Unwanted Programs)
  2. Antivirus products that do their job well (no false detections)

List of products that treat PE Tools as clean software:

  • Avira (no cloud)
  • Baidu
  • CMC
  • Cynet
  • Cyren
  • DrWeb
  • F-Secure
  • K7AntiVirus
  • K7GW
  • Kaspersky
  • NANO-Antivirus
  • Palo Alto Networks
  • QuickHeal
  • SentinelOne (Static ML)
  • TACHYON
  • TEHTRIS
  • Trapmine
  • VBA32
  • VirIT
  • Zillya
  • ZoneAlarm by Check Point
  • Zoner

I recommend reading my first comment, especially the block "Possible solutions".

I hope that if every confused researcher, instead of complaining here, pushes AV companies to do their job well, then we'll have more adequate AV products and services.

@upiter upiter pinned this issue Aug 23, 2023