Why I had to stop using PureBasic

[Olby]

Hi everyone,

Haven't wrote anything here for a long while... Just wanted to share my concerns with using PB as of lately. I've been programming in PB for about a decade now and had wrote a few big applications with it. As well as countless small plugins, utilities etc. However in the last year or two I couldn't but notice the increased number of false positives from some anti-virus packages. This has been an issue before but it was always an easy fix in a form of an odd false-positive report here and there. With the advent of blanket approach where everything without a code signature that looks mildly suspicious or with no or low reputation (number of people using the same file) is marked as infected. This is outrageous. I had to stop writing new utilities at work simply because our corporation uses Symantec Endpoint Protection and it flags pretty much every single executable and DLL created with PB unless it is a very large application and uses numerous libraries (a rare occurrence for PB apps). Their "machine learning" module just flags everything that even slightly resembles a virus (in my case, a small no GUI application most of the time). And the worst of all, it only gets more rigorous over time. At first it was a few executables, I thought fine, then after a few weeks it randomly flags even more. Today I have to exclude the whole PB installation folder, PB installation file and the built application binaries folder to be able to use it. Now, you might say, well, just exclude everything and you should be ok. Yes, however then comes the problem of distributing the software across the office. After making a slightest change in the code, I have to resubmit a false-positive report, wait (sometimes up to a day), expect that all AV instances have been updated with latest rapid release updates and then distribute the PB application. This severely affects our business, especially because we are a medium sized company and rapid prototyping and development is at the core of business. This is a major problem and a big deterrent for PB's continued existence. I personally had to revert to .NET simply because none of my software written with C# has ever been flagged by AVs. I really enjoy using PB but until we can figure out what to do with these false positives, it has no use for me, alas.

Please share your thoughts. Am I the only one suffering here? I understand that, perhaps, a lot of bedroom coders do not have this problem since they write the software for their own use and can control their AVs better than corporations and third-party users.

Best,

[Saboteur]

I had to stop using anti-virus because of that. It marked a lot of programs as infected: aplications, games, "Hello World" compileds... at one point the situation was unbearable.
In windows I only have Defender, and will not install a anti-virus ever. But in a company that is impossible. The problem is anti-virus companies don't do its job well, and that don't gonna change.

[skywalk]

Not familiar with Symantec, but it sounds like you had no white-list control for your app delivery?
Waiting for the antivirus company to change their heuristics is NOT a solution, as you are painfully aware.
However, an admin can white-list your named executable with or without a signature. They might ask for a fingerprint instead(MD5,CRC32,etc.)? Did you attempt to create a similar size utility in gcc or some other c compiler other than visual studio?

[Olby]

I had to stop using anti-virus because of that. It marked a lot of programs as infected: aplications, games, "Hello World" compileds... at one point the situation was unbearable.
In windows I only have Defender, and will not install a anti-virus ever. But in a company that is impossible. The problem is anti-virus companies don't do its job well, and that don't gonna change.

Yes, totally, I remember reading a blog post which essentially claimed that AVs are killing the bedroom coder industry. Code signing is an expensive process therefore lots of these smaller utilities are quarantined for no reason.

Not familiar with Symantec, but it sounds like you had no white-list control for your app delivery?
Waiting for the antivirus company to change their heuristics is NOT a solution, as you are painfully aware.
However, an admin can white-list your named executable with or without a signature. They might ask for a fingerprint instead(MD5,CRC32,etc.)? Did you attempt to create a similar size utility in gcc or some other c compiler other than visual studio?

I am not aware if they have an ability to white list a single file name across the whole network without directly specifying the file location. On my own system I don't have such capabilities. Even if they could I doubt they would agree white-listing based on file name alone, they'll want hashes, and with that it's the same as reporting a false-positive. You make a slightest change in the app and have to update the hashes one again. Now, I'm not saying it is impossible to avoid this problem, it's doable, however at what cost? By having more and more white-listed locations, files etc. I personally took the easiest route and switched to C# or C++. Unfortunately no, I haven't tried anything else than VS2015/2017, recently.

To me PB was always about speed and size/portability of the binaries. I overlooked lots of its quirks and shortcomings in the name of comfort. By the time VS boots I could already run a build in PB. But with the advent of these scrutinous AVs the time advantage is gone due to fiddling with false-positives.

