Cisco AMP doesn't much like thinBundle



EmbeddedMan
30-05-2019, 15:04
Situation: Corporate and personal user of thinBasic. Our IT group has Cisco AMP for Endpoints (v6.2.9.10881) installed company-wide. When trying to bundle any thinBasic script, I get the following message from AMP:

"Warning! Threat Quarantined. ThinBasic_Bundle_UIC_9717.exe has been detected as Win.Dropper.Generic::202042.in02. Quarantine was successful."

And of course ThinBasic_Bundle_UI detects this, and says "Bundling of <path to project>\PIGrapher\PIGrapher.exe was NOT OK!"

My question: What exactly is "ThinBasic_Bundle_UIC_9717.exe"? Is that the .exe that thinBundle tried to create (and then, I assume, rename to what my script is actually named)? Or is that the exe that actually does the bundling?

I'm trying to work through with our IT group how best to solve this.

*Brian

ErosOlmi
30-05-2019, 18:05
Ciao Brian,

that exe is the one that creates the final bundled executable.
It is included in thinBundle as a string resource, extracted to disk, executed with some parameters to let it know what it has to do, and deleted at the end.
The number in the name (in your report, _9717) is generated randomly at run time because in the past some AV blocked that executable by its name alone. Adding a random number resolved the problem at that time.
If the AV detects it as dangerous, there is no way to produce a final bundled exe.

I can guarantee there are no threats at all.
What can put AV and security systems under suspicion is the extraction/creation of an executable on the fly.

We (my colleagues and I) use thinBasic in the company we work for, in many aspects.
We use Trend Micro Worry-Free on every device we have in the company: https://www.trendmicro.com/en_us/small-business/worry-free.html
Sometimes it happens that Trend intercepts the same behaviour you reported, and a few days later they recognize it as safe and fix the problem.


What thinBasic version do you use?
If you are using 1.10.7, try 1.10.6 or the other way round and see if it makes any difference:
http://www.thinbasic.biz/projects/thinbasic/thinBasic_1.10.6.0.zip
http://www.thinbasic.biz/projects/thinbasic/thinBasic_1.10.7.0.zip

Ciao
Eros
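
The behaviour Eros describes above (write a helper exe with a random name, run it, delete it) is also exactly what a behavioural AV rule looks for. The script below is an added example, not thinBasic's code and not real AMP output: it runs that check over constructed endpoint telemetry and collapses the random number into a stable key, which is what an IT team needs when it has to write a name-based allowlist or exception for the bundler.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not real AMP output): each tuple is
# (event kind, parent process, file path). Two bundling runs, each with a
# different random suffix, plus unrelated events that must not match.
SAMPLE_EVENTS = [
    ("FileCreate",   "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_9717.exe"),
    ("ProcessStart", "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_9717.exe"),
    ("FileDelete",   "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_9717.exe"),
    ("FileCreate",   "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_4102.exe"),
    ("ProcessStart", "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_4102.exe"),
    ("FileDelete",   "thinBundle.exe", r"C:\Temp\ThinBasic_Bundle_UIC_4102.exe"),
    ("FileCreate",   "notepad.exe",    r"C:\Users\brian\notes.txt"),
    ("FileCreate",   "setup.exe",      r"C:\Temp\helper.exe"),
    ("ProcessStart", "setup.exe",      r"C:\Temp\helper.exe"),
]

# Matches the per-run random number that thinBundle appends before ".exe".
RANDOM_SUFFIX = re.compile(r"_\d+(\.exe)$", re.IGNORECASE)

# The three events that together make the "drop, run, clean up" pattern.
DROP_EXEC_DELETE = {"FileCreate", "ProcessStart", "FileDelete"}


def normalize(path):
    """Replace the random number with a placeholder so every run of the
    bundler maps to one stable key, which is what a name-based rule needs."""
    return RANDOM_SUFFIX.sub(r"_<N>\1", path)


def find_drop_exec_delete(events):
    """Group .exe events by (parent, path); report paths that were created,
    started and deleted by the same parent. Returns {(parent, key): runs}."""
    kinds_seen = defaultdict(set)
    for kind, parent, path in events:
        if path.lower().endswith(".exe"):
            kinds_seen[(parent, path)].add(kind)
    findings = defaultdict(int)
    for (parent, path), kinds in kinds_seen.items():
        if DROP_EXEC_DELETE <= kinds:
            findings[(parent, normalize(path))] += 1
    return dict(findings)


if __name__ == "__main__":
    for (parent, key), runs in find_drop_exec_delete(SAMPLE_EVENTS).items():
        print(f"{parent} dropped/ran/deleted {key} ({runs} runs)")
```

If the extracted helper is byte-for-byte the same embedded resource on every run, as the description suggests, its hash stays constant even though its name does not, so an exception keyed on that hash is more robust than one keyed on the normalized name.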

EmbeddedMan
30-05-2019, 19:40
Of course, *I* believe you that there is no malware in ThinBasic. :D

The problem is, of course, that your server can become compromised, or somebody in the middle can inject malware as it is being downloaded, or once it is installed on my computer other malware can infect it, etc. etc. While extremely extremely unlikely, we can't absolutely guarantee these things not to happen. Thus the very strict anti-virus protection.

I am currently running TB v1.10.5.0. To use a different version, I'll need to get our IT department to whitelist the other version as well, as the installers also show up as malware and get quarantined.

I'll let you know what I find out.

*Brian

Petr Schreiber
30-05-2019, 21:44
Hi EmbeddedMan,

I send each new release for analysis to Avast, where I work. Of course, it is wise to test the download anyway.

It is not surprising that AV software senses something suspicious in programming languages - be it the thinBasic bundler, the Rust compiler or PowerBASIC; from time to time I get some warning for them all.
They do many operations which would be really suspicious for a normal program - creating EXE files, playing with DLLs... all very... non-standard.

A situation like the one you experience will arise from time to time, unavoidably.

In case you experience the issue, the best you can do is submit the file to your AV vendor for deep analysis. The tests done directly on the PC are usually designed to have as low an impact on PC performance as possible, so they prefer being sensitive and careful when not 100% sure, and/or embrace a less performance-intensive approach.

Once you submit the file to the AV vendor, they usually run a much more detailed analysis, focused on that one file. If it is clean, it is hashed as OK and you are good to go.

The approach we could take with thinBASIC would be signing the tools with some kind of certificate. However, we could be making a step in the wrong direction.

Imagine we sign thinBasic.exe. It is a completely safe application, you can take our word for it. But in case you bundle a script, that very signed exe can execute any malicious code hidden in a script written by some "evil" person.

So that is the reason why we cannot sign thin* proggies with a calm heart. That is why no interpreted language should be.


Petr

EmbeddedMan
30-05-2019, 21:57
Petr and Eros, I want to thank you for your very rapid replies and fantastic support for my questions. It goes a long way to helping convince other people that TB is a 'legit' tool. :-)

I'm working with our IT folks to try and figure out the best way to make this work. We may end up submitting the bundling application to Cisco for analysis as you suggest. That would help us out a lot.

Thanks again-

*Brian