Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
plouf
Enthusiast
Posts: 250
Joined: Fri Apr 25, 2003 6:35 pm
Location: Athens,Greece

Re: Oh crap... PB ransomware

Post by plouf »

benubi wrote: Thu Jun 08, 2023 12:50 pm If that's so it proves there's no real way of fixing it on the PB side.

You can change all the standard libs, Mr. PureLocker compiles a new .exe and I guess it's then like Russian roulette to what part of the virus will be taken as "the" signature. If AVs flag signed executables you can't even really buy your way out.

We may find work-arounds and restructure our code to make it more "acceptable" for the AV's, but the bad guys may follow and copy our techniques :(
That's the point... no matter what you do, it is pure luck to be "detection free".

Extensive work to create a really "best guess" output of the PB compiler will give you a small random time.
Additionally, doing so will create the impression for some that every time a detection is made it is PBCOMPILER's fault... which of course it is not, and will make that impression grow, putting the blame back every time and more.....

Therefore, for all these reasons, judge whether doing so is profitable or not....

Obviously, detection free falls back to popularity and manual submission tens of times to virus tools.... not even worth it
Christos
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

Fred wrote: Mon Jun 05, 2023 10:34 am I checked the business Virus Total API price and it's like 20k$ a year (!). Big pass here haha
We are going to have to rent Fangles out for parties if we are going to raise that kind of money. :mrgreen:
Best wishes to the PB community. Thank you for the memories. ♥️
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

BarryG wrote: Wed Jun 07, 2023 8:20 am That damn tool says my app is malicious because it reads the clipboard. It's madness.
Many years back, the other PB was getting its EXEs flagged for some reason. Bob Zale managed to track down what the issue was IIRC, and from memory it was something equally as benign as reading from the clipboard. IIRC, it was a simple API being called that set things off.
Best wishes to the PB community. Thank you for the memories. ♥️
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

I just scanned an EXE made in the other PB for comparison and this is the result.

I think no matter what you use, language wise, there will usually be something flagged nowadays. Not sure how well Spider Basic created web apps would do in a scan, but I have always cursed the false positives generated by AV vendors.
Best wishes to the PB community. Thank you for the memories. ♥️
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

Scanned Trial Dungeon by RIcardo written in SB. CLEAN!

Considering only using SB from now on... Hmmm....
Best wishes to the PB community. Thank you for the memories. ♥️
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

Here is an EXE of one of my WIPs, just scanned it and only 2 niggles. This is a 64 bit EXE.

Nothing is perfect, but I can live with 2 niggles. :mrgreen: Very small tradeoff for the luxury of using a language like PB. However, I recognize for deployment in the corporate environment, any niggle is one too many.
Best wishes to the PB community. Thank you for the memories. ♥️
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

Something I wrote elsewhere back on 01 OCT 17


Software Protection...

The old software protection method I used for years was Armadillo. Handled registrations good, but was bloated and became increasingly insecure for the $$ it cost. For distribution on free stuff, I used Molebox and a proprietary method, both of which are in my stuff in storage and I can't access them. So, I explored the current offerings including new protection programs.

The mafioso protection racket designed by AV authors with their false positives has become absurd. I compiled a simple demo program in PowerBASIC.

1. As is, compiled and then tested in Virus Total, the program was 76k and scored a 2/64. Ironically, this is the ONLY one who flags Comodo. Native PB was the only one to flag what I consider to be one of the big boys and legitimate programs. I would be curious to retry this in PB 9, as PB 9 was a better product (much smaller compiled EXEs and often much faster compiled EXEs).

2. The same EXE compressed with ASPack was 42k and scored 15/62.

3. The same EXE compressed with UPX (ultra brute) was 37k and scored 10/63. Not only is UPX finally compressing smaller than ASPack, it also triggers less false positives. Needless to say, I will NOT be repurchasing ASPack (I own it, but it is in storage).

4. The same EXE, protected with a new protector which also compresses/encrypts was 54k and scored 24/64. Not bad on compression, given the type of product it is, but the false positives are concerning. But, the program works well and seems easy to use for me as well as potential customers.

These AV authors have literally made it almost impossible for an indie developer to exist. Something I have raved about for years, but it is getting increasingly worse over the years. Even if indie developers tell their customers the truth, that the program is fine and the AV company is wrong, the customers are still going to believe the multi-million dollar AV company and not run your software and bad mouth it for viruses.

As indie developers, we are expected to do the work of the lazy and incompetent AV authors and report false positives and hope and pray they safe list our program, which may or may not happen and may or may not require money changing hands. Self-proclaimed AV experts, have been running roughshod over indie authors for many years. The only ones who are not routinely dealing with false positives are the major software companies who do exchange some $$ with the AV authors.

I am amazed there have not been multiple class action suits against every AV author out there due to their continued false allegations that a program is or may be harmful when it is not.

Very hard to think about even trying to compete in today's software market...
Best wishes to the PB community. Thank you for the memories. ♥️
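Packer section names and near-random section contents are common inputs to heuristic scanners, which is the kind of trait the ASPack and UPX builds in the post above carry and the plain build does not. The following is an added example, not part of the original post: a pre-release check that lists those traits for a PE file. The function names, the 7.0 entropy cut-off and the two sample buffers are assumptions constructed for illustration.

```python
import math, struct
from collections import Counter

# Section names left by the two packers named in the post.
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack", ".adata": "ASPack"}
ENTROPY_LIMIT = 7.0  # assumed cut-off; compressed or encrypted data nears 8 bits/byte

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (count,) = struct.unpack_from("<H", pe, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe: bytes) -> list:
    """List the packer traits a heuristic scanner could key on."""
    hits = []
    for name, raw in sections(pe):
        if name in PACKER_SECTIONS:
            hits.append(f"{name}: {PACKER_SECTIONS[name]} section name")
        if entropy(raw) > ENTROPY_LIMIT:
            hits.append(f"{name}: high entropy")
    return hits

def build_sample(secs) -> bytes:
    """Constructed PE-shaped buffer (headers and raw data only, not a runnable EXE)."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0, 0)
    ptr, table, body = len(head) + 40 * len(secs), b"", b""
    for name, data in secs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0,
                             len(data), ptr + len(body), 0, 0, 0, 0, 0)
        body += data
    return head + table + body

PLAIN = build_sample([(".text", b"mov eax, 1; ret " * 64), (".data", bytes(512))])  # constructed
PACKED = build_sample([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])  # constructed
```

On a real build, pass the file's bytes to `packer_indicators` before and after packing to see which traits the packer introduced.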
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Kuron wrote: Fri Jun 09, 2023 6:42 am Here is an EXE of one of my WIPs, just scanned it and only 2 niggles
Ah yes, Microsoft and SecureAge. They've both given me lots of false positives before, but the good news is they both quickly remove the false positive if you report it. Here's the links I use to report my false positives with them:

https://www.microsoft.com/en-us/wdsi/filesubmission

https://www.secureage.com/support/report-false-positive

I have these saved as shortcuts for easy reporting. Hehe.
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

I do not have a MS account, so could never submit something there.

I have actually seen one developer who scans with Virus Total and when it got a lot of hits, he advertised on his site his product scanned safe with 42 leading AV programs. :mrgreen:
Best wishes to the PB community. Thank you for the memories. ♥️
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Kuron wrote: Fri Jun 09, 2023 7:13 pm I do not have a MS account
Create one. It doesn't have to be linked to your Windows install. I have two Microsoft accounts: one for using Windows, and one other that is never logged in or used except for reporting false-positives. I log out of it after the report is done. It's kind of the way life is these days for everything: one real account for family/friends, and one spare for spam and other things.

It's better to have a spare Microsoft account than your app getting flagged by VirusTotal and Windows Defender. A lot of people only use Windows Defender, so you need to make sure your app is white-listed with it.
Fred
Administrator
Posts: 16618
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

Yes, Windows Defender is the main one now, other AVs are losing traction
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

@BarryG Touché. I will do that.
Best wishes to the PB community. Thank you for the memories. ♥️