McAfee flagging Powerbasic

  • #21
    Wow. This thread is a monument to ADHD.

    Anyway, I submitted the PBWin.exe ( SHA-256 hash DD26AF47C3973F67459A7C80826409C3A9AE59DACF1A5C177B0B9A094EAA8BF0) to McAfee back on August 3, but they've not fixed their detection files. On my own software, when I've had files flagged by McAfee, they have usually fixed their detection within a day or two. Virustotal now has 5 out of 66 AV products flagging PBWin.exe.

    Michael Burns


    • #22
      In general, users assume that antivirus software must be infallible.
      We know from practical experience that this is not the case. No matter from which provider.
      Especially if the corresponding software works heuristically, only patterns are searched for. This offers fast protection, but is more susceptible to false alarms.
      Only, what do I tell customers who assume infallibility?
      More and more criminals will try to prey online in the future.
      And this increases user fear.
      For this reason, vendors are trying to protect their software with certificates to detect manipulation earlier.
      It is intended to convey security that may not exist in the end.
      • J. Buckel
        A sure friend is discerned in an uncertain situation. (Amicus certus in re incerta cernitur.)
        Marcus Tullius Cicero


      • #23
        This is what I get from jotti in pbwin.exe
        Name: PBWin.exe
        Size: 840kB (860,160 bytes)
        Type: PE32 executable (GUI) Intel 80386, for MS Windows
        First seen: 15 August 2018 at 11:19:45 CEST
        MD5: b375ce0fc8f57e49069aab3c13ca704a
        SHA1: 8fad3a529e1a88fa6d503da9ee8433e3bf20200c
        Status: Scan finished. 0/16 scanners reported malware.
        Scan taken on: 15 August 2018 at 11:19:47 CEST
        0 out of 16 says there is nothing wrong with it.

        Time for your customers to change their AV scanners, junk that drops false positives needs to either be fixed or replaced.

        As has been mentioned above, make sure you have a valid manifest and version control block as the donkey end of AV scanners look for these things and if they are not present, they dump a false positive as they do not have the analytic capacity to evaluate a 32 bit PE file according to its specifications.
        hutch at movsd dot com
        The MASM Forum

        www.masm32.com


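Before arguing with a vendor it helps to know exactly what is being submitted: the MD5/SHA-1/SHA-256 that Jotti and VirusTotal key on, whether the file is PE32 or PE32+, GUI or console, and whether the resource section really carries the VERSIONINFO and manifest that hutch mentions above. The script below is an added example written for this thread, not code from PowerBASIC, Jotti, MASM32 or any AV vendor. It reads the PE headers directly with the standard library only; the image it inspects when run without arguments is a constructed, non-executable PE32 stub built by `build_sample_pe()`, so nothing here is the real PBWin.exe. Pointed at a real file (`python pe_inspect.py PBWin.exe`) it prints the same hashes the scanners report plus the two resource checks.

```python
"""Inspect a Windows PE file before submitting it to an AV vendor: hashes,
PE32 vs PE32+, GUI vs console subsystem, and whether the resource section
carries a VERSIONINFO (RT_VERSION = 16) and an application manifest
(RT_MANIFEST = 24). Added example; standard library only. The sample PE
built by build_sample_pe() is a constructed, non-executable stub."""
import hashlib
import struct
import sys

RT_VERSION, RT_MANIFEST = 16, 24
MACHINE = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEM = {2: "GUI", 3: "console"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, the identifiers Jotti and VirusTotal report."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def _rva_to_offset(rva: int, sections: list) -> int:
    """Translate a virtual address into a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to answer the questions above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature (16-bit NE or plain DOS image?)")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (92 if magic == 0x10B else 108))[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # start of the data directory table
    sections = []
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    resource_types = []
    rsrc_rva = struct.unpack_from("<I", data, dirs + 2 * 8)[0] if ndirs > 2 else 0
    if rsrc_rva:
        root = _rva_to_offset(rsrc_rva, sections)
        n_named, n_ids = struct.unpack_from("<HH", data, root + 12)
        for i in range(n_named + n_ids):                # root level of the tree lists resource types
            ident = struct.unpack_from("<I", data, root + 16 + 8 * i)[0]
            if not ident & 0x80000000:                  # high bit set means a named entry, not a type ID
                resource_types.append(ident)
    return {
        "format": "PE32" if magic == 0x10B else "PE32+",
        "machine": MACHINE.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "has_version_info": RT_VERSION in resource_types,
        "has_manifest": RT_MANIFEST in resource_types,
        **file_hashes(data),
    }


def build_sample_pe(resource_types=(RT_VERSION, RT_MANIFEST), subsystem=2) -> bytes:
    """Constructed PE32 stub (no code, one .rsrc section) used as sample input."""
    file_align, rsrc_rva, rsrc_raw = 0x200, 0x1000, 0x200
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(resource_types))
    root += b"".join(struct.pack("<II", t, 0x80000000) for t in resource_types)
    rsrc = root.ljust(file_align, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)     # i386, one section, executable
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, len(rsrc), 0, 0x1000, 0x1000, rsrc_rva,
                      0x400000, 0x1000, file_align, 4, 0, 0, 0, 4, 0,
                      0, 0x2000, file_align, 0, subsystem, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(root))                                      # IMAGE_DIRECTORY_ENTRY_RESOURCE
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(root), rsrc_rva, len(rsrc), rsrc_raw,
                       0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(rsrc_raw, b"\0")
    return headers + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in inspect_pe(blob).items():
        print(f"{key:18} {value}")
```

A 16-bit NE image such as the V7 compiler discussed later in the thread fails the `PE\0\0` check, which is the same reason a 64-bit Windows refuses to run it; a missing VERSIONINFO or manifest shows up as `False` and is worth fixing before the next submission, whether or not it is what a particular engine keys on.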
        • #24
          Dang! I also found my PBWin.exe (V10) removed by that @#$%$& McAfee AV ... It's my work PC, so I asked the IT guys at work whether I can whitelist PBWin.exe. So far, no action from them.
          On older PBWin.exe's (V7, V8 ...) I get the following error message when I try to run them: "The version of this file is not compatible with the version of Windows you're running. Check your ......" ....
          I don't know if this is a Windows thing or also related to McAfee .......
          Eddy


          • #25
            Originally posted by Eddy Van Esch:
            On older PBWin.exe's (V7, V8 ...) I get the following error message when I try to run them: "The version of this file is not compatible with the version of Windows you're running. Check your ......" ....
            Ah, looks like I got that error message trying to run PBWin.exe of V7.0. That was still a 16-bit program, so it seems:
            Name: PBWin.exe
            Size: 257.99kB (264,180 bytes)
            Type: MS-DOS executable, NE for MS Windows 3.x
            First seen: August 24, 2018 at 10:38:11 AM GMT+2
            MD5: fbb315a22da54030a9b2d19882271cfb
            SHA1: 70c69de03d40644377c4f7fc6371fc6a9bfaf854
            PBWin.exe V8 and V9 run fine. V10 gets killed by McAfee ...
            Eddy


            • #26
              McAfee has a Virtual Assistant and Virtual Technician found by using Google.
              McAfee can also remove network traffic which has to be configured.
              In a corporate environment it gets even more complicated, but they should be able to exclude PBwin for a user.
              When something went wrong, it was McAfee or BitDefender so I finally quit using them (though they are good products.)
              https://www.tesla.com/roadster


              • #27
                As of this evening:
                6 engines detected this file
                https://www.virustotal.com/#/file/dd...8bf0/detection
                SHA-256: dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0
                File name: PBWin.exe
                File size: 844 KB
                Last analysis: 2018-08-28 01:50:23 UTC
                Babable: Malware.HighConfidence
                Comodo: .UnclassifiedMalware
                CrowdStrike Falcon: malicious_confidence_80% (D)
                McAfee: RDN/Generic.RP
                McAfee-GW-Edition: RDN/Generic.RP
                TrendMicro-HouseCall: TROJ_GEN.R002H06H418
                Ad-Aware: Clean
                AegisLab: Clean
                AhnLab-V3: Clean
                ALYac: Clean
                Antiy-AVL: Clean
                Arcabit: Clean
                Avast: Clean
                Avast Mobile Security: Clean
                AVG: Clean
                Avira: Clean
                AVware: Clean
                Baidu: Clean
                BitDefender: Clean
                 Bkav: Clean
                CAT-QuickHeal: Clean
                ClamAV: Clean
                CMC: Clean
                Cybereason: Clean
                Cylance: Clean
                Cyren: Clean
                DrWeb: Clean
                eGambit: Clean
                Emsisoft: Clean
                Endgame: Clean
                eScan: Clean
                ESET-NOD32: Clean
                F-Prot: Clean
                F-Secure: Clean
                Fortinet: Clean
                GData: Clean
                Ikarus: Clean
                Jiangmin: Clean
                K7AntiVirus: Clean
                K7GW: Clean
                Kaspersky: Clean
                Kingsoft: Clean
                Malwarebytes: Clean
                MAX: Clean
                Microsoft: Clean
                NANO-Antivirus: Clean
                Palo Alto Networks: Clean
                Panda: Clean
                Qihoo-360: Clean
                Rising: Clean
                SentinelOne: Clean
                Sophos AV: Clean
                Sophos ML: Clean
                SUPERAntiSpyware: Clean
                Symantec: Clean
                TACHYON: Clean
                Tencent: Clean
                TheHacker: Clean
                VBA32: Clean
                VIPRE: Clean
                ViRobot: Clean
                Webroot: Clean
                Yandex: Clean
                Zillya: Clean
                ZoneAlarm: Clean
                Zoner: Clean
                Alibaba: Unable to process file type
                Symantec Mobile Insight: Unable to process file type
                Trustlook: Unable to process file type
                Michael Burns


                • #28
                  Michael .. At the time when I ran VirusTotal yesterday, there were only 5 of 66 detections. So one changed his mind ... ;-)
                  Jotti Malware scanner didn't find anything.
                  Our company's IT department is checking it out. According to McAfee it is the 'Artemis' virus. The IT guy said they have had serious problems with this virus in the company, so I assume they move with caution. Personally, I think it is that #$%&@ heuristic scanning that is the culprit. Heuristic scanning is a remedy that is a little less bad than the disease .. but not much ... :-(
                  Eddy


                  • #29
                    Originally posted by Eddy Van Esch:
                    Heuristic scanning that is the culprit. Heuristic scanning is a remedy that is a little less bad than the disease .. but not much ... :-(
                    So, what's your proposed alternative that can deal with self-modifying viruses? Signature-based scanning doesn't cut it any longer these days.

                    As a sysadmin, I can tell you that heuristics saved our rear more often than not.


                    • #30
                      Originally posted by Knuth Konrad:
                      As a sysadmin, I can tell you that heuristics saved our rear more often than not.
                      Ok, I will give you the benefit of the doubt ....

                      Eddy


                      • #31
                        The way the AV makers I've had conversations with stop a file from being flagged as a false positive, without messing with their heuristics algorithms, is to have universal whitelists for files that contain the file hash of the "known clean" version of the file. That allows them to uniquely identify that known clean version and override what the AV engine says.

                        All any of those AV makers have to do to deal with reported false positives is to actually examine the file and, when they determine it's clean, add it and its hash to their product's universal whitelist. The operative phrase is "examine the file". Unfortunately, some AV makers are not just lazy about cleaning up their false positives, but simply flag a file if they see someone else flag it on VirusTotal. In my experience, getting my own software releases whitelisted after being false-positived by an AV maker takes a lot of work. The so-called "AI" AV makers are the worst, as they often (I won't name names) don't have any false positive reporting systems for non-customers (and some not even for customers).

                        Drake, since it owns this product, should be driving this issue of getting Power Basic to not be flagged as infected, not us customers.

                        BTW, Jotti Malware is fine, but only scans against 15 AV products (Avast, Dr. Web, Fortinet, Gdata, Sophos, Bitdefender, eScan, F-Prot, Ikarus, TrendMicro, ClamAV, ESET, F-Secure, K7, VBA32), all of which are a subset of VirusTotal's 66 AV products. Jotti does not identify which product variant of some of the AV products it uses, which probably explains why its "Trend Micro" does not flag PBWin.exe but VirusTotal's "TrendMicro-HouseCall" does. They are using different product variants. (Same for K7, ESET, maybe more.) I always run my releases through VirusTotal before the actual release & then start submitting false positive reports to any AV makers right away. I also put a comment on VirusTotal identifying myself as the author, listing the "false flag bad boys" at the time of the scan with a statement that I have reported the false positives to them (or naming who false-positived but has no reporting mechanism). That way, any sysadmin who looks can at least see my comment & contact me if they want. I also rescan periodically & update the comment as the list of false positives changes. Ideally, that list eventually goes to zero.
                        Michael Burns


                        • #32
                          There's another benefit of running files through VirusTotal: it shares the results with all participating AV companies:

                          Upon submitting a file or URL basic results are shared with the submitter, and also between the examining partners, who use results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raise the global IT security level.
                          BTW, there's an API to automate submission: https://support.virustotal.com/hc/en...69-API-scripts

                          As for the matter of different products from the same vendor producing different results: as absurd as it may sound, I remember that back in the day some of the free or home-user products didn't even use the AV scanning engine of the vendor's own business product line, but a 3rd-party engine which they licensed and just wrapped a UI around. Namely Trend Micro. Not sure if that's the case, though.

                          Back to heuristic scanning: these days, there's basically no way around these, as anything but the most "dumb" viruses are generated on the fly, e.g. https://www.rapid7.com/db/modules/en...shikata_ga_nai, which ofc results in differing (AV) signatures.

                          As a very basic (sic!) example, look no further than the myriads of Office documents prepared with malicious VBA scripts. Our spam filter caught lots of those by us simply blocking all *.doc, *.xls etc. I can tell you that the presentation of these emails and attached documents is very convincing. I actually was both surprised and shocked about how good they are. The best ones were addressed to HR, referring to a real current job opening, addressing HR employees by name and including real nice-looking CVs and certificates (with fake data, ofc). So no more "YO THERE, CLIK LINK FOR SUPPER IMPORTAND DOCUMENT" amateurish phishing attempts. It actually took me more than the typical couple of seconds to figure out that this email is malware. And that with the advantage of having our spam filter's list of identical emails, where the seemingly same person in one email calls herself "Anna Smith", but in the second email it's "Anne Miller", with otherwise identical documents, including "her" picture, ofc taken from a random website.

                          But just juggling with the name used throughout the documents, the author changed the hashes/signatures of these files, defeating any signature-based detection. And automating the creation of Office and PDF documents is quite easy and fast, in comparison to updating and especially distributing new AV signatures.


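The point Knuth makes about the renamed CVs, and the one Eddy and he argue over above, can be shown with a few lines: a hash signature learned from the first wave stops matching as soon as one name inside the document changes, while a rule that looks at the container's structure keeps firing. The script below is an added example written for this thread, not code from any AV product or spam filter. It builds two Word-style macro containers (.docm, which are just zip files) in memory; they differ only in the applicant's name in `word/document.xml` and both carry a `word/vbaProject.bin` part. That part is an inert placeholder string, not VBA, so the samples are harmless; the rule only checks that the part exists, which is the same thing Knuth's blanket block on Office attachments relied on.

```python
"""Why a hash signature dies the moment the attacker edits one name while
a structural rule keeps firing. Two Word-style macro containers (.docm)
are built in memory; they differ only in the applicant's name inside
word/document.xml, but both carry a word/vbaProject.bin part. Added
example; the documents are constructed here and the "macro" part is an
inert placeholder, not VBA."""
import hashlib
import io
import zipfile


def make_docm(applicant: str) -> bytes:
    """Constructed OOXML container with a macro part and a personalised body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:p>Application from {applicant}</w:p>"
                   "</w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"PLACEHOLDER, NOT A REAL VBA PROJECT")
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hit(data: bytes, blocklist: set) -> bool:
    """Classic signature: exact hash match against known-bad samples."""
    return sha256(data) in blocklist


def has_macro_part(data: bytes) -> bool:
    """Structural rule: any OOXML zip that carries a vbaProject.bin part.
    Survives edits to the document text because it never looks at the hash."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(samples: dict, blocklist: set) -> dict:
    """Per sample: what the hash signature says versus the structural rule."""
    return {label: {"sha256": sha256(d)[:16],
                    "hash_hit": hash_signature_hit(d, blocklist),
                    "macro_part": has_macro_part(d)}
            for label, d in samples.items()}


if __name__ == "__main__":
    first = make_docm("Anna Smith")
    second = make_docm("Anne Miller")      # same document, one name changed
    known_bad = {sha256(first)}             # signature learned from the first wave
    for label, verdict in triage({"Anna Smith": first, "Anne Miller": second}, known_bad).items():
        print(label, verdict)
```

The first sample is caught by both checks; the second is missed by the hash lookup and caught only by the structural rule. Real engines generalise this idea (section layout, import tables, byte n-grams, emulation), which is exactly why a brand-new, legitimate compiler binary can land on the wrong side of one of those generalisations.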
                          • #33
                            Still not fixed; today my McAfee also decided to quarantine PBWin.exe. I tried to speak to McAfee to get assistance, and they told me my anti-virus was not running. How strange, must be magic or witchcraft then.

                            So to simply get around the issue as I trust PBWin.exe to be a safe bet, I added it to the excluded files list on the real time scanner, problem has now gone away and I can now get on with some work.
                            Richard


                            • #34
                              Yes, the IT guys at my company also had to whitelist PBWin.exe to prevent it from being quarantined. Fortunately, they know PowerBASIC.
                              Eddy


                              • #35
                                Then send final program to customers and they all have a problem.
                                I had same problem with Malwarebytes and they updated definitions in about 3-days.
                                In other words, stick with it until they fix it.


                                https://www.tesla.com/roadster


                                • #36
                                  Originally posted by Mike Doty:
                                  Then send final program to customers and they all have a problem.
                                  Are you sure about this? PBWin.exe is the compiler. If that is flagged, that doesn't mean that the exe it produces is flagged, is it ..?
                                  Eddy


                                  • #37
                                    Missed that it was the compiler. Thanks.
                                    Would still keep the issue open with McAfee.

                                    https://www.tesla.com/roadster


                                    • #38
                                      Originally posted by Mike Doty:
                                      Would still keep the issue open with McAfee.
                                      I searched their site to see where I could post or send false positives, but I couldn't find it. That's probably no coincidence ... Or I simply didn't search hard enough.
                                      But since my company is McAfee's customer, they probably wouldn't have accepted anything from me ...
                                      Eddy


                                      • #39
                                        I did a google search using site:mcafee.com report false positive

                                        https://kc.mcafee.com/corporate/inde...ent&id=KB85567
                                        https://www.tesla.com/roadster


                                        • #40
                                          The September 14, 2018 McAfee scan on my QNAP server finally did not flag PBWin.exe. I just had Virustotal rescan it, and now only CrowdStrike Falcon flags it, and CrowdStrike Falcon flags it as "malicious_confidence_80% (D)". Only took McAfee 6 weeks of people reporting their false positive for them to clean up their act.

                                          https://www.virustotal.com/#/file/dd...8bf0/detection
                                          Michael Burns

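Michael's routine from #31 (scan before release, report every false positive, rescan until the list is empty) and the API Knuth points to in #32 fit together in a short script. What follows is an added example written for this thread, not code from VirusTotal or PowerBASIC. It uses the public v3 file-report endpoint (`GET /api/v3/files/{sha256}` with the key in the `x-apikey` header) as documented by VirusTotal; the two reports it diffs are constructed from the verdicts posted in #27 and #40 above and are not real API output, and only a subset of the 66 engines is included. With an API key it can pull the live report for the PBWin.exe hash; offline it just diffs the two snapshots, which is the six-week story of this thread in one dictionary.

```python
"""Track a release's VirusTotal verdicts until the false-positive list
reaches zero: build the v3 file-report request for a SHA-256, list the
engines that flag the file, and diff two reports taken weeks apart.
Added example; the two reports are constructed from the verdicts quoted
in this thread and are not real API output."""
import json
import sys
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"
PBWIN_SHA256 = "dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0"


def vt_file_request(sha256: str, api_key: str) -> urllib.request.Request:
    """GET /api/v3/files/{hash}; the key travels in the x-apikey header, never in the URL."""
    return urllib.request.Request(VT_FILES + sha256, headers={"x-apikey": api_key})


def fetch_report(sha256: str, api_key: str) -> dict:
    """Live lookup (network); not exercised by the offline run below."""
    with urllib.request.urlopen(vt_file_request(sha256, api_key)) as resp:
        return json.load(resp)


def flagged_engines(report: dict) -> dict:
    """Engines whose verdict is malicious or suspicious, mapped to their label."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {engine: r["result"] for engine, r in sorted(results.items())
            if r["category"] in ("malicious", "suspicious")}


def diff_reports(old: dict, new: dict) -> dict:
    """What cleared, what is newly flagged, and what still needs a vendor ticket."""
    before, after = set(flagged_engines(old)), set(flagged_engines(new))
    return {"cleared": sorted(before - after),
            "new": sorted(after - before),
            "still_flagged": sorted(before & after)}


def _report(verdicts: dict) -> dict:
    """Shape a {engine: (category, result)} map like a v3 file object."""
    return {"data": {"type": "file", "id": PBWIN_SHA256, "attributes": {
        "last_analysis_results": {e: {"category": c, "result": r}
                                  for e, (c, r) in verdicts.items()}}}}


# Constructed from the 2018-08-28 and 2018-09-14 snapshots posted in the thread (subset).
AUG_28 = _report({
    "Babable": ("malicious", "Malware.HighConfidence"),
    "Comodo": ("malicious", ".UnclassifiedMalware"),
    "CrowdStrike Falcon": ("malicious", "malicious_confidence_80% (D)"),
    "McAfee": ("malicious", "RDN/Generic.RP"),
    "McAfee-GW-Edition": ("malicious", "RDN/Generic.RP"),
    "TrendMicro-HouseCall": ("malicious", "TROJ_GEN.R002H06H418"),
    "Kaspersky": ("undetected", None),
    "Microsoft": ("undetected", None),
    "Alibaba": ("type-unsupported", None),
})
SEP_14 = _report({
    engine: (("malicious", "malicious_confidence_80% (D)") if engine == "CrowdStrike Falcon"
             else ("undetected", None))
    for engine in AUG_28["data"]["attributes"]["last_analysis_results"]
})


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python vt_track.py <sha256> <api-key>
        print(json.dumps(flagged_engines(fetch_report(sys.argv[1], sys.argv[2])), indent=2))
    else:
        print("flagged on 2018-08-28:", flagged_engines(AUG_28))
        print("change by 2018-09-14: ", diff_reports(AUG_28, SEP_14))
```

Running it offline shows five engines cleared (both McAfee entries among them) and CrowdStrike Falcon still flagged, matching #40. Keeping the API key out of the URL matters because request lines end up in proxy and web-server logs; the header does not.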