Windows 10 defender don't like this short program

General FreeBASIC programming questions.
caseih
Posts: 1970
Joined: Feb 26, 2007 5:32

Re: Windows 10 defender don't like this short program

Post by caseih »

adeyblue wrote: Jan 24, 2022 0:27 Everytime this happens I wonder if construction workers have endless arguments about the brands of hammer they use, or doctors about where their sphygmomanometers were manufactured.
Tradesmen and construction folk certainly do! It's especially heated in the power tools department! Dewalt vs Milwaukee for example. But I digress.

Thinking back over the discussion, the frustrating thing is there really is no good solution to this AV false positive issue. All solutions are tedious, or unworkable if you were trying to distribute binary software commercially. There are many people, including corporations, who run commercial anti-virus solutions on all their platforms, so it's possible this could be an issue on macOS or Linux too. AV apps are like black lists. They are good tools, but they concentrate a lot of power in the hands of just a few.

@AurelVZAB, I never did hear from you about any differences between compiling with the normal ASM backend and with the GCC backend. I assume on 64-bit FB/Win you can use either.
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

No i use 32bit version, on win7-64bit i don't use FreeBasic ..only OxygenBasic
and YES it is a BIG problem
caseih
Posts: 1970
Joined: Feb 26, 2007 5:32

Re: Windows 10 defender don't like this short program

Post by caseih »

Oops my bad. It was Joshy that originally posted the program that triggered Windows Defender. Looks like FB does allow you to use the gcc backend on 32-bit FB actually. Would be interesting to know if that would make any difference for Joshy's example program. I suspect for many EXEs the gcc backend would produce faster, tighter binaries, especially with some optimization enabled. I also suspect that binaries generated through the GCC backend won't trigger as many false positives. But the GCC backend requires installing the GCC suite either to the path or to the win32 directory of the FB compiler
marcov
Posts: 3331
Joined: Jun 16, 2005 9:45
Location: Netherlands
Contact:

Re: Windows 10 defender don't like this short program

Post by marcov »

false positives are not due to code generated, more due to system calls you do and DLLs you link against.
jj2007
Posts: 2327
Joined: Oct 23, 2016 15:28
Location: Roma, Italia
Contact:

Re: Windows 10 defender don't like this short program

Post by jj2007 »

marcov wrote: Jan 28, 2022 19:48 false positives are not due to code generated, more due to system calls you do and DLLs you link against.
Check this on VirusTotal. The source:

Code: Select all

#include once "windows.bi"
function remotefile(url as string, filePath as string) as HRESULT '0 = success
	dim hLib as integer, ret as HRESULT
	dim URLDownloadToFile as function(byval as integer, byval as string, byval as string, byval as integer, byval as integer) as HRESULT
	hLib = Dylibload("urlmon.dll")
	if hLib = null then return -1
	URLDownloadToFile = Dylibsymbol( hLib, "URLDownloadToFileA" )
	if URLDownloadToFile = null then dylibfree(hLib): return -2
	ret = URLDownloadToFile(0, url, filePath, 0, 0)
	Dylibfree(hLib)
	return ret
end function

print remotefile("https://www.freebasic.net/forum/search.php?search_id=unreadposts", "latest.txt")
sleep
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

what the frak is that Cylance ?
so i add few wrappers for api functions and use scintilla and voila
i get 6 to 8 alerts ...that is ardinary LIE...false and BS
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

I cannot beleive and i am angry :
app written in pure C + win32 api calls

what more bothering me is stupid VirusTotal AV scanners
it is a scam, how is possibile that is marked written in C
there is manifest

but look in results:
Detection ratio: 5/71
Security vendor Result Update
eGambit confirmed-timeout 20220130
SymantecMobileInsight failure 20211119
Cynet malicious 20220130
Cylance malicious 20220130
Cybereason malicious 20210330
APEX malicious 20220128
BitDefenderTheta malicious 20220125
We should protest...
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

If you don't want to read all here is main point:

Microsoft's conclusion: virustotal.com is fake and randomly generates false lists of malware.

