
Re: Why I had to stop using PureBasic

Posted: Wed Oct 18, 2017 9:25 pm
by ivega718
This code causes me a false positive with McAfee Antivirus using PureBasic v5.61 32-bit, but compiles fine with PureBasic v5.61 64-bit.

Code:

EnableExplicit

Define Null.l

If OpenWindow(0, 0, 0, 120, 100, "ButtonImage", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
  ButtonGadget(0,10,10,100,20,"Button",0)
  ButtonGadget(1,10,50,100,20,"Button",0)
  
  SetWindowTheme_(GadgetID(0),@Null,@Null)
  SetWindowLongPtr_(GadgetID(0),#GWL_STYLE,GetWindowLongPtr_(GadgetID(0),#GWL_STYLE)|#BS_FLAT) 

Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow 
EndIf

Re: Why I had to stop using PureBasic

Posted: Fri Oct 27, 2017 10:27 am
by HanPBF
Same here :(

Nice to see that 64bit version runs!

Re: Why I had to stop using PureBasic

Posted: Mon Oct 30, 2017 6:39 pm
by Bitblazer
There seems to be a core problem with antivirus detection and PureBasic currently. I just compiled an x86 PB exe with a simple MessageRequester("test", "test requester") and Bitdefender instantly detected and quarantined it. It compiled into a tiny 5 KB executable and was now sent to Bitdefender support for further analysis.

Let's see what they say. I have to pay for a new AV solution again anyway and if they can't fix this, I will switch again. I suggest all of you do the same and report here which AV solution thinks it's a threat and which doesn't.

Compile the following line into an x86 executable:

Code:

MessageRequester("test", "test requester")

30.10.2018 Bitdefender Internet Security 2018: both the antivirus scanner and advanced threat detection wrongly detect and quarantine/erase it.

Support is contacted and has a zipped copy of the executable for analysis.

If you use a different AV solution, please compile the line into x86 code and tell if you can launch the executable or what happens if you try. I will report my reply from bitdefender here.

Let's see which vendor will get my/our money for next year.

Re: Why I had to stop using PureBasic

Posted: Mon Oct 30, 2017 10:21 pm
by Dude
Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 3:40 am
by Kuron
Dude wrote:
Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(
Damn, that is high.

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 7:22 am
by Bitblazer
Dude wrote:
Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(
Another hint to me that too many AV products are truly just crap and don't analyse this at all. So it just seems to be a file size check (and maybe a single stub signature of PB that they pick up without even noticing they detect a programming language instead).

Maybe it's time to compile 5 general basic single-liners like this, "hello world" and other common ones, and point out which scanners are basically snake oil products. Make an article about it in detail and post it with the executables and links on a webpage, so people can make a more informed buy.

Hmmm ...

hello world, a messagerequester, a windows version check (maybe in inlined asm for the stupid entropy checks some scanners do), maybe a canvas widget with a bresenham line (most basic algo in IT for graphic ;) - any more suggestions?

PS: I'm pretty sure other less common programming languages have the same problem. Maybe we should team up and initiate some kind of (anti)-EICAR movement ;)

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 8:36 am
by Fred
For info, I signed the exec and performed the test, but it didn't change anything, still 12/65 which is pretty bad.

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 11:12 am
by Dude
For comparison, I compiled this code instead, and only got 4/67 false positives:

Code:

MessageBox_(0,"test requester","test",0)

https://www.virustotal.com/#/file/c8cce ... /detection

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 11:44 am
by Dude
And this compiled code gives 3/67 false positives:

Code:

With msg.MSGBOXPARAMS
  \cbSize = SizeOf(msg)
  \hwndOwner = 0
  \lpszText = @"test requester"
  \lpszCaption = @"test"
  \dwStyle = #MB_USERICON | #MB_YESNO
EndWith
MessageBoxIndirect_(@msg)

https://www.virustotal.com/#/file/f9b53 ... /detection

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 3:27 pm
by chi

Code:

MessageRequester("test", "test requester")

Without version info: 12/66
With version info (*): 02/67

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 3:38 pm
by Fred
chi wrote:

Code:

MessageRequester("test", "test requester")

Without version info: 12/66
With version info (*): 02/67

Now, that's interesting @chi. Tested on the same .exe and it only got flagged 1/66. Just put some version info in your file and it seems to do the trick (which demonstrates how these AV are a bunch of crap)

https://www.virustotal.com/#/file/8374d ... /detection
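
Added example, not part of the thread or of PureBasic: a build-step check, following the version-info observation in the posts above, that reports whether a compiled Windows executable actually carries a version-info resource (resource type RT_VERSION) before it is released. The function name `has_version_info` is hypothetical; the script only reads the PE headers and the root resource directory of the files named on its command line.

```python
import struct
import sys

RT_VERSION = 16  # resource type ID of the version-info (VS_VERSIONINFO) resource


def has_version_info(pe: bytes) -> bool:
    """Return True if the PE image's resource directory has an RT_VERSION entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    # Data directories sit 96 bytes into a PE32 optional header, 112 into PE32+.
    dirs = opt + (96 if magic == 0x10B else 112)
    (n_dirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if n_dirs < 3:
        return False
    (rsrc_rva,) = struct.unpack_from("<I", pe, dirs + 2 * 8)  # entry 2 = resources
    if rsrc_rva == 0:
        return False
    # Translate the resource RVA to a file offset through the section table.
    sections = opt + opt_size
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<4I", pe, sections + 40 * i + 8)
        if vaddr <= rsrc_rva < vaddr + max(vsize, raw_size):
            root = raw_ptr + (rsrc_rva - vaddr)
            break
    else:
        return False
    # Root directory: 12 bytes of header, two entry counts, then 8-byte entries.
    named, by_id = struct.unpack_from("<HH", pe, root + 12)
    for j in range(named + by_id):
        (type_id,) = struct.unpack_from("<I", pe, root + 16 + 8 * j)
        if type_id == RT_VERSION:  # named entries have the high bit set, so never match
            return True
    return False


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status = "version info present" if has_version_info(fh.read()) else "NO version info"
        print(f"{path}: {status}")
```
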

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 4:01 pm
by chi
For faster testing and more insight: https://www.winitor.com/ ;)

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 5:18 pm
by HanPBF
The anti virus specialists are very clever.
No virus would put version info into its code.
So, everything without version info is a virus; really smart!

O.k., McAfee also wants version info and I could now compile with 32bit.

So I don't need 64bit OCI.dll which I got to run meanwhile; a positive effect...

Thanks a lot for the version hint!!!

I mean really... I am really happy!!!
Thanks a lot folks! You're all great!

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 8:55 pm
by blueznl
I've been using AntiVir now for years, and it did spot a few real ones, as well as some false positives. There were very few false positives with PureBasic thus far. Also it doesn't seem to need version info to detect a (non) virus :-)

And as it seems to score reasonably as well in most virus scanner tests I think I'll stick with it for the moment. That, a bit of common sense, and now and again a single scan with Malwarebytes or SUPERAntiSpyware has kept me clean for the last 10 years or so. I also use Firefox + NoScript to avoid some incidental drive-by downloads.

Oh. And avoiding porn websites probably helps as well 8)

Perhaps I was just lucky :?

Re: Why I had to stop using PureBasic

Posted: Tue Oct 31, 2017 9:34 pm
by blueznl
I tried virustotal, and all my stuff (except ReVal) gives 2/62. Cyclaan and eGambit are the offenders. Pfff.