How to have zero detection on VirusTotal...?

drgolf
Enthusiast
Posts: 106
Joined: Tue Mar 03, 2009 3:40 pm
Location: france

Post by drgolf »

Sorry to ask this:
How to have zero detection on VirusTotal with an exe from PureBasic?
I use PureBasic 5.21 LTS 32 bits on Windows XP or 8.1 Pro.

Currently I have 2 or 3 positives, with all my exes (small or big).

The positives I have, for example:

CMC : Packed.Win32.Zcrypt.3!O 20140122
TotalDefense : Win32/Inject.C!generic 20140207

It is not possible for commercial applications to have positive detections.
Simply, the user cannot download or install the program.

For institutional users (hospitals, administrations) it is not possible to deactivate the antivirus.

The only solution I found is to recode in Delphi or Lazarus, but that is a lot of work...

With Delphi, all versions (7 or Turbo, XE, XE2, ...) = VirusTotal 0 detections.
With Lazarus 1.0.14 = 0 detections.

Sorry for my bad English (French user).
eesau
Enthusiast
Posts: 589
Joined: Fri Apr 27, 2007 12:38 pm
Location: Finland

Re: How to have zero detection on VirusTotal...?

Post by eesau »

Most important thing is to always and constantly report false positives to antivirus developers, especially to those that detect your executable as positive.

It really is annoying how often for example my Avast detects PB executables as positive...
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: How to have zero detection on VirusTotal...?

Post by PB »

First, any virus description with "gen" or "generic" is just a false positive.
I know this doesn't help, but you can mention it in your docs/manual for
people to be aware.

Next, if you're using API calls in your code, try replacing them from being
direct calls, to being indirect with OpenLibrary. See my post about it here:
http://www.purebasic.fr/english/viewtop ... 77#p431877

Lastly, you can usually get around the false positives by recompiling your
code in a slightly different way. I've done that successfully in the past,
by adding unused strings or other unused code, that will end up hiding
the problem from the anti-virus tool. Sometimes it's all you can do. :(
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
IdeasVacuum
Always Here
Posts: 6426
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: How to have zero detection on VirusTotal...?

Post by IdeasVacuum »

You have to write to the AV companies who show detection and tell them their app is giving a false-positive. Most of them have a form to fill-in on their website, and you have to send them your app too. In my experience, you will get a response within 10 days, and they do indeed change their app, but of course that can happen much later. It is unlikely that your customers will actually test your app anyway, but if they do and raise a query with you, you can at least send them a copy of the AV company's response. That's the good news. The bad news is, a couple of releases down the line, the AV app will probably spew another false-positive for your app. The truth is that AV apps in general are poorly written - their value with regards to a real virus is negligible.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Thorium
Addict
Posts: 1305
Joined: Sat Aug 15, 2009 6:59 pm

Re: How to have zero detection on VirusTotal...?

Post by Thorium »

It helps if you compile as x64. Many fewer false positives.
You also don't need to deactivate the virus scanner, just deactivate heuristics in the virus scanner settings. Heuristics are useless and should be deactivated, especially at hospitals or companies. You don't want your custom applications blocked just because of a virus scanner update.

The problem is also not PB specific; I got false positives with apps written in VB.NET and C++ as well.
SeregaZ
Enthusiast
Posts: 628
Joined: Fri Feb 20, 2009 9:24 am
Location: Almaty (Kazakhstan. not Borat, but Triple G)

Re: How to have zero detection on VirusTotal...?

Post by SeregaZ »

I want to make an auto-update check and I found nice code for downloading a page to memory... but the antiviruses panic :) What can I do with this code?

The old variant downloads the page to a file next to the exe... but this exe can be started from a CD. Probably I can try downloading to the Windows temp folder... but it would be nice to fix this "tomem" code.

Code:

Procedure.l DownloadToMem(URL.s, *lpRam, ramsize) ; procedure to download a file into memory
  Protected agent.s, hInet, hData, Bytes.l

  agent.s = "Mozilla/4.0 (compatible; ST)"
  hInet = InternetOpen_(@agent.s, 0, 0, 0, 0)
  If hInet = 0
    ProcedureReturn -1                       ; WinINet session could not be opened
  EndIf

  ; $80000000 = INTERNET_FLAG_RELOAD (fetch from the server, bypass the cache).
  ; The original used $8000000, which is INTERNET_FLAG_PASSIVE, an FTP-only flag.
  hData = InternetOpenUrl_(hInet, @URL.s, "", 0, $80000000, 0)

  If hData
    ; A single read fills the buffer at most once, up to ramsize bytes;
    ; a response larger than the buffer is truncated.
    If InternetReadFile_(hData, *lpRam, ramsize, @Bytes) = 0
      Bytes = -1                             ; read failed
    EndIf
    InternetCloseHandle_(hData)              ; close the request before the session
  Else
    Bytes = -1                               ; URL could not be opened
  EndIf

  InternetCloseHandle_(hInet)

  ProcedureReturn Bytes
EndProcedure

Dim html.a(1024)
Size = DownloadToMem("http://microsoft.com", @html(), 1024)
If Size > 0
  MessageRequester("", PeekS(@html(), Size, #PB_Ascii))   ; Size limits the read; the buffer is not null-terminated
Else
  MessageRequester("", "Download failed")
EndIf
high key
User
Posts: 23
Joined: Sun Jun 08, 2003 8:07 pm

Re: How to have zero detection on VirusTotal...?

