Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 7:46 am
by PB
Hi all. Today I decided to submit one of my exes to two online virus scanners,
to see what they'd report. I'm not very happy at all. :( Here are the reports:

http://virusscan.jotti.org/en/scanresul ... 30280ae642

http://www.virustotal.com/analisis/0ac6 ... 1280039195

As you can see, both make my app look like it's virus-ridden with malware. :(
My question is: if my potential customers showed me the results above, how
would I convince them that my app is safe? I don't even know what some of
those alerts are, or why they're there. I'm just creating the exe using a clean
PureBasic install with a DLL compressed with UPX, and I made the DLL using
PureBasic too. I don't get it. My system is not infected from what I can tell,
after doing a full system scan with Avira AntiVir. Doesn't make sense. (And
I only named it Calc.exe for the upload to these sites, so the real name is
kept unknown to them).

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 8:58 am
by djes
Try without using UPX, and don't call it like a Windows app.

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 2:39 pm
by netmaestro
Both good points. A good antivir will know that it isn't the well-known calc.exe and raise flags on that alone. Just like if you walked into a bank with a check you wanted cashed and when they asked your name you said Tom Selleck. They know you aren't him and eyebrows go up. On the UPX issue, there are two main concerns right off the bat. The first is that the antivir programs know it's packed and scrambled and that because of that they can't give it a clean bill of health: they don't know what's in there. The second is that packing results in bytes being jammed together in all manner of random patterns. The likelihood of one of those patterns resembling a known virus signature is quite good.
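Two of the packer symptoms described in the post above (a packer's own section names, and packed data that looks like random bytes) can be checked on a build locally before uploading it anywhere. The Python below is an added example, not code from this thread or from PureBasic; the packer section-name watchlist and the 7 bits/byte entropy threshold are assumptions, and the sample PE it builds is a constructed header-only skeleton, not a loadable program.

```python
import math
import struct
from collections import Counter

# Constructed watchlist of section names left behind by common packers (an assumption
# for this example, not any vendor's real heuristic rules). Entropy above ~7 bits/byte
# is the usual "packed or encrypted" threshold.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Walk the COFF section table and yield (name, raw_data) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # COFF file header follows the 4-byte signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt_hdr  # section headers, 40 bytes each
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]

def triage(pe: bytes):
    """Return findings of the kind a heuristic engine raises on packed binaries."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTIONS:
            findings.append(f"{label}: packer section name")
        if (ent := shannon_entropy(data)) > 7.0:
            findings.append(f"{label}: entropy {ent:.2f} bits/byte")
    return findings

def build_sample_pe(sections):
    """Constructed minimal PE skeleton (DOS stub, signature, COFF header, section table);
    it is enough for parse_sections() but is not a loadable executable."""
    blob = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    offset, body = len(blob) + 40 * len(sections), b""
    for name, data in sections:
        blob += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), offset, 0, 0, 0, 0, 0)
        offset, body = offset + len(data), body + data
    return bytes(blob) + body
```

Running `triage()` over a real build (open the file in binary mode) lists which sections would look packed to a scanner; a clean, unpacked PureBasic build should normally report nothing.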

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 3:34 pm
by PB
Okay, so I ditched UPX and did a rebuild of the DLL and EXE, and the results are
still pretty much the same... only 1 or 2 virus apps showed no concern now. See:

http://virusscan.jotti.org/en/scanresul ... e47f2d8856

http://www.virustotal.com/analisis/ffee ... 1280067870

This really sucks. :( Is it because I'm using GetAsyncKeyState and things like that?
Maybe those API commands are raising "suspicious" flags. This is really depressing.
How can I release this app if it looks like malware? Has anyone else suffered this?

Maybe my PC really is infected and I just don't know it? But that wouldn't explain
why a freshly-built EXE would have so many infections as soon as it's created...

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 3:55 pm
by c4s
It's all a heuristic alert (see "heur" and "gen") so you shouldn't have a real virus in your software. ;)
The only thing you can do now is to contact those antivirus manufacturers and report yours as a false positive. All of them should have a report e-mail, web form etc. I remember we already collected some of the addresses here in the forum!

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 4:04 pm
by Thorium
UPX isn't a problem, virus scanners can unpack it and analyse the code, same with most other packers. They can even unpack Morphine without problems.

The problem is the heuristic of the scanners; the only thing you can do is send the .exe or .dll or whatever is detected as a virus to the company that develops the virus scanner that detects it as malware. They will likely fix it with one of the next updates.

Most of them have special e-mail addresses for sending false positives to them.

Re: Virus scan of my executable is a concern

Posted: Sun Jul 25, 2010 4:19 pm
by PB
Thanks for the info, guys. So I assume I'd just let the companies know before
I do a general release of my app? How do they know I'm telling the truth and
that my app ISN'T malware?

I've been doing some search/replace of API calls in my app, because I want to
see exactly WHAT is causing these false alerts. It's a time-consuming process.

The only result I've got so far, is that if I remove the DeleteFile_() API command,
and use PureBasic's DeleteFile() instead, then NOD32 doesn't report Win32/Genetik
anymore. Weird that it complains about an API command, because I assumed that
PureBasic was just a wrapper for it?

Re: Virus scan of my executable is a concern

Posted: Mon Jul 26, 2010 3:52 pm
by Thorium
They know that it isn't malware because they analyse it. You have to send the compiled .exe to them and they run it in a VM and check what it does.

Re: Virus scan of my executable is a concern

Posted: Tue Jul 27, 2010 7:41 am
by PB
> You have to send the compiled .exe to them and they run it in a VM and check what it does

I see. Hmm. So they need access to a registered version of my app? I don't like that.
Who knows what they'll do with it. "Here Bob, take this home with you after I've had
a play in the VM." :(

Also, that's kinda silly, because my app could simply have a time delay and do the
damage after X months. So prior to that time they're marking it as safe to all their
users. Hmm... could be a good way to kill an anti-virus vendor's reputation! :twisted:

Re: Virus scan of my executable is a concern

Posted: Tue Jul 27, 2010 10:47 am
by zogre
PB wrote:
> > You have to send the compiled .exe to them and they run it in a VM and check what it does
>
> I see. Hmm. So they need access to a registered version of my app? I don't like that.
> Who knows what they'll do with it. "Here Bob, take this home with you after I've had
> a play in the VM." :(
>
> Also, that's kinda silly, because my app could simply have a time delay and do the
> damage after X months. So prior to that time they're marking it as safe to all their
> users. Hmm... could be a good way to kill an anti-virus vendor's reputation! :twisted:

It's more likely they will look manually at the locations flagged in the binary file (decompiled to asm) by their internal slow&deep scanning tools in order to see what the code is doing at those locations.

Re: Virus scan of my executable is a concern

Posted: Tue Jul 27, 2010 3:38 pm
by djes
Maybe one of us could create a list of functions definitively flagged as bad by heuristics...

Re: Virus scan of my executable is a concern

Posted: Mon Aug 02, 2010 11:06 pm
by Rook Zimbabwe
I may have missed something... do you get the same reports when you run it through a virus scanner NOT on the internet???

Some of them really want to sell you their product/service... :D

Looking at the list of what hit it as BAD... I become suspicious... none of them found the same thing. And only 3 of them declared they found anything at all...

Avast and AVG reported clear... AntiVir wants to sell you their software... I never heard of the others so I would not worry about it!!! :mrgreen:

Re: Virus scan of my executable is a concern

Posted: Tue Aug 03, 2010 1:20 am
by PB
> do you get the same reports when you run it through a virus scanner NOT on the internet?

I use Avira AntiVir and yes, it matches what the online scan says.

Re: Virus scan of my executable is a concern

Posted: Tue Aug 03, 2010 2:56 pm
by DoubleDutch
If I compile my ER program with PB v4.4x, there are no virus warnings. But with 4.5x I get the warnings too. Pretty annoying, but not PB's fault.

Anyone know if there is a complete list of submission email addresses for the false-positives?

Re: Virus scan of my executable is a concern

Posted: Wed Aug 04, 2010 11:37 am
by KJ67
I remembered that I installed VirusTotal's uploader some time ago and never really found a use for it, until now.
If included in PB I can check small snippets of code just by a quick copy-paste into a new source tab, then press F5, and then both find where and what triggers different antiviruses & then also give them a collection of false detections to sort out of their signature files.
Ex: [screenshot]