Why I had to stop using PureBasic

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

PureBasic Manual wrote:

No PB functions actually support this feature for now (it is ignored for them).

So... why the big difference in VirusTotal scans then? Obviously the settings are NOT ignored, because there's something different in both exes that is triggering an extra 7 malware alerts for the "Dynamic CPU" version.

I hope someone else who had a lot of false positives can do some tests and report their experience.

Paul · **Posted:** Sun Nov 26, 2017 11:20 pm

Maybe Fred could step in an comment on what the DYNAMIC CPU flag is doing?

I did the same test using opswat.com and a blank EXE x86 was flagged by 9 out of 36
The same blank EXE x86 with Dynamic CPU flag was flagged by 2 out of 36
The same blank EXE compiled as x64 was flagged by 1 out of 36

Comparing the ASM generated code from EXE x86 and EXE x86 Dynamic CPU was identical so the compiler is doing something after the ASM code.
And whatever it's doing has much better luck with the virus scan engines

RESULTS
EXE (x86)
AVG
Dropper.Generic2.SOR

ClamAV
Win.Trojan.Agent-385037

Filseclab
Trojan.Agent.cmfr.wykn

Ikarus
Trojan.Win32.Agent

Jiangmin
Trojan/Zapchast.aqb

McAfee
GenericRXAM-AG!18655C7E0A74

nProtect
Trojan/W32.Agent2.3584.D

Vir.IT eXplorer
Trojan.Win32.Generic.SOR

VirusBlokAda
Trojan.Agent2

EXE (x86) DYN
Jiangmin
Trojan/Zapchast.aqb

Vir.IT eXplorer
Trojan.Win32.Generic.SOR

EXE (x64)
Jiangmin
Trojan/Zapchast.aqb

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

Thanks for your tests, Paul.

Anyone else want to contribute? Some of you said you had false-positive issues, so let's test this CPU-setting theory and see if it makes a difference for you.

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

Medlin wrote:

2. Make good use of VirusTotal. Customer says you have a bad file, show them you do not, using the current day's signatures.

That doesn't work. VirusTotal can say your app is 100% clean one day, but two weeks later it reports 20 viruses for it. I've seen this. It's happened to me. VirusTotal is unreliable!

HanPBF · **Joined:** Fri Feb 19, 2010 3:42 am **Posts:** 544

As I read above, even code signing with public certificates is not a solution.
sad...

Does code signing makes false positives anyway less probably?

I guess, due to the kind of software anti virus is, there shall be no rule to prevent false positives.
The conecpt behind finding anti virus code shall make it not possible, as new kind of viruses may come up.
So, minimizing false positives is at least a way to go.

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

HanPBF wrote:

Does code signing makes false positives anyway less probably?

No, because the AV works by looking for code patterns. You can have a signed exe with those patterns, so it'll be flagged.

Bitblazer · **Posted:** Tue Jan 02, 2018 10:36 am

Dude wrote:

HanPBF wrote:

Does code signing makes false positives anyway less probably?

No, because the AV works by looking for code patterns. You can have a signed exe with those patterns, so it'll be flagged.

There is no guarantee that AV software does anything at all. Due to the current popularity and plenty of outlet ways where its often about great looks, good advertising and large profit margins, you could as well sell completely nonsense software as AV product and end up with an average income for nothing. Recent tests and the inflation of "security" and "AV" products actually indicates that this already happens on a decently large scale

Anybody wants to do a list of false positives of commercial AV products for fun?

HanPBF · **Joined:** Fri Feb 19, 2010 3:42 am **Posts:** 544

by building an own anti virus software: McMonkey maybe (only German-speaking understand that joke...)

Quote:

Dude wrote:

Quote:

HanPBF wrote:
Does code signing makes false positives anyway less probably?

No, because the AV works by looking for code patterns. You can have a signed exe with those patterns, so it'll be flagged.

That's why web apps are so much preferred...

If we want guarantee an exe to be non virus attacked runnable, some virtualization is needed.

Java has a VM and JIT compiling -> so anti virus knows the guy just running.
.NET -> also well known
Both are internally memory save (despite C# unmanaged code).

srod does build currently a scripting engine.
The engine itself may be false positive scanned; but if it runs some months and is changed not so much, scripts running on that machine are not "seen" by anti virus (at least the scripts are not interpreted).

