Symantec again false positive

Kwai chang caine · **Posted:** Sat Jul 20, 2019 4:54 pm

Hello at all

Recently, they change my laptop of W7 to W10 and furthermore apparently the level of heuristic recognition

So since this time, nearly impossible to compile with PB :shock:

And several of my exe are detected malware :evil:

Then, i have spent 2 hours for found what is the part of code who generate the problem
After delete the majority of my code, just this is sufficient :

Code:

*Buffer = ReceiveHTTPMemory("http://www.myexternalip.com/raw")

If *Buffer
 Taille = MemorySize(*Buffer)
 Ipad.s = PeekS(*Buffer, Taille-1, #PB_UTF8)
 FreeMemory(*Buffer)
EndIf

MessageRequester("PureBasic", "I just ask my IP, and SYMANTEC heuristic detection, say i'm a virus :- )))))")

Virus total test
http://erdsjb.free.fr/purestorage/provi ... Total.html

At the beginning i believe, surely it's Peek/Poke because we write in memory, but nothing of that, just

Code:

*Buffer = ReceiveHTTPMemory("http://www.myexternalip.com/raw")

create an alert :shock:

So i have send the false positive exe, and writing to SYMANTEC

Quote:

Please... it's not because PureBasic is used for create virus by malicious users, than all librarys of PureBasic generate virus.
I give to you a screeshot of virus total site (See zip), and you are only one BIG antivirus to finded a virus :-(

So please, improve your heuristic algorithm before accuse a great french programming language since 20 years.
Now i can't use it on my job, then that use it since more than ten years on the same place.
I send to you the source code and the EXE generate by PureBasic compiler

At your advice, have i a chance SYMANTEC fix their bug ? or i can wait the PB v10 for not see this problem, and again...

Kwai chang caine · **Posted:** Sun Jul 21, 2019 3:07 pm

I answer myself at my question.
I'm very surprising by the quick answer of Symantec already received for my two false positive send.
Apparently he recognize their fault and fix it.
I have not really understand all but this is one of 3 mails i have received.
Then this history proof it's really important for PB to send example analizing like virus.
If all the members do that, perhaps a day PB is not recognize like a malware creator

Symantec wrote:

In relation to submission 160556.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: ThreadDetectionSymantecVirus.exe
    MD5: 13FD6B56245B4CC02037FD07833E7A06
    SHA256: EA8A37992C270179C6033B378230B29D3202469F336208D012BD33A68F5F849D
    Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update
Further Information:
Required RAPID RELEASE sequence >= 201315

The latest Rapid Release definition available here: ftp://ftp.symantec.com/AVDEFS/norton_an ... pidrelease
To check the current sequence number of the Rapid Release definition: https://www.symantec.com/security_response/definitions/rapidrelease
More information on Rapid Release definitions can be found: https://support.symantec.com/en_US/article.TECH103326.html

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endpoint-protection.54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/ ... .en-us.pdf

Sincerely,
Symantec Security Response
https://www.symantec.com/security-center

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

Bitblazer · **Posted:** Sun Jul 21, 2019 8:49 pm

Since i switched to Kaspersky and used the purebasic option "create temporary executable in the source directory", i didnt have this problem ever again. Kasperskys database of whitelisted applications has over 500 million entries and seems to cover purebasic too

I was simply sick after the third false positive of symantec software to waste my time correcting their sloppy detection and switched to kaspersky. Good that they reacted to your report, but if it happens again and again and you get sick of that, just switch to kaspersky

ps - some software has a whitelist feature which can help to get rid of the false positives which inevitably happen for us "homebrew" developers. I added a few tools that way to kaspersky too.

Kwai chang caine · **Posted:** Sun Jul 21, 2019 9:23 pm

Yes you have right, i hate NORTON, personnally i have no antivirus, just the native W10 :wink:

In fact, it's worst of that, it's not my machine, but in my enterprise, and i'm not administrator

Since more than ten years i create pb exe for her, even if i'm not really allowed to use PB.

In fact, for her just exist VBA and OFFICE :cry:

so i have a long time i have forgotten VBA :mrgreen:

Since all this years, i have no problem, but she change my pc for a new one, with W10 pro with BitLocker, and surely a worst level.
So now, impossible to use PB like i do all the days, several of my old program but mainly the compilation of the new, i was desperate :cry:

I hope i'm not forcing to send each new exe to SYMANTEC, because each time i have a detection, the administrator of the enormous network at PARIS send to me i'm a bad user, and reminds me the strict rules :oops:

No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

In fact, since ten years, for just try to do my job, i'm happy like ....