[skywalk]

They can definitely white-list by file and location.
Of course, the hash will change with any updates. Must be part of your delivery system, if you choose that extra layer of security. I prefer my app's are installed with an elevated installer and then no need to worry about a virus or a user changing the app name or location. Then no need for a hash and just a simple white-list by name/location.

If you have not compiled with a non-Microsoft compiler, then it is hard to conclude this is PB only?

[Olby]

They can definitely white-list by file and location.
Of course, the hash will change with any updates. Must be part of your delivery system, if you choose that extra layer of security. I prefer my app's are installed with an elevated installer and then no need to worry about a virus or a user changing the app name or location. Then no need for a hash and just a simple white-list by name/location.

If you have not compiled with a non-Microsoft compiler, then it is hard to conclude this is PB only?

Creating an installer at the pace we are working here would certainly slow the business down. As for non MS compilers, I have used GCC with CodeBlocks in the past and nothing was ever quarantined, albeit it was about 3 years ago.

You are talking about MS compilers as if they have some magic ability to prevent the creation of viruses. Why Symantec doesn't flag a small command prompt utility written in VC++ yet will flag a similar one written in PureBasic? I call it discrimination

[skywalk]

haha, I only mentioned a non-MS compiler based on your success with Visual Studio.
Creating a WIX installer is more difficult, but InnoSetup is very easy?
Both are scriptable.

[normeus]

Symantec is horrible. Maybe we can get all of PB users to complain about Symantec's Heuristic check.
The only way I can make programs in PB is by disabling Symantec for 5 hours.
Like @Olby, I cannot change to a different antivirus provider.
@Olby I got a certificate from https://www.startcomca.com/ for USD$59.00 and that mitigated the problem of sharing programs.
( I have compiled small c++ code with gcc with no problem )
I think Symantec is looking for a PB signature.


- THE FOLLOWING IS MY LOGIC FOR REPORTING A FALSE POSITIVE TO SYMANTEC -

[EDIT SEPT 9 2017]
I deleted this because Symantec replied to me:
"Having reviewed the information provided we are unable to reproduce or confirm the issue described."
so I get my exe deleted but they don't see the problem on their end!

[end EDIT]

It is simple, Symantec does not like PB or it assumes a PB signature with a few chosen words like "China" is a virus.


Norm.

[Olby]

Symantec is horrible. Maybe we can get all of PB users to complain about Symantec's Heuristic check.
The only way I can make programs in PB is by disabling Symantec for 5 hours.
Like @Olby, I cannot change to a different antivirus provider.
@Olby I got a certificate from https://www.startcomca.com/ for USD$59.00 and that mitigated the problem of sharing programs.
( I have compiled small c++ code with gcc with no problem )
I think Symantec is looking for a PB signature.

- THE FOLLOWING IS MY LOGIC FOR REPORTING A FALSE POSITIVE TO SYMANTEC -
If you want to HELP PUREBASIC's reputation maybe you can do this:
1. compile provided sample code to treegadgetexample.exe
2. go to Symantec False positive page and enter the following data:
https://submit.symantec.com/false_positive/

A2 - While using an application <- choose this then Next
B2 - Symantec Endpoint Protection 14.x <- this then Next
C2 - SONAR (Behavioral Heuristics Detection) e.g. SONAR.Heuristic, Bloodhound.SONAR.* <- Next

Upload the exe file created on step 1.
for name of detection enter: Auto-Protect is processing security risk Heur.AdvML.B.
enter your name email address and check on the box which claims you are the creator of this software.
Wait two days for a response.

This random sample code was taken from the forums, kindly donated by @TI-994A
http://www.purebasic.fr/english/viewtop ... 93#p428793
but, Symantec thinks it is a virus:

Code: Select all

EnableExplicit

Enumeration
  #MainWindow
  #Button  
  #Tree
  #List
  #Opt1
  #Opt2
EndEnumeration

Define L, appQuit, selectionLevel, displayLevel = 1
Declare InitialiseTree()

OpenWindow(#MainWindow, 0, 0, 400, 400, "TreeGadget", 
           #PB_Window_SystemMenu | 
           #PB_Window_ScreenCentered)

