VirusTotal.com labels PureBasic executables as a virus?

Posted: Sun Nov 21, 2010 1:10 am
by Nituvious
It was brought to my attention that a few programs I wrote have been identified as a trojan. I scanned and, sure enough, VirusTotal brings up false positives on my program. So, I compiled this into an executable:

Code:

string$ = "hello//stuff goes here"

message1$ = StringField(string$,1,"//")
message2$ = StringField(string$,3,"//")

Debug message1$
Debug message2$
MessageRequester("stuff",message1$ + message2$)

Uploaded and scanned it, and it came back with the same thing.
What's going on here? Why is it doing this? It has never done this before.

Re: VirusTotal.com labels PureBasic executables as a virus?

Posted: Sun Nov 21, 2010 1:21 am
by PB
This type of topic comes up from time to time. Here's the last such one:

http://www.purebasic.fr/english/viewtop ... =7&t=43016

Maybe join that topic, rather than have two separate topics started.

Re: VirusTotal.com labels PureBasic executables as a virus?

Posted: Tue Dec 07, 2010 6:01 pm
by DoubleDutch
VirusTotal is really good, I use the 'Send to' all the time.

btw

Code to access Windows information sometimes triggers the AV programs. You can fool them though...
E.g.:

Code:

Procedure.s nod32text1()
  Static nod32local$="advapi32"
  ProcedureReturn nod32local$
EndProcedure

Procedure.s nod32text2()
  Static nod32local$="GetCurrentHwProfileA"
  ProcedureReturn nod32local$
EndProcedure

Procedure.s HardwareFingerprint()
  Protected hwp.HW_PROFILE_INFO
  result$=""
  text1$=nod32text1()
  lib=OpenLibraryDll(#PB_Any,text1$) ; "advapi32.dll"
  If lib
    text2$=nod32text2()
    If CallFunction(lib,text2$,@hwp) ; "GetCurrentHwProfileA"
      a=0
      For loop=1 To 100
        a+1
      Next
      result$=PeekS(@hwp\szHWProfileGUID[0])
    EndIf
    CloseLibrary(lib)
  EndIf
  ; Debug PeekS(@hwp\szHwProfileName[0]) + " -> " + PeekS(@hwp\szHWProfileGUID[0])
  ProcedureReturn result$
EndProcedure

The above code works, but try it without the nod32 procedures (reinsert the code) and it triggers nod32!!! Just shows you how rubbish the AVs really are.

ESET (the makers of NOD32) have not replied to any of my emails regarding the false positives they keep throwing up, so I had to find ways to bypass the AV for my customers. Don't believe their '48 hour response' rubbish; you will lose fewer customers if you figure it out yourself.

Also ClamAV almost always reports a program as having a virus, usually...

ClamAV 0.96.4.0 2010.12.07 Trojan.Rabbit-2

(!!) They too don't reply to emails or fix the problem. Luckily no-one seems to use this AV!

I'm just waiting for someone to sue for loss of earnings and reputation based on what the AVs do.

Also, I now code sign virtually everything - but code signing is ignored by the AVs - what is the point?