
Author Topic: Simple Hello world app (VirusTotal Failure).  (Read 793 times)

josh

Simple Hello world app (VirusTotal Failure).
« on: December 22, 2018, 11:42:18 am »
Hi

Just recently I have had executables fire a virus warning.

So to test, I created a simple hello world app, and sent it to virustotal for analysis and got warnings.
https://www.virustotal.com/en/file/f2c79891c4770ab23d5d9abeea80ce697c2bbb804125cb47f156ab06d3fc8652/analysis/1545474750/
The exe is created from a new application with a form create event to showmessage, create build modes for release/debug and compiled and sent the release version for test.
Code:
unit Unit1;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, FileUtil, Forms, Controls, Graphics, Dialogs;

type

  { TForm1 }

  TForm1 = class(TForm)
    procedure FormCreate(Sender: TObject);
  private

  public

  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

{ TForm1 }

procedure TForm1.FormCreate(Sender: TObject);
begin
  showmessage('Hello World');
end;

end.

Using 1.8.5  svn 59122 fpc 3.0.5.

I have various Scanners on my machine to make sure no viruses, I have even created a new VM machine and created exe on that and submitted and get the same.

Anyone know of a way to stop/reduce  the false positives...
Development Installation Lazarus 1.3, FPC 2.7.1,Windows 7/8 32/64, OSX, *nix

Test Environment Lazarus & FPC Trunk on Windows and OSX (Cocoa Mainly on OSX). Testing also Crosscompile windows to OSX.. 
Any posts made from 2015 will be based on Lazarus Trunk.

Thaddy

Re: Simple Hello world app (VirusTotal Failure).
« Reply #1 on: December 22, 2018, 11:52:32 am »
On Windows you can codesign the executable. The scanners will subsequently not even examine the code. (This may even work with self-signed test certificates)

But the only real - free - option is the tedious task of reporting the false positives...
Note current virus scanners on Windows are a bit of legacy, since Microsoft's own solutions and mitigation are already a couple of years free and *a lot*  better than paid.
« Last Edit: December 22, 2018, 11:59:27 am by Thaddy »
Brexit. My Indonesian and Dutch friends know what " Tempo doeloe" means....There is no empire.

josh

Re: Simple Hello world app (VirusTotal Failure).
« Reply #2 on: December 22, 2018, 01:00:39 pm »
Hi Thaddy,

Thanks for the information.

I currently use comodo code signing certificate, do you prefer another?

I checked one of my apps that is code signed and this also generates 1 warning (had to re-upload as the original hash was fine)
Trapmine    malicious.moderate.ml.score
Trapmine is the latest thing in Google AI arsenal, but as far as I can see I cannot locate a means of reporting a false positive against it.

Trying to convince users that there is no problem, and that they need to allow an app through their security wall is going to be a lot more common it would seem.

Additional: Just rescanned a code signed C application and this is having the same trapmine problem, so not just FPC..
« Last Edit: December 22, 2018, 01:05:56 pm by josh »

CCRDude

Re: Simple Hello world app (VirusTotal Failure).
« Reply #3 on: January 07, 2019, 10:24:01 am »
> On Windows you can codesign the executable. The scanners will subsequently not even examine the code. (This may even work with self-signed test certificates)

That's not quite true. Codesigning helps a lot to protect against "heuristic" detection, like it seems to take place here. But codesigning does not stop scanners completely. In fact, there's codesigned malware out there that would otherwise not be detected.

> Note current virus scanners on Windows are a bit of legacy, since Microsoft's own solutions and mitigation are already a couple of years free and *a lot*  better than paid.

Please allow me to doubt your "a lot". I recommended AV-Test and AV-Comparatives:

https://www.av-test.org/en/antivirus/home-windows/
https://www.av-comparatives.org/test-results/

Microsoft is somewhere near the top, but not on top. And speaking about legacy, "AV" in itself is kind of legacy - blacklisting only can go so far... but whitelisting isn't an option currently either, since it leads to closed ecosystems with their own problems, like Apple/Google/Microsoft App Stores (fewer viruses, but 90% spyware when you take a look at all the "telemetry").

Martin_fr

Re: Simple Hello world app (VirusTotal Failure).
« Reply #4 on: January 07, 2019, 12:27:22 pm »
From my observation heuristics really dislike small "dummy" apps.

Another issue might be, if the exe was compiled with debug info. I had it in the past that the exact same exe, but after stripping debug info, was ok.
Apparently for the AV, the debug info is just random data, that it will scan. And technically it would be possible to hide something in it.
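
Added example, not part of any forum post: a release-hygiene check for the two points raised in Reply #1 (code signing) and Reply #4 (leftover debug info). It reads only the PE headers and reports COFF symbols, debug-looking sections and whether an Authenticode certificate table is present. The function names, the section-name heuristic and the sample images are assumptions made for this illustration.

```python
import struct

DEBUG_PREFIXES = (".stab", ".debug", "/")  # "/" = long name kept in the COFF string table

def pe_release_facts(data: bytes) -> dict:
    """Report debug-info and signature markers found in a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _mach, nsect, _ts, _symptr, nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)              # start of data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)       # NumberOfRvaAndSizes

    def dir_size(index: int) -> int:
        if index >= ndirs:
            return 0
        return struct.unpack_from("<II", data, dirs + 8 * index)[1]

    table = opt + opt_size                                    # section headers, 40 bytes each
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    return {
        "coff_symbols": nsyms,                                # non-zero: symbol table still attached
        "debug_sections": [n for n in names if n.startswith(DEBUG_PREFIXES)],
        "debug_directory": dir_size(6) > 0,                   # IMAGE_DIRECTORY_ENTRY_DEBUG
        "has_signature_blob": dir_size(4) > 0,                # present, NOT verified
    }

def build_sample(sections, nsyms=0, cert_size=0) -> bytes:
    """Constructed, header-only PE32 image for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0x400 if nsyms else 0, nsyms, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * 4, 0x800 if cert_size else 0, cert_size)
    sect = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect

if __name__ == "__main__":
    print(pe_release_facts(build_sample([".text", ".data", ".stab", ".stabstr"], nsyms=1200)))
    print(pe_release_facts(build_sample([".text", ".data"], cert_size=0x1A00)))
```

On a real build, pass the bytes of the release executable to `pe_release_facts`; a present certificate table still has to be validated with a proper verifier such as signtool.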

Thaddy

Re: Simple Hello world app (VirusTotal Failure).
« Reply #5 on: January 07, 2019, 12:44:06 pm »
Then you have to revert to the tedious task of reporting the false positives......