Anti Virus thinks my exe is a virus...

  • Anti Virus thinks my exe is a virus...

    I was putting an update on a customer machine today. Their Anti Virus software quarantined it.
    Anyone run into this? Could you fix it?
    Code signing??
    Last edited by David Clarke; 8 Oct 2018, 08:12 PM.

  • #2
    Dave, two things will help here, and both are done with your resource code: create a manifest and a version control block. I normally use RC files, but PB has the commands to directly inline resource code. Do both of these and you will have very few problems with AV scanners. I do have one example of using the native PB resource commands.
    Code:
    #resource RCDATA, 2000, "yourfile.ext"
    Later in the code section,
    Code:
    MyString$ = resource$(RCDATA, 2000)
    A manifest is normally an XML file; a version control block is usually written into an RC file.

    Here is a version of a manifest XML file.
    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <description>PowerBASIC Example</description>
    <dependency>
    <dependentAssembly>
    <assemblyIdentity
    type="win32"
    name="Microsoft.Windows.Common-Controls"
    version="6.0.0.0"
    processorArchitecture="X86"
    publicKeyToken="6595b64144ccf1df"
    language="*"
    />
    </dependentAssembly>
    </dependency>
    </assembly>
    This is a version control block for an RC file.
    Code:
    VS_VERSION_INFO VERSIONINFO
    FILEVERSION 1, 0, 0, 0
    PRODUCTVERSION 1, 0, 0, 0
    FILEOS VOS_WINDOWS32
    FILETYPE VFT_APP
    BEGIN
      BLOCK "StringFileInfo"
      BEGIN
        BLOCK "040904B0"
        BEGIN
          VALUE "CompanyName",      "Dave Clark Inc.\000"
          VALUE "FileDescription",  "Put your description here\000"
          VALUE "FileVersion",      "1.0\000"
          VALUE "InternalName",     "MyApp\000"
          VALUE "OriginalFilename", "MyApp.exe\000"
          VALUE "LegalCopyright",   "\251 2019 Dave Clark\000"
          VALUE "ProductName",      "MyApp\000"
          VALUE "ProductVersion",   "1.0\000"
        END
      END
      BLOCK "VarFileInfo"
      BEGIN
        VALUE "Translation", 0x409, 0x4B0
      END
    END
    Last edited by Steve Hutchesson; 9 Oct 2018, 05:35 PM. Reason: :) Didn't notice I had double pasted the version control block.
    hutch at movsd dot com
    The MASM Forum

    www.masm32.com

    • #3
      Thanks Steve!
      What is publicKeyToken="6595b64144ccf1df" ??

      • #4
        Originally posted by David Clarke View Post
        Thanks Steve!
        What is publicKeyToken="6595b64144ccf1df" ??
        That's the public key for Common Controls v6
        It needs to be in the manifest for Windows to use "Visual Styles" for common controls.

        https://docs.microsoft.com/en-us/win...kbook-overview

        • #5
          I know this topic as well. With these tips I also have fewer problems.

          A digital signature is also very important. Unfortunately it is associated with costs. How exactly that works, I do not know. Maybe others know more about digital signatures.

          • #6
            A malware writer can put in a manifest, and can put anyone's name or company name in a versioninfo block.

            I'll believe a manifest and versioninfo block stops false positives by some AV programs. But, any AV program that relies on manifest and/or versioninfo for identifying malware (yes or no) should be removed. The AV writer(s) were exceedingly lazy.

            '-----------------------------------------------------------------------
            Why would COMMON CONTROLS need a public key unless "they" plan to change the key in the future and charge for use of the controls?

            '------------------------------------------------------------------------

            A signature can be a secure hash of the exe and your name, encrypted by your private key. If the signature decrypts with your public key, then only you could have created the signature. A secure hash of the exe is done; if it matches the hash in the signature, the exe has not been altered. A secure repository for public keys is needed, and they would charge for the service. Without a trusted repository a malware writer could write a virus, do a secure hash, add anybody's name, encrypt with a private key, then say the mating public key belongs to whoever he/she named in the fake signature. Verifying identity before posting a public key would cost the repository.
            Dale

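The scheme Dale describes above is, stripped of the PKCS#7 packaging and X.509 certificates, how Authenticode code signing works. The Go program below is an added example, not code from this thread or from PowerBASIC: it hashes a constructed stand-in for an .exe image together with the signer's name, signs that hash with an RSA private key, and verifies it against an in-memory map that plays the part of the "trusted repository" of public keys. The publisher name, both key pairs and the image bytes are all constructed for the example. It then shows the two failures Dale mentions: a binary patched after signing (hash mismatch) and a malware writer who signs with his own key while claiming the publisher's name (no trusted key on file matches).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signature is the minimal form of what the post describes: the signer's
// name plus an RSA signature over SHA-256(name || image). Real Authenticode
// wraps this in PKCS#7 and carries an X.509 certificate instead of a name.
type Signature struct {
	SignerName string
	Sig        []byte
}

// TrustStore stands in for the "secure repository": only names whose keys
// were verified out of band get an entry. (Example assumption; Windows uses
// CA-issued certificates for this role.)
type TrustStore map[string]*rsa.PublicKey

// digest hashes the length-prefixed signer name followed by the image bytes.
func digest(name string, image []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(name)))
	h.Write(n[:])
	h.Write([]byte(name))
	h.Write(image)
	return h.Sum(nil)
}

// Sign produces a signature only the holder of priv can make.
func Sign(priv *rsa.PrivateKey, name string, image []byte) (Signature, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(name, image))
	if err != nil {
		return Signature{}, err
	}
	return Signature{SignerName: name, Sig: sig}, nil
}

// Verify re-hashes the image as received and checks the signature against
// the key the trust store holds for the claimed name.
func Verify(store TrustStore, s Signature, image []byte) error {
	pub, ok := store[s.SignerName]
	if !ok {
		return errors.New("no trusted public key on file for " + s.SignerName)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(s.SignerName, image), s.Sig); err != nil {
		return fmt.Errorf("signature claiming %q does not verify: %w", s.SignerName, err)
	}
	return nil
}

// Demo returns the verification result for a genuine image, a patched
// image, and an image signed by an impostor using the publisher's name.
func Demo() (genuine, tampered, impostor error) {
	// Constructed stand-in for the bytes of an .exe; not a real PE image.
	image := []byte("MZ\x90\x00 constructed stand-in for the bytes of MyApp.exe")

	publisher, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	const name = "Example Publisher Inc." // constructed name for the example
	store := TrustStore{name: &publisher.PublicKey}

	sig, err := Sign(publisher, name, image)
	if err != nil {
		panic(err)
	}
	genuine = Verify(store, sig, image)

	// Case 1: the binary is patched after signing; the hash no longer matches.
	patched := append([]byte(nil), image...)
	patched[len(patched)-1] ^= 0xFF
	tampered = Verify(store, sig, patched)

	// Case 2: the attacker signs with his own key but claims the publisher's
	// name; the store holds no key for that name that matches his signature.
	forged, err := Sign(attacker, name, image)
	if err != nil {
		panic(err)
	}
	impostor = Verify(store, forged, image)
	return genuine, tampered, impostor
}

func main() {
	g, t, i := Demo()
	fmt.Println("genuine image: ", g)
	fmt.Println("patched image: ", t)
	fmt.Println("impostor's sig:", i)
}
```

The point the example makes is the one in the post: the manifest and VERSIONINFO strings are plain text anyone can write, while the signature binds the exact bytes of the exe to a key that a trusted party has tied to a name. On Windows the equivalent of the trust store is the certificate chain checked by Authenticode, and the equivalent of Sign is signtool.exe with a code-signing certificate; the cost the earlier post mentions is the CA doing the identity check before issuing that certificate.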
            • #7
              Thanks all! Problem solved by adding:

              Code:
              #RESOURCE VERSIONINFO
              
              #RESOURCE FILEFLAGS 0
              
              
              #RESOURCE FILEVERSION 3, 2, 0, 6
              #RESOURCE PRODUCTVERSION 3, 2, 0, 6
              
              #RESOURCE STRINGINFO "0409", "04B0"
              
              #RESOURCE VERSION$ "CompanyName",      "DC Interconnect, Inc."
              #RESOURCE VERSION$ "FileDescription",  "HID IIS INTERFACE"
              #RESOURCE VERSION$ "FileVersion",      "03.02.0006"
              #RESOURCE VERSION$ "InternalName",     "HID IIS CGI"
              #RESOURCE VERSION$ "OriginalFilename", "IDOBJ.EXE"
              #RESOURCE VERSION$ "LegalCopyright",   "Copyright © 2011 DC Interconnect, Inc."
              #RESOURCE VERSION$ "ProductName",      "IDOBJ.CGI"
              #RESOURCE VERSION$ "ProductVersion",   "03.02.0006"
              #RESOURCE VERSION$ "Comments",         "Requires IIS CGI Permissions."
