Virus Checks for Oxygen Please :)



Charles Pegge
18-06-2010, 16:56
I have made some important changes to the BASIC prolog and use of PE sections. To a virus checker the executables will look very different, so I wonder if those of you who have had false positives from Avira or Nod32 antivirus software would be so kind as to check the files zipped below and see whether the alarm bells still sound.


Charles

PS: Not necessary for checking but if you want to run these files, you will need the new Oxygen for compatibility.
http://community.thinbasic.com/index.php?topic=2517

MikeStefanik
18-06-2010, 17:11
You might want to submit them to VirusTotal (http://www.virustotal.com/) who will scan them with a collection of all of the major AV engines out there and give you a detailed report of who gives you a pass, and who has any issues. It's free, and the only limitation is that they won't accept a file that's >20MB.

Charles Pegge
18-06-2010, 18:07
Many thanks Mike,

I had no idea there were so many virus checkers out there!

Out of the 41 virus checkers I only got one false positive. This was from AntiVir, which thought that my PortViewer and HelloWin1 programs contained a Trojan called TR/Crypt.XPACK.GEN.

Charles

ErosOlmi
18-06-2010, 18:13
Charles,

do not let them pass this.
Send a mail to AntiVir support.

Ciao
Eros

Petr Schreiber
18-06-2010, 18:14
Hi Charles,

I tried Nod32 4, and no problems reported. Good news is that I got a new notebook with 64bit Windows 7, so I could run your test64bit.exe.

The odd thing is that the rest of the programs did not do anything when I clicked on them.

The test64bit.tBasic script, in the examples of the latest Oxygen download, does complain about an unidentified symbol.


Petr

Charles Pegge
18-06-2010, 18:31
Thanks Petr,
If the offending symbol in the 64bit script is proc_address_list, it should now be import_address_table.
Also, the ExitProcess params are not correct, though it still works (and has no dependency on Oxygen).


The other progs may not be able to find thinBasic_Oxygen. Have you hidden it in an unusual place :)

Eros,
I will carry out a few more tweaks before reporting to any of these antivirus producers.


I went on to submit thinBasic_Oxygen.dll and got 1 false positive:

McAfee-GW-Edition 2010.1 2010.06.18 Heuristic.BehavesLike.Win32.Dropper.H

I then submitted thinCore.dll and got one false positive as well:

Comodo 5143 2010.06.18 Heur.Packed.Unknown

Charles

ErosOlmi
18-06-2010, 18:46
On Comodo: Heur.Packed.Unknown
heuristic packed unknown equals "I do not know what it is, it is packed, so it must be a virus"
I will write to them, be sure!

On AntiVir:
http://www.avira.com/en/threats/section/fulldetails/id_vir/3488/tr_crypt.xpack.gen.html
From that page: "In order to aggravate detection and reduce size of the file it is packed with a runtime packer"
Again: "I do not know what it is, it is packed, so it must be a virus"


If I applied the same logic in my job, I would lose it right now.
AV companies have chosen a job where high precision MUST be the logic. They cannot simply mark as a virus whatever they do not know, using the "heuristic" umbrella. They have to go deeper.
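Eros's reading of "Heur.Packed.Unknown" is that the engine flags data it cannot unpack rather than anything it has identified. The following is an added example (not code from this thread or from thinBasic) that parses the PE section table and reports per-section Shannon entropy, the signal such packer heuristics key on, so a developer can see before release which sections of a build look "packed". The 7.0 bits-per-byte threshold is an assumption, and the PE image built for the test is constructed and contains no real code.

```python
import math
import struct

# IMAGE_SECTION_HEADER prefix we need: 8-byte name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData; the remaining 16 bytes of the 40 are skipped.
SECTION_FMT = "<8sIIII"
SECTION_SIZE = 40

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Return [(name, raw_size, entropy)] for every section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    out = []
    for i in range(nsec):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from(SECTION_FMT, image, table + i * SECTION_SIZE)
        entropy = shannon_entropy(image[rptr:rptr + rsize])
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rsize, entropy))
    return out

def looks_packed(sections, threshold=7.0):
    """Names of non-empty sections at or above the (assumed) entropy band packer heuristics treat as suspicious."""
    return [name for name, size, ent in sections if size and ent >= threshold]

def build_test_image(section_payloads):
    """Constructed, headers-only PE (not runnable code) so the parser can be exercised offline."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_payloads), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    headers, body = b"", b""
    off = 64 + 4 + 20 + SECTION_SIZE * len(section_payloads)   # raw data starts after all headers
    for name, payload in section_payloads:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(payload), off, len(payload), off) + b"\0" * 16
        body += payload
        off += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + headers + body
```

Running `pe_sections` over a real build and comparing section entropies between a plain compile and one that uses a runtime packer shows which sections will draw the "packed" verdict.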

Aurel
18-06-2010, 20:23
Avira is simply crazy when it sees packed or compressed files, even if they are compressed in memory, but it doesn't respond to binary files which are bound to the exe. That's good...

kryton9
19-06-2010, 02:45
You might want to submit them to VirusTotal (http://www.virustotal.com/) who will scan them with a collection of all of the major AV engines out there and give you a detailed report of who gives you a pass, and who has any issues. It's free, and the only limitation is that they won't accept a file that's >20MB.

Thanks Mike that is a cool site and perfect for this sort of stuff!

ErosOlmi
19-06-2010, 09:59
I will write to them, be sure!


I've submitted an incident to Comodo support center (Ticket ID: NDY-541351).
I'm a Comodo customer so I have access to their Support Center (https://support.comodo.com/index.php)

Will see.
Eros

ErosOlmi
19-06-2010, 11:56
Comodo reply:



Hi Eros Olmi,

Thank you for contacting us.

Please submit the file from here so that we can analyze it further.
http://www.comodo.com/home/internet-security/submit.php

Please do not hesitate to contact us should you have any queries.

To serve you better in the near future, kindly provide your valuable feedback to feedback@comodo.com

Regards,
Technical Support

Ticket Details
===================
Ticket ID: NDY-541351


Files sent to them as requested:


Thank-you!

Your File was uploaded successfully and will shortly undergo analysis by Comodo technicians. Your valuable contribution will help improve the effectiveness of Comodo products and so help us in our mission to provide the very highest levels of security to users worldwide.


Will wait and see.
Eros

ErosOlmi
19-06-2010, 20:17
I have to say that Comodo has been super fast and professional:



Hi,

This is to inform you that false-positive with <thinCore.dll> (SHA1: <62d5b24bb00818d7ed07c821359c081c35c748bd>)
has been fixed.
You can update to AV database Version <5152> of Comodo Internet Security
Version<4.1.150349.920> and confirm it.
Thanks.

Kind Regards,
Erik M.
Comodo AntiVirus Lab


I hope I do not have to upload a new thinCore.dll to their false-positive form every time I recompile the engine ...
Eros

ErosOlmi
20-06-2010, 10:43
thinBasic programming language Antivirus report done by Download3k.com (http://www.download3k.com/Antivirus-Report-thinBasic-programming-language.html)

Charles Pegge
20-06-2010, 11:47
If you create any compiled programs, the chances are you will get a false positive on one of those 41 virus checkers. I have seen it submitting both PB and FB compiled code.

So maybe we all have to go through this procedure before making any public distribution of software.

Charles