Re: Oh crap... PB ransomware
Posted: Sun Jun 04, 2023 11:36 pm
by plouf
BarryG wrote: Sun Jun 04, 2023 10:05 pm
Fred wrote: Sun Jun 04, 2023 6:39 pm
If it's possible to submit a lot of exe to a virus test tool, we could write an exe generator to create one program per library command, and see if a specific command is flagged. Then I can try to modify the code to avoid this, but it's really silly if you ask me.
VirusTotal supports automatic submissions with their API support. Yes, it costs money and is silly and annoying for you, but what you suggested seems like something you might have to eventually do; otherwise PureBasic's reputation may get tarnished - people won't trust it to produce "clean" code. Look at DeanH's post - he's already started to lose government clients because of it.
makes no sense, you will work forever for "suspicions". Virus tools are stupid and getting stupider in order to "report".
more or less each developer is FORCED to send his exe to companies for a check
otherwise you will "guess" forever.
if 1 virus was ever made with PB then it's flagged in stupid detection methods forever....
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 3:26 am
by skywalk
That's actually a pretty cool idea.
The number of commands is finite and an automated tool could rip them out for asm and cbe compilations.
Is this only a Windows problem?
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 10:34 am
by Fred
I checked the business Virus Total API price and it's like 20k$ a year (!). Big pass here haha
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 12:08 pm
by Mijikai
Let's cry about 3rd party failures and incompetence, but somehow it's PB that needs to do stuff thread...
I suggest a new subforum titled: Annual Drama Events
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 12:17 pm
by skywalk
Yup, that price is highly predatory.
Small business must do manual submissions.
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 12:36 pm
by Fred
Might be a team effort then. We could split the libs in half, submit, if there is a false positive in one of them, split in half etc. Once the faulty lib(s) isolated, you could go to the command level.
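The halving procedure Fred describes is a bisection over the set of libraries: compile with a subset, submit it, and recurse only into halves that still get flagged. Below is an added example (not PureBasic project code) that implements that search in Python against a constructed stand-in scanner, so the submission count and the outcome can be seen offline; the library names and the `scan` callback are assumptions, and in real use `scan` would wrap "build with these libs and submit". It also finds more than one faulty library, and ends with the check a practitioner would want: re-scanning the remaining libraries to confirm the isolation actually holds, since the whole approach assumes detection is monotone (a flagged subset stays flagged when more libraries are added), which NicTheQuick's point about size-dependent false positives can break.

```python
"""Bisection search for the library (or libraries) that trip an AV false positive.

Added example, not PureBasic's own tooling. The scanner here is a constructed
stand-in: it "flags" a build if the build contains any of a hidden set of libs.
"""
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed library list (hypothetical names, not PureBasic's real libraries).
ALL_LIBS: FrozenSet[str] = frozenset(f"lib{i:02d}" for i in range(1, 17))

Scanner = Callable[[FrozenSet[str]], bool]


def make_mock_scanner(flagged_libs: FrozenSet[str]) -> Scanner:
    """Build a fake scanner standing in for 'compile this subset and submit it'.

    The fake is monotone by construction: any build containing a flagged
    library is reported as flagged, no matter what else is linked in.
    """
    def scan(libs: FrozenSet[str]) -> bool:
        return bool(libs & flagged_libs)
    return scan


def bisect_flagged(libs: FrozenSet[str], scan: Scanner,
                   log: Optional[List[FrozenSet[str]]] = None) -> Tuple[List[str], int]:
    """Recursively halve `libs`, recursing only into halves the scanner flags.

    Returns the sorted list of isolated libraries and the number of
    submissions made. Every subset handed to `scan` is appended to `log`,
    so the caller can see exactly which builds were submitted.
    """
    submissions: List[FrozenSet[str]] = log if log is not None else []
    found: List[str] = []

    def rec(subset: FrozenSet[str]) -> None:
        submissions.append(subset)          # one build, one submission
        if not scan(subset):
            return                          # clean half: nothing in here
        if len(subset) == 1:
            found.extend(subset)            # isolated a single faulty lib
            return
        items = sorted(subset)
        half = len(items) // 2
        rec(frozenset(items[:half]))        # left half
        rec(frozenset(items[half:]))        # right half (also scanned: there may be several)

    rec(frozenset(libs))
    return sorted(found), len(submissions)


def confirm_isolation(libs: FrozenSet[str], found: List[str], scan: Scanner) -> bool:
    """Re-scan everything except the isolated libs; True means the rest is clean.

    If this returns False, the monotonicity assumption does not hold for this
    scanner (e.g. size-dependent heuristics) and the bisection result is not
    trustworthy on its own.
    """
    remaining = frozenset(libs) - frozenset(found)
    return not scan(remaining)


if __name__ == "__main__":
    # Constructed scenario: two libraries secretly trip the scanner.
    scanner = make_mock_scanner(frozenset({"lib03", "lib14"}))
    log: List[FrozenSet[str]] = []
    faulty, count = bisect_flagged(ALL_LIBS, scanner, log)
    print(f"isolated {faulty} in {count} submissions")
    print("rest of the libs clean:", confirm_isolation(ALL_LIBS, faulty, scanner))
```

With 16 libraries and a single faulty one, the search costs 9 submissions instead of 16; two faulty libraries in different halves cost 15, because both flagged branches are followed. The same function can then be run again "at the command level" by passing the commands of an isolated library as the set.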
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 1:01 pm
by NicTheQuick
Keep in mind that this effort runs all under the assumption the scanners work purely on some pattern matching algorithms.
We already know that smaller programs can show a false-positive but as soon as they get bigger the false-positives slowly decrease.
Re: Oh crap... PB ransomware
Posted: Mon Jun 05, 2023 1:16 pm
by Fred
My bet is it flags some library function which doesn't change across versions; if it was generated code, switching to the C backend or enabling/disabling the optimizer should get rid of it. Maybe DeanH can try this: build several versions of his exe (ASM backend, C backend, ASM backend + optimizer, C + optimizer, ASM debug, C backend debug) and see if it yields any diff.
Re: Oh crap... PB ransomware
Posted: Tue Jun 06, 2023 12:09 am
by DeanH
Can already provide some feedback. I tried recompiling using the C-backend as recently as two weeks ago. No difference. In fact, an additional module was flagged that was not picked up with the ASM backend. My guess is that not only is some type of pattern matching involved, but some of the AV system vendors actively share their hits. I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
Re: Oh crap... PB ransomware
Posted: Tue Jun 06, 2023 8:22 am
by BarryG
DeanH wrote: Tue Jun 06, 2023 12:09 am
I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
That doesn't matter. Users will upload your exe to VirusTotal anyway, even if you don't. Happens to me all the time.
Re: Oh crap... PB ransomware
Posted: Wed Jun 07, 2023 2:08 am
by DeanH
Hadn't thought of that. Good point. But then I have not heard of a user that has done it. Most would not even know VT exists.
My Department asked me to use something called Hybrid Analysis which did not produce any problems.
Just had another call today from a Victoria school in which exe files were quarantined.
Re: Oh crap... PB ransomware
Posted: Wed Jun 07, 2023 3:23 am
by DeanH
I just ran one exe through Hybrid Analysis. It gave a threat score of 35/100 and pronounced it clean but there is a long list of suspicious things. Fred, I will PM you with the URL of the report.
Re: Oh crap... PB ransomware
Posted: Wed Jun 07, 2023 8:20 am
by BarryG
DeanH wrote: Wed Jun 07, 2023 2:08 am
Hybrid Analysis
That damn tool says my app is malicious because it reads the clipboard. It's madness.
Re: Oh crap... PB ransomware
Posted: Thu Jun 08, 2023 12:50 pm
by benubi
If that's so it proves there's no real way of fixing it on the PB side.
You can change all the standard libs, Mr. PureLocker compiles a new .exe and I guess it's then like Russian roulette as to what part of the virus will be taken as "the" signature. If AVs flag signed executables you can't even really buy your way out.
We may find work-arounds and restructure our code to make it more "acceptable" for the AVs, but the bad guys may follow and copy our techniques.

Re: Oh crap... PB ransomware
Posted: Fri Jun 09, 2023 1:06 am
by idle
The irony is VirusTotal is owned by Google, which is quite appropriate considering they've effectively planted spyware on every device they possibly can.