How to have zero detection on VirusTotal...?
Posted: Fri Feb 07, 2014 3:00 pm
by drgolf
Sorry to ask this:
How to have zero detection on VirusTotal with an exe from PureBasic?
I use PureBasic 5.21 LTS 32 bits on Windows XP or 8.1 Pro.
Currently I have 2 or 3 positives, with all my exes (small or big exe).
The positives I have, for example:
CMC : Packed.Win32.Zcrypt.3!O 20140122
TotalDefense : Win32/Inject.C!generic 20140207
It is not possible for commercial applications to have positive detection.
Simply, the user cannot download or install the program.
For institutional users (hospitals, administrations) it is not possible to deactivate the antivirus.
The only solution I found is to recode in Delphi or Lazarus, but that is big work...
With Delphi, all versions (7 or Turbo, XE, XE2, ...) = VirusTotal 0 detections.
With Lazarus 1.0.14 = 0 detections.
Sorry for my bad English (French user).
Re: How to have zero detection on VirusTotal...?
Posted: Fri Feb 07, 2014 3:16 pm
by eesau
The most important thing is to always and constantly report false positives to antivirus developers, especially to those that detect your executable as positive.
It really is annoying how often, for example, my Avast detects PB executables as positive...
Re: How to have zero detection on VirusTotal...?
Posted: Fri Feb 07, 2014 3:21 pm
by PB
First, any virus description with "gen" or "generic" is just a false positive.
I know this doesn't help, but you can mention it in your docs/manual for
people to be aware.
Next, if you're using API calls in your code, try replacing them from being
direct calls, to being indirect with OpenLibrary. See my post about it here:
http://www.purebasic.fr/english/viewtop ... 77#p431877
Lastly, you can usually get around the false positives by recompiling your
code in a slightly different way. I've done that successfully in the past,
by adding unused strings or other unused code, that will end up hiding
the problem from the anti-virus tool. Sometimes it's all you can do.

Re: How to have zero detection on VirusTotal...?
Posted: Fri Feb 07, 2014 3:23 pm
by IdeasVacuum
You have to write to the AV companies who show detection and tell them their app is giving a false positive. Most of them have a form to fill in on their website, and you have to send them your app too. In my experience, you will get a response within 10 days, and they do indeed change their app, but of course that can happen much later. It is unlikely that your customers will actually test your app anyway, but if they do and raise a query with you, you can at least send them a copy of the AV company's response. That's the good news. The bad news is, a couple of releases down the line, the AV app will probably spew another false positive for your app. The truth is that AV apps in general are poorly written - their value with regards to a real virus is negligible.
Re: How to have zero detection on VirusTotal...?
Posted: Sun Feb 09, 2014 6:14 pm
by Thorium
It helps if you compile as x64. Much fewer false positives.
You also don't need to deactivate the virus scanner, just deactivate heuristics in the virus scanner settings. Heuristics are useless and should be deactivated, especially in hospitals or companies. You don't want to get your custom applications blocked just because of a virus scanner update.
The problem is also not PB specific, I got false positives with apps written in VB.NET and C++ as well.
Re: How to have zero detection on VirusTotal...?
Posted: Sun Feb 09, 2014 7:19 pm
by SeregaZ
I want to make some autoupdate check and I found nice code for downloading a page to memory... but the antiviruses panic.

What can I do with this code?
The old variant downloads the page to a file next to the exe... but this exe can be started from a CD. Probably I can try downloading to the Windows temp folder... but it would be nice to fix this "tomem" code.
Code:
Procedure.l DownloadToMem(URL.s, *lpRam, ramsize) ; procedure for downloading a file into memory
  Protected agent.s, hInet, hData, Bytes.l
  agent.s = "Mozilla/4.0 (compatible; ST)"
  hInet = InternetOpen_(@agent.s, 0, 0, 0, 0)
  hData = InternetOpenUrl_(hInet, @URL.s, "", 0, $8000000, 0) ; $8000000 = INTERNET_FLAG_RELOAD (bypass cache)
  If hData
    ; read at most ramsize bytes into the caller's buffer; Bytes receives the count actually read
    If InternetReadFile_(hData, *lpRam, ramsize, @Bytes) = 0
      Bytes = -1 ; read failed
    EndIf
    InternetCloseHandle_(hData) ; close the request handle before the session handle
  Else
    Bytes = -1 ; could not open the URL
  EndIf
  InternetCloseHandle_(hInet)
  ProcedureReturn Bytes
EndProcedure

