Re: Why I had to stop using PureBasic
Posted: Wed Oct 18, 2017 9:25 pm
by ivega718
This code causes me a false positive with McAfee Antivirus using PureBasic v5.61 32 bits but compiles fine with PureBasic v5.61 64 bits.
Code:
EnableExplicit
; Null is a zeroed long, so @Null points to an empty string
Define Null.l
If OpenWindow(0, 0, 0, 120, 100, "ButtonImage", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
  ButtonGadget(0,10,10,100,20,"Button",0)
  ButtonGadget(1,10,50,100,20,"Button",0)
  ; Empty theme names turn off visual styles for gadget 0
  SetWindowTheme_(GadgetID(0),@Null,@Null)
  ; Add the flat button style to gadget 0
  SetWindowLongPtr_(GadgetID(0),#GWL_STYLE,GetWindowLongPtr_(GadgetID(0),#GWL_STYLE)|#BS_FLAT)
  Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow
EndIf
Re: Why I had to stop using PureBasic
Posted: Fri Oct 27, 2017 10:27 am
by HanPBF
Same here
Nice to see that 64bit version runs!
Re: Why I had to stop using PureBasic
Posted: Mon Oct 30, 2017 6:39 pm
by Bitblazer
There seems to be a core problem with antivirus detection and PureBasic currently. I just compiled an x86 PB exe with a simple MessageRequester("test", "test requester") and Bitdefender instantly detected and quarantined it. It compiled into a tiny 5kb executable and was now sent to Bitdefender support for further analysis.
Let's see what they say. I have to pay for a new AV solution again anyway and if they can't fix this, I will switch again. I suggest every one of you does the same and reports here which AV solution thinks it's a threat and which doesn't.
Compile the following line into a x86 executable:
Code:
MessageRequester("test", "test requester")
30.10.2018 Bitdefender Internet Security 2018: both the antivirus scanner and advanced threat detection wrongly detect and quarantine/erase it.
Support is contacted and has a zipped copy of the executable for analysis.
If you use a different AV solution, please compile the line into x86 code and tell if you can launch the executable or what happens if you try. I will report my reply from bitdefender here.
Let's see which vendor will get my/our money for next year.
Re: Why I had to stop using PureBasic
Posted: Mon Oct 30, 2017 10:21 pm
by Dude
Bitblazer wrote:
Code:
MessageRequester("test", "test requester")
Yep, it's pretty bad: 12/67 scanners say the above code is malware:
https://www.virustotal.com/#/file/600ac ... 600244171/
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 3:40 am
by Kuron
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 7:22 am
by Bitblazer
Another hint to me that too many AV products are truly just crap and don't analyse this at all. So it just seems to be a filesize check (and maybe a single stub signature of PB that they pick up without even noticing they detect a programming language instead).
Maybe it's time to compile 5 general basic single liners like this, "hello world" and other common ones and point out which scanners are basically snake oil products. Make an article about it in detail and post it with the executables and links on a webpage, so people can make a more informed buy.
Hmmm ...
hello world, a messagerequester, a windows version check (maybe in inlined asm for the stupid entropy checks some scanners do), maybe a canvas widget with a bresenham line (most basic algo in IT for graphic
- any more suggestions?
ps: I'm pretty sure other less common programming languages have the same problem. Maybe we should team up and initiate some kind of (anti)-EICAR movement
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 8:36 am
by Fred
For info, I signed the exec and performed the test but it didn't change anything, still 12/65 which is pretty bad.
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 11:12 am
by Dude
For comparison, I compiled this code instead, and only got 4/67 false positives:
Code:
MessageBox_(0,"test requester","test",0)
https://www.virustotal.com/#/file/c8cce ... /detection
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 11:44 am
by Dude
And this compiled code gives 3/67 false positives:
Code:
With msg.MSGBOXPARAMS
  \cbSize = SizeOf(msg)
  \hwndOwner = 0
  \lpszText = @"test requester"
  \lpszCaption = @"test"
  \dwStyle = #MB_USERICON | #MB_YESNO
EndWith
MessageBoxIndirect_(@msg)
https://www.virustotal.com/#/file/f9b53 ... /detection
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 3:27 pm
by chi
Code:
MessageRequester("test", "test requester")
Without version info:
12/66
With version info (*):
02/67
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 3:38 pm
by Fred
chi wrote:
Code:
MessageRequester("test", "test requester")
Without version info:
12/66
With version info (*):
02/67
Now, that's interesting @chi. Tested on the same .exe and it got only flagged 1/66. Just put some version info in your file and it seems to do the trick (which demonstrates how these AV are a bunch of crap).
https://www.virustotal.com/#/file/8374d ... /detection
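Added example, not part of the thread or of PureBasic: a Python check for the two properties the posts above compare, a version-info resource (resource type 16, RT_VERSION) and an Authenticode certificate table, read directly from the PE headers. `pe_metadata` and `build_sample` are names chosen here and the sample images are constructed in-line; the certificate-table check only shows that a signature blob is attached, not that it verifies.

```python
import struct

# Added example: names are illustrative, sample images are constructed below.
RT_VERSION = 16  # resource type ID of the version-info block

def pe_metadata(data):
    """Report whether a PE image carries version info and a certificate table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)              # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)         # SizeOfOptionalHeader
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                      # data directories
    res_rva, _ = struct.unpack_from("<II", data, dirs + 8 * 2)  # resource table (RVA)
    cert_off, cert_len = struct.unpack_from("<II", data, dirs + 8 * 4)  # file offset
    types = []
    for i in range(nsec if res_rva else 0):                     # map RVA -> file offset
        vsize, va, rsize, rptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= res_rva < va + max(vsize, rsize):
            root = rptr + res_rva - va
            named, ids = struct.unpack_from("<HH", data, root + 12)
            types = [struct.unpack_from("<I", data, root + 16 + 8 * n)[0]
                     for n in range(named + ids)]               # top level = types
    return {"version_info": RT_VERSION in types,
            "certificate_table": cert_off != 0 and cert_len != 0}

def build_sample(res_type, signed=False):
    """Constructed minimal PE32 image: one .rsrc section with one resource type."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x1000, 24)        # resource directory
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * 4, 1024, 8)       # certificate table
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIII16x", b".rsrc", 24, 0x1000, 512, 512)
    rsrc = struct.pack("<IIHHHHII", 0, 0, 0, 0, 0, 1, res_type, 0)
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sect
    return head.ljust(512, b"\0") + rsrc.ljust(512, b"\0") + bytes(8 * signed)

if __name__ == "__main__":
    for label, img in [("icon resource only", build_sample(3)),
                       ("version info", build_sample(RT_VERSION)),
                       ("version info + certificate", build_sample(RT_VERSION, True))]:
        print(label, pe_metadata(img))
```

To check a real build, pass the file's bytes, for example `pe_metadata(open(path, "rb").read())`.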
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 4:01 pm
by chi
For faster testing and more insight:
https://www.winitor.com/
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 5:18 pm
by HanPBF
The anti virus specialists are very clever.
No virus would put version info into its code.
So, everything without version info is a virus; really smart!
O.k., McAfee also wants version info and I could now compile with 32bit.
So I don't need 64bit OCI.dll which I got to run meanwhile; a positive effect...
Thanks a lot for the version hint!!!
I mean really... I am really happy!!!
Thanks a lot folks! You're all great!
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 8:55 pm
by blueznl
I've been using AntiVir now for years, and it did spot a few real ones, as well as some false positives. There were very few false positives with PureBasic thus far. Also it doesn't seem to need version info to detect a (non) virus
And as it seems to score reasonably as well in most virusscanner tests I think I'll stick with it for the moment. That, a bit of common sense, and now and again a single scan with malwarebytes or superantispyware has kept me clean for the last 10 years or so. I also use Firefox + NoScript to avoid some incidental drive-by downloads.
Oh. And avoiding porn websites probably helps as well
Perhaps I was just lucky
Re: Why I had to stop using PureBasic
Posted: Tue Oct 31, 2017 9:34 pm
by blueznl
I tried virustotal, and all my stuff (except ReVal) gives 2/62. Cyclaan and eGambit are the offenders. Pfff.