False Malware flagged by Virus Software

davido
Addict
Posts: 1890
Joined: Fri Nov 09, 2012 11:04 pm
Location: Uttoxeter, UK

False Malware flagged by Virus Software

Post by davido »

From time-to-time others have reported that Windows exe files compiled by PureBasic have caused problems because the virus software mistakenly flagged them as malware and would not run them.
I've used Kaspersky for some time and felt I was immune from this problem - Hubris!

Whenever I've tried to use ListEx Module by Thorsten1867 from the thread below, False Malware was flagged.
It was so bad that I was forced to disinfect the machine!

I tried to isolate the problem but nearly gave up as I was getting fed up of disinfecting the machine.
At last I discovered what appeared to be the offending line of code: Line 4228

Code:

  UsePNGImageDecoder()
Simply inserting the following code line before it completely removed the problem!

Code:

UseJPEGImageDecoder()
viewtopic.php?p=533673#p533673

I have had this problem occur as follows:

Windows 10 - 1809 - 64 bit
PureBasic 5.70LTS 64 bit
on a Ryzen 1950x based machine
and also on an Intel 6950 based machine

Has any one else experienced similar problems?

I haven't a clue what is going on here, but I hope it might give a clue to others.
DE AA EB
Mijikai
Addict
Posts: 1360
Joined: Sun Sep 11, 2016 2:17 pm

Re: False Malware flagged by Virus Software

Post by Mijikai »

Usually AVs just do 3 things.
1. heuristic scan
2. signature scan
3. run file in vm
(4. exfiltrate data)

Most AVs are really flawed at 1. and 3.

There are 4 options when software gets detected for no reason:
1. ask the AV company to fix it
2. implement anti AV code
3. abuse the detection system
4. advise your customers/users not to use the AV product

I personally would go with 2. and 4. at the same time.
Users can be educated and usually will avoid bad AV
products when simple workarounds are demonstrated.
I think there's no point in talking to the AV people as their
products have been and always will be flawed.

AVs are deeply integrated in your system and have access
to pretty much everything - keep that in mind.

Your security has already been breached.

It's risky to give all keys out if the security guy at the door is an idiot.
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: False Malware flagged by Virus Software

Post by Dude »

davido wrote: It was so bad that I was forced to disinfect the machine!
Do you mean you chose to disinfect, or your AV did actually force you to disinfect? It would've been a false-positive, which means you won't need to disinfect.

This false-positive problem occurs from time to time with PureBasic apps. One of my own had 38 out of 64 false positives, and I could never work out what triggered it, so I had to abandon that app and remove it from my website because people kept abusing me about it. A shame. :(

It's times like these that I understand why some people change their life (viewtopic.php?f=17&t=72446).
CELTIC88
Enthusiast
Posts: 154
Joined: Thu Sep 17, 2015 3:39 pm

Re: False Malware flagged by Virus Software

Post by CELTIC88 »

Alternative:
You can change the PureBasic PE signature to bypass AV ...

Code:

EnableExplicit
DisableASM

#IMAGE_SCN_CNT_CODE = 32
#IMAGE_SCN_CNT_INITIALIZED_DATA = 64
#IMAGE_SCN_CNT_UNINITIALIZED_DATA = 128
#IMAGE_SCN_MEM_DISCARDABLE = $2000000
#IMAGE_SCN_MEM_NOT_CACHED = $4000000
#IMAGE_SCN_MEM_NOT_PAGED = $8000000
#IMAGE_SCN_MEM_SHARED = $10000000                       
#IMAGE_SCN_MEM_EXECUTE = $20000000
#IMAGE_SCN_MEM_READ = $40000000
#IMAGE_SCN_MEM_WRITE = $80000000

Procedure FileToMem(File.s, *pMem.integer);Return Size File
  Protected hf = ReadFile(#PB_Any, File)
  If hf
    Protected sf = Lof(hf)
    *pMem\i = AllocateMemory(sf)
    If *pMem\i
      ReadData(hf,*pMem\i,sf)
    EndIf
    CloseFile(hf)
  EndIf
  If *pMem\i
    ProcedureReturn sf
  EndIf
EndProcedure

Procedure MemToFile(File.s,*pMem,Size)
  Protected fc = CreateFile(#PB_Any,File)
  If fc
    WriteData(fc, *pMem,Size)
    CloseFile(fc)
    ProcedureReturn Size
  EndIf
EndProcedure

Procedure align(Size, Alignment)
  Protected	ADDsize = Size / Alignment
  If (Size % Alignment) <> 0
    ADDsize + 1
  EndIf
  ProcedureReturn ADDsize  *  Alignment
EndProcedure

Structure sectionHeaderar
  sectionHeader.IMAGE_SECTION_HEADER[0]
EndStructure

Procedure Pe_patchepessignature(*Pe,SizePe,*SizeNewPe.long)
  
  Protected SizeSection = 5 ;size of shellcode
  Protected shellcode.q = 0
  Protected *pSection = @shellcode
  
  Protected FixNameSection.s{8} = "PATCH" ; name of new section
  *SizeNewPe\l = SizePe 
  
  Protected *Sb_Dh.IMAGE_DOS_HEADER = *Pe ; get pe info
  
  If *Sb_Dh\e_magic <> 23117 ; is pe?
    ProcedureReturn 0
  EndIf
  
  Protected *Sb_Nh.IMAGE_NT_HEADERS= *Sb_Dh+*Sb_Dh\e_lfanew
  
  Protected *pStub = AllocateMemory(SizePe + (SizeSection+ (*Sb_Nh\OptionalHeader\FileAlignment*2)))  ; calculate the new size of pe
 

  If Not *pStub:ProcedureReturn 0:EndIf
  CopyMemory(*Pe,*pStub,SizePe)
  
  *Sb_Dh = *pStub
  *Sb_Nh= *Sb_Dh+*Sb_Dh\e_lfanew
  Protected *Sb_Sh.sectionHeaderar=*Sb_Nh+SizeOf(IMAGE_NT_HEADERS)
  Protected nbSections = *Sb_Nh\FileHeader\NumberOfSections
  
  Protected newSection.IMAGE_SECTION_HEADER 
  newSection\Characteristics = #IMAGE_SCN_MEM_READ|#IMAGE_SCN_MEM_EXECUTE ; set new section Characteristics
  
  PokeS(@newSection\SecName,FixNameSection,8,#PB_Ascii)
  
  Protected	virtualAddress = align(*Sb_Sh\sectionHeader[nbSections - 1]\VirtualSize ,
           	                       *Sb_Nh\OptionalHeader\SectionAlignment) +
           	                      *Sb_Sh\sectionHeader[nbSections - 1]\VirtualAddress ; virtual Address of new section
  
  newSection\VirtualAddress = virtualAddress    
  
  PokeB(*pSection, $E9) ; jmp opcode
  PokeL(*pSection + 1, -(virtualAddress-*Sb_Nh\OptionalHeader\AddressOfEntryPoint+5)) ; relative "jmp" to real EntryPoint
  
  newSection\VirtualSize = SizeSection
  newSection\SizeOfRawData = align(SizeSection, *Sb_Nh\OptionalHeader\FileAlignment)
  Protected ptrRawData = align(*Sb_Sh\sectionHeader[nbSections - 1]\PointerToRawData + 
                               *Sb_Sh\sectionHeader[nbSections - 1]\SizeOfRawData, *Sb_Nh\OptionalHeader\FileAlignment)
  *SizeNewPe\l = ptrRawData  + align(SizeSection, *Sb_Nh\OptionalHeader\FileAlignment)
  newSection\PointerToRawData = ptrRawData     
  CopyMemory(*pSection, *pStub+ptrRawData, SizeSection)
  
  CopyMemory(@newSection, @*Sb_Sh\sectionHeader[nbSections], SizeOf(IMAGE_SECTION_HEADER))
  
  *Sb_Nh\OptionalHeader\SizeOfImage + align(newSection\VirtualSize, *Sb_Nh\OptionalHeader\SectionAlignment)
  
  *Sb_Nh\FileHeader\NumberOfSections + 1
  
  *Sb_Nh\OptionalHeader\AddressOfEntryPoint = virtualAddress ; set new AddressOfEntryPoint to new section address
  
  ProcedureReturn *pStub
EndProcedure

Procedure _Main()
  
  Protected pbexe.s  = ProgramParameter()
  If pbexe = ""
    pbexe  = OpenFileRequester("select purebasic exe","","exe|*.exe",0)
  EndIf
  If pbexe = ""
    End
  EndIf
  Protected *pExe = 0
  Protected SizeExe = FileToMem(pbexe,@*pExe)
  If SizeExe = 0
    MessageRequester("","error read exe file")
    End
  EndIf
  
  Protected SizeNewPe = 0
  Protected *NewpExe = Pe_patchepessignature(*pExe,SizeExe,@SizeNewPe)  
  
  If *NewpExe = 0
    MessageRequester("","error set code")
    End
  EndIf
  
  If MemToFile("crypted_" + GetFilePart(pbexe),*NewpExe,SizeNewPe) = 0
    MessageRequester("","error write exe file")
    End
  EndIf
  FreeMemory(*NewpExe)
  FreeMemory(*pExe)
  
EndProcedure

_Main()
interested in Cybersecurity..
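A defender-side check for the layout that this patcher produces, added here as an example (it is not CELTIC88's code and not part of the thread): it walks the PE section table and flags an image whose entry point sits in the last section and begins with a JMP rel32 back into an earlier section, which is exactly the stub the tool appends. The only dependency is Python's struct module; the PE that build_sample_pe() returns is constructed for the demonstration and is not a real program.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 or PE32+ image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                     # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    entry = struct.unpack_from("<I", pe, nt + 40)[0]               # OptionalHeader.AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, nt + 24 + opt_size + i * 40)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "span": max(vsize, rawsize), "raw": rawptr})
    return entry, secs

def section_index(secs, rva):
    return next((i for i, s in enumerate(secs) if s["va"] <= rva < s["va"] + s["span"]), None)

def entry_stub_redirect(pe: bytes):
    """Entry point in the LAST section and its first instruction a JMP rel32 (E9) into an earlier section."""
    entry, secs = parse_pe(pe)
    idx = section_index(secs, entry)
    if len(secs) < 2 or idx != len(secs) - 1:
        return None
    off = secs[idx]["raw"] + (entry - secs[idx]["va"])             # file offset of the entry point
    if pe[off:off + 1] != b"\xE9":
        return None
    rel = struct.unpack_from("<i", pe, off + 1)[0]                 # signed rel32 operand
    target = (entry + 5 + rel) & 0xFFFFFFFF                        # RVA the JMP lands on
    tidx = section_index(secs, target)
    if tidx is None or tidx >= idx:
        return None
    return {"stub": secs[idx]["name"], "target_rva": target, "target": secs[tidx]["name"]}

def build_sample_pe(patched: bool) -> bytes:
    """Constructed PE32: .text at RVA 0x1000 holding a RET; when patched, a 'PATCH' section whose JMP goes back to 0x1000."""
    secs = [(b".text", 0x1000, 0x400, b"\xC3")]
    if patched:
        secs.append((b"PATCH", 0x2000, 0x600, b"\xE9" + struct.pack("<i", 0x1000 - (0x2000 + 5))))
    entry = secs[-1][1]                                            # entry point = RVA of the last section
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # DOS header with e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    hdr += struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")  # PE32 optional header
    img = bytearray(0x800)
    for name, va, raw, code in secs:
        hdr += SECTION_HDR.pack(name, len(code), va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
        img[raw:raw + len(code)] = code
    img[:len(hdr)] = hdr
    return bytes(img)
```

Legitimate packers and some protectors leave the same shape, so a hit is a reason to inspect the binary, not a verdict on its own.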
skywalk
Addict
Posts: 3972
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: False Malware flagged by Virus Software

Post by skywalk »

I had similar problems with tiny tools. I could change the AVS alert by adding more size to my exe. Just adding a UsePNGImageDecoder() or UsePNGImageEncoder() passed their sniff test.
In the end it was too annoying so I created a white list exclusion list.

This is why I was hoping PB would allow us to define an explicit path for compiles. Debugging small code without saving to a file currently goes to PureBasic_compilationX.exe within a user's temp folder. That I cannot exclude.

More help could come from easier signing methods within our exe's. On Windows I use the resource file method.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: False Malware flagged by Virus Software

Post by Bitblazer »

A lot of antivirus software seems to still be very poorly written. I switched to Kaspersky AV and that solved the problem for myself. I fear we will have to live with bogus AV alerts for a while due to the serious lack of detection quality. You can find tests and discussions about this on multiple software development forums. I was about to pay for a yearly certificate to get rid of this problem, but I found out in time that even signed binaries with a valid signature can get flagged.

The best solution I found for now is to release binaries with valid SHA1/2 checksums on your webpage and trying to educate users to use a more trustworthy AV engine in the long run.

Things I tested which only work on some engines:
  • bloat the exe
  • reporting false positives to AV engine creators
  • avoid certain libraries like PNG
  • sign Binaries
  • white listing
  • release sources with detailed compilation instructions
Nothing worked for all users/AV engines. Some methods work for some AV engines though - in some cases this can be enough.
webpage - discord chat links -> purebasic GPT4All
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: False Malware flagged by Virus Software

Post by Dude »

CELTIC88 wrote: you can change purebasic pe signature to bypass av
Hi CELTIC88, I tried your code with my "infected" exe and it instantly reduced the number of false-positives:

Before: 26/68 false positives -> https://i.imgur.com/AUqnp8A.png
After: 10/69 false positives -> https://i.imgur.com/h9ZKj1r.png

Woohoo! :D My modded exe ran normally too, without any issues. Before, Win 10 quarantined it: https://i.imgur.com/0B2En73.png

Many thanks for the code! 8) I did have to make one little change: the crypted file wasn't written next to the original file, so I didn't find it at first. So I just changed the following line so the new exe goes in the same folder as the old exe:

Code:

;If MemToFile("crypted_" + GetFilePart(pbexe),*NewpExe,SizeNewPe) = 0
If MemToFile(GetPathPart(pbexe) + "crypted_" + GetFilePart(pbexe),*NewpExe,SizeNewPe) = 0
I will definitely be using your code on my exes in future. You have no idea how happy this has made me! :mrgreen:
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: False Malware flagged by Virus Software

Post by firace »

Interesting! Thanks CELTIC88.

And thanks to Dude for the test. BTW, are those screenshots from VirusTotal? The layout looks quite different from the VirusTotal I know - is there a new theme or something?
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: False Malware flagged by Virus Software

Post by Dude »

Yes, VirusTotal web results from my uploads. Been that way for a while.
davido
Addict
Posts: 1890
Joined: Fri Nov 09, 2012 11:04 pm
Location: Uttoxeter, UK

Re: False Malware flagged by Virus Software

Post by davido »

Thank you all for your very helpful replies.

Dude wrote:
davido wrote: It was so bad that I was forced to disinfect the machine!
Do you mean you chose to disinfect, or your AV did actually force you to disinfect? It would've been a false-positive, which means you won't need to disinfect.

This false-positive problem occurs from time to time with PureBasic apps. One of my own had 38 out of 64 false positives, and I could never work out what triggered it, so I had to abandon that app and remove it from my website because people kept abusing me about it. A shame. :(

It's times like these that I understand why some people change their life (viewtopic.php?f=17&t=72446).
From previous posts regarding these types of problems I was certain that this was a 'false-positive' and also the code I compiled was from a safe source.
At first I didn't see a way forward except by disinfecting. However, I did eventually find a way of ignoring the apparent ultimatum.
DE AA EB