TreeGadget(#Tree, 10, 10, 200, 380)
ButtonGadget(#Button, 220, 10, 170, 30, "Display sub-levels...")
ListViewGadget(#List, 220, 80, 170, 310)
OptionGadget(#Opt1, 225, 50, 90, 20, "to level 2 only")
OptionGadget(#Opt2, 320, 50, 90, 20, "to level 3")
SetGadgetState(#Opt1, 1)
InitialiseTree()

Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      appQuit = 1
    Case #PB_Event_Gadget
      Select EventGadget()
        Case #Opt1, #Opt2
          If GetGadgetState(#Opt1)
            displayLevel = 1
          Else
            displayLevel = 2
          EndIf
        Case #Button
          ClearGadgetItems(#List)
          selectionLevel = GetGadgetItemAttribute(#Tree, GetGadgetState(#Tree),
                                                  #PB_Tree_SubLevel)
          AddGadgetItem(#List, -1, "Sub-levels of " +
                                   GetGadgetItemText(#Tree, GetGadgetState(#Tree)) + " :")
          For L = GetGadgetState(#Tree) + 1 To CountGadgetItems(#Tree) - 1
            If GetGadgetItemAttribute(#Tree, L, #PB_Tree_SubLevel) <= selectionLevel
              Break
            Else
              If GetGadgetItemAttribute(#Tree, L, #PB_Tree_SubLevel) <= displayLevel
                AddGadgetItem(#List, -1, "- " + GetGadgetItemText(#Tree, L))
              EndIf
            EndIf
          Next L
      EndSelect
  EndSelect
Until appQuit = 1 

Procedure InitialiseTree()
  Protected L, LL, item.s
  AddGadgetItem(#Tree, -1, "Random Lists", 0, 0)
  For L = 1 To 5
    Read.s item
    AddGadgetItem(#Tree, -1, item, 0, 1)
    For LL = 1 To 6
      Read.s item
      AddGadgetItem(#Tree, -1, item, 0, 2)
    Next LL
    SetGadgetItemState(#Tree, CountGadgetItems(#Tree) - 7, #PB_Tree_Expanded)
  Next L
  SetGadgetItemState(#Tree, 0, #PB_Tree_Expanded)
  SetGadgetState(#Tree, 0)
EndProcedure

DataSection
  Data.s "Colours", "Red", "Blue", "Green", "Yellow", "Cyan", "Magenta"
  Data.s "Fruits", "Apple", "Banana", "Cherry", "Lemon", "Mango", "Strawberry"
  Data.s "Animals", "Monkey", "Giraffe", "Horse", "Lion", "Tiger", "Zebra"
  Data.s "Planets", "Pluto", "Jupiter", "Neptune", "Venus", "Mercury", "Mars"
  Data.s "Countries", "France", "Germany", "China", "Japan", "United Kingdom", "U.S.A."
EndDataSection

It is simple, Symantec does not like PB or it assumes a PB signature with a few chosen words like "China" is a virus.


Norm.

Funny, but when I compile it Symantec ignores it. Even tried a force scan on it (outside of my exclusion folders) still nothing. Probably because you have already white listed it (although based on my experience they only white list exact hashes).

[marc_256]

Well my story is as follow,

I had an idea to write a big (very complex) cad cam cnc program.
I decided to invest all my money (and time) in it.
Being a very small company, i took a very, very big risk.
I started with PB, as result of years of basic programming over the last 35 years.
Started with Apple II, PC GW basic, Qbasic, Qbasic 45, ..., PB.
It took me more than 2 and 1/2 years to study and write all the different parts, and a beautiful good working GUI,
all needed to have a good working software.
for so long I was working within PB editor on my desktop and laptop I had no problems.
After I started to build PB.exe files, my AV's programs (like NOD32), even erased my .exe files from the HDD.
I did not find any solution for this problems, (even on this forum http://www.purebasic.fr/english/viewtop ... =7&t=59302), so I never sold one of my programs,
and worked the last 2 years (very hard to pay back my financial investors).
a few weeks ago, I payed back the last part of my dept.

I wanted to restart my programming, but I was afraid to take the step,
Plus the risk that the 3D OGRE rendering engine integration in PB, is like stopped ??

I wanted to restart and rewrite all my program in C++, but have not at all the experience that i have with BASIC.