Post by high key »

eesau wrote: It really is annoying how often for example my Avast detects PB executables as positive...
That's right.

The weirdest Avast warning I ever came across:

only 1 line of code

Code:

Debug Str(#PB_Ignore)

which caused a Win32:Evo-gen (Susp) alarm :lol:

(code not saved, just started with F5)
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: How to have zero detection on VirusTotal...?

Post by PB »

> what i can do with this code?

Since you're using direct API calls, you could try my suggestion
that I posted above yours, and make them indirect calls. Might
be the solution you need.

In fact, the more I think about it, the more I feel these direct
API calls are the cause of PureBasic's anti-virus false positives,
because they're so easy for malware authors to use. Hmm.
viiartz
User
Posts: 70
Joined: Tue Mar 28, 2006 2:00 am

Re: How to have zero detection on VirusTotal...?

Post by viiartz »

Not sure if this helps anything, but I've started getting false positives (Eset Nod32 v7.0.317.4 x86) while trying to compile my code within the jaPBe 3.13.4.880 editor. When I try the same code (file) within the native PureBasic editor (PB 5.30 x86) there is no problem at all. I reported the false positives to Eset, by the way. Why would compiling with jaPBe create the false positives and not with the PB editor? I assume they both compile the code with the same PB compiler, maybe using slightly different compiler parameters? Is my assumption correct?
Thanks,
ViiArtz
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: How to have zero detection on VirusTotal...?

Post by PB »

I recently switched from Avira to Avast because of false positives.
Avira wasn't even letting me compile anything anymore. Avast is
playing nicer and not freaking out; plus it has a handy link to add
any false positive to its whitelist with a simple click (PLUS you can
submit any false positive to them with a click, too).

Avira doesn't do that, and Avira doesn't let me exclude files on an
SD card. So for me, Avast is a winner, and Avira has had its day.
ostapas
Enthusiast
Posts: 192
Joined: Thu Feb 18, 2010 11:10 pm

Re: How to have zero detection on VirusTotal...?

Post by ostapas »

PB wrote: I recently switched from Avira to Avast
What happened to Zorin OS? :)
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: How to have zero detection on VirusTotal...?

Post by PB »

I have more than one computer. :)
IdeasVacuum
Always Here
Posts: 6426
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: How to have zero detection on VirusTotal...?

Post by IdeasVacuum »

I'm using Avast too. I do not know if it's actually any good at detecting viruses (it has a lot of false-positives with PB stuff, same as the others do) but with Avast, you are in control! I also like the fact that they are at least trying to be good at what they do, often there are several updates per day.
firace
Addict
Posts: 946
Joined: Wed Nov 09, 2011 8:58 am

Re: How to have zero detection on VirusTotal...?

Post by firace »

PB wrote: ...
Lastly, you can usually get around the false positives by recompiling your
code in a slightly different way. I've done that successfully in the past,
by adding unused strings or other unused code, that will end up hiding
the problem from the anti-virus tool. Sometimes it's all you can do. :(
Hi,

could you provide any examples of this?
For instance, my short program below, which is just retrieving a text file from a Microsoft server, is triggering several FPs. I've tried adding some random strings but to no avail...
I'm especially interested in getting rid of the "CMC" false detection. Those obscure AVs are really annoying and don't even respond to email...

https://www.virustotal.com/en/file/21df ... 408785574/

Code:

InitNetwork()

ConnectionID = OpenNetworkConnection("www.msftncsi.com", 80)
If ConnectionID
  
  ; Minimal HTTP/1.0 request for Microsoft's connectivity-check text file
  Header$ = "GET /ncsi.txt HTTP/1.0" + #CRLF$
  Header$ + "Host: www.msftncsi.com" + #CRLF$
  Header$ + #CRLF$
  
  SendNetworkString(ConnectionID, Header$)
  TimeOutCounter = 300                     ; 300 x 10 ms = 3 s before giving up
  Repeat
    If NetworkClientEvent(ConnectionID) = #PB_NetworkEvent_Data
      Break
    EndIf
    Delay(10)
    TimeOutCounter - 1
  Until TimeOutCounter = 0
  
  If TimeOutCounter <> 0
    #Size = 10000
    *Buffer = AllocateMemory(#Size)
    
    If *Buffer
      String$ = ""
      Repeat
        Laenge = ReceiveNetworkData(ConnectionID, *Buffer, #Size)   ; Laenge = number of bytes received
        If Laenge > 0
          String$ + PeekS(*Buffer, Laenge, #PB_UTF8)
        EndIf
      ; Stop once the expected body text arrives, or on a negative result
      ; (error / connection closed), so a short reply cannot loop forever
      Until FindString(String$, "NCSI") > 0 Or Laenge < 0
      FreeMemory(*Buffer)
    EndIf
  EndIf
  
  CloseNetworkConnection(ConnectionID)
EndIf

MessageRequester("Result", String$)

ostapas
Enthusiast
Posts: 192
Joined: Thu Feb 18, 2010 11:10 pm

Re: How to have zero detection on VirusTotal...?

Post by ostapas »

Ugly hack, but usually helps - compress your exe with UPX, open it in hex editor and replace all "upx" strings with random data, also replace a string containing upx version, e.g. "3.91". You can also experiment with other packers.