20years of PureBasic... and how much faster are we today?
How fast is a scripting engine today compared to a same price expected PC 15 years ago?

Ok... shorter: I think it is not possible to protect an executable from false positive anti virus detection as the concept is to observe and to denunciate (better some more falses than to less positives...)

You build software with PureBasic, try the best to not be tracked by anti virus and Your customer gets the same problem with Your software and has himself write to his anti virus provider.

HanPBF · **Joined:** Fri Feb 19, 2010 3:42 am **Posts:** 544

PureBasic x86 5.62b1 or 5.61, Windows x64

Just wanted to try UPX.exe (portabel) with PureBasic and did use today RAD Studio Delphi for some code changes.
Then, "suddenly" anti virus blocks polink.exe again.

When I switch of the debugger or create an exe, everything works.

McAfee sees ~039CDBA.TMP in of C:\Users\USERID\AppData\Local\Temp\ as
GenericRXDV-HU!BFEB4A4A619E (Trojan Horse)
in application
C:\Program Files (x86)\PureBasic\5.62b1\Compilers\polink.exe

Very strange that this program is again and again found false positive by antivirus software...
All the years and antivirus providers still sleeping?

I still hope I did change anything totally easy to find.

But: how long will that work until next false positive???

HanPBF · **Joined:** Fri Feb 19, 2010 3:42 am **Posts:** 544

This setting made it possible to use the debugger again:
"Enable Purifier" to on...

It was switched off before and I can only see a lot of superstitiousness concerning antivirus and settings...

I there a reason, purifier changes antivirus behaviour when debugging?
O.k. it's named purifier for some reason... :wink:

Zebuddi123 · **Posted:** Fri Jan 26, 2018 8:21 pm

Hi to all. While doing a bit of research I stumbled upon this site https://www.hybrid-analysis.com/sample/86939613647257ac16b2d68e04f9c614fbc4f63de4ad2e2f4ff0843e13cbc541?environmentId=100 multi malware/virus scanner in the same vain as VT with quite a lot of usefull diagnostic info.

So I thought straight away lets chuck some pb code at it see what happens

Well it dont lke 64 bit so I chucked the same exe in 32 bit, it did take about 10 mins but it was 25th in the queue.

So it pulled up quite a bit of detail which gives us an insight into whats whats in M\V scanning. My beginings of an app scored 70/100 for a probable nasty :evil:

3 editorgadgets, 1 webgadget, 3 buttongadgets
oh not to forget and a window :shock:

and the relevent processing loop.

The link above is to the app I scanned it should take you there and you can always go to the home page and test you exe`s there. Could be a use ful site see what you guys think ?

Zebuddi.

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

Hmm, so I submitted this simple test exe to check the results:

Code:

a=1

First, VirusTotal said it has 5/66 malware results (

):

https://www.virustotal.com/#/file/a5e37 ... /detection

And here is what the malware analysis said:

https://www.hybrid-analysis.com/sample/ ... mentId=100

Malware analysis wrote:

Reads terminal service related keys (often RDP related)
Imports suspicious APIs
PE file contains unusual section name
Matched Compiler/Packer signature
PureBasic 4.x -> Neil Hodgson (who the hell is this? :shock:

)

I did a scan of all files in my PureBasic folder for "Neil Hodgson" and there were 0 matches, so I have no idea where this is coming from.

Are the above issues something that Fred can fix? Encrypt them internally or something to avoid detection?

For example, why is an exe of "a=1" even reading this Registry key?

Malware analysis wrote:

Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED"

And this bit:

Malware analysis wrote:

PE file contains unusual section name
"a5e37dde2d2c96f8e842957d32479d5ea1cec7416a6196ec2c5f172986f4fb73.exe.bin" has a section named ".code"

Maybe Fred can give it a different name to ".code" if that's triggering alerts? And so on.

BTW, here's the assembly output of "a=1" for reference. Why is "OpenGLSubsystem" included? Isn't that for graphics?

