Symantec Endpoint Protection absolutely hates ThinBundle



ab11374
08-08-2019, 16:38
Hi, I'm a brand new ThinBasic user, ver 1.10.7.0.

My tech group gave me the OK to use ThinBasic and I created my first utility program using the ThinAir editor.

When I tried to ThinBundle it, Symantec Endpoint Protection blocked creation of the executable.

It reported a Heuristic Virus (Heur.AdvML.B) and Virus (Trojan.Gen) and deleted ThinBasic_Bundle_UIC.exe

I checked the Symantec support site and can't find any references to any of the ThinBasic suite of programs.


I would very much like to continue using this product but I need to be able to reassure my system administrator before they descend on my workstation and wipe it clean.
I also need to know how to create safe executables for distribution.

Any thoughts/suggestions ?

ErosOlmi
08-08-2019, 17:29
Ciao ab11374,

At the office I use Trend Micro OfficeScan Enterprise and I too, from time to time, have a similar issue.
Because I'm the developer of thinBasic ... my company trusts me :D
and we have put on the whitelist the path where thinBasic installs itself and all distributed thinBasic executables.

What I can say is that I can guarantee that there is no virus, spyware, theft of user data or any other threat inside the thinBasic install, as long as you download thinBasic from a thinBasic web site (thinbasic.com, thinbasic.biz, thinbasic.net, thinbasic.it, ...). I know it is not much, it is just my word, but at the moment I cannot give you any other reassurances.

Maybe Petr Schreiber, my partner in developing thinBasic, can give you additional safety: he works for a well known AV global company.

That said, AV software does its job: it reads the signatures of known viruses, or tries to understand how an application behaves (heuristics) to see if it could be some kind of virus.
For future thinBasic versions we are already thinking about how to improve the bundling process in order to reduce the possibility that AV software flags thinBasic as a threat.

Let me know if I can do anything to help you.

Ciao
Eros

Petr Schreiber
08-08-2019, 18:47
Hi ab11374,

I am really sorry you are experiencing these difficulties, but please let me give you some background you can share with your IT department, if you want.

I work at Avast, which is a big player in the AV world and I have an insight from the other side, which I would like to share.

The things which make it difficult for us, as thinBASIC developers, to make the tool trusted by AV vendors are the following:
- thinBASIC has its community, but it is still not a tool used at massive scale, which makes it suspicious
- thinBASIC is an interpreter and bundler, which means its behaviour is highly suspicious - it creates EXEs, modifies them, and manipulates DLLs in a "suspicious" way for a common application
- thinBASIC is bundled with UPX, which is a perfectly legal tool to reduce EXE size; sadly, UPX is very popular in the "bad guys" community as well, as it obfuscates the EXE a bit
- thinBASIC is a tool which does not behave predictably - based on the script, it does all kinds of different things
- thinBASIC modules and the IDE have interfaces to communicate via the network (to provide network functionality or simply to check for a new version on demand in the thinAir menu), and this makes it, again, suspicious

All in all - no wonder AV software considers thinBASIC highly suspicious.

There is a big push on AV programs to make the good/bad evaluation fast, to not "slow down the PC", to not "bother the user". The strategy most tools then use is "better to be pessimistic than to threaten the user".
This is why thinBASIC is often flagged as suspicious, with threat names often containing Win32. Yes, it is even triggered by Avast.

Things change once you submit the file for deeper analysis. Avast antivirus offers this option, and once you submit it, you get a reply in tens of minutes, or sometimes even hours, that the file is... clean.
This is because instead of a "fast and pessimistic check", a deep, time-consuming check is performed.

What do we already do, as thinBASIC authors, to reduce these "trust" incidents?
- we have our build server equipped with AV, which checks the final build before it goes out
- we submit module DLLs and the IDE to Avast - not for whitelisting, but for analysis, to make sure
- in case of an incident like yours, Eros tries hard to change the signature of the EXE by some wild magic :)
- we open-source many parts of thinBASIC to show everyone there is nothing bad - it takes time, as the code is a bit... complex... after 15 years of development with no open-sourcing originally in mind
- Eros invests a lot of time and money to keep the website secure

What we can't do, as thinBASIC authors, to reduce these "trust" incidents:
- sign the interpreter and bundler with a trusted digital signature -> why? It would allow malware authors to misuse this to execute dangerous scripts with a certified tool
- sign the bundled EXEs -> why? Again the same reason - people can create anything with thinBASIC, and we cannot guarantee it is correct

What could we, as thinBASIC authors, do to reduce these "trust" incidents?
- we could sign the thinBASIC installers, but only with community contribution: a DigiCert certificate costs $500 a year (https://www.digicert.com/code-signing/), which is quite a lot for a project we do for free in our free time
- we could enhance the build process to collect MD5 signatures in an isolated environment, to give some way to check you are using an unmodified (un-infected) version of the build
- open-source more and more parts of thinBASIC, to show there is nothing to be afraid of

What can you do to make your bundled application trusted?
- you can submit it for testing to as many AV vendors as you can BEFORE you release it
- you can pay for that DigiCert certificate, but I realize it is a bit of an overkill

We live in dangerous times; malware has advanced to the phase where it uses AI - better to be oversensitive than sorry ;)


Petr

ab11374
08-08-2019, 19:20
Thank you, gentlemen, for the reassurances and the insight. I will keep an eye out for any enhancements to ThinBasic that will address these issues.

I may also try and dedicate a stand-alone PC to create and scan executables until my technical staff is comfortable enough to white-list this function.


Talk to you later !

DirectuX
10-08-2019, 11:26
we could sign the thinBASIC installers, but only with community contribution: a DigiCert certificate costs $500 a year (https://www.digicert.com/code-signing/), which is quite a lot for a project we do for free in our free time

Hi Petr,

Is this low-cost code signing worth something here?

https://account.ascertia.com/onlineCA/default

Petr Schreiber
11-08-2019, 09:41
Hi,

I will have a look, thank you!


Petr

Michael Hartlef
11-08-2019, 10:33
This bundling and extracting at runtime is not a stand-alone feature of TB. Python and other tools do that too. Yet these are fine.
The problem I see here is the usage of UPX. Also some Oxygen stuff keeps triggering my AV at times.
If certificates help in that regard, then it should be an option. Is the usage of UPX needed?

ErosOlmi
12-08-2019, 09:18
Hi Petr,

Is this low-cost code signing worth something here?

https://account.ascertia.com/onlineCA/default

Ascertia's self-signed root certificate does not seem to be distributed with the Windows operating system like other root certificates.
That's why it costs so little.

If I buy an Ascertia certificate I need to convince users to download and install the Ascertia root certificate in order to trust my certificate.

ErosOlmi
12-08-2019, 09:22
This bundling and extracting at runtime is not a stand-alone feature of TB. Python and other tools do that too. Yet these are fine.
The problem I see here is the usage of UPX. Also some Oxygen stuff keeps triggering my AV at times.
If certificates help in that regard, then it should be an option. Is the usage of UPX needed?

If I buy a certificate, it will be used only to sign some of the thinBasic tools like thinAir and thinBundle.
I cannot sign bundled exes because they are not thinBasic executables but user executables.
Every user should then sign that exe with their own certificate.

Anyway, the problem seems only related to thinBundle and the phase where it creates a bundled exe.
Once the bundled exe is created, it seems not to be so suspicious.

We'll see, but I have other ways to reduce false positives.
One will be the use of FreeBASIC to create the bundled exe.

DirectuX
12-08-2019, 12:13
If I buy an Ascertia certificate I need to convince users to download and install the Ascertia root certificate in order to trust my certificate.

So that's of no interest, as it's similar to the self-signing method (which I read is costless).

ErosOlmi
12-08-2019, 12:30
More or less, yes.
To be valid, a certificate needs to be signed by a CA (Certification Authority) trusted worldwide, or you need to manually install a CA and trust it.

To check which CAs are installed on your Windows computer, just do the following:


Press the Windows key + R to bring up the Run command, type certmgr.msc and press Enter.
When the Certificate Manager console opens, expand any certificates folder on the left. In the right pane, you'll see details about your certificates.



Attached an example of one of my computers:
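
An added example, not from the thinBasic project or from Eros's post, that does the same check from PowerShell instead of through certmgr.msc. Note that certmgr.msc opens the current user's store, while the roots Windows ships with live in the machine store, so the script reads both. It looks for a root by name (the 'Ascertia' match string and the exe path are placeholders, to be replaced with your own), and then reports the Authenticode status of an executable so you can see whether its signature actually chains to a root the machine trusts, which is the practical difference between a $500 certificate and a cheap one whose root nobody has installed.

```powershell
# Added example (not thinBasic's own tooling). Two checks:
#   1. is a given root CA in the Windows trusted-root stores?
#   2. does a signed executable's Authenticode signature chain to a trusted root?
# Both parameters are placeholders/assumptions; pass your own values.
param(
    [string]$ExePath   = 'C:\thinBasic\thinAir.exe',   # assumption: path to a signed binary
    [string]$RootMatch = 'Ascertia'                    # assumption: substring of the CA subject to look for
)

# certmgr.msc shows only CurrentUser; vendor roots that ship with Windows are in LocalMachine.
$machineRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
$userRoots    = @(Get-ChildItem -Path Cert:\CurrentUser\Root)
Write-Host ("Trusted root CAs: {0} in LocalMachine, {1} in CurrentUser" -f $machineRoots.Count, $userRoots.Count)

# A certificate issued under a root that is not in either store will not validate,
# no matter how "valid" the leaf certificate itself looks.
$hit = @($machineRoots + $userRoots) | Where-Object { $_.Subject -like "*$RootMatch*" }
if ($hit) {
    $hit | Select-Object Subject, Thumbprint, NotAfter | Format-List
} else {
    Write-Host "No trusted root matching '$RootMatch' is installed; certificates issued under it will not validate here."
}

if (Test-Path -LiteralPath $ExePath) {
    # Status is Valid only when the chain ends in a trusted root; an untrusted root is
    # typically reported as UnknownError with a message about the root not being trusted.
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    Write-Host ("{0}: {1} - {2}" -f $ExePath, $sig.Status, $sig.StatusMessage)
    if ($sig.SignerCertificate) {
        # Build the chain explicitly to print which root it terminates in.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($sig.SignerCertificate)
        $chain.ChainElements | ForEach-Object { Write-Host ("  " + $_.Certificate.Subject) }
        Write-Host "Chain ends in a trusted root: $chainOk"
    }
} else {
    Write-Host "File not found: $ExePath"
}
```

Run it on a thinBundle output and on the bundler itself: an unsigned file reports NotSigned, which is what an AV heuristic sees too, and a file signed under a root that is only in your own CurrentUser store will validate on your machine but not on the recipient's.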

rayleech
12-08-2019, 16:30
Not sure if it helps, you could try KSoftware. Relatively inexpensive ($84/yr). It is on my list of certs to test signing my own code.

https://www.ksoftware.net/code-signing-certificates/index.html#read_more

ErosOlmi
12-08-2019, 16:45
Thanks a lot.
Very nice that we can collect personal thoughts and see if we can find a solution.

Also found that COMODO lowered their prices for personal certificates:
https://comodosslstore.com/codesigning.aspx
https://comodosslstore.com/code-signing/comodo-individual-code-signing-certificate

primo
12-08-2019, 18:27
Just recently the Symantec false positives were discussed again with PureBasic EXEs, not only with thinBasic. I don't believe the PureBasic team will ever buy a certificate for their product, even though it is a commercial product and that phenomenon has been happening for many, many years.
It is the responsibility of the end user. I think the best opinion in that PureBasic thread is this one, as far as I can see:
https://www.purebasic.fr/english/viewtopic.php?f=7&t=73234#p539448

DirectuX
12-08-2019, 19:18
Very nice that we can collect personal thoughts and see if we can find a solution.

Personal thought: of course it bothers me when I get AV alerts (I had them until I whitelisted thinBasic). I already got on with trusting Eros & Petr, so having thinBasic signed is not on my wish-list. However, if thinBasic's files could be CRC/hash checked it would be a plus.



The problem I see here is the usage of UPX. Also some Oxygen stuff keeps triggering my AV at times. Is the usage of UPX needed?

I remember those alerts, same question.

ErosOlmi
13-08-2019, 18:41
Personal thought: of course it bothers me when I get AV alerts (I had them until I whitelisted thinBasic). I already got on with trusting Eros & Petr, so having thinBasic signed is not on my wish-list. However, if thinBasic's files could be CRC/hash checked it would be a plus.


Great suggestion.
Shortly I will add MD5 hash values to future thinBasic downloads.

In the current thinBasic 1.10.8 you will find a tool under the thinAir menu \Tools\User Tools\ called thinDownload (it comes as an exe plus thinBasic source code under \thinBasic\thinAir\Tools\ ...).
It is an experiment to add thinBasic downloading into thinAir.
I will add MD5 hash checking to that tool.
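
An added example, not the thinDownload tool or any thinBasic code, showing the download hash check suggested above done from PowerShell with Get-FileHash. The sample file and the "published" digests are constructed inline so the script runs offline; for a real download you would paste the value from the download page. The function strips stray whitespace before comparing, since published digests are usually pasted lower-case with surrounding text while Get-FileHash returns upper-case hex.

```powershell
# Added example (not thinBasic's own tooling): verify a downloaded archive or
# installer against a digest published on the download page.
function Test-FileHashMatch {
    param(
        [Parameter(Mandatory)] [string]$Path,       # the downloaded file
        [Parameter(Mandatory)] [string]$Expected,   # digest copied from the download page
        [ValidateSet('SHA256','SHA1','MD5')] [string]$Algorithm = 'SHA256'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    # Remove whitespace a copy/paste may have picked up. PowerShell's -eq is already
    # case-insensitive; upper-casing is only so the report shows both values the same way.
    $norm = ($Expected -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $norm
        Actual    = $actual
        Match     = ($actual -eq $norm)
    }
}

# Constructed input so this runs offline: a file holding the three bytes "abc",
# whose standard test-vector digests stand in for the values a download page would publish.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'thinBasic_sample.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('abc'))

Test-FileHashMatch -Path $sample -Algorithm SHA256 `
    -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
Test-FileHashMatch -Path $sample -Algorithm MD5 `
    -Expected '900150983cd24fb0d6963f7d28e17f72'
# A tampered or truncated download shows Match = False:
Test-FileHashMatch -Path $sample -Algorithm SHA256 -Expected ('0' * 64)

Remove-Item -LiteralPath $sample
```

Two caveats apply to this kind of check. A matching hash proves only that the bytes you received are the bytes the publisher hashed; it says nothing about who the publisher is, which is the gap code signing fills. And MD5 is adequate for spotting a corrupted or partial download, but MD5 collisions are cheap to produce, so a publisher who wants the check to resist deliberate substitution should publish SHA-256 alongside it and serve the digests from a page separate from the mirror that hosts the file.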

ErosOlmi
14-08-2019, 12:44
Added more download options in thinBasic web site download section:

.ZIP file
.7z file
.EXE file


It seems some AV software and browser downloads are more sensitive to one type and less to the others.



DirectuX
14-08-2019, 15:32
Note: Symantec has many false positives: https://www.av-comparatives.org/tests/false-alarm-test-march-2019/
and code signing does not seem to be a cure-all solution: https://stackoverflow.com/questions/52360025/how-to-stop-antivirus-false-positives-everytime-we-re-release-software

primo
14-08-2019, 19:07
There is something like a sandbox; look at the utilities, freeware and commercial:
https://alternative.me/deep-freeze
There is a browser in a box:
https://www.chip.de/downloads/BitBox-Browser-in-the-Box-Chrome-Edition_72247952.html
600 MB
https://www.chip.de/downloads/BitBox-Browser-in-the-Box-Firefox-Edition_48987303.html

It is said to be used in German government offices; there are a free version and a paid version.
I tried to install it years ago but failed, since it needs components from the web and I can't access these components. But it seems nice. I will try it again with Windows 7 x64. If successful I will report. I am using an old tool called Returnil on Windows XP, and I haven't used antiviruses at all for several years, since McAfee destroyed all my Windows settings.

Anna Shipman
01-08-2023, 13:59
Thanks a lot.
Very nice that we can collect personal thoughts and see if we can find a solution.

Also found that COMODO lowered their prices for personal certificates:
https://comodosslstore.com/codesigning.aspx
https://comodosslstore.com/code-signing/comodo-individual-code-signing-certificate

Well, after the recent inclusion of HSMs in the code signing process, the prices of certs have increased manifold, but I obtained a Comodo code signing certificate from SignMyCode, which also offers other OV and EV code signing certificates at more affordable pricing than others in the market!
https://signmycode.com/buy-code-signing-certificates