Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 9:41 am
by Henry00
I just wanted to throw this in here but for me just putting:
ShowConsole()
HideConsole()
Somewhere in the source code (far apart) fixes everything for Avast (even when never called). Also filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged. It's just the completely console-less / window-less and information-less application that virus scanners seem to hate a lot which is exactly what our temporary PureBasic executables are.
It's still annoying that just about every F5 gets flagged though however this may help some.
Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 11:44 am
by Dude
Henry00 wrote:filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged
My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe, won't work for another.
Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 5:16 pm
by IdeasVacuum
Embedding a digital signature in the app and in the installer does help with some AV. Still ridiculous that all the effort and expense is on our side because of poor quality on the AV developer's side.
Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 7:51 pm
by firace
Dude wrote:Henry00 wrote:filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged
My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe, won't work for another.
Exactly. That's why it's so hard to automate it all.
Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 8:21 pm
by firace
heartbone wrote:
firace wrote:Like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
Consider the strategy of complaining to the many magazine technical columnists and online tech bloggers making sure a bcc: is sent to the financial officers of the offending AV company.
Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
Because you titled this thread as you did, it encouraged my thinking which generated the following question.
Are you massaging the executable (by inserting NOPs and the like) to get past the AV detectors?
No, I'm not inserting any extra instructions, nor encrypting, packing, or otherwise obfuscating the existing code.
I'm achieving results mainly by working on the data sections (as surprising as that may be) and file and memory alignments. Finding an effective set of tricks was largely the result of a huge amount of trial and error, facilitated by a little fuzzer-like(*) tool that I wrote for this purpose. Each executable is a different case, which is why it is so hard to automate the whole process.
My goal is obviously not to help malware go undetected by AVs, but to help legit PB apps to avoid being flagged as malicious for no good reason (I'm thinking MemPad, ProcDOT, Chompston, and countless others.)
To address Didel's valid concerns, for each request, I could either deliver the ready-to-use clean executable, or a clear set of custom instructions so the modified executable can be directly built by you, thus removing issues of trust.
(*) https://www.owasp.org/index.php/Fuzzing
Re: A new approach to resolve antivirus False Positives
Posted: Wed Mar 18, 2015 11:11 pm
by Dude
firace wrote:or a clear set of custom instructions so the modified executable can be directly built by you
Don't make us wait too long.

Re: A new approach to resolve antivirus False Positives
Posted: Sun Mar 22, 2015 8:13 pm
by firace
Dude wrote:firace wrote:or a clear set of custom instructions so the modified executable can be directly built by you
Don't make us wait too long.

I am ready to start!
I will give higher precedence to older user accounts, and freeware projects that already have public releases.
For such projects I will do it for free.
For commercial projects, I will charge a fee (probably close to my hourly rate, but to be discussed), only if you're happy with the result.
So far I've had a 95% success rate - meaning, eliminating all False Positives on VirusTotal.
(Remember, each executable is a different story and there is no single magic formula.)
I have enough time to help 1 or 2 users this week.
Whoever is interested, please post a description of your application, and a download link.
I will then contact you by PM.
Re: A new approach to resolve antivirus False Positives
Posted: Sun Apr 02, 2017 2:28 am
by Manuel
Any news on this so we can do it ourselves?
Re: A new approach to resolve antivirus False Positives
Posted: Tue Apr 04, 2017 11:54 am
by firace
Manuel wrote:Any news on this so we can do it ourselves?
Unfortunately I abandoned this project as I lost motivation.
Re: A new approach to resolve antivirus False Positives
Posted: Tue Apr 04, 2017 12:11 pm
by Manuel
firace wrote:Unfortunately I abandoned this project as I lost motivation.
That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".
Re: A new approach to resolve antivirus False Positives
Posted: Tue Apr 04, 2017 12:27 pm
by firace
Manuel wrote:firace wrote:Unfortunately I abandoned this project as I lost motivation.
That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".
I'll check if I still have my notes related to this, but don't hold your breath - it was a work in progress, way too messy, and most of it probably obsolete now: AV engines have evolved quite a bit in the meantime, and VirusTotal also added new AVs that really don't like PB executables.

Re: A new approach to resolve antivirus False Positives
Posted: Wed Apr 05, 2017 6:19 pm
by aaaaaaaargh
Hello there,
I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However I have found that most AVs will stop nagging when you use code signing for your executable.
I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
Those code signing certificates aren't cheap, though.
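Two things in this thread are checkable on the release side rather than by re-uploading to VirusTotal: Henry00's point about leaving version-info fields empty, and the code-signing result reported here. The script below is an added PowerShell example, not something posted in the thread or shipped with PureBasic; it lists the VERSIONINFO string fields that are still empty in a built executable and reports its Authenticode signature state (including whether the signature is timestamped, since an untimestamped signature stops validating once the certificate expires). The `-Path` parameter and the field list are my assumptions; as Dude's reply shows, which combination of fields actually helps is per-executable, so the script only reports, it does not decide.

```powershell
# Added release check (not from the thread): reports empty VERSIONINFO string
# fields and the Authenticode signature state of a Windows executable.
# Assumption: the build output path is passed as -Path.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path
$vi   = $file.VersionInfo   # System.Diagnostics.FileVersionInfo

# String fields carried in the VS_VERSIONINFO resource (assumed list; these are
# the ones most build tools let you set).
$fields = 'CompanyName', 'FileDescription', 'FileVersion', 'ProductName',
          'ProductVersion', 'OriginalFilename', 'InternalName', 'LegalCopyright'

$missing = foreach ($f in $fields) {
    if ([string]::IsNullOrWhiteSpace($vi.$f)) { $f }
}

if ($missing) {
    Write-Warning ("Empty version-info fields: " + ($missing -join ', '))
} else {
    Write-Host "All version-info fields are populated."
}

# Authenticode: Status is 'Valid' only when the signer chain verifies on this
# machine; 'NotSigned', 'HashMismatch' and 'NotTrusted' are the usual failures.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
switch ($sig.Status) {
    'Valid'     { Write-Host ("Signed by: " + $sig.SignerCertificate.Subject) }
    'NotSigned' { Write-Warning "File is not Authenticode-signed." }
    default     { Write-Warning ("Signature problem: " + $sig.Status + " - " + $sig.StatusMessage) }
}

# A signature without a countersignature timestamp becomes invalid when the
# code-signing certificate expires, which then looks like a tampered binary.
if ($sig.Status -eq 'Valid' -and -not $sig.TimeStamperCertificate) {
    Write-Warning "Signature has no timestamp; re-sign with -TimestampServer."
}
```

To sign the file in the first place, the matching built-in cmdlet is `Set-AuthenticodeSignature` with a certificate from the personal store (`Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert`), `-HashAlgorithm SHA256`, and `-TimestampServer` pointing at your certificate vendor's timestamp URL (a placeholder here, since the thread names none). Run the check script on the signed output, not the raw compiler output, so it exercises the binary you actually ship.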

Re: A new approach to resolve antivirus False Positives
Posted: Wed Apr 05, 2017 7:08 pm
by Bisonte
aaaaaaaargh wrote:Hello there,
I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However I have found that most AVs will stop nagging when you use code signing for your executable.
I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
Those code signing certificates aren't cheap, though.

This system is the money-producing machinery of the AV companies.

They hold parts of these companies, selling the certificates.