Old topic, new name: "virus" found in our software

[c4s]

Today I released a new version of my application (compiled with PB4.61). Now I just got an automated email from a software hosting website, which always scans the uploaded/updated archive with about 40 antivirus tools.

Getting a false-positive here and there is nothing new to us (interesting article by the way). However, this time I was surprised of the "virus" - luckily only - Clam-AV found:

PUA.Win32.Packer.Purebasic-1

I'm used to names such as "GEN/Whatever"... but this? Are they serious? Does that mean code written in PureBasic is now officially malicious no matter what's actually inside the executable?!
Also just a few weeks ago Clam-AV didn't even bother giving my application that virus name, although the code didn't change much! It makes me sick how they seem to randomly flag our software: Most times clean, sometimes this, other times "GEN/Whatever" and so on...

All I can do is shake my head and wonder when those antivirus tools will finally improve so that the average computer user doesn't get scared by false-positive warnings.

Leave us small developers with your potentially business-harming behavior alone!

[DarkDragon]

I just found one entry in their virus database specifying this type: http://lurker.clamav.net/message/201206 ... 47.en.html

And they also seem to block other programming languages:

Added: PUA.Win32.Packer.MsVisualCpp

[jesperbrannmark]

Yep I just did a check on virustotal.com for the software I sell and ClamAV is also claiming PUA.Win32.Packer.Purebasic-1. I submitted a false positive to them and will see what they will reply.

[c4s]

@DarkDragon
Interesting to see how PureBasic is on a list with obvious license management tools, crypters, packers etc. ...regarding the small executable sizes PureBasic usually generates they might even be right with that decision.


@jesperbrannmark
Thanks. Hopefully they will change their stupid decision to flag programming languages, normal installers and similar stuff as malicious/unwanted software.

[Josh]

ClamAv don't show a virus anymore. But in the additional informations there is following comment:

ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/support/faq/pua.

I get this comment only at the 32bit version of my exe, not at 64bit

[Little John]

ClamAv don't show a virus anymore. But in the additional informations there is following comment:

ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/support/faq/pua.

I get this comment only at the 32bit version of my exe, not at 64bit

We should keep in mind that there are not only PUA, but also SUA (Surely Unwanted Applications) and OSSP (Obviously Stupid Superfluous Programs) ... for instance ClamAV

[c4s]

Anyway, the detection doesn't make any sense as Little John already has pointed out!

The average user doesn't know what to do with those additional classifications. What is a packer, is it good or bad? In this list I can see P2P being listed as well because "[...] it happens that copyrights are violated by downloading copyright protected content (Music, Movies) [...]".
Either the application does malicious stuff and must be blocked or it is harmless. In that case the user shouldn't be confused with misleading "virus detected" messages - I'm pretty sure the average user calls it that way which is a big problem for the reputation of that detected application!

In the end this behavior just harms us small programmers because the products of large companies will be allowed anyway. Maybe even with a little phoning-home here, p2p there etc. who knows or cares...