caseih
Posts: 1970
Joined: Feb 26, 2007 5:32

Re: Windows 10 defender don't like this short program

Post by caseih »

Be careful with that link. The whole thing is pretty suspicious. I'm not sure the first poster who made that claim actually talked to a real support person and was not scammed. MS's free support personnel are not going to spend hours to remotely scan your computer and remove malware and viruses during an interactive phone call session. Huge red flag anytime remote control of your computer is concerned. So the "agent" who claimed that virustotal.com was fake was probably lying to the poor guy. That's a truly odd read that you linked to.

virustotal is legit as far as I can tell. They really do pass their samples through the various virus scanners.
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

How is that normal to you ?
don't be naive ...who know what agenda is behind VirusTotal.
caseih
Posts: 1970
Joined: Feb 26, 2007 5:32

Re: Windows 10 defender don't like this short program

Post by caseih »

To what are you referring? The problem that FB exes are routinely flagged falsely? That indeed should not be accepted as normal. I agree.

Or are you referring to the fact that virustotal has a bank of computers with different AV programs on that they try a sample you submit against? I do indeed think that is normal, and very useful. virustotal has a good reputation that goes back many years. I've used it numerous times myself. Not sure what you're getting at. Why would they have any kind of agenda or indeed why should we care what their agenda is? Or put in another way, what would this evil agenda be? It's just a service and a database. The only issue I could see is if they were doing something improper with the samples they received, like using them to infect others, or possibly steeling intellectual property from the submitted binaries.

I re-read that Microsoft support forum topic. The poor guy. It's pretty clear he was scammed by one of those remote support scams. Fortunately it seems like one of the security programs his bank required him to use saved him from being completely powned.
aurelVZAB
Posts: 590
Joined: Jul 02, 2008 14:55
Location: [url]https://aurelsoft.ucoz.com[/url]
Contact:

Re: Windows 10 defender don't like this short program

Post by aurelVZAB »

leave aside a poor guy
I see this as PURE DISCRIMINATION on free compilers/interpreters

it is not just FreeBasic
read link JJ posted on MASM forum...

MASM
NASM - IonicWindCompiler
OxygenBasic
Purebasic
even
PowerBasic
caseih
Posts: 1970
Joined: Feb 26, 2007 5:32

Re: Windows 10 defender don't like this short program

Post by caseih »

Oh sure. I agree with you there. I'm at a loss, though, as to what virustotal has to do with it. You're just shooting the messenger as it were. It's not just these small free languages either. People who bundle their Python scripts in an EXE format also routinely get tripped up by Windows Defender and others.

One partial solution is to sign your exe. I've read this makes a big difference. I believe this can be done without paying MS, but it does require buying a signing certificate from a certificate authority company. Now I personally believe the whole certificate signing industry is a bit of scam like NFTs are, but that's a different issue. If you want to experiment with it, there are instructions out there to make your own certificate (which only will work on your computer) to test signing exes and how it affects AV detection.
marcov
Posts: 3331
Joined: Jun 16, 2005 9:45
Location: Netherlands
Contact:

Re: Windows 10 defender don't like this short program

Post by marcov »

caseih wrote: Jan 31, 2022 14:36 Oh sure. I agree with you there. I'm at a loss, though, as to what virustotal has to do with it. You're just shooting the messenger as it were. It's not just these small free languages either. People who bundle their Python scripts in an EXE format also routinely get tripped up by Windows Defender and others.
(and FPC too)
One partial solution is to sign your exe. I've read this makes a big difference. I believe this can be done without paying MS, but it does require buying a signing certificate from a certificate authority company. Now I personally believe the whole certificate signing industry is a bit of scam like NFTs are, but that's a different issue. If you want to experiment with it, there are instructions out there to make your own certificate (which only will work on your computer) to test signing exes and how it affects AV detection.
I've seen remarks that even signing EXEs with a self signed certificates increases its reputation. Also make sure it is thoroughly free from debug code (stripped)
Post Reply