On the other side, I LOVE PB, I created almost impossible things with it.
really nice peaces of software(please look here) http://www.purebasic.fr/english/viewtop ... 36&t=60557.
But I can't sell them, so ... and this was my goal ...

greatings,
marc

PS: sorry for my english.

[Olby]

Well my story is as follow,

I had an idea to write a big (very complex) cad cam cnc program.
I decided to invest all my money (and time) in it.
Being a very small company, i took a very, very big risk.
I started with PB, as result of years of basic programming over the last 35 years.
Started with Apple II, PC GW basic, Qbasic, Qbasic 45, ..., PB.
It took me more than 2 and 1/2 years to study and write all the different parts, and a beautiful good working GUI,
all needed to have a good working software.
for so long I was working within PB editor on my desktop and laptop I had no problems.
After I started to build PB.exe files, my AV's programs (like NOD32), even erased my .exe files from the HDD.
I did not find any solution for this problems, (even on this forum http://www.purebasic.fr/english/viewtop ... =7&t=59302), so I never sold one of my programs,
and worked the last 2 years (very hard to pay back my financial investors).
a few weeks ago, I payed back the last part of my dept.

I wanted to restart my programming, but I was afraid to take the step,
Plus the risk that the 3D OGRE rendering engine integration in PB, is like stopped ??

I wanted to restart and rewrite all my program in C++, but have not at all the experience that i have with BASIC.

On the other side, I LOVE PB, I created almost impossible things with it.
really nice peaces of software(please look here) http://www.purebasic.fr/english/viewtop ... 36&t=60557.
But I can't sell them, so ... and this was my goal ...

greatings,
marc

PS: sorry for my english.

I am sorry to hear you have had financial losses due to false-positives. In my case I was lucky to be spared so far. Currently mainly my utilities and DLL plugins have been flagged. Two of the major apps I wrote and which are still used commercially today are not flagged, so far, finger-crossed. But I hear you, it is a real problem, or should I say lack of, since it's not our fault but the AV developer's.

[marc_256]

Olby,

I think is a question of size,
we are to small to have influences on these AV developers.

marc

[heartbone]

Unless one is running unfamiliar programs, there is very little need to have an AV nanny watching your every move.
Yes, the big business operations perhaps feel the need for such protection from stupid employees,
but software developers in control should not be running AV except when they initially load or execute new software.
Even while browsing on the internet, all that is really needed is something like NoScript to protect from malice.

For the programmer to run AV software on a continuous basis when it is not needed, is really not very wise,
but to allow the AV nanny to interfere with the project's development is just plain ludicrous.

IMO one can develop software in a better environment without the nanny's assistance.
Once the software is developed, then (unfortunately) you'd need to get the module white-listed with all the nanny vendors, but that's the only real problem..

In my opinion, I saw no valid reason posted here to stop using this fine tool.
But then again, business logic and deductive logic are not the same.

[Dude]

My thoughts: looking at a PureBasic exe, at the end of the file is a whole bunch of plain-text and dangerous-looking API definitions, such as "DeleteFile" and "TerminateProcess", etc. Maybe the AV sees these and that's enough to trigger the false positive? So, FRED, can you perhaps encrypt those (like you already do for our custom strings) so they're not stored as plain text in the exe anymore, and thus not so obvious to the AV software?

I also noticed the exe has a manifest file embedded into it. Mine has a "publicKeyToken" of "6595b64144ccf1df" and "name" of "CompanyName.ProductName.YourApp" in there. Are these details the same for everyone else? If so, that could be triggering AV false positives too, because once an infected PureBasic exe is released with those details, then EVERYONE'S PureBasic exe will trigger it. So we need to be able to specify our own manifest details. Again, Fred, can that be made possible?

[TassyJim]

Symantec is horrible.

They don't stop with your programs.
Last week I discovered that they had black-listed my website.
They accuse me of hosting 'driveby downloads'

It's a dull and boring website, but apart from it's lack of interest, it does no harm.

I don't know how many prospective new users of my programs Symantec have frightened off.

I am waiting for Symantec to tell me what it is on my website that they objected to. I gather that it will take 2 weeks (or more) for them to reevaluate.
Once they tell me what they think is wrong (if they ever do), I will put a big notice on every page, warning visitors that Symantec aren't capable of telling good from bad.

The more that they block, the better their stats look - bugger the poor sod they defamed.

Jim