
My site : freenet account ; virus on some pages ?

Posted: Wed Nov 25, 2009 9:50 am
by Klaus_1963
I have an alert from my virus program (GDATA) on the following pages:

http://freenet-homepage.de/gnozal/PureBUILD.zip
http://freenet-homepage.de/gnozal/PureValid_440.zip

If I knew how to upload pictures, I could send you the messages from GDATA...

Klaus

-----------------------------------------
PB 4.31, PB 4.40 b7, XP, Vista, Windows 7

Re: Virus on some freenet pages?

Posted: Wed Nov 25, 2009 11:02 am
by gnozal
Klaus_1963 wrote: I have an alert of my virus program (GDATA) on following pages:
http://freenet-homepage.de/gnozal/PureBUILD.zip
http://freenet-homepage.de/gnozal/PureValid_440.zip

False positives with packed executables ... a classic.

When you have an alert, please check with several other anti-virus programs, or with Virustotal, before posting, especially when it's some generic / heuristic alert.
Thanks.

Scan results :
http://www.virustotal.com/analisis/8a13 ... 1259142995
http://www.virustotal.com/analisis/b30b ... 1259143125

Note about the user-libraries : the installers are self-extracting zip archives, so you can open them with any archiver and extract the files without starting the installer itself.

Re: Virus on some freenet pages?

Posted: Thu Feb 18, 2010 2:24 pm
by yrreti
I'm sorry and I hate to bother you with this question again, because your programs are so useful to the whole group
and much appreciated by us all. But how can a person be sure in these cases that it's a false positive?
I used the virustotal web page on both of these files, with the zip, and unzipped. I even unarchived the
file into its directories, and all three show multiple virus hits on the exe file.
I sincerely thank you for your help and understanding.

Re: Virus on some freenet pages?

Posted: Thu Feb 18, 2010 2:37 pm
by gnozal
yrreti wrote: I'm sorry and I hate to bother you with this question again, because your programs are so useful to the whole group and much appreciated by us all. But how can a person be sure in these cases that it's a false positive?

What you can do : send the file(s) to your AV provider for analysis and the false alarm may disappear in the next virus definition files.
Or change / set up your AV.

Re: Virus on some freenet pages?

Posted: Mon Mar 01, 2010 4:44 pm
by DoubleDutch
AVG and Microsoft Security Essentials both detect PureValid as a virus on default settings.

Re: Virus on some freenet pages?

Posted: Mon Mar 01, 2010 5:13 pm
by gnozal
DoubleDutch wrote: AVG and Microsoft Security Essentials both detect PureValid as a virus on default settings.

Only PureVALID, not the other libraries ?

The library installers are self-extracting ZIP archives ; so the alarm may come from the SFX stub or from files in the archive.
If it's only one library, it may be the archive content ; if it's all of them, it's rather the SFX stub.
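The comparison gnozal describes here (shared SFX stub versus per-installer archive content), together with the earlier note that the installers can be opened as ZIP archives without running them, can be done by hashing each part separately. The following is an added example, not code from the thread or from gnozal's tools; the installer names, member names and sample bytes are constructed, and it assumes the ZIP data directly follows the stub.

```python
import hashlib
import io
import zipfile

def components(sfx: bytes) -> dict:
    """Hash the stub and every archived file of an SFX ZIP without running it."""
    with zipfile.ZipFile(io.BytesIO(sfx)) as zf:
        infos = zf.infolist()
        # zipfile corrects header_offset for prepended data, so the lowest
        # local-header offset marks where the stub ends and the ZIP begins.
        stub_len = min(i.header_offset for i in infos)
        parts = {"<sfx stub>": hashlib.sha256(sfx[:stub_len]).hexdigest()}
        for i in infos:
            if not i.is_dir():
                parts[i.filename] = hashlib.sha256(zf.read(i)).hexdigest()
    return parts

def suspects(installers: dict, flagged: set) -> list:
    """Parts present in every flagged installer and in no unflagged one."""
    inv = {name: components(data) for name, data in installers.items()}
    clean = {h for n, p in inv.items() if n not in flagged for h in p.values()}
    common = None
    for name in sorted(flagged):
        cand = {h: part for part, h in inv[name].items() if h not in clean}
        common = cand if common is None else {h: p for h, p in common.items() if h in cand}
    return sorted((common or {}).values())

def make_sfx(stub: bytes, files: dict) -> bytes:
    """Build a constructed sample: stub bytes followed by a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return stub + buf.getvalue()

# Constructed samples (hypothetical names, inert bytes), all sharing one stub.
STUB = b"MZ" + b"\x00" * 62 + b"stand-in for the shared SFX stub"
INSTALLERS = {
    "lib_a_setup.exe": make_sfx(STUB, {"a.lib": b"library A"}),
    "lib_b_setup.exe": make_sfx(STUB, {"b.lib": b"library B", "helper.exe": b"packed helper"}),
    "lib_c_setup.exe": make_sfx(STUB, {"c.lib": b"library C"}),
}

if __name__ == "__main__":
    print(suspects(INSTALLERS, {"lib_b_setup.exe"}))  # one installer flagged
    print(suspects(INSTALLERS, set(INSTALLERS)))      # every installer flagged
```

The per-part SHA-256 values are also what you would look up or submit individually when asking an AV vendor to review a suspected false positive.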

Re: Virus on some freenet pages?

Posted: Mon Mar 01, 2010 5:17 pm
by DoubleDutch
Only PureValid for me (on MS security essentials) - just tried both again for you. :)

Re: Virus on some freenet pages?

Posted: Mon Mar 01, 2010 5:19 pm
by gnozal
DoubleDutch wrote: Only PureValid for me (on MS security essentials) - just tried both again for you. :)

So maybe it's the (compressed) PureValid.exe file in the archive (it's the same since 2004 ...!) ?
I just tested this file on virustotal : it triggers a lot of generic/heuristic alarms ...
I will recompile this file (if I find the source).

Re: Virus on some freenet pages?

Posted: Mon Mar 01, 2010 10:20 pm
by DoubleDutch
PM me when you do and I'll check it for you.

Re: Virus on some freenet pages?

Posted: Tue Mar 02, 2010 8:45 am
by gnozal
I have recompiled PureValid.exe and PureBuild.exe.
They should trigger fewer false (generic / heuristic) alarms (just tested on VirusTotal).

Re: Virus on some freenet pages?

Posted: Tue Mar 02, 2010 9:42 am
by DoubleDutch
Someone must have reported your PureValid link as a link to a virus, as now the link shows up in MS security essentials! :(

Maybe you should rename the link?

(other links on the page are ok)

Re: Virus on some freenet pages?

Posted: Tue Mar 02, 2010 10:42 am
by gnozal
DoubleDutch wrote: Someone must have reported your PureValid link as a link to a virus, as now the link shows up in MS security essentials! :(

The (newly compiled) PureValid_440.zip tested on VirusTotal is negative with Microsoft V1.5502, so I don't know what's wrong with MS security essentials...

Re: Virus on some freenet pages?

Posted: Tue Mar 02, 2010 11:24 am
by DoubleDutch
The file now doesn't flag as a virus - but the link (since yesterday!!!) does. :(

I think changing the link slightly would do it.

Re: Virus on some freenet pages?

Posted: Tue Mar 02, 2010 11:43 am
by gnozal
DoubleDutch wrote: I think changing the link slightly would do it.

In this case my update tool wouldn't work anymore.
I guess the link issue will be fixed in a future MS update.

Miscellaneous site announcements

Posted: Wed Feb 23, 2011 2:26 pm
by gnozal
My web site got temporarily blocked for "Signs of Malware".

To be sure, I scanned my site backup with ClamWin (updated 23 Feb 2011) and MS Malicious Software Removal Tool 3.16 : nothing. I also scanned with VirusTotal : nothing either.

I have contacted the uCoz technical support : they received a complaint from abuseATclean-mxDOTde about PureUPX.zip.
I have repacked the file so that it should not trigger a false alarm anymore...
uCoz has unblocked the site.

It is online again.