Suddenly FB executables are detected as Trojans or the philosophy about using Windows / Linux ;-)

General discussion for topics related to the FreeBASIC project or its community.
marcov
Posts: 3462
Joined: Jun 16, 2005 9:45
Location: Netherlands

Re: Suddenly FB executables are detected as Trojans

Post by marcov »

caseih wrote:
marcov wrote:Other way around; heuristic scanning is inherently patchy, so this is simply the default. The popular compilers have submitted enough false positives to get the AV to tweak their algorithms around them.
I'm not sure I buy that 100%. Did FreePascal have false positive issues and submitted samples?
Note that by popular compilers I did not mean FPC, but msvc, mingw etc. We might have a bit fewer problems on the forum now, but I put that simply down to the age of the current FPC win32 release (2 years now).

I generally try to build FPC to benchmark new computers at work, and I have to exclude or turn off Windows Defender _every_ time. I usually turn it off, and build time halves.
Last edited by marcov on Dec 10, 2019 9:42, edited 1 time in total.
badidea
Posts: 2591
Joined: May 24, 2007 22:10
Location: The Netherlands

Re: Suddenly FB executables are detected as Trojans

Post by badidea »

Don't complain, the future will be worse:

"In 10 to 20 years from now, operating systems disable local data storage. All data will be stored in the cloud only and will be continuously checked by advanced AI for malware and deleted if judged so. Writing code will only be allowed with a license in an attempt to control the unmanageable rise of malware on all electronic devices. Code without a license will be automatically classified as malware. The act of writing unlicensed code will be treated as an act of terrorism. Obtaining a license involves a significant per program and monthly fee which in practice only large software companies are able to pay. The license fees are paid to a consortium of large software companies (probably the same) who check, with the help of the AI again, the source code and the executable in an isolated simulation. The whole process will actually be automated. A few humans will only receive a report with statistics. Which will probably look bad, so they will ask the government for financial support to improve the AI, by buying more data-centers for the AI to run on. This of course is no problem, because writing software by humans will become obsolete. The AI will do this for you way more efficiently."
paul doe
Moderator
Posts: 1735
Joined: Jul 25, 2017 17:22
Location: Argentina

Re: Suddenly FB executables are detected as Trojans

Post by paul doe »

badidea wrote:Don't complain, the future will be worse:
...
Sounds pretty dystopian to me, unless you're joking of course ;)
deltarho[1859]
Posts: 4313
Joined: Jan 02, 2017 0:34
Location: UK

Re: Suddenly FB executables are detected as Trojans

Post by deltarho[1859] »

@UEZ
If I compile

Code:
? "Hello world"
Sleep

then it will be detected as a Trojan just after the compilation has finished.
Just out of interest with FBC 1.07.1 (2019-09-27), built for win32 (32bit) I get a binary of 28672 bytes using -gen gcc -Wc -O3.

What do you get?
marcov
Posts: 3462
Joined: Jun 16, 2005 9:45
Location: Netherlands

Re: Suddenly FB executables are detected as Trojans

Post by marcov »

caseih wrote:
marcov wrote:Viral (GPL) by nature.
Lacking humor cues, I will take the comment at face value. It's absolutely false. Let's stop spreading this kind of FUD. The GPL cannot magically infect proprietary source code. If you use GPL code without complying with the GPL terms, and distribute the resulting derivative code, then you have 3 choices: 1. Comply with the GPL and GPL your derivative code, 2. negotiate favorable license terms with the copyright holders, or 3. remove the code.
And it is exactly that "my way or the highway" mentality that is considered viral, forcing to build parallel codebases since GPL and nearly every non GPL license doesn't mix.

To be honest the remark was just a bit for fun. Unixwise, I came from a BSD corner, so I'm well versed in these discussions. But they are mostly old news now. It gets tiring quickly if you have to fix BSD ports of FPC for broken LLVM linkers.
caseih
Posts: 2157
Joined: Feb 26, 2007 5:32

Re: Suddenly FB executables are detected as Trojans

Post by caseih »

marcov wrote:And it is exactly that "my way or the highway" mentality that is considered viral, forcing to build parallel codebases since GPL and nearly every non GPL license doesn't mix.
Sure but that's just whining, especially when it comes from proprietary companies. They'd have to deal with copyright and licensing regardless of whether they are dealing with something proprietary or something that's "open source."
To be honest the remark was just a bit for fun. Unixwise, I came from a BSD corner, so I'm well versed in these discussions. But they are mostly old news now. It gets tiring quickly if you have to fix BSD ports of FPC for broken LLVM linkers.
It's interesting that Linux has taken over just about everywhere, primarily because of large corporate backing, starting with IBM over a decade ago. This wouldn't have happened without that fateful decision to make the kernel GPL (Linus himself said this).

Back to the regularly scheduled topic... Did FreePascal have to deal with antivirus false positives?
marcov
Posts: 3462
Joined: Jun 16, 2005 9:45
Location: Netherlands

Re: Suddenly FB executables are detected as Trojans

Post by marcov »

caseih wrote:
marcov wrote:And it is exactly that "my way or the highway" mentality that is considered viral, forcing to build parallel codebases since GPL and nearly every non GPL license doesn't mix.
Sure but that's just whining, especially when it comes from proprietary companies.
As said the view came from the open source (as opposed to "Free Software") community. BSD, Bruce Perens etc.
It's interesting that Linux has taken over just about everywhere, primarily because of large corporate backing, starting with IBM over a decade ago. This wouldn't have happened without that fateful decision to make the kernel GPL (Linus himself said this).
I'm not so sure. IBM was a services company, sure. But at the point they were they would have used nearly anything to get back to the top.
Back to the regularly scheduled topic... Did FreePascal have to deal with antivirus false positives?
Yes, same problems as FB. IOW in the same magnitude class. Not big enough to warrant enough antivirus attention to fix it once and for all, and open source, so many versions in circulation.

As said, I routinely disable windows defender.
caseih
Posts: 2157
Joined: Feb 26, 2007 5:32

Re: Suddenly FB executables are detected as Trojans

Post by caseih »

Question: If you use the GCC backend do you see the same problems with FB executables, and differences with various optimization levels?

Unfortunately the heuristics and patterns the AV programs are looking for are closely guarded trade secrets, which is a little ironic seeing as AV programs just don't work that well at detecting viruses and malware.

EDIT: I can search for and see some reports for MingW GCC-generated binaries flagging antivirus. Can't determine how widespread it is. So yeah maybe it's just the rubbish that is antivirus software.
marcov
Posts: 3462
Joined: Jun 16, 2005 9:45
Location: Netherlands

Re: Suddenly FB executables are detected as Trojans

Post by marcov »

caseih wrote:Question: If you use the GCC backend do you see the same problems with FB executables, and differences with various optimization levels?
I don't use fb much, and the few times that I do, I use the asm backend. I had problems with mingw in the past (I used mingw to build binutils and gdb for FPC), but since FPC has internal GAS and LD, I rarely do that anymore.

So basically I don't use gcc on Windows but msvc. (VS2015 to be exact)
caseih wrote: Unfortunately the heuristics and patterns the AV programs are looking for are closely guarded trade secrets, which is a little ironic seeing as AV programs just don't work that well at detecting viruses and malware.

EDIT: I can search for and see some reports for MingW GCC-generated binaries flagging antivirus. Can't determine how widespread it is. So yeah maybe it's just the rubbish that is antivirus software.
I think it is more linker and libraries than actual compiler. Also things like stripping, exe packing etc., and anything else doctoring the exe. Probably it is a constantly Bayesian weighted stat with both positive and negative contributions.

That is the theory. Not very bright, but the actual implementation is worse. See, those weights have to be balanced, probably by human staff, so they are heavily biased to just letting known signatures through as a cost saving method (even if it is not a perfect match).

Likewise they simply don't care to spend too much time on boutique compilers (or boutique builds of known programs, e.g. 3rd party installer), unless they get popular.

That means doctoring of EXEs with traits of known linkers/compilers is considered too leniently, and that of unknown ones too strictly, because nobody bothered to properly make a study of them to see if they have their own "positive" signatures.
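The stripping and packing traits marcov mentions are something a developer can measure on their own build before uploading it anywhere. The following Python script is an added example, not code from this thread or from the FreeBASIC project: it walks the PE section table and reports per-section byte entropy, the standard "looks packed" heuristic. The 7.0 cutoff is an assumed threshold and the embedded sample image is constructed so the script runs offline.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a perfectly uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section from a PE image; bare-bones header walk."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # DOS header -> PE header offset
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)  # COFF: NumberOfSections, SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                # section table follows the optional header
    for _ in range(nsec):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8s4I", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[rawptr:rawptr + rawsize]
        off += 40                                                 # IMAGE_SECTION_HEADER is 40 bytes

def packing_report(image: bytes, threshold: float = 7.0):
    """[(section, entropy, suspicious)]; entropy >= threshold is the assumed 'looks packed' cutoff."""
    return [(n, round(shannon_entropy(d), 2), shannon_entropy(d) >= threshold) for n, d in pe_sections(image)]

def build_sample_pe(sections):
    """Constructed PE-shaped blob (not loadable: SizeOfOptionalHeader is 0) so the parser can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, data = b"", b""
    rawptr = 0x40 + 24 + 40 * len(sections)                       # raw data begins right after the section table
    for name, payload in sections:
        table += struct.pack("<8s4I16x", name, len(payload), 0, len(payload), rawptr)
        data += payload
        rawptr += len(payload)
    return dos + coff + table + data

# Constructed sample: repetitive code bytes vs. a uniform byte spread standing in for packed data.
SAMPLE = build_sample_pe([(b".text", b"\x90\xC3" * 512), (b"UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    for name, ent, flag in packing_report(SAMPLE):
        print(f"{name:<8} entropy={ent:.2f} {'PACKED?' if flag else 'ok'}")
```

To check a real FB build, call `packing_report(open("yourprogram.exe", "rb").read())` and look for code sections that score near 8.0.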
UEZ
Posts: 988
Joined: May 05, 2017 19:59
Location: Germany

Re: Suddenly FB executables are detected as Trojans

Post by UEZ »

deltarho[1859] wrote:@UEZ
If I compile

Code:
? "Hello world"
Sleep

then it will be detected as a Trojan just after the compilation has finished.
Just out of interest with FBC 1.07.1 (2019-09-27), built for win32 (32bit) I get a binary of 28672 bytes using -gen gcc -Wc -O3.

What do you get?
I get the same size.

Btw "Hello world" code doesn't produce a false alarm anymore. Maybe a definition update of the AV might have caused it.

But another code with Winapi calls produces an alert when compiling it as x86, but not on x64 compilation.

This is the code:

Code:

#Include "fbgfx.bi" 
#Include "windows.bi"

Using FB 

#Define Alpha(colors)               ((colors Shr 24) And 255)
#Define Red(colors)                 ((colors Shr 16) And 255)
#Define Green(colors)               ((colors Shr 8) And 255)
#Define Blue(colors)                (colors And 255)

Dim As Uinteger xres = 600, yres = 600

Dim As String sTitle = "Drag the points With the mouse" 

Dim evt As Event 

Screencontrol FB.SET_DRIVER_NAME, "GDI"
Screenres xres, yres, 24, 1, GFX_HIGH_PRIORITY Or GFX_NO_SWITCH 
Windowtitle sTitle 

Dim As HWND hHWND
Screencontrol(GET_WINDOW_HANDLE, Cast(Integer, hHWND))

Dim as BITMAPINFO tBITMAP
With tBITMAP.bmiheader
   .biSize = Sizeof(BITMAPINFOHEADER)
   .biWidth = xres
   .biHeight = -yres
   .biPlanes = 1
   .biBitCount = 32
   .biCompression = BI_RGB
End With
Dim As ULong Ptr aBitmap

Dim As Any Ptr  hDC = GetDC(hHWND), _
				hHBitmap = CreateDIBSection(hDC, @tBITMAP, DIB_RGB_COLORS, @aBitmap, NULL, NULL), _
				hGfxDC = CreateCompatibleDC(hDC), _
				hObjOld = SelectObject(hGfxDC, hHBitmap), _
				hPen = GetStockObject(DC_Pen), _
				hPen_old = SelectObject(hGfxDC, hPen), _
				hBrush = GetStockObject(DC_BRUSH), _
				hBrush_Old = SelectObject(hGfxDC, hBrush)
					
Dim hFont As HFONT = CreateFont(24, 0, 0, 0, 0, 0, 0, 0, _
								DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, PROOF_QUALITY, DEFAULT_PITCH, "Times New Roman")

Dim As Any Ptr hObjOld2 = SelectObject(hGfxDC, hFont)
								        
SetDCPenColor(hGfxDC, &h808080)
SetDCBrushColor(hGfxDC, &h404040)
SetTextColor(hGfxDC, &h1010FF)
SetBkMode(hGfxDC, TRANSPARENT)
SetStretchBltMode(hGfxDC, STRETCH_HALFTONE)

'TT's points
Dim As Point pts(7)={(10,10),(80,40),(40,190),(190,50),(100,170),(180,170),(100,20),(30,30)}
Var k=3.0  'blow up a Bit
For n As Long=0 To 7
    pts(n).x=k*pts(n).x
    pts(n).y=k*pts(n).y
Next n

#Define onscreen (mx>10) And (mx<xres-10) And (my>10) And (my<yres-10)
#Define incircle(cx,cy,radius,x,y) (cx-x)*(cx-x)+(cy-y)*(cy-y)<= radius*radius
Dim As Integer mx,my,mb
Dim Shared As RECT tRect, tRect2

#Macro DrawBezier
	BitBlt(hGfxDC, 0, 0, xres, yres, hGfxDC, 0, 0, WHITENESS)
	For n As Ubyte = 0 To 6
		tRect.Left = pts(n).x
		tRect.Top = pts(n).y
		tRect.Right = pts(n).x + 10
		tRect.Bottom = pts(n).y + 10
		
		tRect2.Left = tRect.Left - 20
		tRect2.Top = tRect.Top - 10
		tRect2.Right = pts(n).x + 30
		tRect2.Bottom = pts(n).y + 30
		Ellipse(hGfxDC, tRect.Left - 5, tRect.Top - 5, tRect.Right, tRect.Bottom)
		DrawText(hGfxDC, (Str(n + 1)), -1, @tRect2, DT_SINGLELINE)
	Next
	Polybezier(hGfxDC, @pts(0), 7)
	'QA(hGfxDC, xres, yres)
	BitBlt(hDC, 0, 0, xres, yres, hGfxDC, 0, 0, SRCCOPY)
#Endmacro

Do 
	Getmouse mx,my,,mb
	If onscreen Then
		If mb = 1 Then
			Dim As Long x=mx,y=my,dx,dy
			While mb = 1
				Getmouse mx,my,,mb
				For n As Long=Lbound(pts) To Ubound(pts)
					If incircle(pts(n).x,pts(n).y,10,mx,my) And mb=1 Then	
						If mx<>x Or my<>y  Then
							dx = mx - x
							dy = my - y
							x = mx
							y = my
							pts(n).x=x+dx
							pts(n).y=y+dy
						End If						
					End If
				Next
				DrawBezier
				Sleep(1, 1)
			Wend
		End If
	Else
		DrawBezier
	End If
	
	
	If (Screenevent(@evt)) Then 
		Select Case evt.Type 
			Case SC_ESCAPE, EVENT_WINDOW_CLOSE
				SelectObject(hGfxDC, hObjOld2)
				DeleteObject(hFont)
				SelectObject(hGfxDC, hBrush_Old)
				DeleteObject(hBrush)
				SelectObject(hGfxDC, hPen_old)
				DeleteObject(hPen)
				SelectObject(hGfxDC, hObjOld)
				ReleaseDC(hHWND, hDC)
				DeleteObject(hHBitmap)
				DeleteDC(hGfxDC)
				Exit Do 
			End Select 
	Endif 
	Sleep(10, 1) 
Loop 
Can somebody compile it as x86, upload it to http://www.virustotal.com and post the results please?
deltarho[1859]
Posts: 4313
Joined: Jan 02, 2017 0:34
Location: UK

Re: Suddenly FB executables are detected as Trojans

Post by deltarho[1859] »

@UEZ

I got four detections out of 70.

McAfee, Rising, McAfee-GW-Edition and VBA32.

I got the same four with -gen gas.

However, with -gen gcc I also got four but, interestingly, no McAfee this time.
dodicat
Posts: 7983
Joined: Jan 10, 2006 20:30
Location: Scotland

Re: Suddenly FB executables are detected as Trojans

Post by dodicat »

Called the file wintest.exe.
compiled with 32 bit fb 1.07.1 on win10.
used -O3 optimisation.
Got 3/69.
(with 64 bit I got 0/70)
UEZ
Posts: 988
Joined: May 05, 2017 19:59
Location: Germany

Re: Suddenly FB executables are detected as Trojans

Post by UEZ »

Thank you @dodicat and @deltarho[1859] for your reply. It doesn't matter whether I compile it with default with -gen gcc or not or as console or GUI.

Seems that I'm the lucky winner as McAfee is installed on my company notebook....

I must compile the code as x64 if feasible to avoid alerts. ¯\_(ツ)_/¯
dodicat
Posts: 7983
Joined: Jan 10, 2006 20:30
Location: Scotland

Re: Suddenly FB executables are detected as Trojans

Post by dodicat »

You should get yourself an old second hand computer banger (from Ebay maybe), then you can do with it as you wish.
Unfortunately Win 10 tries to rule your every move, which makes it much more mischievous (not leprechaun mischievous but manipulative mischievous) than previous Microsoft products.
Perhaps Linux is a good idea, but we would miss all your GDI/windows stuff, the Wine sandbox doesn't really bring out the very best of winapi.
UEZ
Posts: 988
Joined: May 05, 2017 19:59
Location: Germany

Re: Suddenly FB executables are detected as Trojans

Post by UEZ »

dodicat wrote:You should get yourself an old second hand computer banger (from Ebay maybe), then you can do with it as you wish.
Unfortunately Win 10 tries to rule your every move, which makes it much more mischievous (not leprechaun mischievous but manipulative mischievous) than previous Microsoft products.
Perhaps Linux is a good idea, but we would miss all your GDI/windows stuff, the Wine sandbox doesn't really bring out the very best of winapi.
Well, I've an old desktop pc (approx. 15 years old) but I'm using it rarely. It is very convenient to use one pc where you have all your stuff and it is portable. Additionally, I'm coding also at work.

I'm almost 50 and to learn Linux means to invest a lot of time which I don't have yet. Currently, I'm doing more for my health and spending 4 days a week in the gym.