nsstudios wrote: how can antiviruses pinpoint PB specifically?
BarryG wrote: Because all PureBasic executables have the "Neil Hodgson" signature in them (a series of known bytes), so they're easily detectable as compiled with PureBasic, as opposed to compiled with C. The ransomware coded with PureBasic, called PureLocker, didn't help things.
Where did you get this info? It might be the case if you use the ScintillaGadget() because he wrote it, but it's not in every exe.
Oh crap... PB ransomware
Re: Oh crap... PB ransomware
I doubt scintilla is the issue, more likely some standard library stuff. You get false flags even with the simplest of code without scintilla.
Re: Oh crap... PB ransomware
Fred wrote: it's not in every exe
Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487
Re: Oh crap... PB ransomware
Beyond disturbing and one cannot expect our EUs to install our software with such alarms being set off.
Re: Oh crap... PB ransomware
BarryG wrote: Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487
I just tested two programs with this PEStudio software and it says "n/a" in the field of "signature".
I'm running 5.70 LTS
Re: Oh crap... PB ransomware
Just tested both 32 bit and 64 bit compilations of just the End keyword with PB 5.72 using exeInfo PE.
- 32 bit:
  - Before scan: PureBasic v4.20 - v5.70 - EXE ( 2008-2019 ) Fantaisie Software - www.purebasic.com *ACM
  - After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]
- 64 bit:
  - Before scan: 64 bit executable -> *** Unknown EXE - CPU : AMD Std Compiler section - GCC exeHeader or Asm demo/example [Signed]
  - After scan: Sign. 4376 : [x64 Pure Basic - Pelles C - sign A.S.L ( 64 bit ) ]
I love PB and I'm here to stay, but I'm really worried over the fact that antiviruses can target PB specifically just because of it being used for unsavory things by a few people.
Re: Oh crap... PB ransomware
BarryG wrote:
    nsstudios wrote: I love PB and I'm here to stay, but I'm really worried over the fact that antiviruses can target PB specifically just because of it being used for unsavory things by a few people.
    What? Why? PureBasic isn't infected or has malware. An executable compiled with it is. What you're saying is like banning Excel because someone made a bad spreadsheet.
That would be absolutely fine as long as the bad spreadsheet wouldn't cause absolutely all spreadsheets to be treated as malicious. This is exactly my worry, and I think this has to be taken very seriously, as it poses a threat to the language as a whole, because people would be less likely to run things made in it.
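The exeInfo PE output quoted in this thread comes from a signature database that keys on byte patterns and strings baked into every PureBasic build. As an added illustration that is not part of the thread, of PureBasic, or of exeInfo PE, the Python below does the simplest version of that: it checks that a file has an MZ/PE header and then searches it for the ASCII and UTF-16LE forms of two marker strings, the Scintilla copyright holder "Neil Hodgson" that the thread names and the product name "PureBasic". The marker list, the category names, the `fake_pe()` helper and the constructed sample blobs are assumptions for the demo; the real signature entries (such as "Sign. 4145") match byte patterns this example does not have.

```python
"""Added example: a toy compiler-fingerprint scanner in the style of PEiD/exeInfo PE.

Not code from the thread, PureBasic or exeInfo PE. The markers below are assumptions:
the thread names the Scintilla copyright string, the rest is illustrative.
"""
from __future__ import annotations

import re
import struct

# Assumed, illustrative fingerprints. Real tool signatures are byte patterns
# (often around the entry point); this demo only keys on embedded strings.
FINGERPRINTS = {
    "Scintilla copyright (Neil Hodgson)": b"Neil Hodgson",
    "PureBasic product string": b"PureBasic",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Return {fingerprint name: sorted offsets} for every marker present,
    searched both as ASCII and as UTF-16LE (how Windows resource strings are stored)."""
    hits: dict[str, list[int]] = {}
    for name, marker in FINGERPRINTS.items():
        needles = (marker, marker.decode("ascii").encode("utf-16-le"))
        offsets = [m.start() for n in needles for m in re.finditer(re.escape(n), data)]
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def classify(data: bytes) -> str:
    """Coarse verdict: 'not a PE file', 'PureBasic-like' or 'unknown'."""
    if not is_pe(data):
        return "not a PE file"
    return "PureBasic-like" if find_markers(data) else "unknown"


def fake_pe(payload: bytes) -> bytes:
    """Constructed sample: a 64-byte MZ stub with e_lfanew=0x40, then 'PE\\0\\0' and
    the payload. Enough for is_pe(); it is not a loadable executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed inputs: one 'PureBasic-like' blob (ASCII Scintilla credit plus a
# UTF-16LE product string), one clean blob, one non-PE blob.
SAMPLE_PB = fake_pe(b"\x90" * 32 + b"Scintilla (c) Neil Hodgson" + b"\x00" * 8
                    + "PureBasic".encode("utf-16-le"))
SAMPLE_CLEAN = fake_pe(b"\x90" * 64 + b"Hello, world\x00")
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 60


def scan_file(path: str) -> tuple[str, dict[str, list[int]]]:
    """Run the scan on a real file, e.g. one of your own builds."""
    with open(path, "rb") as f:
        data = f.read()
    return classify(data), find_markers(data)


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(p, *scan_file(p))
    else:
        for label, blob in (("SAMPLE_PB", SAMPLE_PB), ("SAMPLE_CLEAN", SAMPLE_CLEAN),
                            ("SAMPLE_ELF", SAMPLE_ELF)):
            print(label, classify(blob), find_markers(blob))
```

Run it with no arguments to see the verdict on the constructed blobs, or pass the path of one of your own builds to see which of the two strings it carries and at what offsets. A string match like this is exactly why a heuristic that was trained on one PureBasic sample sweeps in every other PureBasic build: the fingerprint is a property of the toolchain, not of the program.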
Re: Oh crap... PB ransomware
Ok, you got me curious so I wanted to check one of my executables which doesn't use Scintilla. Obviously if you use any third party software to analyse a PE file, the software could claim anything, so first I checked for a PE analyzer different to the PE Explorer commonly used.
This is the result:
CFF Explorer
PE Detective
Seems reasonable - they both don't seem to know PureBasic and guess different C(++) compilers, probably because those were used to compile a library part that PB included.
PS: I am using Kaspersky Internet Security and initially there was an issue with homebrew PB executables. So I contacted them, issued samples, they changed something and everything has been fine since that day.
Re: Oh crap... PB ransomware
nsstudios wrote: After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]
*shakes head*
Re: Oh crap... PB ransomware
There might be a new virus or malware about. In the last two weeks several of my users have reported PB compiled modules as infected. This happened last year but seemed to have settled down. They're usually quarantined or immediately closed. Avast and Bit-Defender and even McAfee have done it recently. Not Defender and luckily not Norton/Symantec. Re-compiling as 64-bit significantly reduces the number of false positives (according to VirusTotal tests) even with the same source code. I do not think it is the Neil Hodgson bit that's being picked up. (I'm Dean Hodgson, no relation.) I've reported the FPs to several companies. Kaspersky was quick to respond but the others were either slow or no reply. Bit-Defender clobbered most files regardless of 32/64-bit. I can't think of a good solution other than getting users to exclude files and folders.
Re: Oh crap... PB ransomware
Send the exe to the AV companies and ask them to whitelist it.
This is common any time you update code.
Oh crap... PB ransomware
Hi All,
Windows 10 / Windows Security
Not sure how much the following will help or if it has already been reported, but with a few of my programs the executable was flagged as containing a trojan and quarantined...
After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.
Re: Oh crap... PB ransomware
JHPJHP wrote: After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.
Made no difference to my app, unfortunately. VirusTotal gives it 9/71 malware hits normally, and 10/72 with user mode enabled.
Re: Oh crap... PB ransomware
DeanH wrote: even McAfee
McAfee is not the best AV software, finds false-positives just like Avast.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Re: Oh crap... PB ransomware
Many antiviruses or security suites drill more holes in your system than there were before. I can not count the occurrences of security holes in such software anymore.
Just use Windows Defender and your brain. It's enough.
Also don't use mysterious browser extensions that scan your encrypted data by injecting their own root certificate into the operating system's trust store. It's bullshit and dangerous.
The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.
Re: Oh crap... PB ransomware
Good advice NicTheQuick
IdeasVacuum
If it sounds simple, you have not grasped the complexity.