 Post subject: Symantec again false positive
PostPosted: Sat Jul 20, 2019 4:54 pm 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
Hello to all

Recently, they changed my laptop from W7 to W10 and furthermore, apparently, the level of heuristic recognition :?

So since then, it is nearly impossible to compile with PB :shock:
And several of my exes are detected as malware :evil:

Then I spent 2 hours finding which part of the code generates the problem.
After deleting the majority of my code, just this is sufficient:

Code:
*Buffer = ReceiveHTTPMemory("http://www.myexternalip.com/raw")

If *Buffer
 Taille = MemorySize(*Buffer)
 Ipad.s = PeekS(*Buffer, Taille-1, #PB_UTF8)
 FreeMemory(*Buffer)
EndIf

MessageRequester("PureBasic", "I just ask my IP, and SYMANTEC heuristic detection, say i'm a virus :- )))))")


VirusTotal test:
http://erdsjb.free.fr/purestorage/provi ... Total.html

At the beginning I believed it was surely Peek/Poke, because we write in memory, but it is nothing like that; just
Code:
*Buffer = ReceiveHTTPMemory("http://www.myexternalip.com/raw")
creates an alert :shock:

So I sent the false-positive exe and wrote to SYMANTEC:
Quote:
Please... it's not because PureBasic is used to create viruses by malicious users that all libraries of PureBasic generate viruses.
I give you a screenshot of the VirusTotal site (see zip), and you are the only BIG antivirus to have found a virus :-(
So please, improve your heuristic algorithm before accusing a great French programming language that has existed for 20 years.
Now I can't use it at my job, although I have used it for more than ten years in the same place.
I am sending you the source code and the EXE generated by the PureBasic compiler.

In your opinion, do I have a chance that SYMANTEC fixes their bug? Or can I wait for PB v10 to no longer see this problem, and even then... :|

_________________
The happiness is a road...
Not a destination

 Post subject: Re: Symantec again false positive
PostPosted: Sun Jul 21, 2019 3:07 pm 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
I answer my own question.
I'm very surprised by the quick answer from Symantec, already received for the two false positives I sent.
Apparently they recognize their fault and fixed it.
I have not really understood everything, but this is one of the 3 mails I have received.
So this story proves it's really important for PB to send examples that are analyzed as viruses.
If all the members do that, perhaps one day PB will not be recognized as a malware creator 8)
Symantec wrote:
In relation to submission 160556.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: ThreadDetectionSymantecVirus.exe
    MD5: 13FD6B56245B4CC02037FD07833E7A06
    SHA256: EA8A37992C270179C6033B378230B29D3202469F336208D012BD33A68F5F849D
    Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update
Further Information:
Required RAPID RELEASE sequence >= 201315

The latest Rapid Release definition available here: ftp://ftp.symantec.com/AVDEFS/norton_an ... pidrelease
To check the current sequence number of the Rapid Release definition: https://www.symantec.com/security_response/definitions/rapidrelease
More information on Rapid Release definitions can be found: https://support.symantec.com/en_US/article.TECH103326.html

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endpoint-protection.54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/ ... .en-us.pdf


Sincerely,
Symantec Security Response
https://www.symantec.com/security-center


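The reply quoted above identifies the cleared file by name, MD5 and SHA256 and states a minimum Rapid Release sequence. As an added example (not part of the thread and not Symantec tooling), the Python below parses those fields and checks a given build against them; the function names and the `installed_sequence` argument are hypothetical, and the installed sequence number is assumed to be supplied by the user.

```python
import hashlib
import re

# Excerpt of the vendor reply quoted in the post above (values as posted).
REPLY = """\
In relation to submission 160556.
    File name: ThreadDetectionSymantecVirus.exe
    MD5: 13FD6B56245B4CC02037FD07833E7A06
    SHA256: EA8A37992C270179C6033B378230B29D3202469F336208D012BD33A68F5F849D
Required RAPID RELEASE sequence >= 201315
"""

# Hypothetical field names mapped to patterns for the reply layout above.
FIELDS = {
    "submission": r"submission\s+(\d+)",
    "file_name": r"File name:\s*(\S+)",
    "md5": r"MD5:\s*([0-9A-Fa-f]{32})\b",
    "sha256": r"SHA256:\s*([0-9A-Fa-f]{64})\b",
    "min_sequence": r"RAPID RELEASE sequence\s*>=\s*(\d+)",
}


def parse_reply(text):
    """Extract the cleared file's identifiers; fail loudly if one is missing."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"reply lacks field: {name}")
        out[name] = m.group(1)
    out["md5"], out["sha256"] = out["md5"].lower(), out["sha256"].lower()
    out["min_sequence"] = int(out["min_sequence"])
    return out


def check_build(reply, exe_bytes, installed_sequence):
    """Return (hash_matches, definitions_new_enough) for one build."""
    same = (hashlib.md5(exe_bytes).hexdigest() == reply["md5"]
            and hashlib.sha256(exe_bytes).hexdigest() == reply["sha256"])
    return same, installed_sequence >= reply["min_sequence"]


def reply_for(exe_bytes, name, sequence):
    """Build a constructed reply in the same layout, for offline testing."""
    return (f"In relation to submission 0.\n    File name: {name}\n"
            f"    MD5: {hashlib.md5(exe_bytes).hexdigest().upper()}\n"
            f"    SHA256: {hashlib.sha256(exe_bytes).hexdigest().upper()}\n"
            f"Required RAPID RELEASE sequence >= {sequence}\n")
```

A recompiled executable has different hashes, so `check_build` reports it as not being the file named in the reply.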
 Post subject: Re: Symantec again false positive
PostPosted: Sun Jul 21, 2019 8:49 pm 
Joined: Mon Apr 10, 2017 6:17 pm
Posts: 273
Location: Germany
Since I switched to Kaspersky and used the PureBasic option "create temporary executable in the source directory", I didn't have this problem ever again. Kaspersky's database of whitelisted applications has over 500 million entries and seems to cover PureBasic too ;)

I was simply sick, after the third false positive of Symantec software, of wasting my time correcting their sloppy detection, and switched to Kaspersky. Good that they reacted to your report, but if it happens again and again and you get sick of that, just switch to Kaspersky ;)

PS - some software has a whitelist feature which can help to get rid of the false positives which inevitably happen for us "homebrew" developers. I added a few tools that way to Kaspersky too.

 Post subject: Re: Symantec again false positive
PostPosted: Sun Jul 21, 2019 9:23 pm 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
Yes, you are right, I hate NORTON; personally I have no antivirus, just the native W10 one :wink:
In fact, it's worse than that: it's not my machine, but my company's, and I'm not an administrator.

For more than ten years I have created PB exes for it, even though I'm not really allowed to use PB. :|
In fact, for it only VBA and OFFICE exist :cry: so I forgot VBA a long time ago :mrgreen:
In all these years I had no problem, but it changed my PC for a new one, with W10 Pro with BitLocker, and surely a worse level.
So now it is impossible to use PB like I do every day: several of my old programs, but mainly the compilation of new ones. I was desperate :cry:
I hope I'm not forced to send each new exe to SYMANTEC, because each time I have a detection, the administrator of the enormous network in PARIS tells me I'm a bad user and reminds me of the strict rules :oops:
No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

In fact, for ten years, just for trying to do my job, I'm happy like ....

[image] :|

 Post subject: Re: Symantec again false positive
PostPosted: Sun Jul 21, 2019 9:58 pm 
Joined: Thu Apr 18, 2019 8:17 am
Posts: 329
Kwai chang caine wrote:
No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

That's normal for employers to do that, so don't feel bad. My workplace is the same. Don't risk your job by trying to get your exes whitelisted.


 Post subject: Re: Symantec again false positive
PostPosted: Sun Jul 21, 2019 11:44 pm 
Joined: Sat Feb 19, 2005 2:46 pm
Posts: 1793
Location: Pas-de-Calais, France
BarryG wrote:
Kwai chang caine wrote:
No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

That's normal for employers to do that, so don't feel bad. My workplace is the same. Don't risk your job by trying to get your exes whitelisted.

I don't think so. Usually it's just fear or laziness of administrators. Since the beginning of multi-user systems we have had this kind of policy. And since the beginning we have had employees who spend a lot of time just to do their job better. PB is just a tool. If you have a better tool than the one given by your company, should you use it? The usual answer is "no". A better answer should be: if there's no possibility it could be harmful. PB is not more harmful than a console, a browser, or Office.
PB, like other tools, could be executed in a sandbox. User space should be enough to avoid any problem. If administrators are not at ease with this kind of tool, it's just because they're not expert enough.


 Post subject: Re: Symantec again false positive
PostPosted: Mon Jul 22, 2019 12:14 am 
Joined: Mon Apr 10, 2017 6:17 pm
Posts: 273
Location: Germany
If you cannot get written permission to use PureBasic at your workplace, then do not use PureBasic at your work.

Ask a lawyer what could happen if something goes wrong while you knowingly violated corporate policies. Sorry, but while VBA is a sad joke compared to PureBasic, it is also rather easy to learn.

 Post subject: Re: Symantec again false positive
PostPosted: Mon Jul 22, 2019 10:59 am 
Joined: Sun Jun 22, 2003 7:43 pm
Posts: 446
Location: Germany, Saarbrücken
The issue with antiviruses is that they often open back doors or other security holes by themselves. The best thing you can do is to uninstall all antiviruses and only use Windows Defender, which uses a sandbox and is highly integrated into the operating system.
To see an overview of open issues, just look here: https://www.cvedetails.com/google-searc ... &sa=Search
There is also a lot of news out there which can tell you about new security issues with antiviruses. Just google it.

_________________
Electronics, Crazy & Interesting Stuff, all that with text, image and sound? Click here!

The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.


 Post subject: Re: Symantec again false positive
PostPosted: Mon Jul 22, 2019 4:54 pm 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
The problem in a big company is that there are two sides.
The boss or coworker who has a problem that I can resolve with PB and not VBA, and the administrator, for whom it's not his problem.
It's a topsy-turvy world; normally the administrator must do everything to help the company have what it needs.
But their only worry is to have less work and fewer risks..... so less work.

Recently he found a flaw in Chrome and IE, so only FF is allowed.
I have an idea to make the administrator happy: don't allow powering on the machine, like that... not too much work.

If the administrator is intelligent, he can install a virtual machine or sandbox, so that we can use the exes that are not allowed.
But without admin rights... impossible to install it.

 Post subject: Re: Symantec again false positive
PostPosted: Tue Jul 23, 2019 1:56 am 
Joined: Fri Aug 28, 2015 6:10 pm
Posts: 1024
Location: Portugal
My sympathies to all that have suffered these scare tactics.

Part of my job was to collate reams of data from loggers all over the site, all logged in many Excel files. A long tedious process; wrote a small programme in VB for the secretary to use, but it had the unknown publisher message and I was warned.

My answer was a second-hand computer: the secretary then copied all data files to USB, came to my office, and we had a cup of tea while the second-hand computer and my programme did the job and copied the new files back to the USB stick, which the secretary then took away.

RESULT the secretary was promoted for being so efficient!

_________________
Any intelligent fool can make things bigger and more complex. It takes a touch of genius — and a lot of courage to move in the opposite direction.


 Post subject: Re: Symantec again false positive
PostPosted: Tue Jul 23, 2019 7:39 am 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
Yes, you are right, that reminds me of something!!! :wink:
This is another side of the happiness of working in a big company.
You work for another person (mainly the boss) and take all the risks to create what the boss wants.
For him, it's a win/win operation.
If the software works, the boss or the coworker gets promoted :shock:
Of course... so clever, this boss, he has solved the big problem that nobody could solve before, with the best, the top, the one and only VBA, god of the gods of programming languages :?
And if there is the slightest problem with the network administrator or anyone else... the boss doesn't know anything about computers, it's not his fault :cry:
It's the fault of the bad programmer who does not respect the "good" rules of the administrator :twisted:

 Post subject: Re: Symantec again false positive
PostPosted: Tue Jul 23, 2019 7:52 am 
Joined: Thu Jul 03, 2003 6:53 pm
Posts: 1279
Location: England
NicTheQuick wrote:
The issue with antiviruses is that they often open back doors or other security holes by themselves..

Yes. Here's an interesting blog post by a former Mozilla dev on exactly that point.


 Post subject: Re: Symantec again false positive
PostPosted: Tue Jul 23, 2019 11:17 am 
Joined: Sun Jun 22, 2003 7:43 pm
Posts: 446
Location: Germany, Saarbrücken
the.weavster wrote:
NicTheQuick wrote:
The issue with antiviruses is that they often open back doors or other security holes by themselves..

Yes. Here's an interesting blog post by a former Mozilla dev on exactly that point.

Image

 Post subject: Re: Symantec again false positive
PostPosted: Wed Jul 24, 2019 12:28 pm 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
Incredible :shock:
Little by little all these big companies may die if it's certain that Windows Defender is sufficient.
There is still Linux or Mac to keep living....
Or better... they can convert into virus creators, there will always be work in that :mrgreen:

 Post subject: Re: Symantec again false positive
PostPosted: Wed Jul 31, 2019 10:00 am 
Joined: Sun Nov 05, 2006 11:42 pm
Posts: 4508
Location: Lyon - France
When I run code with the debugger, Symantec "Bawl his mother" :? and without it... nothing
It's strange behavior :shock:
And I have tried with only a simple MessageRequester(), and it's the same thing :twisted:
Does someone understand why?
And how can I send the debugger to SYMANTEC, since the exe created is not detected as a virus?
