PB 4.5x, Windows 7 and F-Secure Client Security

Post by davenull »

I'm having quite a few problems with a combination of PB 4.5x, Windows 7 and F-Secure Client Security.

PB 4.50 32bit, Windows 7 Enterprise/Ultimate 32bit UK, F-Secure Client Security 9.01 32-bit:
No problems.

PB 4.51 32bit, Windows 7 Enterprise/Ultimate 32bit UK, F-Secure Client Security 9.01 32-bit:
Many of my programs are regarded as trojans or other types of viruses by FSCS.

PB 4.5x 32bit, Windows 7 Enterprise 64bit UK, F-Secure Client Security 9.01 64-bit:
Many of my programs are regarded as trojans or other types of viruses by FSCS.

PB 4.5x 64bit, Windows 7 Enterprise 64bit UK, F-Secure Client Security 9.01 64-bit:
No problems.

Something important must have happened between 32bit versions of PB 4.50 and PB 4.51 concerning the above mentioned combination.

Post by Trond »

This is a bug in F-Secure, you must contact them.

You can do it here (login is not necessary even though the page is called login.html):
https://analysis.f-secure.com/portal/login.html

Select any of your programs giving a false positive, select the "false positive" option and click submit. Antivirus vendors usually correct such faults (which happen from time to time) within a few days.

Post by Rings »

Moved, as it's (mostly) a Viri scanner problem.
SPAMINATOR NR.1

Post by sverson »

Trond wrote:
> ... (login is not necessary even though the page is called login.html)...

I have been talking to the F-Secure people today.
They said if you want to receive their response you need to create a user account.
As soon as you are logged in you can describe your problem, tell them you want some response or even ask them to remove the exe right after scanning because it must not get into somebody's hands.

:wink: sverson

Post by davenull »

For some reason almost everything made with a 32-bit PB is considered a virus by FSCS. I have to use 64-bit PB only and it's very annoying, because I can't utilize Gnozal's great libraries anymore. Unfortunately FSCS is the choice of our company and there's no way to get rid of it.

Post by Trond »

sverson wrote:
> Trond wrote:
> > ... (login is not necessary even though the page is called login.html)...
>
> I have been talking to the F-Secure people today.
> They said if you want to receive their response you need to create a user account.
> As soon as you are logged in you can describe your problem, tell them you want some response or even ask them to remove the exe right after scanning because it must not get into somebody's hands.
>
> :wink: sverson

Yes, but you don't want to receive their response, do you? All you want is an antivirus that says nothing until there is an actual virus.

> For some reason almost everything made with a 32-bit PB is considered a virus by FSCS. I have to use 64-bit PB only and it's very annoying, because I can't utilize Gnozal's great libraries anymore. Unfortunately FSCS is the choice of our company and there's no way to get rid of it.

As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.

Post by davenull »

> As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.

I'm aware of that possibility and have used it in the past. Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated. The programs may also be confidential. It's simply crazy that a two-liner "program", which basically pops up a message box, is considered a trojan by FSCS.

I know a couple of top guys from F-Secure and they're always very helpful and eager to solve the problems. But enough is enough. F-Secure spoils my day too often. There's something in 32-bit PB that is incompatible with them.

Post by Trond »

davenull wrote:
> > As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
>
> Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.

When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.

Post by C64 »

Avira AntiVir used to panic when I used the BlockInput_() API call in my program, so I got around it by using OpenLibrary() to open "user32.dll", then used CallFunction() with "BlockInput" as the parameter. Avira doesn't alert me anymore. ;)

(Before anyone judges: there are legitimate uses for BlockInput(), so back off).

Post by TomS »

C64 wrote:
> (Before anyone judges: there are legitimate uses for BlockInput(), so back off).

Else it wouldn't exist in the Windows API, would it? Just saying ;)

Post by davenull »

Trond wrote:
> davenull wrote:
> > > As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
> >
> > Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.
>
> When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.

Unfortunately it doesn't really work this way. I created one program back in 2004 and it was in use unchanged for six years. F-Secure judged that it is a trojan a couple of years after the initial release. The program was submitted to F-Secure for checking and the problem disappeared for a while. It came back later, but another virus signature file corrected the situation quite quickly.

The big problem came last year, when tickets started to flood to our help desk regarding a trojan; this very same program again. Eventually it had to be removed from all 2500+ computers with an AD group policy. Not nice, since the program saved a lot of manual work. It would be great, if FS actually used the procedure you mentioned, but this is not what I've seen.

Post by Trond »

davenull wrote:
> Trond wrote:
> > davenull wrote:
> > > > As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
> > >
> > > Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.
> >
> > When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.
>
> Unfortunately it doesn't really work this way. I created one program back in 2004 and it was in use unchanged for six years. F-Secure judged that it is a trojan a couple of years after the initial release. The program was submitted to F-Secure for checking and the problem disappeared for a while. It came back later, but another virus signature file corrected the situation quite quickly.
>
> The big problem came last year, when tickets started to flood to our help desk regarding a trojan; this very same program again. Eventually it had to be removed from all 2500+ computers with an AD group policy. Not nice, since the program saved a lot of manual work. It would be great, if FS actually used the procedure you mentioned, but this is not what I've seen.

That's very sad and annoying, that F-Secure can't handle these things properly.

Post by sverson »

Hi,

This is what F-Secure said to me:

08.02.2011 08:06 - F-Secure Security Labs wrote:
> Hello,
>
> With growing number of threats in the wild, we have to be strict in our detection which eventually causes some false alarms. This is also true with many of Antivirus vendors. However, in F-Secure, we are constantly working on reducing the FAs and at the same time maintain and improve our detection rate. This makes us one of the strongest players in this AV industry. Meanwhile, in the case of FA, we also have a team which will work on that issue and fix it quickly.
>
> In your case, if you see your distributed program is often flagged as suspicious or malicious, we would also request you to sign it. Applications with strong digital signature (after thorough investigation by our clean files/trusted signer verification team) can be whitelisted so they won't be mistakenly detected. Please ask us if you have more doubts on this.
>
> Best regards,
> --------
> F-Secure Security Labs http://www.f-secure.com/weblog/
> F-Secure Corporation http://www.f-secure.com/

:wink: sverson
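
The signing advice quoted above can be checked on the build side before a tool is rolled out. The following is an added example, not code from the thread or from F-Secure: it reads a PE header and reports whether a build is 32-bit or 64-bit and whether it carries an embedded signature blob. The names `inspect_pe` and `build_sample` are hypothetical, and the sample images are constructed header-only stubs.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # optional-header magic values
SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY

def inspect_pe(data: bytes) -> dict:
    """Report bitness and presence (not validity) of an embedded signature."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (PE32, PE32_PLUS):
            raise ValueError("unknown optional-header magic")
        bits, dirs = (32, opt + 96) if magic == PE32 else (64, opt + 112)
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        cert_off = cert_size = 0
        if count > SECURITY_DIR:
            # For this directory the first field is a file offset, not an RVA.
            cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    present = cert_size > 0 and cert_off + cert_size <= len(data)
    return {"bits": bits, "has_signature": present, "cert_size": cert_size}

def build_sample(magic: int, signed: bool) -> bytes:
    """Constructed header-only PE stub (sample input, not a real program)."""
    dirs = 96 if magic == PE32 else 112
    opt = bytearray(dirs + 16 * 8)             # 16 empty data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)  # NumberOfRvaAndSizes
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew
    machine = 0x14C if magic == PE32 else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0)
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        blob = b"\0" * 16                      # stand-in for a WIN_CERTIFICATE entry
        struct.pack_into("<II", image, 0x40 + 24 + dirs + 8 * SECURITY_DIR,
                         len(image), len(blob))
        image += blob
    return bytes(image)

if __name__ == "__main__":
    for magic, signed in ((PE32, False), (PE32_PLUS, True)):
        print(inspect_pe(build_sample(magic, signed)))
```

A positive result only means a certificate table is present in the file; whether the signature is valid and trusted still has to be verified with the platform's own signature verification.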