Dim html.a(1024)
Size = DownloadToMem("http://microsoft.com", @html(), 1024)
If Size > 0
  MessageRequester("", PeekS(@html(), Size, #PB_Ascii))
Else
  MessageRequester("", "Download failed") ; do not PeekS with a negative length
EndIf
Re: How to have zero detection on VirusTotal...?
Posted: Mon Jul 21, 2014 10:19 am
by high key
eesau wrote:
It really is annoying how often for example my Avast detects PB executables as positive...
That's right.
The weirdest Avast warning I ever came across:
only 1 line of code
which caused a Win32: Evo-gen (Susp) alarm
(code not saved, just started with F5)
Re: How to have zero detection on VirusTotal...?
Posted: Mon Jul 21, 2014 11:10 am
by PB
> what i can do with this code?
Since you're using direct API calls, you could try my suggestion
that I posted above yours, and make them indirect calls. Might
be the solution you need.
In fact, the more I think about it, the more I feel these direct
API calls are the cause of PureBasic's anti-virus false positives,
because they're so easy for malware authors to use. Hmm.
Re: How to have zero detection on VirusTotal...?
Posted: Sun Aug 17, 2014 10:01 am
by viiartz
Not sure if this helps anything, but I've started getting false positives (Eset Nod32 v7.0.317.4 x86) while trying to compile my code within the jaPBe 3.13.4.880 editor. When I try the same code (file) within the native PureBasic editor (PB 5.30 x86) there is no problem at all. I reported the false positives to Eset by the way. Why would compiling with jaPBe create the false positives and not with the PB editor? I assume they both compile the code with the same PB compiler and maybe using slightly different compiler parameters? Is my assumption correct?
Re: How to have zero detection on VirusTotal...?
Posted: Sun Aug 17, 2014 10:12 am
by PB
I recently switched from Avira to Avast because of false positives.
Avira wasn't even letting me compile anything anymore. Avast is
playing nicer and not freaking out; plus it has a handy link to add
any false positive to its whitelist with a simple click (PLUS you can
submit any false positive to them with a click, too).
Avira doesn't do that, and Avira doesn't let me exclude files on an
SD card. So for me, Avast is a winner, and Avira has had its day.
Re: How to have zero detection on VirusTotal...?
Posted: Sun Aug 17, 2014 12:06 pm
by ostapas
> I recently switched from Avira to Avast
What happened to Zorin OS?

Re: How to have zero detection on VirusTotal...?
Posted: Sun Aug 17, 2014 1:17 pm
by PB
I have more than one computer.

Re: How to have zero detection on VirusTotal...?
Posted: Sun Aug 17, 2014 1:22 pm
by IdeasVacuum
I'm using Avast too. I do not know if it's actually any good at detecting viruses (it has a lot of false positives with PB stuff, same as the others do) but with Avast, you are in control! I also like the fact that they are at least trying to be good at what they do; often there are several updates per day.
Re: How to have zero detection on VirusTotal...?
Posted: Sat Aug 23, 2014 10:25 am
by firace
PB wrote:
...
Lastly, you can usually get around the false positives by recompiling your
code in a slightly different way. I've done that successfully in the past,
by adding unused strings or other unused code, that will end up hiding
the problem from the anti-virus tool. Sometimes it's all you can do.

Hi,
could you provide any examples of this?
For instance, my short program below, which is just retrieving a text file from a Microsoft server, is triggering several FPs. I've tried adding some random strings but to no avail...
I'm especially interested in getting rid of the "CMC" false detection. Those obscure AVs are really annoying and don't even respond to email...
https://www.virustotal.com/en/file/21df ... 408785574/
Code:
InitNetwork()
ConnectionID = OpenNetworkConnection("www.msftncsi.com", 80)
If ConnectionID
  ; plain HTTP/1.0 request for the NCSI connectivity test file
  Header$ = "GET /ncsi.txt HTTP/1.0" + #CRLF$
  Header$ + "Host: www.msftncsi.com" + #CRLF$
  Header$ + #CRLF$
  SendNetworkString(ConnectionID, Header$)
  ; wait up to about 3 seconds (300 x 10 ms) for the first data event
  TimeOutCounter = 300
  Repeat
    If NetworkClientEvent(ConnectionID) = #PB_NetworkEvent_Data
      Break
    EndIf
    Delay(10)
    TimeOutCounter - 1
  Until TimeOutCounter = 0
  If TimeOutCounter <> 0
    #Size = 10000
    *Buffer = AllocateMemory(#Size)
    If *Buffer
      String$ = ""
      Repeat
        Laenge = ReceiveNetworkData(ConnectionID, *Buffer, #Size) ; Laenge = bytes received
        If Laenge > 0
          String$ + PeekS(*Buffer, Laenge, #PB_UTF8)
        ElseIf Laenge < 0
          Break ; connection closed or error: stop instead of looping forever
        EndIf
      Until FindString(String$, "NCSI") > 0
      FreeMemory(*Buffer)
    EndIf
  EndIf
  CloseNetworkConnection(ConnectionID)
EndIf
MessageRequester("Result", String$)
Re: How to have zero detection on VirusTotal...?
Posted: Sat Aug 23, 2014 12:54 pm
by ostapas
Ugly hack, but usually helps - compress your exe with UPX, open it in hex editor and replace all "upx" strings with random data, also replace a string containing upx version, e.g. "3.91". You can also experiment with other packers.