Lazarus
Programming => Operating Systems => Windows => Topic started by: Josh on December 22, 2018, 11:42:18 am
-
Hi
Just recently I have had executables fire a virus warning.
So to test, I created a simple hello world app, and sent it to virustotal for analysis and got warnings.
https://www.virustotal.com/en/file/f2c79891c4770ab23d5d9abeea80ce697c2bbb804125cb47f156ab06d3fc8652/analysis/1545474750/
The exe is created from a new application with a form create event calling showmessage; I created build modes for release/debug, compiled, and sent the release version for testing.
unit Unit1;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, FileUtil, Forms, Controls, Graphics, Dialogs;

type

  { TForm1 }

  TForm1 = class(TForm)
    procedure FormCreate(Sender: TObject);
  private
  public
  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

{ TForm1 }

// The whole application: the form's OnCreate handler shows a single message box.
procedure TForm1.FormCreate(Sender: TObject);
begin
  showmessage('Hello World');
end;

end.
Using 1.8.5 svn 59122, fpc 3.0.5.
I have various scanners on my machine to make sure there are no viruses; I have even created a new VM, created the exe on that, submitted it and got the same result.
Anyone know of a way to stop/reduce the false positives...
-
On Windows you can codesign the executable. The scanners will subsequently not even examine the code. (This may even work with self-signed test certificates)
But the only real - free - option is the tedious task of reporting the false positives...
Note current virus scanners on Windows are a bit of legacy, since Microsoft's own solutions and mitigation are already a couple of years free and *a lot* better than paid.
-
Hi Thaddy,
Thanks for the information.
I currently use comodo code signing certificate, do you prefer another?
I checked one of my apps that is code signed and this also generates 1 warning (had to re-upload as the original hash was fine):
Trapmine malicious.moderate.ml.score
Trapmine is the latest thing in Google's AI arsenal, but as far as I can see I cannot locate a means of reporting a false positive against it.
Trying to convince users that there is no problem, and that they need to allow an app through their security wall, is going to be a lot more common it would seem.
Additional: Just rescanned a code signed C application and this is having the same trapmine problem, so not just FPC..
-
On Windows you can codesign the executable. The scanners will subsequently not even examine the code. (This may even work with self-signed test certificates)
That's not quite true. Codesigning helps a lot to protect against "heuristic" detection, like it seems to take place here. But codesigning does not stop scanners completely. In fact, there's codesigned malware out there that would otherwise not be detected.
Note current virus scanners on Windows are a bit of legacy, since Microsoft's own solutions and mitigation are already a couple of years free and *a lot* better than paid.
Please allow me to doubt your "a lot". I recommended AV-Test and AV-Comparatives:
https://www.av-test.org/en/antivirus/home-windows/
https://www.av-comparatives.org/test-results/
Microsoft is somewhere near the top, but not on top. And speaking about legacy, "AV" in itself is kind of legacy - blacklisting only can go so far... but whitelisting isn't an option currently either, since it leads to closed ecosystems with their own problems, like the Apple/Google/Microsoft App Stores (fewer viruses, but 90% spyware when you take a look at all the "telemetry").
-
From my observation heuristics really dislike small "dummy" apps.
Another issue might be, if the exe was compiled with debug info. I had it in the past that the exact same exe, but after stripping debug info, was ok.
Apparently for the AV, the debug info is just random data, that it will scan. And technically it would be possible to hide something in it.
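The two practical points raised in this thread, leftover debug info in the exe and the presence of a code signature, can both be checked on the release build before it is uploaded. The following Python script is an added example, not code from the thread or from Lazarus/FPC: it reads the PE headers and reports whether the image still carries COFF symbols or debug sections and whether an Authenticode certificate table is present. The two sample images are constructed, header-only byte strings, and treating "/N" long-named sections as debug candidates is an assumption based on how ld/FPC name DWARF sections.

```python
"""Check a Windows PE build for leftover debug data and an Authenticode signature (added example)."""
import struct

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table


def inspect_pe(data: bytes) -> dict:
    """Return whether the image carries a signature, COFF symbols, or debug sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4          # e_lfanew, then skip 'PE\0\0'
    if data[coff - 4:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, _stamp, sym_ptr, n_syms, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10b = PE32, 0x20b = PE32+
    dirs = opt + (96 if magic == 0x10B else 112)               # start of the data directories
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]       # NumberOfRvaAndSizes
    signed = False
    if n_dirs > SECURITY_DIR:
        _off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
        signed = size > 0                                      # non-empty certificate table
    sec_tbl = opt + opt_size
    names = [data[sec_tbl + 40 * i:sec_tbl + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    # Assumption: names over 8 bytes (DWARF ".debug_info" etc.) are stored as "/<offset>" into the
    # COFF string table, so "/N" names are reported as debug candidates alongside .debug*/.stab*.
    debug_sections = [n for n in names if n.startswith((".debug", ".stab", "/"))]
    return {"signed": signed, "coff_symbols": sym_ptr != 0 and n_syms > 0,
            "debug_sections": debug_sections}


def build_sample_pe(section_names, signed: bool, coff_symbols: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, not a runnable exe) for the demo."""
    opt_size = 112 + 8 * 16                                    # PE32+ optional header + 16 dirs
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0,
                       0x2000 if coff_symbols else 0, 12 if coff_symbols else 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x5000, 0x1234)  # cert table offset, size
    sections = b"".join(name[:8].ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + sections


# Constructed samples: a debug build with DWARF sections (long names as "/N") and a stripped, signed one.
DEBUG_BUILD = build_sample_pe([b".text", b".data", b"/4", b"/16"], signed=False, coff_symbols=True)
RELEASE_BUILD = build_sample_pe([b".text", b".data"], signed=True, coff_symbols=False)
```

Run it against a real release build by passing the file contents to inspect_pe; an empty debug_sections list with coff_symbols False matches the stripped state the post above found acceptable to the scanner.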
-
Then you have to revert to the tedious task of reporting the false positives...