AV false-positives in 2019: PB vs VB

firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: AV false-positives in 2019: PB vs VB

Post by firace »

Marc56us wrote:All the programs I do in PB have always gone to 100%. I don't know why, but here's how I do it:
By 100%, do you mean 0 detections in VirusTotal?

By the way, is there an issue with your website? It seems to be down.
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: AV false-positives in 2019: PB vs VB

Post by BarryG »

Marc56us wrote:stop taking this site for a reference
I have no problem with that, but my users go to VirusTotal.com anyway and believe what it says, rather than what I try to explain. I've tried educating them over and over, but they simply reply that I've got a virus and don't know it. Sites like the below tell them to use VirusTotal:

https://www.howtogeek.com/180162/how-to ... -positive/

To quote the above URL: "If most antivirus programs [from the VT results] say there’s a problem, the file is probably malicious."

This is precisely why I have to get my 15 VirusTotal false-positives down to 0 (or at least 1 or 2) before users will take my app seriously. I'm totally happy to ignore it as a reference like you said, but it's damn near impossible to convince others to. I've tried.
Fangbeast
PureBasic Protozoa
Posts: 4747
Joined: Fri Apr 25, 2003 3:08 pm
Location: Not Sydney!!! (Bad water, no goats)

Re: AV false-positives in 2019: PB vs VB

Post by Fangbeast »

A friend of mine is quite smart with IT (but he proved not to be, as he never checked what was going on, just ranted, raved and blamed me), and he is a clever policeman as well.

He swears black and blue that my code was deleting files as it ran and I kept telling him there was no file deletion code in my PB executable. Even showed him the source.

What's the bet that the file operations (Not any deletion code) were detected as malware by whatever he was using and silently being removed by his detector?

Not once did he even check his recycle bin either.

I haven't had much trouble at all on this machine using Windows 10's built-in Defender and Malwarebytes, but I did have to whitelist my development directory and the PB compiler directory. Now everything works here. :)
Amateur Radio, D-STAR/VK3HAF
Marc56us
Addict
Posts: 1477
Joined: Sat Feb 08, 2014 3:26 pm

Re: AV false-positives in 2019: PB vs VB

Post by Marc56us »

firace wrote:
Marc56us wrote:All the programs I do in PB have always gone to 100%. I don't know why, but here's how I do it:
By 100%, do you mean 0 detections in VirusTotal?
By the way, is there an issue with your website? It seems to be down.
I didn't renew my site because the server logs only showed spam, robots and connection attempts on management interfaces (which don't exist anyway).

Some archives are on the RSBasic.de archive page
(ACME_*)
Example:
ACME_TreeNote_SQL_64_v2.7.1.zip 0/72
ACME_Desk_Setup_x86x64.exe 0/72
ACME_Desk_x64.exe 0/72
...
So it doesn't come from PB but from the way of coding.
(or maybe your PC is really infected?)
All the programs I do in PB have always gone to 100%. I don't know why, but here's how I do it:
- I code in pure BASIC syntax and PB functions only (very few, if any, direct API calls).
- No direct modification of the registry
- Almost never pointers
- Entries are almost always made in standard Windows locations (ie: %AppData%).
- Large programs are packaged with InnoSetup and also use standard paths (ie: %ProgramFiles%, %ProgramData%).

Basic, Pure Basic, PureBasic
And of course, code on an up-to-date machine with antivirus software.

Think simple, code simple
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: AV false-positives in 2019: PB vs VB

Post by BarryG »

Marc56us wrote:ACME_Desk_x64.exe 0/72
Nope, it actually has 2/70 malware hits: https://www.virustotal.com/gui/file/edd ... /detection
Marc56us wrote:ACME_TreeNote_SQL_64_v2.7.1.zip 0/72
This one actually has 1/63 malware hit: https://www.virustotal.com/gui/file/df8 ... /detection

VirusTotal updates its detection after you upload for analysis. You need to check about 15 min after the first submission.

And check out "ball_test.exe" from RSBasic.de which has 5/71 hits: https://www.virustotal.com/gui/file/4b4 ... /detection
Marc56us wrote:(or maybe your PC is really infected?)
It's not, but if it were, would a virus infect my exe in the time I finish compilation to the time I submit it to VirusTotal? In 60 seconds?

I even tried building my exe in the Windows Sandbox to be sure it was 100% clean, and it still got 15 malware hits on VirusTotal.
Marc56us wrote:it doesn't come from PB but from the way of coding.
Look at the very first post in this thread: it follows your guidelines (no API calls, no Registry edits, etc) and still gets 8 malware hits.
Marc56us
Addict
Posts: 1477
Joined: Sat Feb 08, 2014 3:26 pm

Re: AV false-positives in 2019: PB vs VB

Post by Marc56us »

BarryG wrote:
Marc56us wrote:ACME_Desk_x64.exe 0/72
Nope, it actually has 2/70 malware hits: https://www.virustotal.com/gui/file/edd ... /detection
When I check the direct link from RSBasic, I still have 0/72.
You provided a file you had downloaded before and found 2/72, so...
BarryG wrote:It's not, but if it were, would a virus infect my exe in the time I finish compilation to the time I submit it to VirusTotal? In 60 seconds?
Yes.
If your AV excludes the directory where the EXE is generated.
BarryG wrote:Look at the very first post in this thread: it follows your guidelines (no API calls, no Registry edits, etc) and still gets 8 malware hits.
The EXE that was generated is small: poor AVs classify that as suspect.
I compiled your sample (in 64-bit) and have 3/72:
Jiangmin (?), Trapmine (?), McAfee-GW-Edition (well known)

There are not 72 companies in the world capable of making a complete and reliable analysis engine, so stop basing your reasoning on the number of analysis engines.
VT is losing credibility by referencing all the analysis engines without testing them.

If your users continue to believe VT without completely reading the results (who says OK and who says KO), direct them to AV test sites.
I repeat, to save you time: if the 4 I mentioned (in alphabetical order: Avira, BitDefender, ESET-NOD32, Kaspersky) and a good part of the others say OK, then you will know what to think of the 4 or 5 (almost unknown) that say the opposite...
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: AV false-positives in 2019: PB vs VB

Post by BarryG »

Marc56us wrote:If your users continue to believe VT Without completely reading the results (who says OK and who says KO) direct them to AV test sites.
The real world doesn't work like that: users only care about what VirusTotal says. You can tell them over and over not to listen to VT, and I already do that, but they don't care. You can't educate them. It's a sad situation.
Marc56us wrote:The EXE that was generated is small: Poor AV classify that suspect.
You're ignoring the fact that the small exe made by Visual Basic (which is even smaller than the PureBasic exe) doesn't get so badly classified as suspect by VT (see the first post in this thread). So exe size is irrelevant. Those two exes do exactly the same thing, but only the PureBasic version gets flagged badly. There's obviously some byte sequence (signature) which is triggering it, which is what I've been trying to isolate lately.
Marc56us wrote:(very few, if any, direct API calls).
Plenty of Visual Basic apps use direct API calls; check out some VB code forums. It's not bad to use API.
Marc56us wrote:When I check direct link from rsbasic, I still have 0/72
You provide file you've downloaded before and found 2/72
What? I didn't download this before. I downloaded it directly from RSBasic like you, yesterday and again today, from the link you provided (RSBasic.de archive page). Proof is below. Look at the VT scan date/time. I don't know what file you're testing, but it's not the one from RSBasic. What's its SHA-256 checksum? It won't be the same as below.

Marc56us
Addict
Posts: 1477
Joined: Sat Feb 08, 2014 3:26 pm

Re: AV false-positives in 2019: PB vs VB

Post by Marc56us »

When I check direct link from rsbasic, I still have 0/72
You provide file you've downloaded before and found 2/72
What? I didn't download this before. I downloaded it directly from RSBasic like you, yesterday and again today,
NO, NO, NO! Do not download, use URL only

1. Right click on DOWNLOAD
(On your clipboard you will have this link to submit directly to VT http://backup.rsbasic.de/?file=ACME_Desk_x64.exe)

2. Go to Virustotal
Click URL tab
(or go direct here https://www.virustotal.com/gui/home/url)

3. Paste URL from clipboard

Still 0/72

So if the file you downloaded and sent back is considered to have viruses while the one sent directly from the storage site does not, make the appropriate deduction about what is happening on your PC.

(You don't read what we write. So this will be my last post for you.)
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: AV false-positives in 2019: PB vs VB

Post by BarryG »

You're only scanning the web page URL content, not the linked file itself; hence you don't get any detections. See here for an explanation:

https://support.virustotal.com/hc/en-us ... vice-versa

Quote from above: "Other times, the downloaded file might indeed be flagged by the antivirus signatures but the corresponding URL scanner might still have no knowledge that a given URL is distributing such file." That's what's happening to you. You need to download the file itself to test, and not test the web page URL content, as explained in the VirusTotal FAQ above. An easy mistake to make.
Marc56us wrote:So if the file you downloaded and sent back is considered to have viruses while the one sent directly from the storage site does not, make the appropriate deduction about what is happening on your PC.
Firstly, as mentioned above, the URL scan is not directly sending any file to VirusTotal for scanning, so we can ignore that part of your statement. Second, you're suggesting that the file I downloaded is getting infected by my PC once downloaded... but have you looked closely at the SHA-256 hash from the URL you quoted and compared it to the file I downloaded and then submitted? The hashes are the same. That means nothing on my PC has altered the file while it was in my possession (unless you think my PC has the ability to generate SHA-256 collisions; that would be a world-first!).

But you're right about one thing: we can't agree on this, so let's let it go. Happy New Year, mate. :)

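As an added example (not code from this thread, from PureBasic or from VirusTotal), here is a small Python helper for the two checks argued over above: comparing a build's SHA-256 with the hash VirusTotal reports, so the local PC can be ruled out as the thing that changed the file, and reading a VirusTotal v3 file report by which engines flag it rather than by the bare ratio. The reference-engine list and the sample report are constructed from the names in Marc56us's post and are not a real scan.

```python
import hashlib
import json

# The four engines Marc56us names as his reference set (taken from the post
# above; any vendor list works here).
REFERENCE_ENGINES = ("Avira", "BitDefender", "ESET-NOD32", "Kaspersky")


def sha256_of_bytes(data):
    """SHA-256 hex digest of a file's bytes (open(path, "rb").read());
    VirusTotal's gui/file/<hash> URL is keyed on exactly this value."""
    return hashlib.sha256(data).hexdigest()


def same_artifact(local_digest, reported_sha256):
    """True when the local file is byte-identical to the one VT analysed,
    which rules out 'your PC altered it after download'."""
    return local_digest.lower() == reported_sha256.lower()


def summarise_report(report):
    """Reduce a VT v3 file object to (hits, total, reference_hits, other_hits).

    'malicious' or 'suspicious' counts as a hit; 'undetected', 'harmless',
    'timeout' and similar count as clean or abstained."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = sorted(name for name, r in results.items()
                  if r.get("category") in ("malicious", "suspicious"))
    ref = [e for e in hits if e in REFERENCE_ENGINES]
    other = [e for e in hits if e not in REFERENCE_ENGINES]
    return len(hits), len(results), ref, other


def verdict(report):
    """One-line reading of the ratio in the sense Marc56us argues for."""
    n, total, ref, other = summarise_report(report)
    if not ref and other:
        return f"{n}/{total}: only non-reference engines flag it ({', '.join(other)})"
    return f"{n}/{total}: reference engines flagging it: {ref or 'none'}"


# Constructed sample shaped like a VT v3 response (not a real scan): the three
# engines Marc56us reported on the thread's 64-bit build flag it, the four
# reference engines do not.
SAMPLE_REPORT = json.loads("""{"data": {"attributes": {"last_analysis_results": {
  "Avira": {"category": "undetected"}, "BitDefender": {"category": "undetected"},
  "ESET-NOD32": {"category": "undetected"}, "Kaspersky": {"category": "undetected"},
  "Jiangmin": {"category": "malicious"}, "TrapMine": {"category": "suspicious"},
  "McAfee-GW-Edition": {"category": "malicious"}}}}}""")
```

Re-running summarise_report on a report fetched again later reflects BarryG's point that the ratio changes as engines update after the first submission.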
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: AV false-positives in 2019: PB vs VB

Post by IdeasVacuum »

How do you guys package your software for distribution? I have found that if installed with an installer, my software is not very often "attacked" by anti-virus software. I use Inno Setup (Looks like Fred maybe too?).
https://jrsoftware.org/isdl.php
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: AV false-positives in 2019: PB vs VB

Post by BarryG »

I used InnoSetup in the past, but that file (MyAppSetup.exe) can get false positives, too. And once the setup extracts your program itself, that's when the user's anti-virus will spot it and maybe complain. So that's basically twice the risk of false positives occurring, so now I only distribute as a zip (to have only one exe flagged instead of two).
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: AV false-positives in 2019: PB vs VB

Post by Bitblazer »

I like NSIS and sometimes add my own installer for the effect.