Studies against AV false positives

Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Studies against AV false positives

Post by Didelphodon »

This thread shall be dedicated to the quest of finding the reason(s) why PureBasic executables so often raise false-positive alerts in anti-virus products.
See it as a joint venture to reveal those secrets and find a solution ...
Last edited by Didelphodon on Fri Apr 12, 2013 8:44 am, edited 1 time in total.
Go, tell it on the mountains.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

Tried the following things:

Threw an absolutely empty default PB executable into VirusTotal:
See ... https://www.virustotal.com/de/file/8793 ... 365751641/
=> 7 false positives

Again, threw an absolutely empty default PB executable into VirusTotal, but this time with all of the information fields filled out (compiler options):
See ... https://www.virustotal.com/de/file/4cd0 ... 365752015/
=> only 3 false positives. Note: empty information fields seem to trigger detections.
Go, tell it on the mountains.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

Hm, DrWeb is one of the false positives. I'm going to ask a friend at DrWeb to do me the favour of checking what triggers it ...

EDIT: Just dropped my friend an email. To be continued ...
Go, tell it on the mountains.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: Studies against AV false positives

Post by IdeasVacuum »

I applaud your intent, but fear you could be flogging a dead horse.......... :?
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
marc_256
Enthusiast
Posts: 743
Joined: Thu May 06, 2010 10:16 am
Location: Belgium

Re: Studies against AV false positives

Post by marc_256 »

é#@à%* I just installed NOD32 version 6

And all my PB .exe files are erased ??!!
They are not even in quarantine ...

Marc,
- every professional was once an amateur - greetings from Pajottenland - Belgium -
PS: sorry for my English, I speak Flemish ...
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: Studies against AV false positives

Post by IdeasVacuum »

That will be an option somewhere in NOD32.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

Good news from DrWeb. They had a signature in their database, based on a false positive from some time ago, which has now been removed. Hence there shouldn't be any more false positives with PureBasic executables (well-intentioned ones, of course) in the future. We'll see ...
Go, tell it on the mountains.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

However, I encourage everyone to fill out the detail information fields in the compiler options (company name, etc.), as that seems to be one of the aspects heuristics look for.
On the one hand it is understandable that this might be a factor, but on the other hand it is a rather weak one ;-)
Last edited by Didelphodon on Fri Apr 12, 2013 1:04 pm, edited 1 time in total.
Go, tell it on the mountains.
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: Studies against AV false positives

Post by MachineCode »

I read in another (software business) forum that if you digitally sign your executables (via Comodo or whoever), then no virus app will flag them as a false positive at all. Could solve the whole problem, but it's not cheap.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
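Two of the suggestions in this thread (fill in the version-info fields in the compiler options, and sign the executable) are things you can verify on the built file before uploading it to VirusTotal. The following is an added example, not code from the thread, PureBasic or any AV vendor: a stdlib-only Python checker that parses just enough of the PE headers to report whether the file carries a VS_VERSION_INFO resource and whether it carries an Authenticode certificate table. The version-info check is a string heuristic on the section that holds the resource directory rather than a full resource-tree walk, and build_test_pe constructs a synthetic, non-executable PE32 image so the checks can run offline; all function names are this example's own.

```python
"""Pre-submission check for a Windows PE: version-info resource present? Authenticode blob present?

Added example (stdlib only); the names below are this example's own, not PureBasic's or VirusTotal's.
"""
import struct

DIR_RESOURCE = 2   # IMAGE_DIRECTORY_ENTRY_RESOURCE
DIR_SECURITY = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")  # key string at the head of a VERSIONINFO resource


def parse_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers: data directories and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 64-bit stack/heap fields push them to +108 / +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"pe32plus": magic == 0x20B, "dirs": dirs, "sections": sections}


def has_authenticode(pe: dict) -> bool:
    """The security directory holds file offset/size of the WIN_CERTIFICATE blob; a non-zero size means signed."""
    dirs = pe["dirs"]
    return len(dirs) > DIR_SECURITY and dirs[DIR_SECURITY][1] > 0


def has_version_info(data: bytes, pe: dict) -> bool:
    """Heuristic: the section holding the resource directory contains the VS_VERSION_INFO key.
    A full resource-tree walk would be more precise; this is enough to catch 'fields left empty'."""
    dirs = pe["dirs"]
    if len(dirs) <= DIR_RESOURCE or dirs[DIR_RESOURCE][1] == 0:
        return False
    rva = dirs[DIR_RESOURCE][0]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return VERSION_KEY in data[s["raw"]:s["raw"] + s["rawsize"]]
    return False


def pe_report(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"pe32plus": pe["pe32plus"],
            "sections": [s["name"] for s in pe["sections"]],
            "version_info": has_version_info(data, pe),
            "authenticode": has_authenticode(pe)}


def build_test_pe(version_info: bool, signed: bool) -> bytes:
    """Constructed, non-runnable PE32 image with one .rsrc section, so the checks above run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, 0x1000, 0x200)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x400, 0x100)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    rsrc = (b"\0" * 16 + VERSION_KEY if version_info else b"\0" * 16).ljust(0x200, b"\0")
    cert = b"\0" * 0x100 if signed else b""
    return headers + rsrc + cert


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_test_pe(version_info=False, signed=False)
    print(pe_report(data))
```

Run it with the path of your compiled executable as the only argument; without an argument it reports on the synthetic image. Note that a non-zero security directory only says a certificate table is present, not that the signature is valid or that the signer is trusted, and, as the DrWeb result in this thread shows, a detection can also come from a bad entry in the vendor's database, which neither version info nor a signature will remove.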
jpd
Enthusiast
Posts: 167
Joined: Fri May 21, 2004 3:31 pm

Re: Studies against AV false positives

Post by jpd »

Hi Didelphodon,

is it possible to receive the first sample?
Or the PB code?

Thanks
jpd

Not necessary: reproduced it here with a simple Debug line and "create executable"!!
PB 5.10 Windows 7 x64 SP1
jpd
Enthusiast
Posts: 167
Joined: Fri May 21, 2004 3:31 pm

Re: Studies against AV false positives

Post by jpd »

Hi,
Here is an analysis from MAG2.

Interesting result for an empty file:

Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137

Best
jpd
PB 5.10 Windows 7 x64 SP1
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: Studies against AV false positives

Post by MachineCode »

jpd wrote: Interesting result for an empty file
An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

MachineCode wrote:
jpd wrote: Interesting result for an empty file
An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
True! That's actually the footprint of a compiler.
Go, tell it on the mountains.
DoctorLove
User
Posts: 85
Joined: Sat Mar 06, 2010 2:55 pm

Re: Studies against AV false positives

Post by DoctorLove »

jpd wrote: Hi,
Here is an analysis from MAG2.

Interesting result for an empty file:

Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137

Best
jpd

Is that your local IP? As in, it's trying to connect to your debugger?
doctorized
Addict
Posts: 854
Joined: Fri Mar 27, 2009 9:41 am
Location: Athens, Greece

Re: Studies against AV false positives

Post by doctorized »

Once I had this problem with NOD32 and a DLL file that contains a DataSection.
I solved my problem with this:

DataSection
  Data.b .......... ; 20 bytes
  Data.l $12345678
  Data.b ........ ; rest of the bytes
EndDataSection

When I read the data section, I read bytes 1 to 20 and then from 25 onward.
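doctorized's trick works because the simplest AV signature is a fixed byte string that has to appear contiguously in the file: splicing four bytes into the middle of the flagged run breaks the match, and the reader just skips those four bytes. The following is an added example, not code from the thread or from PureBasic, written in Python so it can be run anywhere: it models the writer side (payload with the marker spliced in at byte 20, the marker being the little-endian bytes PureBasic emits for Data.l $12345678), the reader side (take bytes before the marker, skip it, take the rest), a naive contiguous-byte matcher standing in for the signature, and a helper that lists which split offsets would actually break a given pattern. The 48-byte payload and the patterns are constructed for the demonstration; nothing here reproduces any vendor's real signature.

```python
"""Why splicing a 4-byte marker into a DataSection blob defeats a contiguous byte signature, and where it does not.

Added example; the payload and the 'signature' patterns below are constructed, not taken from any AV product.
"""

MARKER = (0x12345678).to_bytes(4, "little")  # the bytes PureBasic's Data.l $12345678 emits: 78 56 34 12
SPLIT_AT = 20                                # doctorized's layout: 20 bytes, marker, rest of the bytes


def store_with_marker(payload: bytes, offset: int = SPLIT_AT, marker: bytes = MARKER) -> bytes:
    """Writer side: lay the payload out as the DataSection does, with the marker spliced in at `offset`."""
    if not 0 <= offset <= len(payload):
        raise ValueError("offset outside payload")
    return payload[:offset] + marker + payload[offset:]


def read_around_marker(stored: bytes, offset: int = SPLIT_AT, marker_len: int = len(MARKER)) -> bytes:
    """Reader side: bytes before the marker, skip the marker, then the rest ('1 to 20, then from 25 onward')."""
    return stored[:offset] + stored[offset + marker_len:]


def contiguous_match(haystack: bytes, pattern: bytes) -> bool:
    """The simplest kind of AV signature: a fixed byte string that must appear contiguously."""
    return pattern in haystack


def split_breaks_pattern(payload: bytes, pattern: bytes, offset: int) -> bool:
    """True when splicing at `offset` leaves no contiguous occurrence of `pattern`.
    Only occurrences that straddle the split point are broken; ones entirely before or after survive."""
    stored = store_with_marker(payload, offset)
    return contiguous_match(payload, pattern) and not contiguous_match(stored, pattern)


def offsets_that_break(payload: bytes, pattern: bytes) -> list:
    """Every split offset that breaks the pattern: the marker has to land strictly inside each occurrence."""
    return [off for off in range(1, len(payload)) if split_breaks_pattern(payload, pattern, off)]


def demo(payload: bytes, pattern: bytes, offset: int = SPLIT_AT) -> dict:
    """Does the pattern match the raw payload, does it still match the stored layout, and does reading round-trip?"""
    stored = store_with_marker(payload, offset)
    return {
        "pattern_in_payload": contiguous_match(payload, pattern),
        "pattern_in_stored": contiguous_match(stored, pattern),
        "roundtrip_ok": read_around_marker(stored, offset) == payload,
    }


if __name__ == "__main__":
    payload = bytes(range(48))          # constructed 48-byte blob standing in for the DataSection contents
    straddling = payload[16:24]         # an 8-byte pattern that crosses byte 20: the marker breaks it
    leading = payload[0:8]              # a pattern wholly before the split: the marker does nothing to it
    print("straddling:", demo(payload, straddling))
    print("leading:   ", demo(payload, leading))
    print("offsets that break the straddling pattern:", offsets_that_break(payload, straddling))
```

The `leading` case is the limit of the trick: a marker at byte 20 only helps if the bytes the engine matched actually span byte 20, otherwise the detection stays exactly as it was, and `offsets_that_break` shows where the marker has to go once you know which run of bytes was flagged. It also does nothing against a hash of the whole file or a heuristic score, which is why the durable fix in this thread was the vendor removing the bad entry rather than the splice.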