thinBundle - Great, but my Norton antivirus doesn't like it



dcromley
17-11-2011, 00:51
I've got this (fabulous) program I'm going to post here and also share with some non-TB people. thinBundle does a great job of making a clean executable -- stand-alone with no install. But for some reason, my Norton antivirus doesn't like it. For a local TB.exe, it deletes it, but I can restore it. For a TB.exe on the internet, it deletes it, so I have to turn Norton off for a while.

Has anybody else had this happen? A friend of mine didn't have a problem -- I think he has the AVG antivirus. I've posted a simple "Hello world" program at
http://dbarc.net/helloworld.exe

John Spikowski
17-11-2011, 07:42
Works fine here.

(Ubuntu 11.10 64 bit under Wine)

ErosOlmi
17-11-2011, 07:56
Here your application is working fine. I use "Microsoft Security Essentials" and at work I have "Trend Office Scan Corporate edition".
I've also used the online virus scan at http://virscan.org/ to check your example and didn't find anything; see the attached PDF scan result.

It is (of course) a false positive and it can happen from time to time because thinBundle uses techniques that are also possibly used in bad applications:

- reducing executable size using EXE compression
- in-memory execution on the fly of components (DLLs)

What to do?

- be sure you have your AV up to date to the latest version and AV signature database
- please let me know exactly what Norton application you have (name and version) and what the version of the signature database is
- please let me know exactly what your AV indicates as the virus: virus name and other details

Then I will try to send this material to the Symantec support area.
I've already done this for other AV software companies and all of them were very responsible. For them, having a false positive is a bad situation for their credibility.

Ciao
Eros

Petr Schreiber
17-11-2011, 09:24
Tested with ESET NOD32 and no problem found.

In the past, I had a problem with NOD32 and Oxygen, but I wrote to them about the issue, sent a link to Charles' website and they removed the false positive in the next update.


Petr

dcromley
18-11-2011, 02:06
(You guys are SO responsive!)
I have an up-to-date NIS (Norton Internet Security) 18.6.0.29
On your VirSCAN.pdf I see Symantec 1.3.0.24.

I've attached related screenshots (4-in-1)
top: Windows XP Media Center Edition 2004
http://dbarc.net/helloworld.exe
1) NIS info (NIS 18.6.0.29)
2) Download info (helloworld.exe)
3) First NIS message (threat found)
4) Detail NIS info showing "threat removed"

So it's not detecting a virus, just "few users"?

By turning NIS off, things work fine.

I'll be glad to do any further testing.  Thanks, Dave

ErosOlmi
18-11-2011, 09:46
Symantec reports this threat as the following: http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99
So it is not a virus but a series of reports obtained from the Symantec cloud system interacting with Symantec users.

Can you please make the following tries:

1) rename your "helloworld.tBasic" to something else like "MyFirstTBApp.tBasic" and bundle it again to see if something changes?
I suspect that in this case of threat the name matters.
2) do the rename as in point 1 but create your executable again using the thinBasic beta version you can download from http://www.thinbasic.biz/projects/thinbasic/thinBasic_1.9.0.0.zip

If nothing changes, I will use the Symantec whitelisting at https://submit.symantec.com/whitelist/isv/
or the false positive web form at https://submit.symantec.com/false_positive/

Ciao
Eros

Michael Clease
18-11-2011, 10:47
You could try unpacking the bundle

http://upx.sourceforge.net/download/upx307d.zip

I make a bat file and drop the upx.exe and bat in the root of the thinbasic folder, it will make the file bigger but not by much. It helps with virus scanning because they don't have to unpack the file to scan it.


bat file:

rem decompress (-d) every UPX-packed file in the current folder and in lib\, quietly (-q)
upx -d -q *.*
upx -d -q lib\*.*


regards

Mike C.

dcromley
18-11-2011, 18:17
Eros,
OK, I made 2 executables:

1) MyFirstTBAppA.tBasic under my 1.8.9.0
Posted at dbarc.net/MyFirstTBAppA.exe (case sensitive)
Uses "Console"
printl "Hello world A"
printl "(Under thinBasic 1.8.9.0)"
waitkey

2) MyFirstTBAppB.tBasic under Beta 1.9.0.0
Posted at dbarc.net/MyFirstTBAppB.exe
Uses "Console"
printl "Hello world B"
printl "(Under thinBasic 1.9.0.0)"
waitkey

Both times, I did the "bundling" in an otherwise empty directory.

The results are the same in all cases. The same screenshots apply.

My career was with IBM mainframes -- it's no more fun chasing this
kind of stuff now than it was back then. :) Regards, Dave

dcromley
18-11-2011, 18:31
Michael,

I downloaded upx -- it looks like a good packer/unpacker.

Please be more specific about "I make [what] bat file" and "it will
make [what] file bigger". For this business, I wasn't doing any
packing/unpacking (except maybe thinBundle was without my knowledge).

Showing my age, I am quite satisfied with Yoshi's LHA:
http://en.wikipedia.org/wiki/LHA_(file_format)

If it were more common, I would use it. I have no need for
"smaller and faster" :)

Regards, Dave

Michael Clease
18-11-2011, 20:40
thinBasic libraries are packed using UPX and so is the thinBundle.

What you call the bat file is up to you; it won't change what it does: it will unpack any file that is UPX packed.

dcromley
19-11-2011, 06:00
So I download thinbasic_1.9.0.0.zip (12,865KB)
It unzips to thinbasic_1.9.0.0.exe (12,885KB) which I execute.

Now, you could say, "Why zip?" "Why not just download the *.exe?"

But, where does upx come in?

zak
19-11-2011, 10:30
Hi Dave, I have downloaded your file from http://dbarc.net/helloworld.exe; its size is about 255 KB. I copied it to some folder together with the file upx.exe downloaded from http://upx.sourceforge.net/download/upx307d.zip
Now from the command prompt write: upx -d -q helloworld.exe. After that check its size; you will see that it is about 388 KB, so this is the real inflated size. Now check this bigger-size file with your antivirus to see its report.
Now regarding why zip and not exe? I remember I tried to upload a file to a public mail site as an exe file, and the site refused that for security reasons, so I compressed it to zip and uploaded it again. I guess something like that here: some users are using company servers and the company servers prohibit downloading exe files. This is my guess.

ErosOlmi
19-11-2011, 10:34
So I download thinbasic_1.9.0.0.zip (12,865KB)
It unzips to thinbasic_1.9.0.0.exe (12,885KB) which I execute.

Now, you could say, "Why zip?" "Why not just download the *.exe?"

Web browsers are too sensitive to executables.
Also some firewalls are too sensitive to downloading executables.
Many company policies prohibit downloading executables.
One way to bypass this is to distribute a .ZIP file.



But, where does upx come in?

All .exe and .dll files distributed with thinBasic are compressed with UPX; otherwise thinBasic would come out with a 30 MB setup file.

All bundled exes contain the executables (thinBasic.exe, thinCore.dll plus all the modules needed by the script) compressed with UPX.
This, again, is in order to reduce executable size.

UPX is used all over the world in order to reduce the size of executables and DLLs.
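
As an added illustration (not code from this thread, from thinBasic or from UPX) of what a scanner can see in a packed binary without unpacking it, the Python below reads the PE section table and flags the UPX0/UPX1 section names and the high-entropy sections that a compressed payload produces; the minimal PE builder and the two samples are constructed here for offline testing and are not real executables.

```python
import math
import struct
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, which compressed data approaches."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def pe_sections(image: bytes):
    """Yield (section_name, raw_bytes) from a PE image; ValueError if it is not a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsec):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes) -> dict:
    """Two cheap heuristics a scanner can apply without unpacking: UPX section names, high entropy."""
    names, high = [], []
    for name, data in pe_sections(image):
        names.append(name)
        if len(data) >= 64 and shannon_entropy(data) > 7.0:
            high.append(name)
    upx = any(n.startswith("UPX") for n in names)
    return {"sections": names, "upx_names": upx, "high_entropy": high,
            "looks_packed": upx or bool(high)}

def build_fake_pe(sections):
    """Constructed minimal PE32 layout (optional header zeroed) for offline testing only; not runnable."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 24 + opt_size + 40 * len(sections)   # first section body starts after the table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        body, raw_ptr = body + data, raw_ptr + len(data)
    return dos + coff + b"\0" * opt_size + table + body

# Constructed samples: a UPX-style layout (compressed payload in UPX1) and a plain unpacked one.
PACKED_SAMPLE = build_fake_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4), (".rsrc", b"\0" * 128)])
UNPACKED_SAMPLE = build_fake_pe([(".text", b"\x90" * 1024), (".data", b"ABCD" * 64)])
```

Run the same function over a file read with `open(path, "rb").read()` to see which of the two indicators a given bundle trips; a reputation system like the "few users" verdict in this thread is a separate signal that no local check reproduces.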

dcromley
21-11-2011, 00:40
OK, Michael and Zak,

I was skeptical, but I (finally) did what you suggested:
I copied MyFirstTBAppA.exe to MyFirstTBAppC.exe.
Then "upx -d -q MyFirstTBAppC.exe" and, as you said, it was 388KB.
Checking that with Norton gave "few users".
Then I uploaded it to http://dbarc.net/MyFirstTBAppC.exe
When I downloaded that, NIS (Norton Internet Security) noted "few users" and
suggested that it was suspect. When I executed it, it again noted "few users"
and gave me the option of running it or deleting it.
This is much more reasonable. Acceptable.

Regarding upx, you said:
"It helps with virus scanning because they don't have to unpack the file to scan it."

Can you say a few more words about that? What does Norton see in the non-upx
version that makes it worse than the upx-version?

And I do see that browsers and firewalls could be more sensitive to executables
than to zipped or otherwise packed files.

So the bottom line is -- I will "upx" my thinBundle executables. Thank you. Dave

[edited just after post] I just ran the old http://dbarc.net/MyFirstTBAppC.exe with
the same results. Eros must have had Norton change something. ??