Anti-virus false-positive tip
A new app I was making had an anti-virus false-positive today, which was being reported as "TrojanSpy.Carberp.eut" by Jiangmin on VirusTotal.
After spending all day trying to work out why, including by compiling with a few older PureBasic versions, I randomly decided to remove the icon used in the Compiler Options for it, and BINGO - the false positive was gone! I put the icon back and recompiled the exe again and yep, the false-positive came back.
To be 100% sure, I opened the ".ico" file in IcoFX and changed ONE SINGLE PIXEL and resaved it, recompiled the exe, and uploaded it to VirusTotal. NO false-positive from Jiangmin! Crazy. Then I tried the old pre-edited icon again, yep, Jiangmin flagged it again. All for one single pixel difference in an image - not in any executable code!
I can only assume that some malware exists out there that's using the same free icon that I was using. So this is definitely something to be aware of when you're using free resource offerings from other places: sure, they're convenient; but that's probably why malware authors use them.
And it's good to know that it's not necessarily PureBasic's fault that is causing the alerts (which would be a relief for Fred).
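To check the "byte sequence in the icon" hypothesis without guessing, one can hash each image inside an .ico separately. The Windows resource compiler stores each image payload of an .ico verbatim as one RT_ICON resource (only the directory becomes RT_GROUP_ICON), so a per-image hash of the .ico is the hash of what ends up in the exe. The following is an added example, not code from the original post or from PureBasic: it parses the ICO directory, hashes every payload, and flips a single pixel in a constructed in-memory sample icon to show that only that image's hash changes.

```python
import hashlib
import struct

# ICO layout: ICONDIR (6 bytes) + N x ICONDIRENTRY (16 bytes) + image payloads.
# Each payload is either a BMP fragment (BITMAPINFOHEADER, no BITMAPFILEHEADER)
# or a complete PNG. Each payload is what gets embedded as an RT_ICON resource.

def parse_ico(data: bytes) -> list[dict]:
    """Return one dict per embedded image: size, bpp, offset, length, sha256."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    entries = []
    for i in range(count):
        w, h, _colors, _rsvd, _planes, bpp, length, offset = struct.unpack_from(
            "<BBBBHHII", data, 6 + 16 * i)
        payload = data[offset:offset + length]
        entries.append({"width": w or 256, "height": h or 256, "bpp": bpp,
                        "offset": offset, "length": length,
                        "png": payload.startswith(b"\x89PNG"),
                        "sha256": hashlib.sha256(payload).hexdigest()})
    return entries

def flip_pixel(data: bytes, index: int, x: int, y: int) -> bytes:
    """Invert the blue channel of one pixel in a 32-bpp BMP entry (rows are bottom-up)."""
    e = parse_ico(data)[index]
    if e["png"] or e["bpp"] != 32:
        raise ValueError("only uncompressed 32-bpp entries are handled")
    hdr_len = struct.unpack_from("<I", data, e["offset"])[0]  # BITMAPINFOHEADER.biSize
    row = e["width"] * 4
    pos = e["offset"] + hdr_len + (e["height"] - 1 - y) * row + x * 4
    buf = bytearray(data)
    buf[pos] ^= 0xFF
    return bytes(buf)

def make_sample_ico(width: int = 4, height: int = 4) -> bytes:
    """Constructed sample: a single 32-bpp solid-white icon, not a real-world file."""
    xor = b"\xff\xff\xff\xff" * (width * height)      # BGRA pixels
    and_mask = b"\x00\x00\x00\x00" * height            # 1-bpp rows padded to 4 bytes
    # biHeight is doubled because the XOR and AND masks are stacked in one bitmap
    bih = struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, 32, 0,
                      len(xor) + len(and_mask), 0, 0, 0, 0)
    payload = bih + xor + and_mask
    entry = struct.pack("<BBBBHHII", width, height, 0, 0, 1, 32, len(payload), 22)
    return struct.pack("<HHH", 0, 1, 1) + entry + payload
```

Run `parse_ico` over the original and the re-saved icon to see which image's hash changed, and whether an editor that re-encodes payloads (for example as PNG) changed all of them.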
Re: Anti-virus false-positive tip
Interesting! Thanks for the detailed information.
Re: Anti-virus false-positive tip
Thanks for this interesting info.
Re: Anti-virus false-positive tip
Maybe... steganography.
An encrypted message inside a plain message, this is steganography.
See JHP's work with this topic.
- It was too lonely at the top.
System : PB 6.21(x64) and Win 11 Pro (x64)
Hardware: AMD Ryzen 9 5900X w/64 gigs Ram, AMD RX 6950 XT Graphics w/16gigs Mem
Re: Anti-virus false-positive tip
Very interesting, thanks for the info!
Re: Anti-virus false-positive tip
Wow! 
Thanks!
Re: Anti-virus false-positive tip
Thanks Barry! Wow, we can bypass the legendary AV authority Jiangmin by simply flipping a pixel. Brilliant!
Best wishes to the PB community. Thank you for the memories. 
Re: Anti-virus false-positive tip
It's nuts, isn't it? I don't know what made me decide to test the icon. This was a new app and still relatively small (under 2000 lines), so I just figured I'd keep removing procedures from it, part by part, until the false-positive went away. I was so shocked that removing the icon did it! That's when I guessed there must be a byte sequence in the icon that was matching whatever Jiangmin considered to be malware, so I edited a pixel to see, and it worked - no more malware warning!
I'm wondering now whether saving the original icon with a different icon editor (other than IcoFX) would produce the same file checksum or not. Will have to test later (although I like IcoFX and am very used to it).
Re: Anti-virus false-positive tip
There is the vector icon library, too... I think Little John started it, iirc
viewtopic.php?f=12&t=65091
Here's a designer collector Dave posted
viewtopic.php?p=487423
- NicTheQuick
Re: Anti-virus false-positive tip
I hate AntiViruses. They should be forbidden. They do not help anybody, they are only annoying all the time. 

The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.
Re: Anti-virus false-positive tip
It is beyond nuts. I was happily ignorant of Jiangmin until your post. But if they are flagging executables simply because of an icon, it shows how poor their product really is.
Hands down, you are the world's best beta tester!
- NicTheQuick
Re: Anti-virus false-positive tip
It's all because of these damn heuristics. They display viruses or Trojans just because they think they might be. In reality, however, only some pattern was found that they already know from another virus or Trojan. This does not have to mean anything. Apparently, this Jiangmin even scans resources for patterns without paying attention to what type the resource is. An image cannot be a virus, yet it is treated as such. Really stupid.
Re: Anti-virus false-positive tip
> It's all because of these damn heuristics.

Which sometimes plays into being used as a marketing gimmick. "Our AV program can detect more viruses than the competition."