PureBasic Forums - English

I've made a few terminal based games, just for fun I tested them with Virus Total. It threw the usual false positives, but then I noticed this which is a bit odd... No other online scanner I tried reports this behavior. Why is my program connecting to Microsoft data logging?

I think I have not enough information. Where these communications has been catched? At the end of your router? (Might come from a browser or can be your OS network traffic, and it makes sense if you use windows)

By the way, I really like your Roadwarrior/Roadpocalypse project

miso wrote: Sat Feb 01, 2025 12:27 amWhere these communications has been catched?

From VirusTotal when it tested Vernostonos' exe. When you upload exes there, it runs the exe and watches what it does, and it reported that his exe was reaching out to those domains. Happens with my exes, too.

Ehh, I got it. I don't like what you say...

miso wrote: Sat Feb 01, 2025 12:27 am I think I have not enough information. Where these communications has been catched? At the end of your router? (Might come from a browser or can be your OS network traffic, and it makes sense if you use windows)

By the way, I really like your Roadwarrior/Roadpocalypse project

Thanks! I'm planning on a release later this year. The setup module has finished its beta testing.

BarryG wrote: Sat Feb 01, 2025 1:58 am

miso wrote: Sat Feb 01, 2025 12:27 amWhere these communications has been catched?

From VirusTotal when it tested Vernostonos' exe. When you upload exes there, it runs the exe and watches what it does, and it reported that his exe was reaching out to those domains. Happens with my exes, too.

I've spoken to a few people about this, it could possibly be:

1. An error, related to how there VM and or software is configured.
2. My program is contacting Microsoft...

I am not sure how to investigate this further. When I tried an earlier build of one of my programs it said it was contacting Instagram? Weird...

I cannot replicate these behaviors on my own systems.

Perhaps it's part of the testing. To test if your program starts acting suspicious when it contacts special websites like windows update or big sites that could be used by botnets and malware? The VT website may fake connections to specific names and IP's, internally redirect the calls and fake a successful connection, and observe the behavior (with genuine certificates/collaboration of the companies).

That's what I could imagine in non-paranoid mode.

In paranoid mode this is internet 2.0, total surveillance, you can only connect with biometrics and real time face and fingerprint scans, and it's the kernel taking care of the connections and access rights in case it doesn't happen on hardware level yet and needs to be emulated on older machines.

A PB program never communicate to anything, it's a Virus total thing..

Whew!

Vernostonos wrote: Fri Jan 31, 2025 11:04 pm Why is my program connecting to Microsoft data logging?

It isn't your program specifically - it's the operating system. There's this little tick box about allowing the reporting of usage data. I forget the precise wording but one of them essentially says "we can gather telemetry on this machine". It's one of those tiny little things you do when you set up your computer for the first time but actually has enormous implications when you sit down and think carefully about it. I'm guessing most people can't even remember which option they ticked at the time.

Vernostonos wrote: Fri Jan 31, 2025 11:04 pmWhy is my PB program sending network traffic to Microsoft?

If your program really is reporting back to MS my guess is that an OS API function call or possibly the vs runtime library reports back usage telemetry so that they can determine market penetration in a more accurate way than consumer survey can determine. Historically, it has been difficult to accurately measure this in a meaningful way and modern 'always connected' devices are able to change this dramatically.

Its one of those things that Microsoft will want to promote in their corporate advertising, "Your ad will be seen by our x million users. You should spend your advertising budget with us not those other guys" but it will also be used to dictate internal development direction and budgets too. There's no point working on a new version of an API if no-one in the field ever uses it. See Microsoft Agent as an example.

Vernostonos wrote: Sat Feb 01, 2025 2:18 am When I tried an earlier build of one of my programs it said it was contacting Instagram? Weird...

I would treat that aspect of the report with due skepticism. There is a lot of room for error in the analysis unless you do a full scale reverse engineer of the subject application - which I'm reasonably confident VirusTotal are not doing in an automated test! This is a report of 'what the sandbox vm did' in the test session, which isn't necessarily the same as 'this is what your process did'.

The destinations and ports you show are fairly standard for a Windows client machine.
Port 137 on a local class C address is the operating system announcing itself to the LAN, or looking for other machines on the LAN.
Port 80 is an unencrypted HTTP session. Port 443 is an encrypted one.
23.216.147.78 and 23.204.150.28 are part of Akamai Technologies content delivery network. They distribute Windows Update data on behalf of Microsoft because they're geared up to cope with that sort of workload.
20.99.186.246 is MSN. I'm thinking about a default Edge browser...

Vernostonos wrote: Sat Feb 01, 2025 2:18 am I am not sure how to investigate this further.

If you really want to follow up and determine what information is being communicated to whom exactly, you would need to do some network packet level analysis using a protocol analyzer. I'd start with Wireshark (because it's free). Set this up and do some user training (using a protocol analyzer isn't something you learn to do in 20mins in your lunch break, if you've not done it before). You'll be able to capture the actual packet data being sent over the network to see what it contains but it's a non-trivial exercise.

If you're not familiar with TCP/IP networking an introductory course to this would be valuable first so that what you're seeing makes sense to you.

You can easily verify it's not contacting MS domains by using any debugger or disassembler and looking at imports and strings.. Glasswire will also show process associated traffic.

Windows, like MacOS and some Linux distros, has telemetry and in some cases real time AV. My guess is VirusTotal hasn't been filtering out telemetry subsystem stuff on their VM. You can also get zero detections on known malware there with any custom packer or "crypter" because most AVs are just paid-Yara, but I digress..

For monitoring network traffic locally on Windows, I recommend Fiddler2. Just ran it over two of my large PB projects and neither of them reported any hTTP activity to MS

Quin, how do you use Fiddler2 with our exes? I dragged the target on my exe's window, but no network events show up in the left-hand capture box. Sounds good, right? But my app does access the internet to do an update check when a button is clicked, and this access is not shown in Fiddler2.

I just tried it with Firefox too, and again no traffic is shown. There must be some way to enable logging?