PureBasic Forum
https://www.purebasic.fr/english/

Why I had to stop using PureBasic
https://www.purebasic.fr/english/viewtopic.php?f=7&t=69166
Page 7 of 11

Author:  ivega718 [ Wed Oct 18, 2017 9:25 pm ]
Post subject:  Re: Why I had to stop using PureBasic

This code causes me a false positive with McAfee Antivirus using PureBasic v5.61 32 bits, but compiles fine with PureBasic v5.61 64 bits.

Code:
EnableExplicit

Define Null.l ; zero-filled long; @Null is passed below as an empty string

If OpenWindow(0, 0, 0, 120, 100, "ButtonImage", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
  ButtonGadget(0,10,10,100,20,"Button",0)
  ButtonGadget(1,10,50,100,20,"Button",0)

  ; Turn off visual styles for the first button, then give it the flat style
  SetWindowTheme_(GadgetID(0),@Null,@Null)
  SetWindowLongPtr_(GadgetID(0),#GWL_STYLE,GetWindowLongPtr_(GadgetID(0),#GWL_STYLE)|#BS_FLAT)

  ; Event loop: run until the window is closed
  Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow
EndIf

Author:  HanPBF [ Fri Oct 27, 2017 10:27 am ]
Post subject:  Re: Why I had to stop using PureBasic

Same here :(

Nice to see that 64bit version runs!

Author:  Bitblazer [ Mon Oct 30, 2017 6:39 pm ]
Post subject:  Re: Why I had to stop using PureBasic

There seems to be a core problem with antivirus detection and PureBasic currently. I just compiled an x86 PB exe with a simple MessageRequester("test", "test requester") and Bitdefender instantly detected and quarantined it. It compiled into a tiny 5kb executable and was now sent to Bitdefender support for further analysis.

Let's see what they say. I have to pay for a new AV solution again anyway and if they can't fix this, I will switch again. I suggest every one of you does the same and reports here which AV solution thinks it's a threat and which isn't.

Compile the following line into an x86 executable:

Code:
MessageRequester("test", "test requester")


30.10.2018 Bitdefender Internet Security 2018: both the antivirus scanner and advanced threat detection wrongly detect and quarantine/erase it.

Support is contacted and has a zipped copy of the executable for analysis.

If you use a different AV solution, please compile the line into x86 code and tell if you can launch the executable or what happens if you try. I will report my reply from bitdefender here.

Let's see which vendor will get my/our money for next year.

Author:  Dude [ Mon Oct 30, 2017 10:21 pm ]
Post subject:  Re: Why I had to stop using PureBasic

Bitblazer wrote:
Code:
MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(

Author:  Kuron [ Tue Oct 31, 2017 3:40 am ]
Post subject:  Re: Why I had to stop using PureBasic

Dude wrote:
Bitblazer wrote:
Code:
MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(


Damn, that is high.

Author:  Bitblazer [ Tue Oct 31, 2017 7:22 am ]
Post subject:  Re: Why I had to stop using PureBasic

Dude wrote:
Bitblazer wrote:
Code:
MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(


Another hint to me that too many AV products are truly just crap and don't analyse this at all. So it just seems to be a filesize check (and maybe a single stub signature of PB that they pick up without even noticing they detect a programming language instead).

Maybe it's time to compile 5 general basic single liners like this, "hello world" and other common ones and point out which scanners are basically snake oil products. Make an article about it in detail and post it with the executables and links on a webpage, so people can make a more informed buy.

Hmmm ...

hello world, a MessageRequester, a Windows version check (maybe in inlined asm for the stupid entropy checks some scanners do), maybe a canvas widget with a Bresenham line (most basic algo in IT for graphic ;) - any more suggestions?

ps: I'm pretty sure other less common programming languages have the same problem. Maybe we should team up and initiate some kind of (anti)-EICAR movement ;)

Author:  Fred [ Tue Oct 31, 2017 8:36 am ]
Post subject:  Re: Why I had to stop using PureBasic

For info, I signed the exec and performed the test but it didn't change anything, still 12/65 which is pretty bad.

Author:  Dude [ Tue Oct 31, 2017 11:12 am ]
Post subject:  Re: Why I had to stop using PureBasic

For comparison, I compiled this code instead, and only got 4/67 false positives:

Code:
MessageBox_(0,"test requester","test",0)

https://www.virustotal.com/#/file/c8cce ... /detection

Author:  Dude [ Tue Oct 31, 2017 11:44 am ]
Post subject:  Re: Why I had to stop using PureBasic

And this compiled code gives 3/67 false positives:

Code:
With msg.MSGBOXPARAMS
  \cbSize = SizeOf(msg)
  \hwndOwner = 0
  \lpszText = @"test requester"
  \lpszCaption = @"test"
  \dwStyle = #MB_USERICON | #MB_YESNO
EndWith
MessageBoxIndirect_(@msg)

https://www.virustotal.com/#/file/f9b53 ... /detection

Author:  chi [ Tue Oct 31, 2017 3:27 pm ]
Post subject:  Re: Why I had to stop using PureBasic

Code:
MessageRequester("test", "test requester")
Without version info: 12/66
With version info (*): 02/67

Author:  Fred [ Tue Oct 31, 2017 3:38 pm ]
Post subject:  Re: Why I had to stop using PureBasic

chi wrote:
Code:
MessageRequester("test", "test requester")
Without version info: 12/66
With version info (*): 02/67


Now, that's interesting @chi. Tested on the same .exe and it got only flagged 1/66. Just put some version info to your file and it seems to do the trick (which demonstrates how these AV are a bunch of crap).

https://www.virustotal.com/#/file/8374d ... /detection

Author:  chi [ Tue Oct 31, 2017 4:01 pm ]
Post subject:  Re: Why I had to stop using PureBasic

For faster testing and more insight: https://www.winitor.com/ ;)

Author:  HanPBF [ Tue Oct 31, 2017 5:18 pm ]
Post subject:  Re: Why I had to stop using PureBasic

The anti virus specialists are very clever.
No virus would put version info into its code.
So, everything without version info is a virus; really smart!

O.k., McAfee also wants version info and I could now compile with 32bit.

So I don't need 64bit OCI.dll which I got to run meanwhile; a positive effect...

Thanks a lot for the version hint!!!

I mean really... I am really happy!!!
Thanks a lot folks! You're all great!

Author:  blueznl [ Tue Oct 31, 2017 8:55 pm ]
Post subject:  Re: Why I had to stop using PureBasic

I've been using AntiVir now for years, and it did spot a few real ones, as well as some false positives. There were very few false positives with PureBasic thus far. Also it doesn't seem to need version info to detect a (non) virus :-)

And as it seems to score reasonably as well in most virusscanner tests I think I'll stick with it for the moment. That, a bit of common sense, and now and again a single scan with malwarebytes or superantispyware has kept me clean for the last 10 years or so. I also use Firefox + NoScript to avoid some incidental drive-by downloads.

Oh. And avoiding porn websites probably helps as well 8)

Perhaps I was just lucky :?

Author:  blueznl [ Tue Oct 31, 2017 9:34 pm ]
Post subject:  Re: Why I had to stop using PureBasic

I tried virustotal, and all my stuff (except ReVal) gives 2/62. Cyclaan and eGambit are the offenders. Pfff.

All times are UTC + 1 hour