VirusTotal.com labels PureBasic executables as a virus?

Everything else that doesn't fall into one of the other PB categories.
Post Reply
Nituvious
Addict
Addict
Posts: 1033
Joined: Sat Jul 11, 2009 4:57 am
Location: United States

VirusTotal.com labels PureBasic executables as a virus?

Post by Nituvious »

It was brought to my attention that a few programs I wrote have been identified as a trojan. I scanned and sure enough, virus total brings up false positives on my program. So, I compiled this into an executable:

Code: Select all

string$ = "hello//stuff goes here"

	message1$ = StringField(string$,1,"//")
	message2$ = StringField(string$,3,"//")
	
	Debug message1$
	Debug message2$
	MessageRequester("stuff",message1$ + message2$)
Uploaded and scanned it, it come back with the same thing.
What's going on here? Why is it doing this? I has never done this before.
▓▓▓▓▓▒▒▒▒▒░░░░░
Top
PB
PureBasic Expert
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: VirusTotal.com labels PureBasic executables as a virus?

Post by PB »

This type of topic comes up from time to time. Here's the last such one:

http://www.purebasic.fr/english/viewtop ... =7&t=43016

Maybe join that topic, rather than have two separate topics started.
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
Top
User avatar
DoubleDutch
Addict
Addict
Posts: 3220
Joined: Thu Aug 07, 2003 7:01 pm
Location: United Kingdom
Contact:
Contact DoubleDutch

Re: VirusTotal.com labels PureBasic executables as a virus?

Post by DoubleDutch »

VirusTotal is really good, I use the 'Send to' all the time.

btw

Code to access windows information sometimes triggers the AV programs. You can fool them though...
EG:

Code: Select all

Procedure.s nod32text1()
	Static nod32local$="advapi32"
	ProcedureReturn nod32local$
EndProcedure

Procedure.s nod32text2()
	Static nod32local$="GetCurrentHwProfileA"
	ProcedureReturn nod32local$
EndProcedure

Procedure.s HardwareFingerprint() 
	Protected hwp.HW_PROFILE_INFO
	result$=""
	text1$=nod32text1()
  lib=OpenLibraryDll(#PB_Any,text1$) ; "advapi32.dll"
  If lib
  	text2$=nod32text2()
  	If CallFunction(lib,text2$,@hwp) ; "GetCurrentHwProfileA"
  		a=0
  		For loop=1 To 100
  			a+1
  		Next
	  	result$=PeekS(@hwp\szHWProfileGUID[0])
	  EndIf
		CloseLibrary(lib)
	EndIf
 ; Debug PeekS(@hwp\szHwProfileName[0]) + " -> " + PeekS(@hwp\szHWProfileGUID[0]) 
  ProcedureReturn result$
EndProcedure
The above code works, but try it without the nod32 procedures (reinsert the code) and it triggers nod32!!! Just shows you how rubbish the AVs really are.

ESET (the makers of NOD32) have not replied to any of my emails regarding the false positives they keep throwing up, I had to find ways to bypass the av for my customers. Don't believe their '48 hour response' rubbish, you will lose less customers if you figure it out yourself.

Also CLAMAV almost always reports a program as having a virus, usually...

ClamAV 0.96.4.0 2010.12.07 Trojan.Rabbit-2 (!!) They too don't reply to emails or fix the problem. Luckily no-one seems to use this av!

I'm just waiting for the someone to sue for loss of earnings and reputation based on what the AVs do.

Also, I now code sign virtually everything - but code signing is ignored by the AVs - what is the point?
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system
Top
Post Reply

Return to “General Discussion”