false alarms Avast... (yeah i know it is not PB problem!)

Windows specific forum
skywalk
Addict
Posts: 4210
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by skywalk »

MachineCode wrote:
skywalk wrote:Acquiring trusted certificates and only allowing them to run is the future
Nope. Viruses can fake signatures, or alter the code in Windows that verifies them. It's all been tried before.
Are you kidding? :lol:
The signatures are impossible to spoof with today's computing power.
The actual signature server is built from a clean OS install. Then the client is distributed to each machine that plans to access the server. If the Client is corrupted, it will be denied also. All Client machines are able to 'Run As Admin'.

The system has flaws, but they require high espionage to exploit them. In some cases, physical access to the server is required and/or outright fraud by an employee.

Antivirus scanning is dead. Think about their approach?
Scan for known. - Yay. But now you must carry ALL known patterns forward, year after year :(
Scan for look-alikes. - False alarms
Scan for weird behaving code. - False alarms as no way to define what 'weird' is.

Trust Method.
EVERYTHING assumed bad. - Only scan for approved signatures in super fast lookup table.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
djes
Addict
Posts: 1806
Joined: Sat Feb 19, 2005 2:46 pm
Location: Pas-de-Calais, France

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by djes »

I'm working in a big administration. Yesterday a colleague asked me about a problem; she didn't want to contact the computer department at first. She had just visited a website and downloaded a PDF. Of course it was a corrupted file, and her computer just presented a full page asking for a bank card number, impossible to get rid of. Hotkeys were disabled and the page started with her profile. She was in a panic... I took control of the computer with another profile, ran autoruns, got rid of this shit, removed a very visible virus file, and so on.

After that I searched for the name of this baby; it was just a well-known trojan that has been going around the net for years...

What I've not said is that we all have the latest Symantec AV updated daily...
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by MachineCode »

skywalk wrote:Trust Method.
EVERYTHING assumed bad. - Only scan for approved signatures in super fast lookup table.
And then nobody can run something new that isn't approved, which is far worse than false alarms. If I write a little tool for my friend, he can't run it. How will PureBasic even compile an exe, if the OS denies it because it's not approved? How do you get around that?

BTW, even approved apps can have a malicious payload after a year. So something gets approved but then deletes the C: drive after a year, because it was approved as "safe" 365 days earlier.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
skywalk
Addict
Posts: 4210
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by skywalk »

MachineCode wrote:And then nobody can run something new that isn't approved, which is far worse than false alarms. If I write a little tool for my friend, he can't run it. How will PureBasic even compile an exe, if the OS denies it because it's not approved? How do you get around that?

BTW, even approved apps can have a malicious payload after a year. So something gets approved but then deletes the C: drive after a year, because it was approved as "safe" 365 days earlier.
Like I said, when you create new or modify existing entities (dll, exe, etc.), you simply log into the server and request a new signature. Yeah, not instant, but also not a chance you will 'delete your C: drive' :lol:
I don't think you understand?
If an approved exe is modified 1 second later or after a year, it is NO LONGER approved. :?
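The "trust method" skywalk sketches here and in the earlier post (everything assumed bad, a fast lookup table of approved entries, and approval lost the moment a file is modified) can be shown in a few lines. The following is an added example, not code from this thread or from PureBasic. It assumes a SHA-256 content hash as a stand-in for the signature table, and the file names, the `APPROVED` table and the `approve`/`may_run` helpers are constructed for illustration; a production allowlist such as Windows AppLocker or WDAC keys on publisher certificates or file hashes in much the same default-deny way.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed lookup table: SHA-256 hex digest -> label of the approved build.
# Stand-in for the "super fast lookup table" of approved signatures; a real
# deployment would key on a publisher certificate or a signed manifest.
APPROVED: dict[str, str] = {}


def file_digest(path: Path) -> str:
    """Hash the file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(path: Path, label: str) -> str:
    """Stand-in for 'log into the server and request a new signature'."""
    digest = file_digest(path)
    APPROVED[digest] = label
    return digest


def may_run(path: Path) -> tuple[bool, str]:
    """Default deny: a file may run only if its *current* digest is approved."""
    digest = file_digest(path)
    label = APPROVED.get(digest)
    if label is None:
        return False, f"blocked: {path.name} digest {digest[:12]}... not approved"
    return True, f"allowed: {path.name} is approved build '{label}'"


def demo() -> list[bool]:
    """Lifecycle walk-through: a new build is blocked, the approved build is
    allowed, and the same file modified by one byte is blocked again even
    though its path and name are unchanged."""
    outcomes: list[bool] = []
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool.exe"  # constructed file, not a real executable
        tool.write_bytes(b"MZ constructed stand-in for a freshly compiled tool\n")

        outcomes.append(may_run(tool)[0])                 # new build: blocked
        approve(tool, "tool 1.0")                         # request a signature
        outcomes.append(may_run(tool)[0])                 # same bytes: allowed
        tool.write_bytes(tool.read_bytes() + b"\x90")     # any change at all
        outcomes.append(may_run(tool)[0])                 # modified: blocked
    return outcomes


if __name__ == "__main__":
    for ok in demo():
        print("allowed" if ok else "blocked")
```

Note that the check is on content, not on path: renaming or copying the approved file keeps it approved, and editing it in place revokes approval, which is exactly the property skywalk describes. The cost MachineCode raises is also visible: every rebuild produces a new digest and needs a new approval round before it will run.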
djes
Addict
Posts: 1806
Joined: Sat Feb 19, 2005 2:46 pm
Location: Pas-de-Calais, France

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by djes »

I think you have too much confidence in AV vendors' skills! I have a portable hard drive, and the IT dept asked me to scan it for viruses, because it often fires false alarms when the automated daily scan occurs (around 12am). So I did, but the alarm still occurs... Because this stupid AV doesn't remember already scanned files... So I should scan this 1TB HD each time I connect it :twisted:
Last edited by djes on Fri Feb 15, 2013 10:21 pm, edited 1 time in total.
skywalk
Addict
Posts: 4210
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by skywalk »

This is one of the reasons antivirus is dead. It does not really work.
You can bring a thoroughly infected pen drive into your office, but if any of the unapproved content tries to run, it is blocked.
You don't scan entirely, only what you want to run.
Think of a ship at sea surrounded by pirates asking to come aboard. :D
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Danilo »

skywalk wrote:Antivirus scanning is dead.
The computing world changes. Not within 1 day, but slowly and continuously it is changing.

With Apple's app store and Microsoft's app store you need a developer account, your
submitted applications are checked and approved.
_If_ bad behaviour in your application were overlooked, the application gets removed
from the app store and from all devices where it is running, as soon as it is detected.
You lose your developer account and that's it. You are out.

Today you are still allowed to code anonymously and users are able to run your untrusted/unsigned
and unchecked software on their PCs. But hey, it is already changing... slowly but continuously... :)

It will not be a problem, you'll get used to it. It is just that you are not anonymous anymore,
you have a developer ID. If you use your knowledge to create something useful, it is not a problem at all, is it?
You create useful software, submit it to the stores by using your developer account ID, and if everything
is checked and gets approved, users world wide are able to download and use your trusted software (or pay for a license).

For development at home or internal company development, you can unlock your software or devices
to run applications you wrote without submitting it through the app store. You are able to do that by using your
personal developer ID.
For example, I can unlock my Windows Phone or Win8 desktop computer for apps development and testing, by using my MSDN developer account ID,
but I can't distribute my unchecked applications to all end users without going through the store, being checked and approved there.

The app stores for all platforms and all devices help to make computing more safe for all users. It is not perfect yet, but it is already changing.
Let's see what the computing world looks like 10 years from now... :)
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by MachineCode »

skywalk wrote:If an approved exe is modified 1 second later or after a year, it is NO LONGER approved. :?
I didn't mean the approved exe gets modified. I meant that its malicious code is never known when it's originally approved; it sits dormant for a month or year. Then, that original approved exe suddenly goes nuts and deletes C: and does whatever else.

Apps like Sandboxie are good to prevent this: the approved exe can try to delete C: but it will fail. We need more sandboxing of apps. An app really shouldn't have access to anywhere outside its own folder anyway, unless that's its job (e.g. a file manager). The OS should sandbox everything by default, and the user should have to give permission for the app to have read/write access outside its own folder. That would stop a LOT of damage.
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Danilo »

MachineCode wrote:We need more sandboxing of apps. [...] That would stop a LOT of damage.
In case you missed it, the sandboxing principle is also part of the app store thingy. Not to mention app hosting within the cloud, running it in a sandbox in browsers. It's coming, and it's coming very fast now... :D

The big guys made the first step already:
- Adobe Creative Cloud
- Microsoft Office 365
Thorium
Addict
Posts: 1305
Joined: Sat Aug 15, 2009 6:59 pm

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Thorium »

MachineCode wrote:
skywalk wrote:If an approved exe is modified 1 second later or after a year, it is NO LONGER approved. :?
I didn't mean the approved exe gets modified. I meant that its malicious code is never known when it's originally approved; it sits dormant for a month or year. Then, that original approved exe suddenly goes nuts and deletes C: and does whatever else.

Apps like Sandboxie are good to prevent this: the approved exe can try to delete C: but it will fail. We need more sandboxing of apps. An app really shouldn't have access to anywhere outside its own folder anyway, unless that's its job (eg. file manager). The OS should sandbox everything by default, and the user should have to give permission for the app to have read/write access outside its own folder. That would stop a LOT of damage.
You don't need to sandbox if your user accounts are set up correctly.
Also, I have had trojans break out of Sandboxie before. If I hadn't been so stupid as to run my browser and Sandboxie with admin rights, nothing would have happened.
Azul
Enthusiast
Posts: 109
Joined: Fri Dec 29, 2006 9:50 pm
Location: Finland

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Azul »

I commented about this on the Avast antivirus Facebook group. I hope it gets their attention so they fix it faster.

https://www.facebook.com/avast/posts/449432095130329

update:

A bit later it seemed that, after updating, Avast is more likely to be triggered if I compile from the IDE and use the debugger. Compiling an exe and executing it does not seem to trigger it as easily anymore.

A program that executes another program is triggered more often than a program that uses AES and email sending.

<humour> Create a tool for the compile process. It creates a zip (with the instructions from http://forum.avast.com/index.php?board= ... eadid=7779 ) and is ready to send it if the executable is denied :D </humour>

Code:

; Hello, World!
Mohawk70
Enthusiast
Posts: 404
Joined: Thu May 11, 2006 1:04 am
Location: Florida, USA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Mohawk70 »

This should demonstrate the sorry state of modern anti-virus scanners :shock:

The [typo]above[/typo] below links to the VirusTotal.com scan result of the 'micro.exe' file compiled using PureBasic 5.10 32-bit.

https://www.virustotal.com/en/file/ee50 ... 361807832/

The source code consists of The image below is the combined screenshots of the compiler settings used
Image
HP Z800 Workstation
CPU : Dual Xeon 5690 3.46GHz
RAM : 96GB RAM ( 8GB x 12 )
PSU : 1100W
GPU : NVIDIA RTX 3050 8GB
STORAGE : 9TB
(4) 2TB Seagate IronWolf Pro HDD
(1) 1TB Samsung 870 EVO SSD
Mohawk70
Enthusiast
Posts: 404
Joined: Thu May 11, 2006 1:04 am
Location: Florida, USA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Mohawk70 »

Ironically, in this case Avast does not come up with a false positive and says it's clean, but several others do!
Mohawk70
Enthusiast
Posts: 404
Joined: Thu May 11, 2006 1:04 am
Location: Florida, USA

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by Mohawk70 »

LuCiFeR[SD]
666
Posts: 1033
Joined: Mon Sep 01, 2003 2:33 pm

Re: false alarms Avast... (yeah i know it is not PB problem!

Post by LuCiFeR[SD] »

Mohawk70, the only things you can do are these. Contact every AV vendor that flags your exe as malicious; they generally have a page where you can send stuff to be tested. Or get your software digitally signed.

When you have a product which is "ready for release", send it to the AV company BEFORE you put it online to be downloaded. Inform the people who are testing your software that it *MIGHT* raise a false positive. Actively encourage the users of your software to submit it to AV vendors for testing.

Sitting here repeating what we already know over and over again won't change anything. None of the AV vendors are here; they will never read your words. AV companies are just in it for the money. The more they can frighten you into buying their software, the better. False positives to them are good for business... it shows that their software is better than a competitor's because it finds more "suspicious" stuff... The masses feel safer and developers get more annoyed :)