
Is there risk to using binary compression?

dchapman 0 Reputation points
2026-06-10T11:06:35.9866667+00:00

Does using binary compression such as UPX make binaries more likely to be flagged as malware by Microsoft Defender?

Microsoft Security | Microsoft Defender | Other

Answer accepted by question author

Marcin Policht 91,560 Reputation points MVP Volunteer Moderator
2026-06-10T11:21:36.8666667+00:00

Yep - this indeed makes your executables significantly more likely to be flagged as malware by Microsoft Defender. Malware creators frequently use UPX to hide malicious code from simple scanners and alter file signatures. Because bad actors use this tool so often, antivirus software treats UPX compression markers as a major red flag, even if your program is completely safe.

When you use UPX, the compressed file also ends up looking highly random and chaotic to security scanners. Microsoft Defender uses machine learning to look for this specific type of data chaos, which closely matches the patterns found in ransomware. Furthermore, UPX often strips out modern Windows security protections like hardware-enforced stack protection during compression, which makes the file look even more suspicious to automated defenses.

If your file gets blocked, it will usually trigger a generic warning ending in "!ml," which means it was flagged by machine learning. The easiest way to fix this issue is to avoid using UPX entirely, as small file sizes are rarely worth the security headache today. If you must compress your file, buying a digital code-signing certificate to sign your executable should establish trust with Defender and prevent false alarms.


If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin


1 person found this answer helpful.

1 additional answer

  1. AI answer

    2026-06-10T11:06:50.5233333+00:00

    Yes. Using generic binary packers or compressors such as UPX can increase the likelihood that a binary is flagged or scrutinized by Microsoft Defender and related protections.

    From Microsoft’s documented criteria:

    • Malware is defined by behavior that compromises user security (for example, backdoors, droppers, obfuscators, password stealers, ransomware), not just by the tool used on the file.
    • Potentially unwanted applications (PUA) are classified into categories such as advertising software, bundling software, evasion software, and poor industry reputation.
    • “Evasion software” includes software that actively tries to evade detection by security products or behaves differently in the presence of security products.
    • “Poor industry reputation” applies when trusted security providers detect a program as unwanted or malicious.

    Packers like UPX are widely used by both legitimate developers and malware authors. When a binary is compressed/packed, its code is hidden behind a decompression stub at runtime. This is a common technique in:

    • Obfuscators and droppers (malware categories explicitly listed by Microsoft).
    • Evasion behaviors (hiding or transforming code to avoid static inspection).

    Because of this, a packed binary can:

    1. Look more similar to known malware families that also use packers.
    2. Reduce the amount of static content available for reputation and signature-based analysis.
    3. Trigger more aggressive heuristic or behavioral analysis.

    This does not mean “UPX = malware,” but it does mean:

    • A packed binary is more likely to be treated as suspicious until reputation and behavior are clearly benign.
    • If the packed binary also exhibits behaviors that match malware or PUA categories (for example, downloading and executing other binaries, bundling unwanted software, or evading detection), it is more likely to be classified as malware or PUA.

    For software developers:

    • Consistently signing binaries with a certificate from a trusted root authority helps Microsoft quickly identify the source and build reputation.
    • If a packed binary is detected as malware or PUA and that is believed to be a false positive, the file can be submitted as a software developer and the determination disputed using the developer contact form after the submission result.
    • Microsoft does not maintain a “whitelist” or accept files into a false-positive prevention program; reputation is built via consistent signing and observed behavior.

    In practice, using binary compression/packing increases the chance of extra scrutiny and potential detections, especially if combined with behaviors that match malware or PUA criteria. Unsigned, newly released, or low-reputation packed binaries are at higher risk of being flagged.


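Both answers above rely on the same static signals a scanner sees in a packed file: packer section names and markers, sections whose bytes look random (high Shannon entropy), and reduced static content to analyse, plus the mitigation flags the first answer says packing can drop. The script below is an added example written for this page, not code from either answer or from Microsoft; it walks the PE headers by hand (no third-party `pefile`), reports those indicators for a file, and includes a constructed minimal-PE builder so it can be exercised offline. The helper names (`parse_pe`, `triage`, `build_minimal_pe`) are hypothetical, the `UPX0`/`UPX1` names and the `UPX!` marker are the stock UPX defaults and can be absent from modified builds, and the DllCharacteristics bit values come from the PE/COFF specification.

```python
"""Static packer triage for a Windows PE file (added example, not from the thread)."""
import math
import struct
import sys
from collections import Counter

# Optional-header DllCharacteristics bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # stock UPX defaults; a modified build may rename them
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data usually sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk the DOS header, COFF header, optional header and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dll_characteristics = struct.unpack_from("<H", blob, opt + 70)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    return {"dll_characteristics": dll_characteristics, "sections": sections}


def triage(blob: bytes) -> dict:
    """Collect the packer indicators a scanner would weigh before any behavioural analysis."""
    pe = parse_pe(blob)
    upx_sections = sorted(s["name"] for s in pe["sections"] if s["name"] in UPX_SECTION_NAMES)
    # Entropy alone is a weak signal: legitimate binaries with compressed resources also score high.
    high_entropy = [s["name"] for s in pe["sections"] if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY]
    missing = [label for bit, label in DLL_CHARACTERISTICS.items() if not pe["dll_characteristics"] & bit]
    has_upx_magic = b"UPX!" in blob  # marker written by the stock UPX stub
    indicators = []
    if upx_sections:
        indicators.append("UPX section names: " + ", ".join(upx_sections))
    if has_upx_magic:
        indicators.append("UPX! marker present")
    if high_entropy:
        indicators.append("high-entropy sections: " + ", ".join(high_entropy))
    if missing:
        indicators.append("missing mitigations: " + ", ".join(missing))
    return {"upx_sections": upx_sections, "high_entropy_sections": high_entropy,
            "missing_mitigations": missing, "has_upx_magic": has_upx_magic,
            "indicators": indicators,
            "likely_packed": bool(upx_sections or has_upx_magic or high_entropy)}


def build_minimal_pe(sections, dll_characteristics=0x0140) -> bytes:
    """Construct a structurally valid (not executable) PE32 image for offline testing."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    raw_ptr = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for line in triage(f.read())["indicators"] or ["no packer indicators found"]:
            print(line)
```

Run it as `python triage.py some.exe` to see which of the indicators a given build carries; a clean result does not prove the file will pass Defender, since reputation and runtime behaviour still matter, but a UPX-named, near-8-bits-per-byte, mitigation-free section set is exactly the profile the answers describe, and checking your own release artefacts for it before shipping is cheaper than handling a `!ml` detection afterwards.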
