
Anti Virus thinks my exe is a virus...


  • Anti Virus thinks my exe is a virus...

    I was putting an update on a customer machine today. Their Anti Virus software quarantined it.
    Anyone run into this? Could you fix it?
    Code signing??
    Last edited by David Clarke; 8 Oct 2018, 08:12 PM.

  • #2
    Dave, two things will help here, and both are done with your resource code: create a manifest and a version control block. I normally use RC files, but PB has the commands to directly inline resource code. Do both of these and you will have very few problems with AV scanners. I do have one example of using the native PB resource commands.
    Code:
    #resource RCDATA, 2000, "yourfile.ext"
    Later in the code section,
    Code:
    MyString$ = resource$(RCDATA, 2000)
    A manifest is normally an XML file; a version control block is usually written into an RC file.

    Here is a version of a manifest XML file.
    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <description>PowerBASIC Example</description>
      <dependency>
        <dependentAssembly>
          <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="X86"
            publicKeyToken="6595b64144ccf1df"
            language="*"
          />
        </dependentAssembly>
      </dependency>
    </assembly>
    This is a version control block for an RC file.
    Code:
    VS_VERSION_INFO VERSIONINFO
    FILEVERSION 1, 0, 0, 0
    PRODUCTVERSION 1, 0, 0, 0
    FILEOS VOS_WINDOWS32
    FILETYPE VFT_APP
    BEGIN
      BLOCK "StringFileInfo"
      BEGIN
        BLOCK "040904B0"
        BEGIN
          VALUE "CompanyName",      "Dave Clark Inc.\000"
          VALUE "FileDescription",  "Put your description here\000"
          VALUE "FileVersion",      "1.0\000"
          VALUE "InternalName",     "MyApp\000"
          VALUE "OriginalFilename", "MyApp.exe\000"
          VALUE "LegalCopyright",   "\251 2019 Dave Clark\000"
          VALUE "ProductName",      "MyApp\000"
          VALUE "ProductVersion",   "1.0\000"
        END
      END
      BLOCK "VarFileInfo"
      BEGIN
        VALUE "Translation", 0x409, 0x4B0
      END
    END
    Last edited by Steve Hutchesson; 9 Oct 2018, 05:35 PM. Reason: :) Didn't notice I had double pasted the version control block.
    hutch at movsd dot com
    The MASM Forum

    www.masm32.com



    • #3
      Thanks Steve!
      What is publicKeyToken="6595b64144ccf1df" ??



      • #4
        Originally posted by David Clarke:
        Thanks Steve!
        What is publicKeyToken="6595b64144ccf1df" ??
        That's the public key for Common Controls v6
        It needs to be in the manifest for Windows to use "Visual Styles" for common controls.

        https://docs.microsoft.com/en-us/win...kbook-overview



        • #5
          I know the topic as well. I also have fewer problems with the tips.

          A digital signature is also very important. Unfortunately associated with costs. How exactly that works, I do not know. Maybe others know more about digital signatures.



          • #6
            A malware writer can put in a manifest, and can put anyone's name or company name in a versioninfo block.

            I'll believe a manifest and versioninfo block stops false positives by some AV programs. But, any AV program that relies on manifest and/or versioninfo for identifying malware (yes or no) should be removed. The AV writer(s) were exceedingly lazy.

            '-----------------------------------------------------------------------
            Why would COMMON CONTROLS need a public key unless "they" plan to change the key in the future and charge for use of the controls?

            '------------------------------------------------------------------------

            A signature can be a secure hash of the exe and your name encrypted by your private key. If the signature decrypts with your public key, then only you could have created the signature. A secure hash of the exe is done; if it matches the hash in the signature, the exe has not been altered. A secure repository for public keys is needed, and they would charge for the service. Without a trusted repository a malware writer could write a virus, do a secure hash, add anybody's name, encrypt with a private key, then say the mating public key belongs to whoever he/she named in the fake signature. Verifying identity before posting a public key would cost the repository.
            Dale

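The scheme Dale sketches in the post above (a secure hash of the exe plus the signer's name, signed with a private key, checked with the public key, and a trusted repository that binds names to keys) as an added worked example. This is not code from the thread or from PowerBASIC: it is textbook RSA over a SHA-256 digest with constructed key material (the Mersenne primes 2^521-1, 2^607-1 and 2^1279-1, so no crypto library is needed), no padding, no certificate and no timestamp, all of which real code signing such as Authenticode adds. The in-memory `directory` dict stands in for the identity-checked repository, the signer name "Dave Clark Inc." is borrowed from the RC block earlier in the thread, and the bytes being signed are a constructed stand-in rather than a real executable.

```python
import hashlib

# Constructed toy key material: Mersenne primes make the demo self-contained with no
# crypto library. Textbook RSA over a SHA-256 digest, no padding, no certificate,
# no timestamp; real code signing (e.g. Authenticode) adds all three.
VENDOR_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)
FORGER_PRIMES = ((1 << 607) - 1, (1 << 1279) - 1)
E = 65537


def make_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(exe: bytes, signer_name: str) -> int:
    """Secure hash over the executable plus the name the signature asserts."""
    h = hashlib.sha256(exe + b"\x00" + signer_name.encode("utf-8")).digest()
    return int.from_bytes(h, "big")


def sign(exe: bytes, signer_name: str, private_key) -> dict:
    """Sign digest(exe, name) with the private key and attach the matching public key."""
    n, d = private_key
    return {"name": signer_name, "pubkey": (n, E), "sig": pow(digest(exe, signer_name), d, n)}


def verify_naive(exe: bytes, blob: dict) -> bool:
    """Trusts whatever public key the signature carries: the gap Dale describes."""
    n, e = blob["pubkey"]
    return pow(blob["sig"], e, n) == digest(exe, blob["name"])


def verify_with_directory(exe: bytes, blob: dict, directory: dict) -> bool:
    """Resolves the claimed name through a trusted directory (the repository/CA role)."""
    key = directory.get(blob["name"])
    if key is None:
        return False                      # unknown signer: treat as unsigned
    n, e = key
    return pow(blob["sig"], e, n) == digest(exe, blob["name"])


def demo() -> dict:
    vendor_pub, vendor_priv = make_keypair(*VENDOR_PRIMES)
    _, forger_priv = make_keypair(*FORGER_PRIMES)
    # The directory lists only keys whose owner's identity was checked before listing.
    directory = {"Dave Clark Inc.": vendor_pub}

    exe = b"MZ" + b"constructed stand-in for an executable"      # constructed sample
    genuine = sign(exe, "Dave Clark Inc.", vendor_priv)
    forged = sign(exe, "Dave Clark Inc.", forger_priv)           # vendor's name, forger's key
    tampered = exe + b"\x90"                                      # one byte changed after signing

    return {
        "genuine_naive": verify_naive(exe, genuine),                           # True
        "genuine_directory": verify_with_directory(exe, genuine, directory),   # True
        "tampered_directory": verify_with_directory(tampered, genuine, directory),  # False
        "forged_naive": verify_naive(exe, forged),                             # True: fooled
        "forged_directory": verify_with_directory(exe, forged, directory),     # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20s} {result}")
```

The two verifiers differ only in where the public key comes from. `verify_naive` accepts the forged blob because the forger's own key "decrypts" the forger's own signature; the name inside proves nothing. `verify_with_directory` rejects it because the name resolves to the vendor's key, which does not match, and it also rejects the genuine signature once a single byte of the file changes.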


            • #7
              Thanks all! Problem solved by adding:

              Code:
              #RESOURCE VERSIONINFO
              
              #RESOURCE FILEFLAGS 0
              
              
              #RESOURCE FILEVERSION 3, 2, 0, 6
              #RESOURCE PRODUCTVERSION 3, 2, 0, 6
              
              #RESOURCE STRINGINFO "0409", "04B0"
              
              #RESOURCE VERSION$ "CompanyName",      "DC Interconnect, Inc."
              #RESOURCE VERSION$ "FileDescription",  "HID IIS INTERFACE"
              #RESOURCE VERSION$ "FileVersion",      "03.02.0006"
              #RESOURCE VERSION$ "InternalName",     "HID IIS CGI"
              #RESOURCE VERSION$ "OriginalFilename", "IDOBJ.EXE"
              #RESOURCE VERSION$ "LegalCopyright",   "Copyright © 2011 DC Interconnect, Inc."
              #RESOURCE VERSION$ "ProductName",      "IDOBJ.CGI"
              #RESOURCE VERSION$ "ProductVersion",   "03.02.0006"
              #RESOURCE VERSION$ "Comments",         "Requires IIS CGI Permissions."

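As an added check for the resource blocks shown in #2 and in the post above (not code from the thread or from PowerBASIC), the following script walks a PE file's `.rsrc` directory and reports whether the RT_VERSION (16) and RT_MANIFEST (24) resource types are present, so a build can be audited before it ships. The directory layout and type IDs are the documented PE / winuser.h ones; the sample directories are constructed in memory (RCDATA id 2000 mirrors the `#resource RCDATA, 2000` line in #2) so the script runs without a real executable. Only `rsrc_section` needs a real file: pass it the bytes of the built exe and feed the result to `missing_resources`.

```python
import struct

# Resource type IDs from the Windows SDK (winuser.h): RT_RCDATA, RT_VERSION, RT_MANIFEST.
RT_RCDATA, RT_VERSION, RT_MANIFEST = 10, 16, 24
REQUIRED = {RT_VERSION: "VERSIONINFO", RT_MANIFEST: "MANIFEST"}
LANG_EN_US = 0x409


def rsrc_section(pe: bytes):
    """Return the raw .rsrc section of a PE image, or None if absent. Offsets inside the
    resource directory are relative to the section start, so the slice parses as-is."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size              # section table follows the optional header
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            return pe[raw_ptr:raw_ptr + raw_size]
    return None


def parse_rsrc(blob: bytes, offset: int = 0) -> dict:
    """Walk an IMAGE_RESOURCE_DIRECTORY tree; leaves map to the data entry's size."""
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", blob, offset)
    tree, pos = {}, offset + 16
    for _ in range(n_named + n_id):
        ident, child = struct.unpack_from("<II", blob, pos)
        pos += 8
        if child & 0x80000000:                    # high bit set: subdirectory
            tree[ident] = parse_rsrc(blob, child & 0x7FFFFFFF)
        else:                                     # IMAGE_RESOURCE_DATA_ENTRY
            _rva, size, _codepage, _reserved = struct.unpack_from("<IIII", blob, child)
            tree[ident] = size
    return tree


def missing_resources(blob: bytes) -> list:
    """Names of the resource types from REQUIRED that the directory lacks."""
    present = parse_rsrc(blob)
    return sorted(name for rt, name in REQUIRED.items() if rt not in present)


def _emit_dir(out: bytearray, tree: dict) -> int:
    """Serialize a type->id->lang->bytes dict as a resource directory for the constructed
    samples; data RVAs stay 0 because nothing maps this blob into memory."""
    start = len(out)
    out += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(tree))
    entry_pos = len(out)
    out += bytes(8 * len(tree))                   # entries are patched once children exist
    for i, (ident, child) in enumerate(sorted(tree.items())):
        if isinstance(child, dict):
            target = _emit_dir(out, child) | 0x80000000
        else:
            target = len(out)
            out += struct.pack("<IIII", 0, len(child), 0, 0)
        struct.pack_into("<II", out, entry_pos + 8 * i, ident, target)
    return start


def build_rsrc(tree: dict) -> bytes:
    out = bytearray()
    _emit_dir(out, tree)
    return bytes(out)


# Constructed samples: one build carrying RCDATA 2000 plus a VERSIONINFO and a manifest,
# and one carrying only the RCDATA blob.
SAMPLE_FULL = {
    RT_RCDATA: {2000: {LANG_EN_US: b"payload bytes"}},
    RT_VERSION: {1: {LANG_EN_US: b"VS_VERSION_INFO..."}},
    RT_MANIFEST: {1: {LANG_EN_US: b"<assembly>...</assembly>"}},
}
SAMPLE_BARE = {RT_RCDATA: {2000: {LANG_EN_US: b"payload bytes"}}}


if __name__ == "__main__":
    for label, sample in (("full", SAMPLE_FULL), ("bare", SAMPLE_BARE)):
        print(label, "missing:", missing_resources(build_rsrc(sample)) or "nothing")
```

The check is deliberately structural: it confirms the resources exist, not that their contents are sensible, so a version block with placeholder strings still passes. That matches what the thread reports about the scanners in question, which only look for the blocks' presence.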


              • #8
                I've had my virus scanner flag my executables as viruses when I added some timing routines to display how long a particular operation took, (like compressing files). I had to get creative with the timing routines to get the virus scanner to leave my executable alone. No idea why the resource thing worked for you, perhaps I'll try that too to see if it fixes my original flagged code, could prove an interesting experiment.
                http://www.softcon.com for hosting/internet access.



                • #9
                  Travis,

                  The requirement of a manifest file and a version control block is basically to shut up junky AV scanners. If the junky end of AV scanners cannot find a manifest and version control block, they often flag the app as "suspicious". The better AV scanners don't do it. It does not add much size to the app and it gets rid of many false positives from the junky AV scanners. Compressed executables are starting to be flagged as suspicious by the junk AV scanners so you will have to be careful there, perhaps 2 versions to handle both situations.
                  hutch at movsd dot com
                  The MASM Forum

                  www.masm32.com



                  • #10
                    Originally posted by Steve Hutchesson:
                    Compressed executables are starting to be flagged as suspicious by the junk AV scanners so you will have to be careful there, perhaps 2 version to handle both situations.
                    From a sysadmin's PoV, I disagree with the notion that AV scanners flagging compressed executables are to be considered "junk". We're not living in the '90s anymore, where floppy disks with 1.44 MB were still the norm and therefore saving a couple of bytes might be worth it. In today's world, executable compression has become an issue with malware, where it tries to hide its malicious purpose. AV scanners unable to analyze the executable properly go with the "better-safe-than-sorry" approach. From a sysadmin's perspective, that's the preferable way to handle it.



                    • #11
                      I imagine a sysadmin who prefers false positives to published specifications is in trouble in any case. When the OS vendor publishes the specifications for portable executable files, it is not the place of amateurs to think they know more than the OS vendor. False positives are reasonably rare in the high end of AV software, the rest are junk as marketing rises its ugly head with claims of higher hit counts when in fact they leave serious holes in software protection.

                      If an AV scanner is free or cheap, you get what you pay for.
                      hutch at movsd dot com
                      The MASM Forum

                      www.masm32.com



                      • #12
                        I am going to try "signing my code" and see if that puts this to bed. Plus signed code can be downloaded from the internet without setting off alarms. At least that is what I am told.



                        • #13
                          Originally posted by Steve Hutchesson:
                          I imagine a sysadmin who prefers false positives to published specifications is in trouble in any case. When the OS vendor publishes the specifications for portable executable files, it is not the place of amateurs to think they know more than the OS vendor. False positives are reasonably rare in the high end of AV software, the rest are junk as marketing rises its ugly head with claims of higher hit counts when in fact they leave serious holes in software protection.

                          If an AV scanner is free or cheap, you get what you pay for.
                          Actually - disregard what I wrote in this specific case, as I have misread the "compressing files" part and thought it meant "use an EXE compressor". Which doesn't seem to be the case, and I therefore completely agree with you here, Steve.

                          However - I stand by my opinion in regards to using EXE compression (utilities) for "saving space" or as an "anti-cracking" technique.
