Studies against AV false positives
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Studies against AV false positives
This thread shall be dedicated to the quest for finding the reason(s) why PureBasic executables so often raise false positive alerts in anti-virus products.
See it as a joint venture to reveal those secrets and find a solution ...
Last edited by Didelphodon on Fri Apr 12, 2013 8:44 am, edited 1 time in total.
Go, tell it on the mountains.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: Studies against AV false positives
Tried the following things:
Threw an absolutely empty default PB executable into VirusTotal:
See ... https://www.virustotal.com/de/file/8793 ... 365751641/
=> 7 false positives
Again threw an absolutely empty default PB executable into VirusTotal, but this time with the information fields filled out (compiler options):
See ... https://www.virustotal.com/de/file/4cd0 ... 365752015/
=> only 3 false positives. Note: empty information fields seem to trigger.
Go, tell it on the mountains.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: Studies against AV false positives
Hm, DrWeb is one of the false positives. I'm going to ask a friend at DrWeb to do me the favour of checking what triggers it ...
EDIT: Just dropped my friend an email. To be continued ...
Go, tell it on the mountains.
-
- Always Here
- Posts: 6425
- Joined: Fri Oct 23, 2009 2:33 am
- Location: Wales, UK
- Contact:
Re: Studies against AV false positives
I applaud your intent, but fear you could be flogging a dead horse..........
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Re: Studies against AV false positives
é#@à%* I just installed NOD32 version 6
and all my PB .exe files are erased??!!
They are not even in quarantine ...
Marc,
- every professional was once an amateur - greetings from Pajottenland - Belgium -
PS: sorry for my English, I speak Flemish ...
-
- Always Here
- Posts: 6425
- Joined: Fri Oct 23, 2009 2:33 am
- Location: Wales, UK
- Contact:
Re: Studies against AV false positives
That will be an option somewhere in NOD32.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: Studies against AV false positives
Good news from DrWeb. They had a signature based on a false positive from some time ago in their database, which is now removed. Hence there shouldn't be any more false positives with PureBasic executables (with good intentions, of course) in the future. We'll see ...
Go, tell it on the mountains.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: Studies against AV false positives
However, I encourage everyone to fill out the detail information fields in the compiler options (company name, etc.), as it seems to be one of the aspects heuristics look for.
On one hand it is understandable that this might be an aspect, but on the other hand it is a rather weak one.
Last edited by Didelphodon on Fri Apr 12, 2013 1:04 pm, edited 1 time in total.
Go, tell it on the mountains.
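The two posts above (the VirusTotal comparison of an executable with empty versus filled-in information fields, and the advice to fill them in) both come down to the same thing: what the VERSIONINFO resource of the binary says. The script below is an added example for this thread, written by the editor; it is not PureBasic code and not from any poster. It parses the VS_VERSIONINFO tree (the nested wLength/wValueLength/wType/szKey nodes the resource consists of) and lists which of the usual string fields are empty or missing, so you can check a build before uploading it. Two labelled assumptions: the resource is located by searching the file for its UTF-16 key "VS_VERSION_INFO" rather than by walking the .rsrc directory for RT_VERSION (type 16), which a real tool would do; and the "executable" the demo scans is a constructed stand-in built by the script itself, not a PureBasic build.

```python
"""Report empty VERSIONINFO string fields in a PE image.

Added example, not PureBasic code and not from the thread. Assumptions
(labelled): the VS_VERSIONINFO blob is found by searching for its UTF-16
key instead of walking .rsrc for RT_VERSION (type 16), and the sample
"executable" below is a constructed stand-in, not a PureBasic build.
"""
import struct


def _align4(n):
    return (n + 3) & ~3


def _utf16z(s):
    return (s + "\x00").encode("utf-16-le")


def build_node(key, value=b"", wtype=1, children=()):
    """Serialise one node of the VS_VERSIONINFO tree:
    wLength, wValueLength, wType, szKey, pad, Value, pad, Children."""
    body = _utf16z(key)
    body += b"\x00" * (_align4(6 + len(body)) - 6 - len(body))   # Value is DWORD-aligned
    body += value
    for child in children:
        body += b"\x00" * (_align4(6 + len(body)) - 6 - len(body))  # each child DWORD-aligned
        body += child
    vlen = len(value) // 2 if wtype == 1 else len(value)  # text values are counted in WORDs
    return struct.pack("<HHH", 6 + len(body), vlen, wtype) + body


def parse_node(buf, off):
    """Parse the node at buf[off:] and return (node, end_offset)."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    if wlen < 6:
        raise ValueError("corrupt VERSIONINFO node at offset %d" % off)
    end = off + wlen
    q = off + 6
    while q + 2 <= end and buf[q:q + 2] != b"\x00\x00":   # szKey is NUL-terminated UTF-16LE
        q += 2
    key = buf[off + 6:q].decode("utf-16-le")
    p = _align4(q + 2)
    nbytes = vlen * 2 if wtype == 1 else vlen
    value = buf[p:p + nbytes]
    p = _align4(p + nbytes)
    children = []
    while p < end:
        child, p = parse_node(buf, p)
        children.append(child)
        p = _align4(p)
    return {"key": key, "type": wtype, "value": value, "children": children}, end


def string_fields(root):
    """Flatten StringFileInfo -> StringTable -> String nodes into {name: text}."""
    fields = {}
    for sfi in root["children"]:
        if sfi["key"] != "StringFileInfo":
            continue
        for table in sfi["children"]:
            for s in table["children"]:
                fields[s["key"]] = s["value"].decode("utf-16-le").rstrip("\x00")
    return fields


def find_version_info(blob):
    """Shortcut (assumption): locate the root node by its key instead of walking .rsrc."""
    i = blob.find("VS_VERSION_INFO".encode("utf-16-le"))
    if i < 6:
        return None
    root, _ = parse_node(blob, i - 6)
    return root


REQUIRED = ("CompanyName", "FileDescription", "ProductName", "FileVersion", "ProductVersion")


def check_version_fields(blob, required=REQUIRED):
    """Return which of the required string fields are empty or absent."""
    root = find_version_info(blob)
    if root is None:
        return {"present": False, "empty": list(required), "fields": {}}
    fields = string_fields(root)
    empty = [k for k in required if not fields.get(k, "").strip()]
    return {"present": True, "empty": empty, "fields": fields}


# Constructed sample: VS_FIXEDFILEINFO with just the signature and strucVersion set.
FIXED = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))


def build_sample(fields):
    """Constructed stand-in for an executable: MZ stub, the resource blob, trailing bytes."""
    strings = [build_node(k, _utf16z(v)) for k, v in fields.items()]
    table = build_node("040904B0", children=strings)               # en-US, Unicode
    sfi = build_node("StringFileInfo", children=[table])
    root = build_node("VS_VERSION_INFO", FIXED, wtype=0, children=[sfi])
    return b"MZ" + b"\x00" * 510 + root + b"\x00" * 64


if __name__ == "__main__":
    blank = build_sample({"CompanyName": "", "FileDescription": "", "ProductName": ""})
    print("blank build, empty fields:", check_version_fields(blank)["empty"])
    filled = build_sample({k: "x" for k in REQUIRED})
    print("filled build, empty fields:", check_version_fields(filled)["empty"])
```

To run it against a real build, read the .exe into `blob` and call `check_version_fields(blob)`; a non-empty `empty` list is the same condition the VirusTotal comparison above is about. The parser deliberately refuses nodes with a wLength below the 6-byte header so a corrupt resource cannot make it loop forever.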
-
- Addict
- Posts: 1482
- Joined: Tue Feb 22, 2011 1:16 pm
Re: Studies against AV false positives
I read in another (software business) forum that if you digitally sign your executables (via Comodo or whomever) then no virus app will flag it as a false positive at all. Could solve the whole problem, but it's not cheap.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
Re: Studies against AV false positives
Hi Didelphodon,
is it possible to receive the first sample?
or the PB code
Thanks
jpd
Not necessary, I reproduced it here with a simple debug line and create exe!!
PB 5.10 Windows 7 x64 SP1
Re: Studies against AV false positives
Hi,
here is an analysis from MAG2.
Interesting result for an empty file:
Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137
Best
jpd
PB 5.10 Windows 7 x64 SP1
-
- Addict
- Posts: 1482
- Joined: Tue Feb 22, 2011 1:16 pm
Re: Studies against AV false positives
jpd wrote: Interesting result for an empty file
An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: Studies against AV false positives
jpd wrote: Interesting result for an empty file
MachineCode wrote: An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
True! That's actually the footprint of a compiler.
Go, tell it on the mountains.
-
- User
- Posts: 85
- Joined: Sat Mar 06, 2010 2:55 pm
Re: Studies against AV false positives
jpd wrote: Hi,
here is an analysis from MAG2.
Interesting result for an empty file:
Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137
Best
jpd
Is that your local IP? As in, is it trying to connect to your debugger?
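The sandbox line "Sends data to: 10.74.1.255:137" is the kind of event that gets a blank program flagged, so it is worth having a triage step that separates what Windows itself does on a fresh subnet from what the sample actually did. The script below is an added example by the editor, not from jpd or any other poster: it parses lines in the MAG2 report format shown above and classifies each destination by scope (subnet broadcast, multicast, local or external unicast) and by well-known port. Labelled assumptions: the sandbox network is taken to be 10.74.1.0/24 (the report does not say, it is just the smallest netmask under which 10.74.1.255 is the broadcast address), the port table is the editor's, and of the three network lines in the embedded sample only the first is from jpd's report; the other two are constructed to show the contrast.

```python
"""Triage "Sends data to: IP:PORT" lines from a sandbox report.

Added example, not from the thread. Assumptions (labelled): sandbox subnet
10.74.1.0/24 (not stated in the report), the port table below, and the two
extra sample lines marked as constructed.
"""
import ipaddress
import re

# Ports a Windows host talks to on its own subnet without the sample asking:
# NetBIOS name service / datagram service, LLMNR, mDNS, SSDP. Editor's table.
BACKGROUND_PORTS = {
    137: "NetBIOS-NS",
    138: "NetBIOS-DGM",
    5355: "LLMNR",
    5353: "mDNS",
    1900: "SSDP",
}

EVENT_RE = re.compile(
    r"^\s*(Sends data to|Connects to|Receives data from):\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$"
)


def classify_event(line, sandbox_net="10.74.1.0/24"):
    """Classify one report line; returns None for lines that are not network events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    verb, host, port = m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3))
    net = ipaddress.ip_network(sandbox_net, strict=False)   # assumed sandbox subnet
    if host == net.broadcast_address or host == ipaddress.ip_address("255.255.255.255"):
        scope = "broadcast"        # x.x.x.255 on a /24: every host on the segment, nobody in particular
    elif host.is_multicast:
        scope = "multicast"
    elif host in net:
        scope = "local-unicast"    # a specific machine on the sandbox segment (e.g. the analysis host)
    elif host.is_global:
        scope = "external"
    else:
        scope = "private-unicast"
    service = BACKGROUND_PORTS.get(port)
    if scope in ("broadcast", "multicast") and service:
        verdict = "os-background"  # name-service chatter the OS emits for any new process/host
    elif scope == "external":
        verdict = "investigate"    # a blank program has no reason to reach the internet
    else:
        verdict = "review"
    return {"verb": verb, "host": str(host), "port": port,
            "scope": scope, "service": service, "verdict": verdict}


def triage(report_text, sandbox_net="10.74.1.0/24"):
    """Classify every network event line in a report, in order."""
    return [c for c in (classify_event(l, sandbox_net) for l in report_text.splitlines()) if c]


# First network line is the one from jpd's MAG2 report; the other two are constructed.
SAMPLE_REPORT = """\
Process/Thread Events
Creates process: C:\\windows\\temp\\test.exe ["C:\\windows\\temp\\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137
Sends data to: 224.0.0.252:5355
Connects to: 8.8.8.8:443
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE_REPORT):
        print("%-9s %-17s %5d %-14s %-8s -> %s" % (
            ev["verb"].split()[0], ev["host"], ev["port"], ev["scope"],
            ev["service"] or "-", ev["verdict"]))
```

The point of the scope check is that a datagram to the subnet's .255 address on UDP 137 is a NetBIOS name-service broadcast, which Windows sends for the machine's own name registration and lookups; it tells you nothing about the executable, whereas the same report showing a unicast connection to an internet address would. Change `sandbox_net` to your sandbox's real prefix before trusting the broadcast classification.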
- doctorized
- Addict
- Posts: 854
- Joined: Fri Mar 27, 2009 9:41 am
- Location: Athens, Greece
Re: Studies against AV false positives
Once I had this problem with NOD32 and a DLL file that contains a DataSection.
I solved my problem with this:
DataSection
  Data.b .......... ; 20 bytes
  Data.l $12345678
  Data.b ........ ; rest of the bytes
EndDataSection
When I read the data section I read from 1 to 20 and then from 25 and after.
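doctorized's fix works because a plain byte signature stops matching as soon as four foreign bytes are wedged into the run it keys on. What the post does not show is how to find that run in the first place, which is the actual question of this thread. The script below is an added example by the editor, not from doctorized or from PureBasic: it bisects a file against a detector to find the start and end of the bytes the detection depends on, then applies the same spacer-insertion trick to show the match disappear. The detector here is a constructed stand-in (a fixed-pattern substring match) and the "file" is a constructed byte buffer with that pattern embedded at offset 100; against a real engine you would replace `detect` with a call to a local command-line scanner and expect the bisection to take a few dozen scans. Labelled caveat: the method assumes one contiguous, wildcard-free signature, so the detection changes monotonically as bytes are masked; heuristic or emulation-based verdicts do not behave that way and will give nonsense boundaries.

```python
"""Bisect a file against a detector to locate the bytes a signature keys on.

Added example, not PureBasic code and not from the thread. The detector and
the sample buffer are constructed stand-ins; only plain contiguous byte
signatures localise correctly with this method (labelled assumption).
"""


def mask(data, start, end):
    """Return data with every byte in [start, end) inverted, so each one differs."""
    return data[:start] + bytes(b ^ 0xFF for b in data[start:end]) + data[end:]


def find_start(data, detect):
    """Largest prefix that can be masked while the detection survives = first signature byte."""
    lo, hi = 0, len(data)   # masking [0, lo) keeps the hit; masking [0, hi) loses it
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(mask(data, 0, mid)):
            lo = mid
        else:
            hi = mid
    return lo


def find_end(data, detect):
    """Smallest offset from which the tail can be masked with the hit intact = end (exclusive)."""
    lo, hi = 0, len(data)   # masking [hi, n) keeps the hit; masking [lo, n) loses it
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(mask(data, mid, len(data))):
            hi = mid
        else:
            lo = mid
    return hi


def localize_signature(data, detect):
    """Return (start, end) of the bytes the detector depends on, or None if not bisectable."""
    if not detect(data):
        return None                      # nothing to localise
    if detect(mask(data, 0, len(data))):
        return None                      # survives total inversion: not a plain byte signature
    return find_start(data, detect), find_end(data, detect)


def insert_spacer(data, offset, spacer=b"\x78\x56\x34\x12"):
    """doctorized's workaround in byte form: wedge a 4-byte marker ($12345678,
    little-endian) into the matched run so the pattern is no longer contiguous."""
    return data[:offset] + spacer + data[offset:]


def make_scanner(signature):
    """Constructed stand-in for an AV engine: a fixed-pattern substring match."""
    return lambda blob: signature in blob


# Constructed sample: a non-repeating carrier with the "signature" spliced in at offset 100.
SIGNATURE = b"\xde\xad\xbe\xef\x13\x37PB"
CARRIER = bytes((i * 7 + 3) & 0xFF for i in range(1024))
SAMPLE = CARRIER[:100] + SIGNATURE + CARRIER[100 + len(SIGNATURE):]


def demo(data=SAMPLE, signature=SIGNATURE):
    """Localise, then break the match the way the DataSection fix does."""
    detect = make_scanner(signature)
    rng = localize_signature(data, detect)
    if rng is None:
        return None, detect(data), None
    start, end = rng
    patched = insert_spacer(data, (start + end) // 2)
    return rng, detect(data), detect(patched)


if __name__ == "__main__":
    rng, before, after = demo()
    print("signature bytes at [%d, %d): %r" % (rng[0], rng[1], SAMPLE[rng[0]:rng[1]]))
    print("detected before: %s, after spacer insertion: %s" % (before, after))
```

Once the range is known you can map it back to the source (a DataSection offset, a literal string, or compiler runtime code you cannot change) and decide between a spacer like the one above, re-encoding the data, or simply reporting the false positive to the vendor with the exact bytes, as happened with DrWeb earlier in this thread. Note that an inverting mask rather than zero-fill is used so that a signature containing zero bytes still gets broken at every probe.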