
POLINK error: virus...?

Posted: Tue Feb 01, 2022 12:50 pm
by fcb
Working on an update to a program and this happened:

Compile with Debug project attempt 1: Got a POLINK fatal error (virus), Windows Defender detected: Trojan:Win32/Wacatec.B!ml
Compile with Debug project attempt 2: Got a POLINK fatal error (virus), Windows Defender detected: Trojan:Win32/Wacatec.B!ml
Compile with Debug project attempt 1: Compiled fine, no problem and no -ve Defender action.

Anyone else come up with this? Purifier is disabled (normally), enabling it doesn't seem to make any difference (I don't actually know what purifier does).

We have a user of our software complain that on WIN10/McAfee(?) machines they had a similar virus warning in December.

Any thoughts? Anyone had something similar? I'm using 5.73LTS.

Re: POLINK error: virus...?

Posted: Tue Feb 01, 2022 3:40 pm
by Bitblazer
Submit the executable that creates the false positive to Microsoft and McAfee as false positive. This has happened repeatedly in the past with different AV products and currently there is no easy fix to avoid it happening in the future.

The steps to release a binary have to end with:
  • Compile final binary for customers
  • wrap binary, helpfile, resources and installer into a release package with your favorite installer like NSIS
  • Use Virustotal to find every single false positive AV.
  • report your final installer to each of the reporting AV as false positive.
  • wait till they all report back - verify again with Virustotal till all reports are gone
  • update all your webpages and social media about the new release
  • release the binaries to customers
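
An added example, not part of the original posts: the "find every false positive, report it, verify again" steps above expressed as an offline release gate. It assumes the scan report was saved as JSON in the shape of a VirusTotal API v3 file report; the installer bytes, the report and the engine names VendorA to VendorD are constructed placeholders.

```python
import hashlib
import json

# Constructed sample shaped like a VirusTotal API v3 file report
# (data.attributes.last_analysis_results); not real scan output.
INSTALLER_BYTES = b"constructed stand-in for setup.exe"
SAMPLE_REPORT = json.dumps({"data": {"attributes": {
    "sha256": hashlib.sha256(INSTALLER_BYTES).hexdigest(),
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "Trojan:Win32/Wacatec.B!ml"},
        "VendorB": {"category": "undetected", "result": None},
        "VendorC": {"category": "suspicious", "result": "Heur.Generic"},
        "VendorD": {"category": "timeout", "result": None},
    }}}})

FLAGGED = {"malicious", "suspicious"}
NO_VERDICT = {"timeout", "confirmed-timeout", "failure"}


def release_gate(installer: bytes, report_json: str) -> dict:
    """Return the engines to contact and whether the release may proceed."""
    attrs = json.loads(report_json)["data"]["attributes"]
    digest = hashlib.sha256(installer).hexdigest()
    # A report for a different build says nothing about this installer.
    if attrs.get("sha256", "").lower() != digest:
        raise ValueError("report is for a different file than the installer")
    results = attrs.get("last_analysis_results", {})
    to_report = {engine: verdict.get("result") or "(unnamed)"
                 for engine, verdict in sorted(results.items())
                 if verdict.get("category") in FLAGGED}
    # Engines that timed out or failed gave no verdict; re-scan before release.
    no_verdict = sorted(engine for engine, verdict in results.items()
                        if verdict.get("category") in NO_VERDICT)
    return {"sha256": digest, "to_report": to_report,
            "no_verdict": no_verdict,
            "clear_to_release": not to_report and not no_verdict}


if __name__ == "__main__":
    gate = release_gate(INSTALLER_BYTES, SAMPLE_REPORT)
    for engine, name in gate["to_report"].items():
        print(f"report false positive to {engine}: {name}")
    print("no verdict, re-scan:", gate["no_verdict"])
    print("clear to release:", gate["clear_to_release"])
```

Run it against the report for the final installer, not the bare executable, since the packaged installer is a different file with its own hash and its own detections.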

Re: POLINK error: virus...?

Posted: Tue Feb 01, 2022 5:35 pm
by C87
I'm finding McAfee a real pain.

With one program it was happy for me to download and happy for me to run and also create software resulting in an executable. When I compiled the result into an EXE, as soon as I ran it McAfee immediately deleted it. It then proudly informed me how it had just saved me from a deadly virus. Not only that, when I repeat the process it adds all of them to a list to show me how supadupa it is in removing a virus. It just doesn't make any sense. Why cannot a user specify that a selected program is to be allowed and not to be removed with some sort of validation or setting? Contacting McAfee or any AV supplier is made so difficult and time consuming and they are generally unhelpful.

Not only that, McAfee and all the AV companies check everything you do, every single program you run, every file you open. When and for how long all of the time you are switched on. The results along with anything and everything you have agreed to give them in the license agreement. Which is basically everything on your computer. They download all of that onto their servers. Maybe they take even more data than Google does? I have a different AV on different computers. Just so that each AV company doesn't know about the other computers, or devices. They contribute to paranoia on security in my opinion. Critical stuff I have on a PC that never goes online.

Re: POLINK error: virus...?

Posted: Tue Feb 01, 2022 5:38 pm
by Bitblazer
It is still up to you if you install any AV ;) (IME aside)

Re: POLINK error: virus...?

Posted: Tue Feb 01, 2022 5:51 pm
by NicTheQuick
Antiviruses simply are snake oil. They add so much more complexity to the system which in turn results in new security holes. It happens quite often that an antivirus software opens the path to the underlying system to a hacker. With great complexity comes great responsibility. So why should we trust in a bunch of developers to be better than the whole dark virus developing community? It just makes no sense. The thing I hate the most about many antiviruses is the fact that they add a new root certificate to your system so it can open SSL encrypted network communications and also read what's there. To make that happen there has to be a private key to that root certificate somewhere on your system. A third-party application could find that and do the same with your network communications. It's just. so. dumb.

Re: POLINK error: virus...?

Posted: Tue Feb 01, 2022 7:45 pm
by fcb
Bitblazer wrote: Tue Feb 01, 2022 3:40 pm Submit the executable that creates the false positive to Microsoft and McAfee as false positive. This has happened repeatedly in the past with different AV products and currently there is no easy fix to avoid it happening in the future.

The steps to release a binary have to end with:
  • Compile final binary for customers
  • wrap binary, helpfile, resources and installer into a release package with your favorite installer like NSIS
  • Use Virustotal to find every single false positive AV.
  • report your final installer to each of the reporting AV as false positive.
  • wait till they all report back - verify again with Virustotal till all reports are gone
  • update all your webpages and social media about the new release
  • release the binaries to customers
Thanks all for your comments and advice. We are trying to release a new (beta) version of our code every week or two (new features and bug fixes), and also keep an LTS (idea/name nicked from PB) version that we have used internally for some time.

Re: POLINK error: virus...?

Posted: Wed Feb 02, 2022 2:54 am
by DeanH
Had massive problems with false positives a few years ago when PureLocker came out. Been an issue ever since.

64-bit binaries proved far less prone to the false positives (fp) than 32-bit. I had to introduce 64-bit versions to deal with this.

I instructed users to exclude the appropriate drive/folder/files from being checked by their AV system. This has proven the best strategy. Admittedly can be difficult if dealing with large managed networks like state-wide education systems. Microsoft had a tech note virtually apologizing for this problem, admitting they cannot solve it, and recommending excluding especially for databases. The note now seems to be unavailable. Also have Windows users make sure controlled folder access is off.

Submitted exe's to many companies. Only a couple actually responded and whitelisted. Most did not even though all steps were correctly followed for submission.

Discovered the hard way that VirusTotal shares false positives to other AV vendors and therefore acts like a virus itself. I used to submit to VT a lot but found the FP's spread like mad to systems I know my users do not use, including Microsoft and McAfee. I now avoid VT.

Re: POLINK error: virus...?

Posted: Wed Feb 02, 2022 10:18 am
by BarryG
DeanH wrote: Wed Feb 02, 2022 2:54 am The note now seems to be unavailable.
Do you still have a link to the note, even if it now goes to a dead/missing page?

Re: POLINK error: virus...?

Posted: Wed Feb 02, 2022 10:52 am
by Bitblazer
DeanH wrote: Wed Feb 02, 2022 2:54 am Microsoft had a tech note virtually apologizing for this problem, admitting they cannot solve it, and recommending excluding especially for databases. The note now seems to be unavailable.
Wayback machine and others could help. Or dig through your internet cache folders.

Re: POLINK error: virus...?

Posted: Thu Feb 03, 2022 2:22 am
by DeanH
https://support.microsoft.com/en-us/win ... -b5b6627a-b008-2ca2-7931-7e51e912b034

I might be wrong about the page not being available. I thought the page had to do with excluding but it is about controlled folder access, which is another aspect. It does contain the quote, after the steps, that sums up the situation. I am positive I once saw a recommendation on one of their pages about excluding database software.

Re: POLINK error: virus...?

Posted: Thu Feb 03, 2022 8:51 am
by BarryG
That's fantastic, Dean! It's a perfect way to show our customers that false-positives can occur despite our apps being safe. I'm keeping that for my FAQ.

That page is also saved at Archive.org and Archive.today in case Microsoft decides to remove or re-word it in future.

Re: POLINK error: virus...?

Posted: Thu Feb 03, 2022 10:26 pm
by DeanH
Here is a fact sheet I wrote that is available to my system's users about dealing with false positives.

http://bookmark.central.sa.edu.au/websi ... itives.pdf

Re: POLINK error: virus...?

Posted: Fri Feb 04, 2022 1:06 am
by BarryG
Superb! Very similar to what my own FAQ has about false positives and how to deal with them. We Aussies think alike! Hehe.