BarryG · **Joined:** Thu Apr 18, 2019 8:17 am **Posts:** 1194

Kwai chang caine wrote:

No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

That's normal for employers to do that, so don't feel bad. My workplace is the same. Don't risk your job by trying to get your exes whitelisted.

djes · **Posted:** Sun Jul 21, 2019 11:44 pm

BarryG wrote:

Kwai chang caine wrote:

No software not allowed by the enterprise
No external drive connected on the network of the enterprise, etc .... :oops:

That's normal for employers to do that, so don't feel bad. My workplace is the same. Don't risk your job by trying to get your exes whitelisted.

I don't think so. Usually it's just fear or laziness of administrators. Since the beginning of multiusers we have this kind of politic. And since the beginning we have employees who spent a lot of time just to do their job, better. PB is just a tool. If you have a better tool than the one given by your company, should you use it ? The usual answer is "no". A better answer should be : if there's no possibility it could be harmful. PB is not more harmful than a console, a browser, or office.
PB, as other tools, could be executed in a sandbox. User space should be enough to avoid any problem. If administrators are not at ease with this kind of tool, it's just because they're not expert enough.

Bitblazer · **Posted:** Mon Jul 22, 2019 12:14 am

If you can not get a written permission to use purebasic at your working place, then do not use purebasic at your work.

Ask a lawyer what could happen if something goes wrong while you knowingly violated corporate policies. Sorry, but while VBA is a sad joke compared to purebasic, it is also rather easy to learn.

NicTheQuick · **Posted:** Mon Jul 22, 2019 10:59 am

The issue with antiviruses is that they often open back doors or other security holes by themselves. The best thing you can do is to uninstall all antiviruses and only use Windows Defender which uses a sandbox and is highly integrated into the operating system.
Just to see an overview of open issues just look at here: https://www.cvedetails.com/google-searc ... &sa=Search
There are also a lot of news out there which can tell you about new security issues with antiviruses. Just google it.

Kwai chang caine · **Posted:** Mon Jul 22, 2019 4:54 pm

The problem in big company, is they are two parts.
The chef or coworker who have problem that i can resolve with pb, and not vba, and the administrator for who, it's not his problem.
It's the reverse world, normaly the administrator must all do for help the company to have what she need.
But their only one worry, is just have less job, and less risks..... then less job.

Recently he found a fail in chrome and IE, so only FF is allowed
i have an idea for administrator is happy, not allow to power on the machine,like that..not too much works.

If administrator is inteligent, he can install virtual machine or sandbox, like that we can use the not allowed exe.
But without admin rights...impossible to install it

collectordave · **Posted:** Tue Jul 23, 2019 1:56 am

My sympathies to all that have suffered these scare tactics.

Part of my job was to collate reams of data from loggers all over the site all logged in many excell files. A long tedious process, wrote small ptogramme in Vb for secretary to use but had the unknown publisher message and was warned.

My answer was a second hand computer the secretary then copied all data files to USB came to my office and we had a cup of tea while the second hand computer and my programme did the job copied the new files back to the USB stick which the secretary then took away.

RESULT the secretary was promoted for being so efficient!

Kwai chang caine · **Posted:** Tue Jul 23, 2019 7:39 am

Yes you have right, that remember me something !!! :wink:

This is another side of the hapiness to works in big company.
Works for another person (mainly chief) take all the risks, for create what the chief want.
For him, it's a winner/winner opération
If the software works, the chief or the coworker have advancement :shock:

Normal...to strong this chief, he have resolved the big problem that nobody can resolve before with the best, the top, the only one VBA god of the gods of programming language

And if there is the least problem with network administrator or other...the chief don't know something in computers, it's not his fault :cry:

It's the fault of the bad programmer who not respect the "good" rules of administrator :twisted:

the.weavster · **Posted:** Tue Jul 23, 2019 7:52 am

NicTheQuick wrote:

The issue with antiviruses is that they often open back doors or other security holes by themselves..

Yes. Here's an interesting blog post by a former Mozilla dev on exactly that point.

NicTheQuick · **Posted:** Tue Jul 23, 2019 11:17 am

the.weavster wrote:

NicTheQuick wrote:

The issue with antiviruses is that they often open back doors or other security holes by themselves..

Yes. Here's an interesting blog post by a former Mozilla dev on exactly that point.

Kwai chang caine · **Posted:** Wed Jul 24, 2019 12:28 pm

Incredible :shock:

Little by little all this big company can dead if it's sure than window defender is sufficient.
There is again linux or mac for continue to live....
Or better...they can be converted into a virus creator, there will always be work in it :mrgreen:

Kwai chang caine · **Posted:** Wed Jul 31, 2019 10:00 am

When i run a code with debugger Symantec "Bawl his mother"

and without ...nothing
It's strange like behavior :shock:

And i have try with only a simple MessageRequester(), and it's the same thing :twisted:

Someone understand why ?
And how can i send the debugger to SYMANTEC because the exe created is not detected like a virus ?

PureBasic Forum

Symantec again false positive

Who is online