Code:

; 
; PureBasic 5.61 (Windows - x86) generated code
; 
; (c) 2016 Fantaisie Software
; 
; The header must remain intact for Re-Assembly
; 
; :System
; kernel32.lib
; :Import
; 
format MS COFF
; 
; 
extrn _ExitProcess@4
extrn _GetModuleHandleW@4
extrn _HeapCreate@12
extrn _HeapDestroy@4
extrn _memset
public _PB_Instance
public _PB_ExecutableType
public _PB_OpenGLSubsystem
public _PB_MemoryBase
public PB_Instance
public PB_MemoryBase
public _PB_EndFunctions

macro pb_public symbol
{
  public  _#symbol
  public symbol
_#symbol:
symbol:
}

macro    pb_align value { rb (value-1) - ($-_PB_DataSection + value-1) mod value }
macro pb_bssalign value { rb (value-1) - ($-_PB_BSSSection  + value-1) mod value }

public PureBasicStart
; 
section '.code' code readable executable align 4096
; 
; 
PureBasicStart:
; 
  PUSH   dword I_BSSEnd-I_BSSStart
  PUSH   dword 0
  PUSH   dword I_BSSStart
  CALL  _memset
  ADD    esp,12
  PUSH   dword 0
  CALL  _GetModuleHandleW@4
  MOV    [_PB_Instance],eax
  PUSH   dword 0
  PUSH   dword 4096
  PUSH   dword 0
  CALL  _HeapCreate@12
  MOV    [PB_MemoryBase],eax
; a=1
  MOV    dword [v_a],1
; 
_PB_EOP_NoValue:
  PUSH   dword 0
_PB_EOP:
  CALL  _PB_EndFunctions
  PUSH   dword [PB_MemoryBase]
  CALL  _HeapDestroy@4
  CALL  _ExitProcess@4
_PB_EndFunctions:
  RET
; 
; 
section '.data' data readable writeable
; 
_PB_DataSection:
_PB_OpenGLSubsystem: db 0
pb_public PB_DEBUGGER_LineNumber
  dd     -1
pb_public PB_DEBUGGER_IncludedFiles
  dd     0
pb_public PB_DEBUGGER_FileName
  db     0
pb_public PB_Compiler_Unicode
  dd     1
pb_public PB_Compiler_Thread
  dd     0
pb_public PB_Compiler_Purifier
  dd     0
pb_public PB_Compiler_Debugger
  dd     0
_PB_ExecutableType: dd 0
align 4
align 4
align 4
s_s:
  dd     0
  dd     -1
align 4
; 
section '.bss' readable writeable
_PB_BSSSection:
align 4
; 
I_BSSStart:
_PB_MemoryBase:
PB_MemoryBase: rd 1
_PB_Instance:
PB_Instance: rd 1
; 
align 4
PB_DataPointer rd 1
v_a rd 1
align 4
align 4
align 4
align 4
I_BSSEnd:
section '.data' data readable writeable
SYS_EndDataSection:

IdeasVacuum · **Posted:** Sat Jan 27, 2018 3:37 am

Very good research you guys.

Fred?

TassyJim · **Posted:** Sat Jan 27, 2018 6:43 am

Dude wrote:

Malware analysis wrote:

Reads terminal service related keys (often RDP related)
Imports suspicious APIs
PE file contains unusual section name
Matched Compiler/Packer signature
PureBasic 4.x -> Neil Hodgson (who the hell is this? :shock:

)

I did a scan of all files in my PureBasic folder for "Neil Hodgson" and there were 0 matches, so I have no idea where this is coming from.

Neil Hodgson = Scintilla

His name appears in the Scintilla License.txt and presumably in the dll

Jim

Dude · **Joined:** Mon Feb 16, 2015 2:49 pm **Posts:** 1907

TassyJim wrote:

Neil Hodgson = Scintilla
His name appears in the Scintilla License.txt and presumably in the dll

Okay, but as I showed, nothing in my PureBasic folder contains his name (unless it's packed or encrypted).

Also, his name appears literally nowhere in the ASM source for my exe, so why would it be found by a scanner?

I tried changing the ".code" name in the exe and the exe still ran (woohoo!) but now the scanners complain of finding an unknown name instead of unusual name, and made the exe even more suspicious (d'oh!). So yeah, keep it as ".code" after all.

I feel the Scintilla issue needs the most attention, because something is being added to our exes with Neil in it, and that could be the whole problem with PureBasic exes being falsely flagged.

PureBasic Forum

Why I had to stop using PureBasic

Who is online