Anti-virus plague

Ironic, isn’t it? Nowadays, anti-viruses are becoming more and more intrusive, and ‘thanks’ to heuristic approaches, false positives are rising a lot, while eradications of real viruses are less and less common. When was your last real virus detection? Mine was maybe 5-6 years ago. Since then, I got many alerts, but all were just dumb. Microsoft has made giant progress in countering virus spreading and execution with modern iterations of Windows (see ASLR, DEP, user mode, etc.).

My concern about anti-viruses is the famous heuristic approach, which often flags legit PureBasic programs as contaminated. I don’t know exactly how an anti-virus works, but I bet it builds a database of code patterns found in real viruses, and if such a code pattern is found in an executable it raises an alert. And here is the real problem: if PureBasic is used to make a trojan or a virus, then chances are high that the code pattern will actually be a PureLibrary command, meaning that every other PureBasic program using this command will be flagged as well. It’s a really poor detection mechanism, and I can’t understand why anti-virus makers don’t try to find other methods to detect threats. For several years now, PureBasic programs (and even the official IDE) have regularly been flagged as viruses for no reason, and such threads often pop up on the official forums. I can imagine the face of a potential customer wanting to install the demo version of PureBasic when a big alert saying ‘Warning Trojan.bigvirus.1337’ pops up.
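The failure mode described above, as an added example that is not part of the original post and not the code of any real anti-virus: a signature window taken from bytes that belong to a toolchain’s shared runtime (the “library command” case) matches every program built with that toolchain, while a signature drawn only from sample-specific bytes does not. All byte strings, sample names and the `RUNTIME_STUB` stand-in are constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for a runtime stub that every program built with the
# same toolchain carries (the equivalent of a shared library command).
RUNTIME_STUB = b"\x55\x8b\xec\x83\xec\x40RUNTIME_INIT\x5d\xc3"

# Constructed "malicious" sample: shared stub followed by sample-specific bytes.
MALICIOUS_SAMPLE = RUNTIME_STUB + b"\x31\xc0DROP_AND_PERSIST\xeb\xfe"
# Constructed benign sample built with the same toolchain (same stub).
BENIGN_SAMPLE = RUNTIME_STUB + b"\x31\xc0PRINT_HELLO_WORLD\xc3"


def naive_signature(sample: bytes, length: int = 16, offset: int = 0) -> bytes:
    """Naive extraction: a fixed window of the sample. If the window lands in
    shared runtime code, the signature describes the toolchain, not the threat."""
    return sample[offset:offset + length]


def library_aware_signature(sample: bytes,
                            known_library_blobs: Iterable[bytes],
                            length: int = 16) -> Optional[bytes]:
    """Remove known shared-library byte runs first, then take the window, so
    the signature is drawn from sample-specific code only. Returns None when
    nothing specific enough remains to build a signature from."""
    stripped = sample
    for blob in known_library_blobs:
        stripped = stripped.replace(blob, b"")
    if len(stripped) < length:
        return None
    return stripped[:length]


def overlaps_shared_code(signature: bytes,
                         known_library_blobs: Iterable[bytes]) -> bool:
    """Pre-publication check a signature author would run: does the candidate
    signature appear inside any known shared-library blob? If so it will flag
    every clean program that links that library."""
    return any(signature in blob for blob in known_library_blobs)


def scan(sample: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Minimal substring scanner: returns the names of matching signatures."""
    return [name for name, sig in signatures.items() if sig in sample]


def demo() -> Dict[str, object]:
    """Run both signature strategies over the constructed samples."""
    naive = naive_signature(MALICIOUS_SAMPLE)
    aware = library_aware_signature(MALICIOUS_SAMPLE, [RUNTIME_STUB])
    return {
        "naive_overlaps_library": overlaps_shared_code(naive, [RUNTIME_STUB]),
        "naive_on_benign": scan(BENIGN_SAMPLE, {"Trojan.constructed": naive}),
        "aware_on_benign": scan(BENIGN_SAMPLE, {"Trojan.constructed": aware}),
        "aware_on_malicious": scan(MALICIOUS_SAMPLE, {"Trojan.constructed": aware}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `overlaps_shared_code` check is the part worth keeping: before a pattern is shipped, test it against the clean runtime and library images of every toolchain you know, and reject any pattern that appears there. Real scanners have far more context than a substring match, but the same overlap test applies to whatever feature they extract.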

So what to do? Actually, very few things can be done:
– always send false positives to your anti-virus maker. The more they get, the bigger the chances they will improve their detection routines.
– change your anti-virus. Well, some are better than others. If it doesn’t work with PureBasic, you can consider it a bad one :)

I hope it will change, someday. Ha, dreams…

2 thoughts on “Anti-virus plague”

  1. TI-994A

    “…if PureBasic is used to make a trojan or a virus, then chances are high that the code pattern will actually be a PureLibrary command, meaning that every other PureBasic program using this command will be flagged as well.”

    Hi Fred. If this is true, it’s going to be a real problem because, good or bad, most lay users tend to follow the recommendations of their security apps. One solution may be code signing, although costly, and not foolproof.

  2. J. Baker

    This is one thing I like about Mac. A developer can sign their app. That’s not to say that someone who’s actually making a virus couldn’t purchase a developer license and sign their “virus”. But it may be less likely.

    The best solution is to only run apps from the “Mac App Store”. These apps have been tested and most likely won’t contain a virus. At least I would hope not. Now if Microsoft would do the same, this could help restrain at least most of the false positives.

    The only bad thing with “the best solution” above, is that the app store does reject certain things and doesn’t give a developer full control on how they feel their app should be.

    All aside, I believe there should be some sort of signing technique across the board for all OSes, just like there was/is for certified drivers. This doesn’t mean a user couldn’t or shouldn’t run unsigned apps, but this would be an option to enable or disable per OS, like on OS X.
