Fred wrote: ↑Sun Jun 04, 2023 6:39 pm
If it's possible to submit a lot of exe to a virus test tool, we could write an exe generator to create one program per library command, and see if a specific command is flagged. Then I can try to modify the code to avoid this, but it's really silly if you ask me.
VirusTotal supports automatic submissions with their API support. Yes, it costs money and is silly and annoying for you, but what you suggested seems like something you might have to eventually do; otherwise PureBasic's reputation may get tarnished - people won't trust it to produce "clean" code. Look at DeanH's post - he's already started to lose government clients because of it.
Makes no sense, you will work forever for "suspicions". Virus tools are stupid and getting stupider in order to "report".
More or less each developer is FORCED to send his exe to companies for a check,
otherwise you will "guess" forever.
If 1 virus is ever made with PB then it's flagged in stupid detection methods forever....
That's actually a pretty cool idea.
The number of commands is finite and an automated tool could rip them out for asm and cbe compilations.
Is this only a Windows problem?
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Let's cry about 3rd party failures and incompetence but somehow it's PB that needs to do stuff thread...
I suggest a new subforum titled: Annual Drama Events
Might be a team effort then. We could split the libs in half, submit, if there is a false positive in one of them, split in half etc. Once the faulty lib(s) isolated, you could go to the command level.
Keep in mind that this effort runs all under the assumption the scanners work purely on some pattern matching algorithms.
We already know that smaller programs can show a false-positive but as soon as they get bigger the false-positives slowly decrease.
The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.
My bet is it flags some library function which doesn't change across versions; if it was generated code, switching to the C backend or enabling/disabling the optimizer should get rid of it. Maybe DeanH can try this: build several versions of his exe (ASM backend, C backend, ASM backend + optimizer, C + optimizer, ASM debug, C backend debug) and see if it yields any diff.
Can already provide some feedback. I tried recompiling using the C-backend as recently as two weeks ago. No difference. In fact, an additional module was flagged that was not picked up with the ASM backend. My guess is that not only is some type of pattern matching involved, but some of the AV system vendors actively share their hits. I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
DeanH wrote: ↑Tue Jun 06, 2023 12:09 am
I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
That doesn't matter. Users will upload your exe to VirusTotal anyway, even if you don't. Happens to me all the time.
I just ran one exe through Hybrid Analysis. It gave a threat score of 35/100 and pronounced it clean but there is a long list of suspicious things. Fred, I will PM you with the URL of the report.
If that's so it proves there's no real way of fixing it on the PB side.
You can change all the standard libs, Mr. PureLocker compiles a new .exe and I guess it's then like Russian roulette as to what part of the virus will be taken as "the" signature. If AVs flag signed executables you can't even really buy your way out.
We may find work-arounds and restructure our code to make it more "acceptable" for the AVs, but the bad guys may follow and copy our techniques.
The irony is VirusTotal is owned by Google, which is quite appropriate considering they've effectively planted spyware on everyone's devices they possibly can.