PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Wed Feb 02, 2011 10:30 pm
by davenull
I'm having quite a few problems with a combination of PB 4.5x, Windows 7 and F-Secure Client Security.

PB 4.50 32bit, Windows 7 Enterprise/Ultimate 32bit UK, F-Secure Client Security 9.01 32-bit:
No problems.

PB 4.51 32bit, Windows 7 Enterprise/Ultimate 32bit UK, F-Secure Client Security 9.01 32-bit:
Many of my programs are regarded as trojans or other types of viruses by FSCS.

PB 4.5x 32bit, Windows 7 Enterprise 64bit UK, F-Secure Client Security 9.01 64-bit:
Many of my programs are regarded as trojans or other types of viruses by FSCS.

PB 4.5x 64bit, Windows 7 Enterprise 64bit UK, F-Secure Client Security 9.01 64-bit:
No problems.

Something important must have happened between the 32-bit versions of PB 4.50 and PB 4.51 concerning the above-mentioned combination.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Wed Feb 02, 2011 10:49 pm
by Trond
This is a bug in F-Secure, you must contact them.

You can do it here (login is not necessary even though the page is called login.html):
https://analysis.f-secure.com/portal/login.html

Select any of your programs giving a false positive, select the "false positive" option and click submit. Antivirus vendors usually correct such faults (which happen from time to time) within a few days.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Thu Feb 03, 2011 8:27 am
by Rings
Moved, as it's (mostly) a Viri scanner problem.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Fri Feb 04, 2011 7:21 pm
by sverson
Trond wrote:
> ... (login is not necessary even though the page is called login.html)...

I have been talking to the F-Secure people today.
They said if you want to receive their response you need to create a user account.
As soon as you are logged in you can describe your problem, tell them you want some response or even ask them to remove the exe right after scanning because it must not get into somebody's hands.

:wink: sverson

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Fri Feb 04, 2011 7:41 pm
by davenull
For some reason almost everything made with a 32-bit PB is considered a virus by FSCS. I have to use 64-bit PB only and it's very annoying, because I can't utilize Gnozal's great libraries anymore. Unfortunately FSCS is the choice of our company and there's no way to get rid of it.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Fri Feb 04, 2011 10:04 pm
by Trond
sverson wrote:
> Trond wrote:
>> ... (login is not necessary even though the page is called login.html)...
>
> I have been talking to the F-Secure people today.
> They said if you want to receive their response you need to create a user account.
> As soon as you are logged in you can describe your problem, tell them you want some response or even ask them to remove the exe right after scanning because it must not get into somebody's hands.
>
> :wink: sverson

Yes, but you don't want to receive their response, do you? All you want is an antivirus that says nothing until there is an actual virus.

> For some reason almost everything made with a 32-bit PB is considered a virus by FSCS. I have to use 64-bit PB only and it's very annoying, because I can't utilize Gnozal's great libraries anymore. Unfortunately FSCS is the choice of our company and there's no way to get rid of it.

As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Fri Feb 04, 2011 10:47 pm
by davenull
> As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.

I'm aware of that possibility and have used it in the past. Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated. The programs may also be confidential. It's simply crazy that a two-liner "program", which basically pops up a message box, is considered a trojan by FSCS.

I know a couple of top guys from F-Secure and they're always very helpful and eager to solve the problems. But enough is enough. F-Secure spoils my day too often. There's something in 32-bit PB that is incompatible with them.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Sat Feb 05, 2011 3:07 pm
by Trond
davenull wrote:
>> As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
> Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.

When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Sat Feb 05, 2011 3:48 pm
by C64
Avira AntiVir used to panic when I used the BlockInput_() API call in my program, so I got around it by using OpenLibrary() to open "user32.dll", then used CallFunction() with "BlockInput" as the parameter. Avira doesn't alert me anymore. ;)

(Before anyone judges: there's legitimate uses for BlockInput(), so back off).

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Sat Feb 05, 2011 4:14 pm
by TomS
C64 wrote:
> (Before anyone judges: there's legitimate uses for BlockInput(), so back off).

Else it wouldn't exist in the Windows API, would it? Just saying ;)

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Sat Feb 05, 2011 4:32 pm
by davenull
Trond wrote:
> davenull wrote:
>>> As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
>> Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.
>
> When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.

Unfortunately it doesn't really work this way. I created one program back in 2004 and it was in use unchanged for six years. F-Secure judged that it is a trojan a couple of years after the initial release. The program was submitted to F-Secure for checking and the problem disappeared for a while. It came back later, but another virus signature file corrected the situation quite quickly.

The big problem came last year, when tickets started to flood to our help desk regarding a trojan; this very same program again. Eventually it had to be removed from all 2500+ computers with an AD group policy. Not nice, since the program saved a lot of manual work. It would be great, if FS actually used the procedure you mentioned, but this is not what I've seen.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Sat Feb 05, 2011 6:08 pm
by Trond
davenull wrote:
> Trond wrote:
>> davenull wrote:
>>>> As I said, just upload a sample and select "false positive". This happened several times in the past with various antivirus vendors and it was always fixed within a couple of days after submitting the false positive.
>>> Nowadays that would mean uploading a lot as we develop many small programs for Windows administration, which are frequently updated.
>>
>> When they get any false positive they are not supposed to whitelist it, they are supposed to remove the code that makes it detected. So you should only have to do this once (submit the two-liner if it causes the error) and it should prevent errors on all PB programs.
>
> Unfortunately it doesn't really work this way. I created one program back in 2004 and it was in use unchanged for six years. F-Secure judged that it is a trojan a couple of years after the initial release. The program was submitted to F-Secure for checking and the problem disappeared for a while. It came back later, but another virus signature file corrected the situation quite quickly.
>
> The big problem came last year, when tickets started to flood to our help desk regarding a trojan; this very same program again. Eventually it had to be removed from all 2500+ computers with an AD group policy. Not nice, since the program saved a lot of manual work. It would be great, if FS actually used the procedure you mentioned, but this is not what I've seen.

That's very sad and annoying, that F-Secure can't handle these things properly.

Re: PB 4.5x, Windows 7 and F-Secure Client Security

Posted: Tue Feb 08, 2011 12:11 pm
by sverson
Hi,

This is what F-Secure said to me:
08.02.2011 08:06 - F-Secure Security Labs wrote:
> Hello,
>
> With growing number of threats in the wild, we have to be strict in our detection which eventually causes some false alarms. This is also true with many of Antivirus vendors. However, in F-Secure, we are constantly working on reducing the FAs and at the same time maintain and improve our detection rate. This makes us one of the strongest players in this AV industry. Meanwhile, in the case of FA, we also have a team which will work on that issue and fix it quickly.
>
> In your case, if you see your distributed program is often flagged as suspicious or malicious, we would also request you to sign it. Applications with strong digital signature (after thorough investigation by our clean files/trusted signer verification team) can be whitelisted so they won't be mistakenly detected. Please ask us if you have more doubts on this.
>
> Best regards,
> --------
> F-Secure Security Labs http://www.f-secure.com/weblog/
> F-Secure Corporation http://www.f-secure.com/

:wink: sverson
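
The signing step that F-Secure Security Labs asks for in the reply above, applied to a folder of small admin tools like the ones davenull describes. This is an added example, not code from the thread or from F-Secure; `$BuildDir`, `$Thumbprint` and `$TimestampUrl` are placeholders the caller supplies, and it assumes a code-signing certificate is already installed in the current user's store.

```powershell
# Added example: Authenticode-sign every .exe under a build folder and verify the result.
# All three parameters are placeholders supplied by the caller (assumptions, not from the thread).
param(
    [Parameter(Mandatory)] [string] $BuildDir,      # folder holding the compiled tools
    [Parameter(Mandatory)] [string] $Thumbprint,    # thumbprint of your code-signing certificate
    [Parameter(Mandatory)] [string] $TimestampUrl   # your CA's timestamp service URL
)

$ErrorActionPreference = 'Stop'

# Pick the code-signing certificate from the current user's store by thumbprint.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

$results = foreach ($exe in Get-ChildItem -Path $BuildDir -Filter *.exe -Recurse) {
    # Leave files alone that already carry a valid signature from this certificate.
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    $alreadySigned = $sig.Status -eq 'Valid' -and
                     $sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint
    if (-not $alreadySigned) {
        # Timestamping keeps the signature verifiable after the certificate expires.
        $sig = Set-AuthenticodeSignature -FilePath $exe.FullName -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    }
    [pscustomobject]@{
        File        = $exe.Name
        Status      = $sig.Status
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    }
}

$results | Format-Table -AutoSize

# Fail the build step if anything is unsigned, invalid or missing a timestamp.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) are unsigned, invalid or not timestamped."
    exit 1
}
```

A valid signature only identifies the publisher; per the reply above, whitelisting still depends on the vendor's own trusted-signer review.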