McAfee flagging Powerbasic

  • Brice Manuel
    replied
    Originally posted by James McNab:
    Brice, what do you mean when you say that Win10 is not as heavy as Win7?

    Apologies for the delay in response, I was out of town for a month with no internet access.

    I mean it is not as resource-intensive and will run better on lower-end systems than Windows 7. I happily use Windows 10 every day on a system with only 2GB of RAM. I would never consider doing that with Windows 7. Of course, Windows 10 does have memory compression, so you get a little more use out of your 2GB of RAM.



  • Michael Burns
    replied
    The September 14, 2018 McAfee scan on my QNAP server finally did not flag PBWin.exe. I just had Virustotal rescan it, and now only CrowdStrike Falcon flags it, and CrowdStrike Falcon flags it as "malicious_confidence_80% (D)". Only took McAfee 6 weeks of people reporting their false positive for them to clean up their act.

    https://www.virustotal.com/#/file/dd...8bf0/detection



  • Mike Doty
    replied
    I did a google search using site:mcafee.com report false positive

    https://kc.mcafee.com/corporate/inde...ent&id=KB85567



  • Eddy Van Esch
    replied
    Originally posted by Mike Doty:
    Would still keep the issue open with McAfee.
    I searched their site to see where I could post or send false positives, but I couldn't find it. That's probably no coincidence ... Or I simply didn't search hard enough.
    But since my company is McAfee's customer, they probably wouldn't have accepted anything from me ...



  • Mike Doty
    replied
    Missed that it was the compiler. Thanks.
    Would still keep the issue open with McAfee.



  • Eddy Van Esch
    replied
    Originally posted by Mike Doty:
    Then send final program to customers and they all have a problem.
    Are you sure about this? PBWin.exe is the compiler. If that is flagged, that doesn't mean that the exe it produces is flagged, is it ..?



  • Mike Doty
    replied
    Then send final program to customers and they all have a problem.
    I had the same problem with Malwarebytes and they updated definitions in about 3 days.
    In other words, stick with it until they fix it.




  • Eddy Van Esch
    replied
    Yes, the IT guys at my company also had to white-list PBWin.exe to prevent it from being quarantined. Fortunately, they know PowerBASIC.



  • richard robinson1
    replied
    Still not fixed. Today my McAfee also decided to quarantine PBWin.exe; I tried to speak to McAfee to get assistance, and they told me my Anti-Virus was not running. How strange, must be magic or witchcraft then.

    So to simply get around the issue as I trust PBWin.exe to be a safe bet, I added it to the excluded files list on the real time scanner, problem has now gone away and I can now get on with some work.



  • Knuth Konrad
    replied
    There's another benefit of running files thru Virustotal: it shares the results with all participating AV companies:

    Upon submitting a file or URL basic results are shared with the submitter, and also between the examining partners, who use results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raise the global IT security level.
    BTW, there's an API to automate submission: https://support.virustotal.com/hc/en...69-API-scripts

    As for the matter of different products from the same vendor creating different results: as absurd as it may sound, I remember that back in the day, some of the free or home user stuff provided didn't even use the AV scanning engine of the vendor's own business product line, but a 3rd-party engine, which they licensed and just wrapped a UI around. Namely Trend Micro. Not sure if that's the case, though.

    Back to heuristic scanning: these days, there's basically no way around these, as anything but the most "dumb" viruses are generated on the fly, e.g. https://www.rapid7.com/db/modules/en...shikata_ga_nai, which ofc results in differing (AV) signatures.

    As a very basic (sic!) example, look no further than the myriads of Office documents prepared with malicious VBA scripts. Our spam filter caught lots of those by us simply blocking all *.doc, *.xls etc. I can tell you that the presentation of these emails and attached documents is very convincing. I actually was both surprised and shocked about how good they are. The best ones were addressed to HR, referring to a real current job opening, addressing HR employees by name and including real nice-looking CVs and certificates (with fake data, ofc). So no more "YO THERE, CLIK LINK FOR SUPPER IMPORTAND DOCUMENT" amateurish phishing attempts. It actually took me more than the typical couple of seconds to figure out that this email is malware. And that by having the advantage of having our spam filter's list of identical emails, where the seemingly same person in one email calls herself "Anna Smith", but in the second email it's "Anne Miller", with otherwise identical documents, including "her" picture, ofc taken from a random website.

    But just juggling with the name used throughout the documents, the author changed the hashes/signatures of these files, defeating any signature-based detection. And automating the creation of Office and PDF documents is quite easy and fast, in comparison to updating and especially distributing new AV signatures.

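Knuth mentions that VirusTotal has an API for automating submissions. The script below is an added example (not from the forum post or from VirusTotal's own API scripts page) of the first step a release engineer usually automates: hashing the build locally, asking VirusTotal whether it already has a report for that exact SHA-256, and reducing the report to the list of engines that flag the file so each vendor can be sent a false-positive report. It assumes VirusTotal's current v3 REST API (`GET /api/v3/files/{sha256}` with an `x-apikey` header) and reads the key from a `VT_API_KEY` environment variable (placeholder name). The bundled `SAMPLE_REPORT` is a constructed stand-in for a v3 response so the summarizer can be exercised offline.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# Assumption: VirusTotal's v3 REST API. Endpoint path and header name are from
# VirusTotal's public documentation; the API key is supplied via VT_API_KEY.
VT_API = "https://www.virustotal.com/api/v3"

# Constructed stand-in for a v3 file report, shaped like the real response
# (only the fields this script reads). Engine names/verdicts mirror the thread.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "sha256": "dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0",
            "last_analysis_stats": {"malicious": 2, "undetected": 3},
            "last_analysis_results": {
                "McAfee": {"category": "malicious", "result": "RDN/Generic.RP"},
                "Comodo": {"category": "malicious", "result": ".UnclassifiedMalware"},
                "Kaspersky": {"category": "undetected", "result": None},
                "Microsoft": {"category": "undetected", "result": None},
                "Symantec": {"category": "undetected", "result": None},
            },
        }
    }
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes: the key VirusTotal indexes reports by."""
    return hashlib.sha256(data).hexdigest()


def report_request(sha256: str, api_key: str) -> urllib.request.Request:
    """GET request for an existing report; no upload needed if VT has seen
    this exact file before."""
    return urllib.request.Request(
        f"{VT_API}/files/{sha256}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to what matters for a false-positive campaign:
    how many engines flag the file, and which ones, with their verdict text."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        f"{engine}: {r.get('result')}"
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return {
        "sha256": attrs.get("sha256"),
        "malicious": stats.get("malicious", 0),
        "undetected": stats.get("undetected", 0),
        "flagged_by": flagged,
    }


def demo_summary() -> dict:
    """Offline demonstration over the constructed sample report."""
    return summarize_report(SAMPLE_REPORT)


def check_file(path: str, api_key: str) -> dict:
    """Hash the file locally, fetch its report and summarize it. A 404 means
    VT has never seen this hash; that is the cue to upload via POST /files."""
    with open(path, "rb") as fh:
        digest = sha256_hex(fh.read())
    try:
        with urllib.request.urlopen(report_request(digest, api_key)) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"sha256": digest, "known": False}
        raise


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key and len(sys.argv) == 2:
        print(json.dumps(check_file(sys.argv[1], key), indent=2))
    else:
        print("no VT_API_KEY/file given; showing the offline sample:")
        print(json.dumps(demo_summary(), indent=2))
```

Looking up by hash first matters for exactly the reason Knuth gives: anything you upload is shared with all participating vendors, so a private pre-release build should only be submitted deliberately, not as a side effect of checking whether a shipped build is already flagged.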


  • Michael Burns
    replied
    The way AV makers that I've had conversations with stop a file being false positively flagged without messing with their heuristics algorithms is to have universal white lists for files that contain the file hash of the "known clean" version of the file. That allows them to uniquely identify that known clean version & override what the AV engine says.

    All any of those AV makers have to do to deal with reported false positives is to actually examine the file and when they determine it's clean, add it and its hash to their products' universal white list. The operative phrase is "examine the file". Unfortunately, some AV makers are not just lazy about cleaning up their false positives, but simply flag a file if they see someone else flag it on Virus Total. In my experience getting my own software releases to be white listed if false positived by an AV maker takes a lot of work. The so-called "AI" AV makers are the worst as they often (I won't name names) don't have any false positive reporting systems for non-customers (and some not even for customers).

    Drake, since it owns this product, should be driving this issue of getting Power Basic to not be flagged as infected, not us customers.

    BTW, Jotti Malware is fine, but only scans against 15 AV products. (Avast, Dr. Web, Fortinet, Gdata, Sophos, Bitdefender, eScan, F-Prot, Ikarus, TrendMicro, ClamAV, ESET, F-Secure, K7, VBA32) all of which are a subset of Virus Total's 66 AV products. Jotti does not identify which product variant of some of the AV products it uses, which probably explains why its "Trend Micro" does not flag PBWin.exe but Virus Total's "TrendMicro-HouseCall" does. They are using different product variants. (Same for K7, ESET, maybe more.) I always run my releases through Virus Total before the actual release & then start submitting false positive reports to any AV makers right away. I also put a comment on Virus Total identifying myself as the author, listing the "false flag bad boys" at the time of the scan with a statement that I have reported the false positives to them (or name who false positived but has no reporting mechanism). That way, any sysadmin who looks can at least see my comment & contact me if they want. I also rescan periodically & update the comment as the list of false positives changes. Ideally, that list eventually goes to zero.

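Michael describes the hash-keyed "known clean" whitelist that lets a vendor override its engine's verdict for one specific build; Knuth's earlier post makes the mirror-image point that editing a single name inside a document changes its hash. The Python below is an added illustration of both (it is not code from the forum, from Drake, or from any AV vendor): an allowlist keyed by SHA-256, a lookup that only ever returns "allow" for a bit-identical file, and a constructed release image whose edited copy no longer matches. The PBWin.exe hash in the allowlist is the one reported on VirusTotal in this thread; its label, the release bytes and the `build_allowlist` helper are constructed for the example.

```python
import hashlib

# Allowlist keyed by the SHA-256 of the exact vetted build. The hash below is
# the PBWin.exe hash reported by VirusTotal in this thread; the label is ours.
KNOWN_CLEAN = {
    "dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0":
        "PBWin.exe (build discussed in this thread)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes; the key an allowlist entry is matched on."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(vetted: dict) -> dict:
    """What a vendor or sysadmin does after actually examining a reported file:
    record hash -> label for each build they have vetted. Input is
    {label: file_bytes}; output is {sha256: label}."""
    return {sha256_hex(data): label for label, data in vetted.items()}


def allowlist_verdict(data: bytes, allowlist: dict = KNOWN_CLEAN):
    """Exact-match lookup. ("allow", label) means the engine's verdict is
    overridden for this bit-identical file. ("scan", None) is NOT a malice
    verdict: it only means no whitelist hit, so the normal engine decides."""
    digest = sha256_hex(data)
    label = allowlist.get(digest)
    return ("allow", label) if label else ("scan", None)


def demo() -> dict:
    # Constructed stand-ins: a vetted release image and a copy with one string
    # edited. Any byte change gives an unrelated hash, so the whitelist entry
    # for the vetted build does not carry over to the edited file.
    release = b"MZ constructed release image -- Author: Anna Smith -- v1.0"
    edited = release.replace(b"Anna Smith", b"Anne Miller")
    allow = dict(KNOWN_CLEAN)
    allow.update(build_allowlist({"example release 1.0": release}))
    return {
        "release": allowlist_verdict(release, allow),
        "edited": allowlist_verdict(edited, allow),
        "hash_changed": sha256_hex(release) != sha256_hex(edited),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence for a vendor like Drake is the one Michael draws: every rebuilt PBWin.exe has a new hash, so a whitelist entry obtained for one build does nothing for the next, and the false-positive report has to be repeated per release unless the vendor whitelists on something stable such as a code-signing identity.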


  • Eddy Van Esch
    replied
    Originally posted by Knuth Konrad:
    As a sysadmin, I can tell you that heuristics saved our rear more often than not.
    Ok, I will give you the benefit of the doubt ....



  • Knuth Konrad
    replied
    Originally posted by Eddy Van Esch:
    Heuristic scanning that is the culprit. Heuristic scanning is a remedy that is a little less worse than the disease .. but not much ... :-(
    So, what's your proposed alternative, which can deal with self-modifying viruses? Signature-based scanning doesn't cut it any longer these days.

    As a sysadmin, I can tell you that heuristics saved our rear more often than not.



  • Eddy Van Esch
    replied
    Michael .. At the time when I ran VirusTotal yesterday, there were only 5 of 66 detections. So one changed his mind ... ;-)
    Jotti Malware scanner didn't find anything.
    Our company's IT department is checking it out. According to McAfee it is the 'Artemis' virus. The IT guy said they have had serious problems with this virus in the company. So I assume they move with caution. Personally ..... I think it is that #$%&@ Heuristic scanning that is the culprit. Heuristic scanning is a remedy that is a little less worse than the disease .. but not much ... :-(



  • Michael Burns
    replied
    As of this evening:
    6 engines detected this file
    https://www.virustotal.com/#/file/dd...8bf0/detection
    SHA-256: dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0
    File name: PBWin.exe
    File size: 844 KB
    Last analysis: 2018-08-28 01:50:23 UTC
    Babable: Malware.HighConfidence
    Comodo: .UnclassifiedMalware
    CrowdStrike Falcon: malicious_confidence_80% (D)
    McAfee: RDN/Generic.RP
    McAfee-GW-Edition: RDN/Generic.RP
    TrendMicro-HouseCall: TROJ_GEN.R002H06H418
    Ad-Aware: Clean
    AegisLab: Clean
    AhnLab-V3: Clean
    ALYac: Clean
    Antiy-AVL: Clean
    Arcabit: Clean
    Avast: Clean
    Avast Mobile Security: Clean
    AVG: Clean
    Avira: Clean
    AVware: Clean
    Baidu: Clean
    BitDefender: Clean
    Bkav: Clean
    CAT-QuickHeal: Clean
    ClamAV: Clean
    CMC: Clean
    Cybereason: Clean
    Cylance: Clean
    Cyren: Clean
    DrWeb: Clean
    eGambit: Clean
    Emsisoft: Clean
    Endgame: Clean
    eScan: Clean
    ESET-NOD32: Clean
    F-Prot: Clean
    F-Secure: Clean
    Fortinet: Clean
    GData: Clean
    Ikarus: Clean
    Jiangmin: Clean
    K7AntiVirus: Clean
    K7GW: Clean
    Kaspersky: Clean
    Kingsoft: Clean
    Malwarebytes: Clean
    MAX: Clean
    Microsoft: Clean
    NANO-Antivirus: Clean
    Palo Alto Networks: Clean
    Panda: Clean
    Qihoo-360: Clean
    Rising: Clean
    SentinelOne: Clean
    Sophos AV: Clean
    Sophos ML: Clean
    SUPERAntiSpyware: Clean
    Symantec: Clean
    TACHYON: Clean
    Tencent: Clean
    TheHacker: Clean
    VBA32: Clean
    VIPRE: Clean
    ViRobot: Clean
    Webroot: Clean
    Yandex: Clean
    Zillya: Clean
    ZoneAlarm: Clean
    Zoner: Clean
    Alibaba: Unable to process file type
    Symantec Mobile Insight: Unable to process file type
    Trustlook: Unable to process file type

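Michael pasted the VirusTotal detection listing as plain "Engine: Verdict" lines. As an added example (not part of his post or of any VirusTotal tooling), the script below parses that text format, separates the file metadata from the per-engine verdicts, tallies detections against "Clean" and "Unable to process" results, cross-checks the tally with the "N engines detected this file" header, and collapses product variants of one vendor (McAfee and McAfee-GW-Edition here) so you can see how many distinct vendors need a false-positive report. The embedded `SAMPLE_LISTING` is a constructed subset of the listing above.

```python
import re

# Constructed subset of the listing pasted in this thread: all six detections,
# a few "Clean" engines and one engine that could not process the file.
SAMPLE_LISTING = """\
6 engines detected this file
https://www.virustotal.com/#/file/dd...8bf0/detection
SHA-256: dd26af47c3973f67459a7c80826409c3a9ae59dacf1a5c177b0b9a094eaa8bf0
File name: PBWin.exe
File size: 844 KB
Last analysis: 2018-08-28 01:50:23 UTC
Babable: Malware.HighConfidence
Comodo: .UnclassifiedMalware
CrowdStrike Falcon: malicious_confidence_80% (D)
McAfee: RDN/Generic.RP
McAfee-GW-Edition: RDN/Generic.RP
TrendMicro-HouseCall: TROJ_GEN.R002H06H418
Avast: Clean
Kaspersky: Clean
Microsoft: Clean
Symantec: Clean
Alibaba: Unable to process file type
"""

# Keys that describe the file rather than an engine's verdict.
META_KEYS = {"SHA-256", "File name", "File size", "Last analysis"}
HEADER_RE = re.compile(r"^(\d+) engines? detected this file$")


def parse_listing(text: str) -> dict:
    """Split the pasted listing into file metadata, {engine: verdict} and the
    detection count claimed by the header line (None if no header)."""
    meta, verdicts, header_count = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header_count = int(m.group(1))
            continue
        if ": " not in line:          # URLs, blank lines and other noise
            continue
        key, value = line.split(": ", 1)
        if key in META_KEYS:
            meta[key] = value
        else:
            verdicts[key] = value
    return {"meta": meta, "verdicts": verdicts, "header_count": header_count}


def tally(parsed: dict) -> dict:
    """Classify each engine's verdict. Anything that is neither "Clean" nor an
    "Unable to process ..." note is treated as a detection."""
    detections, clean, unable = {}, [], []
    for engine, verdict in parsed["verdicts"].items():
        if verdict == "Clean":
            clean.append(engine)
        elif verdict.startswith("Unable to process"):
            unable.append(engine)
        else:
            detections[engine] = verdict
    return {
        "detections": detections,
        "clean": len(clean),
        "unable": len(unable),
        # A mismatch here means the paste is incomplete or the format changed.
        "header_matches": parsed["header_count"] == len(detections),
    }


def vendor_groups(detections: dict) -> dict:
    """Group engine names by vendor stem (text before the first '-' or space),
    so product variants of one vendor count as one report to file."""
    groups = {}
    for engine in detections:
        vendor = re.split(r"[-\s]", engine, maxsplit=1)[0]
        groups.setdefault(vendor, []).append(engine)
    return groups


if __name__ == "__main__":
    result = tally(parse_listing(SAMPLE_LISTING))
    print(f"{len(result['detections'])} detections, {result['clean']} clean, "
          f"{result['unable']} unable; header consistent: {result['header_matches']}")
    for vendor, engines in vendor_groups(result["detections"]).items():
        print(f"  {vendor}: {', '.join(engines)}")
```

The vendor grouping is the useful part when tracking a false positive over time: McAfee and McAfee-GW-Edition share an engine, so Michael's later report that McAfee stopped flagging the file clears two lines of the listing with one fix.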


  • Mike Doty
    replied
    McAfee has a Virtual Assistant and Virtual Technician found by using Google.
    McAfee can also remove network traffic which has to be configured.
    In a corporate environment it gets even more complicated, but they should be able to exclude PBwin for a user.
    When something went wrong, it was McAfee or BitDefender so I finally quit using them (though they are good products.)



  • Eddy Van Esch
    replied
    Originally posted by Eddy Van Esch:
    On older PBWin.exe's (V7, V8 ...) I get the following error message when I try to run them: "The version of this file is not compatible with the version of Windows you're running. Check your ......" ....
    Ah, looks like I got that error message trying to run PBWin.exe of V7.0. That was still a 16-bit prog so it seems:
    Name: PBWin.exe
    Size: 257.99kB (264,180 bytes)
    Type: MS-DOS executable, NE for MS Windows 3.x
    First seen: August 24, 2018 at 10:38:11 AM GMT+2
    MD5: fbb315a22da54030a9b2d19882271cfb
    SHA1: 70c69de03d40644377c4f7fc6371fc6a9bfaf854
    PBWin.exe V8 and V9 run fine. V10 gets killed by McAfee ...



  • Eddy Van Esch
    replied
    Dang! I also found my PBWin.exe (V10) removed by that @#$%$& McAfee AV ... It's my work pc so I asked the IT guys at work whether I can whitelist PBWin.exe. So far, no action from them.
    On older PBWin.exe's (V7, V8 ...) I get the following error message when I try to run them: "The version of this file is not compatible with the version of Windows you're running. Check your ......" ....
    I don't know if this is a Windows thing or also related to McAfee .......



  • Steve Hutchesson
    replied
    This is what I get from jotti for pbwin.exe:
    Name: PBWin.exe
    Size: 840kB (860,160 bytes)
    Type: PE32 executable (GUI) Intel 80386, for MS Windows
    First seen: 15 August 2018 at 11:19:45 CEST
    MD5: b375ce0fc8f57e49069aab3c13ca704a
    SHA1: 8fad3a529e1a88fa6d503da9ee8433e3bf20200c
    Status: Scan finished. 0/16 scanners reported malware.
    Scan taken on: 15 August 2018 at 11:19:47 CEST
    0 out of 16 says there is nothing wrong with it.

    Time for your customers to change their AV scanners, junk that drops false positives needs to either be fixed or replaced.

    As has been mentioned above, make sure you have a valid manifest and version control block as the donkey end of AV scanners look for these things and if they are not present, they dump a false positive as they do not have the analytic capacity to evaluate a 32 bit PE file according to its specifications.



  • Joerg Buckel
    replied
    In general, users assume that antivirus software must be infallible.
    We know from practical experience that this is not the case. No matter from which provider.
    Especially if the corresponding software works heuristically, only patterns are searched for. This offers fast protection, but is more susceptible to false alarms.
    Only, what do I tell customers who assume infallibility?
    More and more criminals will try to prey online in the future.
    And this increases user fear.
    For this reason, vendors are trying to protect their software with certificates to detect manipulation earlier.
    It is intended to convey security that may not exist in the end.

