Hello and all the niceties.
First of all, I'm a PHP developer. A few years back I took a liking to developing Win32 applications (simple stuff, on a when-needed basis) in the PHP4 language. To that end I got a program called Bamcompile, which essentially encodes .php files into a form of bytecode, and then attaches them to a copy of itself (along with PHP extension .dlls) to form an executable. The Bamcompile program in itself is a modified PHP 4.4.4 executable "packed" with a .php file to do its job (extract its base and UPX, combine files and then compress them with UPX).
In various anti-virus software all of the programs created through this process have been reported, on numerous occasions, as some forms of a trojan. Interestingly enough, when I changed my UPX version to a newer one, the definition/type detected changed as well.
Anyway, this sounds like a false positive, but I cannot be sure. If Bamcompile itself is free of this (it's on bambalam.se/bamcompile), where could I submit some files to be tested? A few of my programs created this way are available at https://eter.sytes.net/projects/ if this would make things faster.
I've searched the forums on how to submit code for review, but found nothing (maybe I didn't search far enough?). The ContactUs page directed me here, so I guess that's why I am. If I erred, please point me in the right direction.
I'd really like to know if this is a false positive (different AV soft detect it as something else between them) - I'm pretty sure it is, but I'd like to take this chance to be absolutely SURE not to supply virus-infected files to my users.
EDIT:
I just wanted to point out that although the program is reported as being some form of malware, even if it is infected (and was, from the get-go), it exhibits no signs of malicious activity. In fact, I've noticed no problems (and other users haven't either). I mean, it wouldn't mean much in my case, seeing as I'm behind a NAT with UPnP disabled/unavailable - no cracker/master could connect to me easily even if he or she was notified of activation... but not many of my users have such a setup, most of them are connected directly to the internet, and I've had no reports of malicious behavior.
Some of my users are so-called "power users", even programmers themselves, and yet even they have not included any signs of problems in their beta reports.
That is why I am inclined to believe this to be a false positive. This should be checked (maybe it's UPX?), and - if possible - an exception should be added to the next ClamWin db update.