Why I had to stop using PureBasic

ivega718
User
Posts: 15
Joined: Mon Feb 25, 2013 9:29 pm

Post by ivega718 »

This code causes me a false positive with McAfee Antivirus using PureBasic v5.61 32 bits but compiles fine with PureBasic v5.61 64 bits.

Code:

EnableExplicit

Define Null.l ; zero-initialised long; @Null points to an empty string

If OpenWindow(0, 0, 0, 120, 100, "ButtonImage", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
  ButtonGadget(0, 10, 10, 100, 20, "Button", 0)
  ButtonGadget(1, 10, 50, 100, 20, "Button", 0)

  ; Turn off visual styles for the first button, then give it the flat style
  SetWindowTheme_(GadgetID(0), @Null, @Null)
  SetWindowLongPtr_(GadgetID(0), #GWL_STYLE, GetWindowLongPtr_(GadgetID(0), #GWL_STYLE) | #BS_FLAT)

  Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow
EndIf
HanPBF
Enthusiast
Posts: 563
Joined: Fri Feb 19, 2010 3:42 am

Post by HanPBF »

Same here :(

Nice to see that 64bit version runs!
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Post by Bitblazer »

There seems to be a core problem with antivirus detection and PureBasic currently. I just compiled an x86 PB exe with a simple MessageRequester("test", "test requester") and Bitdefender instantly detected and quarantined it. It compiled into a tiny 5 KB executable and was now sent to Bitdefender support for further analysis.

Let's see what they say. I have to pay for a new AV solution again anyway and if they can't fix this, I will switch again. I suggest everybody of you does the same and reports here which AV solution thinks it's a threat and which isn't.

Compile the following line into a x86 executable:

Code:

MessageRequester("test", "test requester")

30.10.2018 Bitdefender Internet Security 2018 both antivirus scanner and advanced threat detection wrongly detect and quarantine/erase it.

Support is contacted and has a zipped copy of the executable for analysis.

If you use a different AV solution, please compile the line into x86 code and tell if you can launch the executable or what happens if you try. I will report my reply from bitdefender here.

Let's see which vendor will get my/our money for next year.
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Post by Dude »

Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Post by Kuron »

Dude wrote:
Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(
Damn, that is high.
Best wishes to the PB community. Thank you for the memories. ♥️
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Post by Bitblazer »

Dude wrote:
Bitblazer wrote:

Code:

MessageRequester("test", "test requester")

Yep, it's pretty bad: 12/67 scanners say the above code is malware:

https://www.virustotal.com/#/file/600ac ... 600244171/

:(
Another hint to me that too many AV products are truly just crap and don't analyse this at all. So it just seems to be a file size check (and maybe a single stub signature of PB that they pick up without even noticing they detect a programming language instead).

Maybe it's time to compile 5 general basic single-liners like this, "hello world" and other common ones, and point out which scanners are basically snake oil products. Make an article about it in detail and post it with the executables and links on a webpage, so people can make a more informed buy.

Hmmm ...

Hello world, a MessageRequester, a Windows version check (maybe in inlined asm for the stupid entropy checks some scanners do), maybe a canvas widget with a Bresenham line (most basic algo in IT for graphics ;) - any more suggestions?

PS: I'm pretty sure other less common programming languages have the same problem. Maybe we should team up and initiate some kind of (anti)-EICAR movement ;)
Last edited by Bitblazer on Tue Nov 21, 2017 11:13 pm, edited 1 time in total.
Fred
Administrator
Posts: 16619
Joined: Fri May 17, 2002 4:39 pm
Location: France

Post by Fred »

For info, I signed the exec and performed the test but it didn't change anything, still 12/65 which is pretty bad.
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Post by Dude »

For comparison, I compiled this code instead, and only got 4/67 false positives:

Code:

MessageBox_(0,"test requester","test",0)

https://www.virustotal.com/#/file/c8cce ... /detection
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Post by Dude »

And this compiled code gives 3/67 false positives:

Code:

With msg.MSGBOXPARAMS
  \cbSize = SizeOf(msg)
  \hwndOwner = 0
  \lpszText = @"test requester"
  \lpszCaption = @"test"
  \dwStyle = #MB_USERICON | #MB_YESNO
EndWith
MessageBoxIndirect_(@msg)

https://www.virustotal.com/#/file/f9b53 ... /detection
chi
Addict
Posts: 1028
Joined: Sat May 05, 2007 5:31 pm
Location: Linz, Austria

Post by chi »

Code:

MessageRequester("test", "test requester")

Without version info: 12/66
With version info (*): 02/67
Et cetera is my worst enemy
Fred
Administrator
Posts: 16619
Joined: Fri May 17, 2002 4:39 pm
Location: France

Post by Fred »

chi wrote:

Code:

MessageRequester("test", "test requester")

Without version info: 12/66
With version info (*): 02/67

Now, that's interesting @chi. Tested on the same .exe and it got only flagged 1/66. Just put some version info to your file and it seems to do the trick (which demonstrates how these AV are a bunch of crap)

https://www.virustotal.com/#/file/8374d ... /detection
chi
Addict
Posts: 1028
Joined: Sat May 05, 2007 5:31 pm
Location: Linz, Austria

Post by chi »

For faster testing and more insight: https://www.winitor.com/ ;)
Et cetera is my worst enemy
HanPBF
Enthusiast
Posts: 563
Joined: Fri Feb 19, 2010 3:42 am

Post by HanPBF »

The anti virus specialists are very clever.
No virus would put version info into its code.
So, everything without version info is a virus; really smart!

O.k., McAfee also wants version info and I could now compile with 32bit.

So I don't need 64bit OCI.dll which I got to run meanwhile; a positive effect...

Thanks a lot for the version hint!!!

I mean really... I am really happy!!!
Thanks a lot folks! You're all great!
blueznl
PureBasic Expert
Posts: 6161
Joined: Sat May 17, 2003 11:31 am

Post by blueznl »

I've been using AntiVir now for years, and it did spot a few real ones, as well as some false positives. There were very few false positives with PureBasic thus far. Also it doesn't seem to need version info to detect a (non) virus :-)

And as it seems to score reasonably as well in most virus scanner tests I think I'll stick with it for the moment. That, a bit of common sense, and now and again a single scan with Malwarebytes or SUPERAntiSpyware has kept me clean for the last 10 years or so. I also use Firefox + NoScript to avoid some incidental drive-by downloads.

Oh. And avoiding porn websites probably helps as well 8)

Perhaps I was just lucky :?
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB)
( The path to enlightenment and the PureBasic Survival Guide right here... )
blueznl
PureBasic Expert
Posts: 6161
Joined: Sat May 17, 2003 11:31 am

Post by blueznl »

I tried virustotal, and all my stuff (except ReVal) gives 2/62. Cyclaan and eGambit are the offenders. Pfff.
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB)
( The path to enlightenment and the PureBasic Survival Guide right here... )