Page 1 of 4
Studies against AV false positives
Posted: Fri Apr 12, 2013 8:39 am
by Didelphodon
This thread shall be dedicated to the quest of finding the reason(s) why PureBasic executables so often raise false-positive alerts in anti-virus products.
See it as a joint venture to reveal those secrets and find a solution ...
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 8:43 am
by Didelphodon
Tried the following things:
Threw an absolutely empty default PB executable into VirusTotal:
See ...
https://www.virustotal.com/de/file/8793 ... 365751641/
=> 7 false positives
Again, threw an absolutely empty default PB executable into VirusTotal, but this time with any of the information fields filled out (compiler options):
See ...
https://www.virustotal.com/de/file/4cd0 ... 365752015/
=> only 3 false positives - note: empty information fields seem to trigger
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 8:46 am
by Didelphodon
Hm, DrWeb is one of the false positives - I'm going to ask a friend at DrWeb to do me a favour and check what triggers it ...
EDIT: Just dropped my friend an email. To be continued ...
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 11:10 am
by IdeasVacuum
I applaud your intent, but fear you could be flogging a dead horse..........

Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 11:38 am
by marc_256
é#@à%* I just installed NOD32 version 6
And all my PB .exe files are erased ??!!
They are not even in quarantine ...
Marc,
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 11:42 am
by IdeasVacuum
That will be an option somewhere in NOD32.
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 11:52 am
by Didelphodon
Good news from DrWeb. They had a signature in their database, based on a false positive from some time ago, which is now removed. Hence there shouldn't be any more false positives with PureBasic executables (with good intentions, of course) in the future. We'll see ...
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 12:17 pm
by Didelphodon
However, I encourage everyone to fill out those detail fields in the compiler options (company name, etc.), as it seems to be one of the aspects heuristics look for.
On one hand it is understandable that this might be an aspect, but on the other hand it is a rather weak one.

Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 12:52 pm
by MachineCode
I read in another (software business) forum that if you digitally sign your executables (via Comodo or whomever) then no virus app will flag it as a false positive at all. Could solve the whole problem, but it's not cheap.
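Both suggestions in this thread (fill in the compiler-options fields, which end up as an RT_VERSION resource, and sign the executable, which appends a WIN_CERTIFICATE blob referenced from the PE security directory) can be checked on the built .exe before it goes anywhere near VirusTotal. The script below is an added example written for this thread, not code from PureBasic, VirusTotal or any poster: a minimal PE inspector in Python that reads the data directories, looks for an RT_VERSION entry in the root resource directory and for a PKCS#7 blob in the security directory. It only detects that a signature blob is present; validating the certificate chain still needs signtool verify or an equivalent. The sample PE it builds is constructed inline (structurally valid headers only, not a runnable program), and the helper names are my own.

```python
"""Minimal PE inspector: does the file carry an RT_VERSION resource and an
Authenticode (WIN_CERTIFICATE) blob?  Hypothetical helper written for this
thread, not PureBasic or VirusTotal code.  It detects the blob only; it does
not validate the signature chain."""
import struct

RT_VERSION = 16                      # resource type id of VS_VERSIONINFO
DIR_RESOURCE, DIR_SECURITY = 2, 4    # IMAGE_DIRECTORY_ENTRY_* indices
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def inspect_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER after the 8-byte name: VirtualSize,
        # VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<4I", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # The security directory holds a FILE OFFSET (not an RVA) to a WIN_CERTIFICATE.
    sec_off, sec_size = dirs[DIR_SECURITY]
    signed = False
    if sec_off and sec_size >= 8:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
        signed = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= sec_size

    # Root IMAGE_RESOURCE_DIRECTORY: its ID entries are the resource types present.
    res_rva, res_size = dirs[DIR_RESOURCE]
    has_version = False
    if res_rva and res_size:
        root = _rva_to_offset(res_rva, sections)
        n_named, n_id = struct.unpack_from("<HH", data, root + 12)
        for i in range(n_named + n_id):
            name, _offset = struct.unpack_from("<II", data, root + 16 + 8 * i)
            if not (name & 0x80000000) and name == RT_VERSION:  # high bit => named entry
                has_version = True
    return {"has_version_info": has_version, "authenticode_present": signed}


def build_sample_pe(with_version=True, with_signature=True):
    """Constructed PE32 with one .rsrc section; structurally valid, not runnable."""
    rsrc_va, rsrc_raw = 0x1000, 0x200
    type_id = RT_VERSION if with_version else 3            # 3 == RT_ICON
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", type_id, 0x80000018)
    rsrc = rsrc.ljust(0x200, b"\0")
    cert = b""
    if with_signature:
        body = b"\x30\x82\x01\x00\x06\x09\x2a"               # constructed stand-in for PKCS#7 DER
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        cert = cert.ljust((len(cert) + 7) & ~7, b"\0")        # 8-byte alignment
    dirs = [(0, 0)] * 16
    dirs[DIR_RESOURCE] = (rsrc_va, 0x18)
    if cert:
        dirs[DIR_SECURITY] = (rsrc_raw + len(rsrc), len(cert))
    opt = struct.pack("<HBB", 0x10B, 0, 0)
    opt += struct.pack("<9I", 0, 0x200, 0, 0x1000, 0x1000, 0x1000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<6H", 4, 0, 0, 0, 4, 0) + struct.pack("<4I", 0, 0x2000, 0x200, 0)
    opt += struct.pack("<HH", 2, 0) + struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, rsrc_va, 0x200, rsrc_raw, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(rsrc_raw, b"\0")
    return headers + rsrc + cert


if __name__ == "__main__":
    import sys
    # Pass a real .exe path to inspect it; without an argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(inspect_pe(data))
```

Run it against a freshly compiled executable (`python inspect_pe.py myapp.exe`); `has_version_info: False` means the compiler-options fields produced no version resource, and `authenticode_present: False` means nothing was signed, regardless of what the IDE settings claim. Note that the security directory entry is a raw file offset, unlike every other data directory, which is the usual mistake when writing this check by hand.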
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 3:50 pm
by jpd
Hi Didelphodon,
Is it possible to receive the first sample?
Or the PB code?
Thanks
jpd
It is not necessary, I reproduced it here with a simple Debug line and Create Executable!!
Re: Studies against AV false positives
Posted: Fri Apr 12, 2013 4:11 pm
by jpd
Hi,
Here is an analysis from MAG2.
Interesting result for an empty file.
Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137
Best
jpd
Re: Studies against AV false positives
Posted: Sat Apr 13, 2013 1:41 am
by MachineCode
jpd wrote: Interesting result for an empty file
An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
Re: Studies against AV false positives
Posted: Sat Apr 13, 2013 9:10 am
by Didelphodon
MachineCode wrote: jpd wrote: Interesting result for an empty file
An empty file (exe) is not actually blank. It still contains headers, setup and initialisation code. Any of that can trigger a false positive.
True! That's actually the footprint of a compiler.
Re: Studies against AV false positives
Posted: Sat Apr 13, 2013 10:58 am
by DoctorLove
jpd wrote: Hi,
Here is an analysis from MAG2.
Interesting result for an empty file.
Process/Thread Events
Creates process: C:\windows\temp\test.exe ["C:\windows\temp\test.exe" ]
Network Events
Sends data to: 10.74.1.255:137
Best
jpd
Is that your local IP? As in, is it trying to connect to your debugger?
Re: Studies against AV false positives
Posted: Sun Apr 14, 2013 5:35 pm
by doctorized
Once I had this problem with NOD32 and a DLL file that contains a DataSection.
I solved my problem with this:
DataSection
Data.b .......... ; first 20 bytes of the original data
Data.l $12345678  ; 4-byte marker inserted into the data, skipped when reading
Data.b ........   ; rest of the bytes
EndDataSection
When I read the DataSection I read bytes 1 to 20 and then from byte 25 onwards.