Software Protection...

[Petr Schreiber]

This topic could have evolved into forging an approach together to get proggies checked in a way the customers don't get false alerts once they reach their PCs.

Searching for the mistakes on the other side is... the simple approach to feel better, for a while. Not an effective approach to make things better.


Petr

[Kuron]

One cannot fix, what they haven't broken. An indie developer is only responsible for bugs in their software, not the software of AV vendors. It would be nice someday to have a round table with indie developers and representatives of all major AV vendors. Probably would never happen as it would turn into a bare knuckle brawl with the amount of abuse indie developers have had to suffer through from AV developers over the many years.

Back to BASICs...

I compiled one of the samples for the latest version of PureBasic, 5.61 at this writing. PureBasic has certainly become bloated, the canvas gadget example compiles to 291k for the 32-bit version. Virus Total triggers 3 warnings on this one. The only one of any remote popularity, is McAfee and it hasn't been too popular since the DOS days. Even in the latter DOS days, I was using F-Prot as it was a better product. Still, McAfee manages to get itself on many systems as shovelware.

[Kuron]

ThinBasic, trying the AntiTetris example. On VirusTotal it gets a score of 3 and the only major one is McAfee. Awesome score IMHO.

Compiled size is fairly comparable to what the same thing would be in PureBasic. The more I use TB, the more blown away I am by it. I can definitely see myself releasing some software in TB and not using it just for prototyping. I had to make a few tweaks to my registration method being used, but it now works flawlessly with TB created EXEs.

[Michael Hartlef]

Does compressing with UPX has anything to do with the false alerts? If yes, I suggest not to compress anything TB related to avoid such false alerts.

[ErosOlmi]

Compressing with UPX is not an automatic symptom that let an AV software to say there is a threat.
Would be that simple ... I will remove UPX right now.

[Kuron]

Mike, since all of my systems, software and backups are packed up, I am kinda really starting new. I have been trying to find replacements for Molebox and the proprietary bundler I used to use as well as find a new product to handle registrations and have a limited trial. Things have changed a good bit, some for the better, but the one thing that hasn't changed is all of those things like to trigger false positives.

[mike lobanovsky]

Brice, due to its extreme popularity UPX compression should be very well known to the AV analyzers by now, whether its "signatures" are present in the packed exe or not. (yes, you can clean the exe manually of a lot of UPX patterns yet the AVs would unmistakably determine it as UPX, which isn't per se a symptom of malicious intentions)

Still there are quite a lot of heuristic criteria by which SW is regarded as potentially malicious, just to name but a few:

• inconsistency in the Windows PE headers (bad checksum, non-standard section layout, etc.)
• lack of resources (manifest, version info, etc.)
• executable code compression (and especially custom non-UPX exe packing)
• lack (or minimum) of external library calls, especially if none are present but LoadLibrary/GetProcAddress
• many, many more -- in fact, too many to even mention here

None of the AV vendors are eager to specify exactly why they've labeled this or that exe as potentially malicious -- just because they wouldn't want virus writers to know of, and bypass, their booby traps. But the algos to determine if the code is packed or not are quite simple regardless of the sophistication of exe packer itself. The AV just analyzes the frequency of unique byte patterns in the code sections and, if it is sufficiently high, then the exe is considered packed. (clearly, the main objective of data compression is to ultimately eliminate any byte pattern repetition at all)

So, whichever the compression utility, you are always suspected of ill intentions even if the only exe packer you're using is UPX.

[Kuron]

[*]inconsistency in the Windows PE headers (bad checksum, non-standard section layout, etc.)

How the EXE was laid out was really an issue back in the day. Back then ASPack was better than UPX in that it produced smaller EXEs, But some things ASPack and UPX could not compress, so I used a product called Neolite that was very good. IIRC, Neolite was fairly costly, but it was good and reliable, but it would not compress some EXEs that ASPack would.

I have always been big on EXE compression. In the DOS days I used Diet which besides being an EXE compressor, it could also be loaded as a TSR and could be used to compress your whole hard drive and uncompress files on the fly. In the Windows 3.1 days, my friend Doren wrote a 16-bit Windows EXE compressor that was very good.