UPXed PowerBasic programs are likely to be identified as Gen.Trojan
As a software developer I was just wondering how fast your tool kills my development tasks :-)
Especially files created with PowerBasic and then UPX'ed will often be flagged as a virus.
I have now started to add a certificate to automatically compiled files (compiled with PowerBasic 10).
A certificate shall prove that the software is authentic from a developer, and an anti-virus heuristic should better not eat it unless this is a known virus. Which it cannot be if it comes from me.
I have now deactivated the antivirus because it will not let me work.
I am uploading one of the files that it reports as a false positive.
Interesting point: after "removing the file", it was not possible to compile the file again with the same name at the same location.
No file with this name could be created until the computer was restarted. WHY is that?
Attached is ONE of the false positives; for my customers I need to create several.
Therefore it would be good if you check for my certificate and then not eat it.
-
Hello theogott!
Could you write more about the product that detects your files? What version? Does it detect during installation or downloading the file from the Internet?
-
The product is "Ad-Aware" Free Antivirus.
The file - in my case - is detected by the realtime protection engine.
I have a script that does the following:
When the PowerBasic compiler has finished compiling,
then UPX is applied,
after that "signtool.exe" is called automatically to add the certificate.
In that last moment I got a window (green window) "Threat detected". Then the file is gone ...
and not only is the file gone, but it is no longer possible to create such a file until the computer is restarted.
Even renaming a file that has another name to "this name" does not work.
Now taking a peek into the "Quarantined files" there is a long list of false positives ... it ate a lot of programs ... let me add that I cannot move the first column "Threat" and make it bigger.
Therefore I can only read "Ge.Trjoan.Hezr.FU ..:" Rest missing.
How many false positives do you want?
I think I have a lot ... (See attached picture)
PS: Just thinking if I tell it to completely exclude the PowerBasic folder from scanning, but that's a problem during backup.
-
Very interesting ... ok.
Where did you say all the quarantined files are?
I have the version ... see picture.
From what you say, I suspect that in the process when "Signtool.exe" adds the certificate, for a moment maybe an invalid combination may have been there.
I really miss that "Send a false positive to Lavasoft" button in the program. Ok, I will send you a lot of these files, just tell me where they are located, then I zip them and upload them.
This would be good so you can make things a bit more bulletproof.
In case I also have some larger files that are setup files, how could I send them to you (Dropbox or something?)?
-
Please find a folder "<your_disk>:\Users\All Users\Lavasoft\Ad-Aware 11\Quarantine", pack this folder and attach it here. If it will be rather big - please share a dropbox link.
-
Sorry, but if it's your real email address that is visible in the last screenshot, it should be removed before someone uses it for spamming or hacking.
-
Hello,
Have you added your folder to Exclusions?
-
Thanks for your caution.
My e-mail is publicly available also on my web-site (http://www.smart-package.com/), on Facebook ... therefore anybody can use it.
I can't say that I get lots of spam until now. Besides ... just realized that while you can open these attachments, I think other people can't.
At least I can't. Therefore the problem is even smaller.
-
Yes I did.
Here is a picture of my quarantine folder. I bet it's all false positives.
It's 322 files and 16.5 MB.
Let me see if I can attach them. Even though I have deactivated the AV, WinRAR was not able to touch all of the quarantined files, see attached error msg.
I will split the whole bunch of files in two parts: part 1 in this post, part 2 in the next.
Use WinRAR to get them together.
-
Ok, here is the second part of the archive with the 322 false positives.
There may be a few real "cookies" in there. But I do not expect real viruses.
If so I would like to know.
-
Ok, just got another one. This time I have completely deactivated the AV to be able to recreate (recompile) the script.
Again the same effect: the AV prevents Windows from creating a file with that name as long as it is running,
unless I completely stop the AV, or reboot the computer. (Picture 2)
In this case it's not enough to stop the real-time protection - as I did yesterday - but it was necessary to completely deactivate the AV.
-
About this case - I found that the file is detected by a set of AV vendors (https://www.virustotal.com/ru/file/c85f4d3808f975d66b6ca84dad6faa7fde73839cedcd21e6e1cc189c49061a71/analysis/1438937903/). I sent a request for a false positive for your file "Compile_SPRE.exe".
-
I attach one of the files ... this file receives 11/55 from VT, see picture.
It's not a virus, and neither are the others.
These files are results from the PowerBasic compiler or from the WinRobots/Smart Package Robot compiler / UPX packer or from the Bitsum packer.
If you or your developers have questions you can reach me via mail or other contact data.
-
theogott, we investigated your Quarantine and found that most of the binary files are detected as "Gen.Trjoan.Hezr.FU" (as you said). I have several assumptions about this fact:
- your files began to be detected after compilation
- your files began to be detected after packing (UPX, anything else)
Could you send me one compiled file that is NOT packed, or send it to VirusTotal for a check?
-
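One way to script the compile, pack and sign steps the poster describes, while keeping an unpacked copy and the SHA-256 of both builds so a vendor can be told which stage introduces the detection. This is an added example, not the poster's script or Lavasoft's code; the file paths, the PowerBasic compiler command line, the signer name and the timestamp URL are placeholders to adapt.

```powershell
# Added example (not from the thread). All paths below are placeholders.
$Source = 'C:\Dev\Compile_SPRE.bas'         # placeholder: PowerBasic source
$Exe    = 'C:\Dev\Compile_SPRE.exe'         # placeholder: compiler output
$Upx    = 'C:\Tools\upx.exe'                # placeholder: UPX location
$Signer = 'CN=My Software Company'          # placeholder: subject of the
                                            # code-signing cert in the user store
$Stamp  = 'http://timestamp.example.com'    # placeholder: RFC 3161 TSA URL

# Run a native command and stop on a non-zero exit code.
function Invoke-Step([string]$Name, [scriptblock]$Action) {
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. Compile. The compiler executable and switches are an assumption;
#    substitute the PB/Win 10 command line you actually use.
Invoke-Step 'compile' { & 'C:\PBWin10\bin\pbwin.exe' $Source }

# 2. Keep an unpacked copy before UPX touches the shipping binary.
$Unpacked = [IO.Path]::ChangeExtension($Exe, '.unpacked.exe')
Copy-Item -Path $Exe -Destination $Unpacked -Force

# 3. Pack only the shipping copy (UPX rewrites the file in place).
Invoke-Step 'upx' { & $Upx --best $Exe }

# 4. Sign both copies after packing: signing first and packing afterwards
#    would break the Authenticode hash. SHA-256 digest plus a timestamp keeps
#    the signature valid after the certificate expires.
foreach ($f in @($Unpacked, $Exe)) {
    Invoke-Step 'signtool' {
        & signtool.exe sign /n $Signer /fd SHA256 /tr $Stamp /td SHA256 $f
    }
}

# 5. Report hash and signature state of both builds. Submitting the pair lets
#    the vendor see whether the compiler output or the packed form is flagged.
foreach ($f in @($Unpacked, $Exe)) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        File      = Split-Path -Path $f -Leaf
        Packed    = ($f -eq $Exe)
        SHA256    = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        Signature = $sig.Status                 # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject
    }
}
```

Run it with the real-time scanner still enabled: if the unpacked copy survives and only the packed one is quarantined, the detection is on the packer, which is what the vendor's question above is trying to establish.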
This file is just compiled with PowerBasic.
Other files are compiled and packed with UPX or the Bitsum runtime packer.
-
theogott, is this file just compiled, or packed too? I am trying to understand if the compiler can produce a "detected" piece of code or if it is some part of a packer that was detected.
-
Can you send PowerBasic to check on VirusTotal? Or send us the binary or an MD5 hash.
-
PowerBasic is available here:
https://www.componentsource.com/product/powerbasic-compiler-windows
It would not be legal for me to send it.
I can send you a download link and a keyfile for the "Smart Package Robot" automation system,
but this is only possible by mail.