JusticeRage / Manalyze

A static analyzer for PE executables.

PolyEnE_0_01 false positive

securiteinfo opened this issue · comments

Hello,

In the file bin/yara_rules/peid.yara, the rule for PolyEnE_0_01__by_Lennart_Hedlund should be deleted because it detects false positives.

So please remove the following lines:

rule PolyEnE_0_01__by_Lennart_Hedlund
{
    meta:
        packer_name = "PolyEnE 0.01+ by Lennart Hedlund"
    strings:
        $a0 = { 60 00 00 E0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 00 00 E0 }

    condition:
        $a0
}

Thanks for reporting this! Could you provide some information to demonstrate what false positives are detected?

I have a few EXE files to submit.
How can I upload them to you?
WARNING: some of the files are potential malware. Do not execute them. Just view them with a hexadecimal editor to see that they are not packed by PolyEnE.

If I cannot upload the EXE files to you, let's think a bit:

The signature is: 60 00 00 E0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 00 00 E0
If this code is assembler, then it disassembles as:
60 pusha
00 00 add BYTE PTR [eax],al
e0 .byte 0xe0

This is too generic to be a packer routine.

If this is data, 600000E0 is too generic to rely on.

Simply by looking at the signature, it is clear that it is too generic and generates false positives.
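To make the "too generic" point concrete: read as a little-endian dword, `60 00 00 E0` is the PE section Characteristics value 0xE0000060 (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE), and the 36 wildcards put the second copy exactly one 40-byte IMAGE_SECTION_HEADER later, so any PE whose section table has two adjacent sections with those common flags hits the rule. The script below is an added example, not code from the issue or from Manalyze; the two section tables it builds are constructed dummies, and the hex string is transcribed from the rule above.

```python
import re
import struct

# Hex string of the PolyEnE_0_01__by_Lennart_Hedlund rule: 36 wildcards between the
# two dwords, i.e. a 40-byte stride, the size of one IMAGE_SECTION_HEADER.
POLYENE_HEX = "60 00 00 E0 " + "?? " * 36 + "60 00 00 E0"

# IMAGE_SECTION_HEADER.Characteristics bits from the PE specification.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def yara_hex_to_regex(hex_string):
    """Translate a YARA hex string with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def describe_flags(value):
    """Name the section Characteristics bits set in a 32-bit value."""
    return [name for bit, name in SECTION_FLAGS.items() if value & bit]


def section_header(name, characteristics):
    """Build one constructed 40-byte IMAGE_SECTION_HEADER (sizes are dummies)."""
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                       0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, characteristics)


def polyene_rule_matches(headers):
    """True if the rule's pattern hits anywhere in the given section table."""
    return yara_hex_to_regex(POLYENE_HEX).search(b"".join(headers)) is not None


# Constructed: two ordinary, unpacked sections both flagged CODE|DATA|RWX (0xE0000060).
GENERIC_RWX = [section_header(b".text", 0xE0000060), section_header(b".data", 0xE0000060)]
# Constructed: same layout, but the data section is read/write data only (0xC0000040).
TYPICAL_DATA = [section_header(b".text", 0xE0000060), section_header(b".data", 0xC0000040)]

if __name__ == "__main__":
    print("0xE0000060 =", " | ".join(describe_flags(0xE0000060)))
    print("two adjacent RWX code+data sections match:", polyene_rule_matches(GENERIC_RWX))
    print("code section + plain data section match:", polyene_rule_matches(TYPICAL_DATA))
```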

Mail sent with attached file.