False Positives from AV

Tasp
Posts: 16
Joined: Sun May 31, 2020 4:51 pm

False Positives from AV

Post by Tasp » Wed Oct 07, 2020 6:27 pm

For some reason, as of today, when I create EXEs using LBB, Kaspersky and VirusTotal.com randomly show them as having Trojan:Win32/Wacatac.C!ml

After a full AV scan no other issues are found.
[Attachment: Capture.JPG]

guest
Site Admin
Posts: 154
Joined: Tue Apr 03, 2018 1:34 pm

Re: False Positives from AV

Post by guest » Wed Oct 07, 2020 7:30 pm

Tasp wrote:
Wed Oct 07, 2020 6:27 pm
For some reason, as of today, when I create EXEs using LBB, Kaspersky and VirusTotal.com randomly show them as having Trojan:Win32/Wacatac.C!ml
Submit the EXE file to Kaspersky as a false positive. They will check it and modify their engine not to detect it.

Did you fill in the Version Info boxes at the bottom of the LBB 'Save standalone executable' dialog? Leaving those boxes empty makes the EXE look more suspicious, and increases the chance of a false positive detection.

Tasp
Posts: 16
Joined: Sun May 31, 2020 4:51 pm

Re: False Positives from AV

Post by Tasp » Thu Oct 08, 2020 5:19 pm

Yes all the version info boxes are populated.
It seems today that any file I make into an EXE is being classed with an issue :x
[Attachment: Capture.JPG]

guest
Site Admin
Posts: 154
Joined: Tue Apr 03, 2018 1:34 pm

Re: False Positives from AV

Post by guest » Thu Oct 08, 2020 5:53 pm

Unfortunately there's something of an 'arms race' between antivirus vendors, with more detections equalling 'better' even if they're false positives! The only precautions you can take are to ensure there's a valid VERSIONINFO resource, which you already are, and to sign the EXE if you have the capability. I appreciate that a Code Signing certificate can seem to be a significant expense for relatively little benefit.

If, by pure chance, there's a malware signature in the run-time engine that LBB bundles into its executables they will probably all trigger an alert. I'd do something about it if I could, but I don't know what I could do that would be guaranteed to help. Sorry.

Tasp
Posts: 16
Joined: Sun May 31, 2020 4:51 pm

Re: False Positives from AV

Post by Tasp » Thu Oct 08, 2020 5:59 pm

It was more of a heads up really. I understand LBB is EOL and no longer being developed etc.

As for signing certs, doesn't seem worth it, it's just a shame that any EXEs that are now created will end up being binned due to the AV pop ups.

guest
Site Admin
Posts: 154
Joined: Tue Apr 03, 2018 1:34 pm

Re: False Positives from AV

Post by guest » Thu Oct 08, 2020 7:27 pm

Tasp wrote:
Thu Oct 08, 2020 5:59 pm
As for signing certs, doesn't seem worth it, it's just a shame that any EXEs that are now created will end up being binned due to the AV pop ups.
As I said, you can solve the problem for specific EXEs by submitting them to the antivirus vendors' websites; they all provide the capability to upload false positives. But what they tend to do is to whitelist that specific file; it won't make any difference to other files you may compile. Nevertheless it is an effective solution if you don't mind the effort, and it will mean your EXEs aren't "binned".

If you want to consider the code signing route, which is what I do, the cheapest certificate vendor I know is Tucows, at $195 for three years.

Tasp
Posts: 16
Joined: Sun May 31, 2020 4:51 pm

Re: False Positives from AV

Post by Tasp » Fri Oct 09, 2020 5:01 pm

$195 for 3 years is actually quite good value. I've seen others charging £205 for a year! If I created more EXEs I'd probably consider it, I'm only really making programs to run on my machine anyway.

I tend to compile to EXE to test, as sometimes I write stuff in LB and it's not always directly compatible with LBB. So sending every version to the AV vendors wouldn't be an option. If I ever get to a final build of any program I probably will.

I've added an exception to my AV to exclude this particular folder, so at least it doesn't quarantine and then delete them immediately; it just seemed odd that it would start picking them up all of a sudden. I wondered if it was the way the EXEs are being created, or whether they include something that is creating the false positives. I don't know enough about the process other than to say I really like LBB's ability to make EXEs so simply with minimal effort and knowledge; it's a darn sight better and cleaner than having to include all the DLL and SLL's in the folder.

I did run another full scan again, just in case something else was infecting them, but both Kaspersky and Malwarebytes drew a blank.

guest
Site Admin
Posts: 154
Joined: Tue Apr 03, 2018 1:34 pm

Re: False Positives from AV

Post by guest » Fri Oct 09, 2020 8:57 pm

Tasp wrote:
Fri Oct 09, 2020 5:01 pm
I wondered if it was the way the EXEs are being created, or whether they include something that is creating the false positives.
I don't understand what point you are making. Of course the contents of the EXE depend on "the way it is being created" but if, as it seems, it contains (by chance) the identical sequence of bytes as a virus signature then it's going to trigger a false positive detection. A virus signature isn't a virus!

It has been said, with some justification, that antivirus programs are themselves 'malware'. One definition of malware is a program which, if present on your PC, causes annoyance or inconvenience. That's exactly what Kaspersky is doing; get rid of it!

sarmednafi
Posts: 31
Joined: Fri Apr 06, 2018 6:27 am

Re: False Positives from AV

Post by sarmednafi » Fri Oct 09, 2020 11:29 pm

Hi all,

I should check the BBC executables: if they are accepted by Kaspersky with no problem, then the problem is with LBB.

We all know most virus strategies are to separate themselves into threads which are then assembled in suitable conditions (after they are all available, for example).

What should Richard do (if he wants)?
Go to his old PC, install Kaspersky antivirus, update it, clean his PC, then compile a new version of LBB. Only this can serve.
But as I said, no one has the right to demand that; it is up to him.
Unfortunately I have to say our PCs in our area cannot live without antivirus; maybe in Europe the service providers use some central antivirus so Windows Defender is enough. But in other countries, it isn't like that. We give all the priority to antivirus or we lose our files.

All thanks to you Richard for your wonderful LBB.

Regards

guest
Site Admin
Posts: 154
Joined: Tue Apr 03, 2018 1:34 pm

Re: False Positives from AV

Post by guest » Sat Oct 10, 2020 2:13 am

sarmednafi wrote:
Fri Oct 09, 2020 11:29 pm
I should check the BBC executables: if they are accepted by Kaspersky with no problem, then the problem is with LBB.
An executable created using BBC BASIC for Windows will never be identical to one created by LB Booster because they are using different versions of the run-time engine. You cannot draw any conclusions from that.
Go to his old PC, install Kaspersky antivirus, update it, clean his PC, then compile a new version of LBB. Only this can serve.
You seem to believe that LBB executables contain a genuine virus. You can easily discover if that is the case by submitting an LBB executable to Kaspersky for analysis. Instructions for doing that are here.

Look more carefully at the 'virus' description given by Kaspersky: it begins HEUR. This is short for heuristic, which means that it has not detected an actual virus signature in the EXE but instead is making a judgement based on what it considers to be 'virus-like characteristics'. Factors likely to be taken into account are whether the executable is signed, whether it contains a valid VERSIONINFO resource and so on. An important consideration may simply be that LBB executables are unusual, which is sufficient to raise the risk profile.
But in other countries, it isn't like that. We give all the priority to antivirus or we lose our files.
Windows Defender is an antivirus program, and a good one. It doesn't matter where you are, you do not need an additional program to provide adequate protection.
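The two properties the thread repeatedly points to as inputs to heuristic detection, a populated VERSIONINFO resource and an Authenticode signature, can be checked on a folder of freshly built EXEs before submitting anything to a vendor. This is an added example, not code from the thread or from LBB; the folder path and the function name are placeholders.

```powershell
# Added example: report VERSIONINFO completeness and signature status for each
# EXE in a folder, so you can see which of the two factors discussed above is
# missing before deciding whether to submit a false-positive report or sign.
function Test-ExeProvenance {
    param(
        [Parameter(Mandatory)][string]$Folder   # placeholder: your LBB output folder
    )

    # Fields the LBB 'Save standalone executable' dialog lets you fill in
    $fields = 'CompanyName', 'ProductName', 'FileDescription', 'FileVersion', 'LegalCopyright'

    Get-ChildItem -Path $Folder -Filter '*.exe' -File | ForEach-Object {
        $vi  = $_.VersionInfo                                  # FileVersionInfo block
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName  # Authenticode check

        # Empty VERSIONINFO fields are what the admin warns about above
        $missing = @($fields | Where-Object { [string]::IsNullOrWhiteSpace($vi.$_) })

        [pscustomobject]@{
            File            = $_.Name
            VersionInfoOK   = ($missing.Count -eq 0)
            MissingFields   = ($missing -join ', ')
            SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Usage with a placeholder folder; unsigned builds show SignatureStatus = NotSigned
Test-ExeProvenance -Folder 'C:\LBB\Output' | Format-Table -AutoSize
```

As the thread notes, both fields present and a valid signature reduce but do not eliminate heuristic detections; the report only tells you which of the two levers you still have.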
