
Re: Oh crap... PB ransomware

Posted: Thu Jul 02, 2020 3:56 pm
by Little John
NicTheQuick wrote:Just use Windows Defender and your brain. It's enough.
Sorry, I disagree. Some time ago, I did exactly that, and it wasn't satisfying.

Windows Defender flagged several false positive programs (for instance some tools by Nirsoft). As we know, this can happen with any other anti-malware program, too. However, after I told Windows Defender to whitelist those programs, it did not remember that information reliably. So it incorrectly flagged the same tools over and over again as malware ... very annoying. So Windows Defender is too primitive and not usable in practice. Then I installed Panda Dome, which is much better (and not as aggressive as some other anti-malware programs).

Re: Oh crap... PB ransomware

Posted: Thu Jul 02, 2020 4:19 pm
by skywalk
Interesting, it is only the recent Windows 10 updates that suddenly flag my utilities.
Before that, the Exclusion List was respected and still is now with a reapply.
Adding another antivirus cannot be the go-to answer for a bug with the operating system's built-in solution? :shock:
Else, we must drop every piece of code we ever bought or wrote (I make bugs too).

Re: Oh crap... PB ransomware

Posted: Thu Jul 02, 2020 4:40 pm
by Little John
skywalk wrote:Adding another antivirus cannot be the go-to answer for a bug with the operating system's built-in solution? :shock:

It was the closest pragmatic solution for me.
skywalk wrote:Else, we must drop every piece of code we ever bought or wrote (I make bugs too).
:?: :?:
This conclusion lacks any logic.

Re: Oh crap... PB ransomware

Posted: Thu Jul 02, 2020 4:45 pm
by skywalk
Your logic was to find another app instead of working with the existing app.
How is that logic hard to follow?
I am on a rant cause I deal with this every day. :evil:

Re: Oh crap... PB ransomware

Posted: Thu Jul 02, 2020 4:49 pm
by Little John
skywalk wrote:Your logic was to find another app instead of working with the existing app.
Yes.
But from this it does not follow that
skywalk wrote:Else, we must drop every piece of code we ever bought or wrote (I make bugs too).

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 9:26 am
by nsstudios
With all due respect, I think we're missing the point.
The point is that a few people writing malware with PB results in all PB programs being flagged as malware.
Have enough malware floating around, and it could easily spell disaster for PB as a language.
So, what I'm really trying to say is that I think this should be of great concern for @fred.
I don't know how possible it is to do anything about this, but I think something has to be done about it to ensure the future of the language.
Maybe we could take a look at what ties all PB executables to the malware. Is it the signature, is it a specific library, etc.?
Maybe pb could allow more variation to the created executable by randomizing certain things, allowing you to explicitly include certain libraries in the executable, (I know it already does that with init/use, but perhaps even more control?)
I don't know, but I strongly believe that something has to be done to stop antiviruses from seeing all PB executables as the same thing.
:(

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 9:52 am
by BarryG
nsstudios wrote:Maybe we could take a look at what ties all PB executables to the malware. Is it the signature, is it a specific library, etc.?
I strongly believe it's the internal class names and properties every executable has that identifies a PureBasic executable easily (see below for a typical PureBasic app window). If the compiler could let the class and property prefixes be user-defined instead, maybe that might help? Fred should let us try it. So instead of "WindowClass_*", I could tell the compiler to use "MyAppWinClass_*". And replace "pb_*" with "MyProp_*". Just so my exes don't have the same defined class names and property strings as anyone else. Would be a good test! Fred?


Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 11:25 am
by NicTheQuick
It is not PureBasic's fault! It's the bad heuristics of some dumb antiviruses. It's their fault! It makes no sense to modify PureBasic's compiler to inject some random data. Nobody knows how these heuristics work and if it would make any difference.

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 12:18 pm
by skywalk
If someone here has an obfuscator or exe packer that could be run as an experiment. I get by with whitelisting.

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 12:25 pm
by NicTheQuick
skywalk wrote:If someone here has an obfuscator or exe packer that could be run as an experiment. I get by with whitelisting.
Obfuscators and EXE packers have their own signatures, which usually give you a warning by themselves.

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 2:40 pm
by Caronte3D
skywalk wrote:If someone here has an obfuscator or exe packer that could be run as an experiment. I get by with whitelisting.
Take a look at this free app:
https://enigmaprotector.com/en/aboutvb.html
Enigma Virtual Box is used for file and registry systems virtualization and allows you to consolidate all files and registry used by your application into a single executable file without having to extract virtual files to the disk. With Enigma Virtual Box, you can virtualize any types of files, dynamic libraries (*.dll), ActiveX/COM objects (*.dll, *.ocx), video and music files (*.avi, *.mp3), text files (*.txt, *.doc), etc. Enigma Virtual Box does not extract temporary files to the HDD; file emulation is performed in the process memory only. The supported versions of Windows include Windows 2000/XP/2003/Vista/2008/Seven/2012/8/8.1 and Windows 10.

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 3:09 pm
by nsstudios
NicTheQuick wrote:It is not PureBasic's fault! It's the bad heuristics of some dumb antiviruses. It's their fault! It makes no sense to modify PureBasic's compiler to inject some random data. Nobody knows how these heuristics work and if it would make any difference.
I cannot agree with that, simply because malware written in a language like C/C++ wouldn't cause all other C/C++ executables to be treated as malware, too.
Do I wish antiviruses were smarter? Yes, but waiting around for them to change, or e-mailing antivirus developers to whitelist specific programs made in PB, is hardly a solution.
Not only do we have to explain to customers why they are being warned that a program is unsafe, but many website hosting companies have antiviruses of their own that delete unsafe files from the server, so it could become a battle to even host PB executables if we get any more malware written in PB.
I've had this happen with a scripting language that's known to be used for a lot of malicious things, and it was no fun.
I agree that packers are not a solution, because they themselves get detected by most antiviruses.

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 7:22 pm
by Tenaja
The biggest difference between PB and the Cs is the libraries. In C, there are some, but in numerous varieties. That means a lot lower chance of duplicate libraries in real malware. PB has a solid set of libraries that everyone uses unless there's a specific reason to go for a third party.

The real solution is a class action lawsuit against the bigger av companies for slandering your (our) software when "they know" PB rarely has viruses based on how often it's falsely flagged and whitelisted so fast.
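The posts above (nsstudios asking what ties all PB executables to the malware, BarryG's "WindowClass_*" / "pb_*" hypothesis, and Tenaja's point about a shared runtime library) argue about strings every build of the same compiler carries. The script below is an added example by the editor, not code from the thread or from PureBasic: it extracts printable strings from byte blobs the way strings(1) does, reports which of the assumed compiler-wide prefixes are present, shows which exact strings two unrelated "PB" binaries have in common, and simulates BarryG's per-app prefix proposal. The three sample binaries are constructed byte blobs, not real PureBasic or C output, and the marker list is taken from BarryG's post as an assumption. NicTheQuick's caveat stands: real AV heuristics are not public, so this only exercises the visible-string hypothesis.

```python
"""Crude 'what do all these binaries share' check (editor's example, not the project's code)."""
import re
from typing import Dict, Iterable, List, Set

# Prefixes BarryG says every PureBasic build carries (assumption taken from his post).
PB_MARKERS: List[bytes] = [b"WindowClass_", b"pb_"]

# Printable-ASCII runs of 4+ bytes: the same notion of a "string" that strings(1) uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> List[bytes]:
    return STRING_RE.findall(blob)


def pb_markers_in(blob: bytes) -> Set[bytes]:
    """Which of the assumed compiler-wide prefixes occur in any string of the binary."""
    strings = extract_strings(blob)
    return {m for m in PB_MARKERS if any(m in s for s in strings)}


def looks_like_pb(blob: bytes) -> bool:
    """Crude 'built with PureBasic' heuristic: every marker prefix is present."""
    return pb_markers_in(blob) == set(PB_MARKERS)


def strings_common_to(blobs: Dict[str, bytes], names: Iterable[str]) -> Set[bytes]:
    """Exact strings shared by all of the named binaries (what a byte signature could key on)."""
    sets = [set(extract_strings(blobs[n])) for n in names]
    return set.intersection(*sets) if sets else set()


def rename_prefix(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate BarryG's proposal: a per-app class/property prefix instead of the compiler default."""
    return blob.replace(old, new)


# Constructed stand-ins for three binaries (NOT real PureBasic or C output):
# a fake DOS header followed by a few strings each program would carry.
HDR = b"MZ\x90\x00" + b"\x00" * 12
SAMPLES: Dict[str, bytes] = {
    "pb_app_a": HDR + b"WindowClass_0\x00pb_progress\x00Invoice Tool 1.2\x00",
    "pb_app_b": HDR + b"WindowClass_0\x00pb_container\x00Photo Sorter\x00",
    "c_app":    HDR + b"InvoiceMainWnd\x00Hello from a C program\x00",
}


def classify_samples() -> Dict[str, bool]:
    """Run the marker heuristic over every sample."""
    return {name: looks_like_pb(blob) for name, blob in SAMPLES.items()}


def after_per_app_prefixes() -> Set[bytes]:
    """The two 'PB' apps after each picks its own prefixes: what is still common to both?"""
    renamed = {
        "a": rename_prefix(rename_prefix(SAMPLES["pb_app_a"], b"WindowClass_", b"InvWnd_"), b"pb_", b"inv_"),
        "b": rename_prefix(rename_prefix(SAMPLES["pb_app_b"], b"WindowClass_", b"PhotoWnd_"), b"pb_", b"ph_"),
    }
    return strings_common_to(renamed, ["a", "b"])


if __name__ == "__main__":
    print("marker heuristic:", classify_samples())
    print("shared by both PB apps:", strings_common_to(SAMPLES, ["pb_app_a", "pb_app_b"]))
    print("shared by PB app and C app:", strings_common_to(SAMPLES, ["pb_app_a", "c_app"]))
    print("shared after per-app prefixes:", after_per_app_prefixes())
```

Run against real files by replacing the entries of SAMPLES with `open(path, "rb").read()`. With the constructed inputs the two "PB" samples share the string `WindowClass_0` while the "C" sample shares nothing with either, and after each app gets its own prefixes the intersection is empty, which is exactly the effect BarryG hopes for; whether a vendor's heuristic keys on those strings rather than on code patterns in the shared runtime is the part this check cannot answer.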

Re: Oh crap... PB ransomware

Posted: Fri Jul 03, 2020 10:09 pm
by Saki
search.php?author_id=15109&sr=posts : :?

Sample Post :
In fact, why not use the simple command-line cmd?
It takes a few seconds to delete, much faster than the PowerShell command.
Code:
vssadmin delete shadows /all

Why are these people being helped here?

It is not hard to see that this is a malware coder.
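The command quoted in that post (`vssadmin delete shadows /all`) is the classic pre-encryption step of ransomware, and the "PowerShell command" it is compared with is the WMI route through `Win32_ShadowCopy`. As an added example by the editor, not part of the thread, the following detection logic runs over a handful of constructed process-creation events (the fields mimic a Windows 4688 / Sysmon EventID 1 record in a simplified key=value layout; the lines are made up for this example). The four rules cover the quoted `vssadmin delete shadows` form, `vssadmin resize shadowstorage` with a tiny `/maxsize`, `wmic shadowcopy delete`, and the WMI `.Delete()` call, and a benign `vssadmin list shadows` line is included to show what should not fire.

```python
"""Shadow-copy deletion detection over constructed process-creation events (editor's example)."""
import re
from typing import Dict, List, Optional

# Constructed events; NOT real logs.  Layout: <ts> host=<h> user=<u> image=<path> cmd="<cmdline>"
EVENTS = r"""
2020-07-03T21:58:01Z host=WS01 user=alice image=C:\Windows\explorer.exe cmd="explorer.exe"
2020-07-03T21:58:07Z host=WS01 user=alice image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
2020-07-03T22:01:13Z host=SRV02 user=backupsvc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows /for=D:"
2020-07-03T22:02:40Z host=WS01 user=alice image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2020-07-03T22:03:05Z host=WS01 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2020-07-03T22:04:19Z host=WS01 user=alice image=C:\Windows\System32\vssadmin.exe cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
""".strip().splitlines()

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Rule name -> pattern over the command line.  The vssadmin delete form is the one quoted in the
# post; the other three are well-known equivalents that do the same job (editor's addition).
SHADOW_WIPE_RULES: Dict[str, "re.Pattern[str]"] = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_shrink_shadowstorage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wmi_win32_shadowcopy_delete": re.compile(r"Win32_ShadowCopy\b.*\bDelete\(\)", re.I),
}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value event line; None for lines that do not fit the layout."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in SHADOW_WIPE_RULES.items() if rx.search(cmd)]


def find_shadow_wipes(lines: List[str]) -> List[Dict[str, object]]:
    """Return the parsed events that look like shadow-copy deletion, with the rule(s) that fired."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rules = match_rules(ev["cmd"])
        if rules:
            hits.append({**ev, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in find_shadow_wipes(EVENTS):
        print(hit["ts"], hit["host"], hit["user"], hit["rules"], hit["cmd"])
```

On the constructed input four of the six events fire (the `vssadmin delete`, `wmic`, WMI `.Delete()` and `resize shadowstorage` lines) and the backup account's `vssadmin list shadows` does not. In production this belongs in the EDR or SIEM rule set rather than a script, and the `resize shadowstorage` rule deserves a size threshold and an allow-list for storage administrators, since legitimate admins do shrink shadow storage.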

Re: Oh crap... PB ransomware

Posted: Sat Jul 04, 2020 2:22 am
by BarryG
Caronte3D wrote:Take a look at this free app:
https://enigmaprotector.com/en/aboutvb.html
Tried that before. Doesn't stop false-positives. Trust me when I say I've literally tried everything out there.

I uploaded my app to VirusTotal again today, and it used to have about 17 malware hits, but today only came up as 9. I haven't done anything to protect it, so it seems something has changed a bit to reduce the false-positives, which is great news. But 9 is still way too high.