Avira antiVirus

[Arnold]

Hi Charles,

since I must use a different AV scanner with my notebook I experience restless times sometimes. Of course I know that there must be at least a basic protection against malware but sometimes it is a little bit problematic, e.g. I read this blog and the responses:

http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/

As I wanted to learn a bit more about malware I found a link for some tools at:
https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/

I used the freeware version of PEStudio - which is no virus scanner but looks for markers - for a quick start, because I wanted to know why gxo2.exe and oxygen.dll are not marked as infected but co2.exe and oxide.exe are flagged as malware by some AV scanners. I found that oxygen.dll and gxo2.exe contain some strings with gcc... which might be sufficient for these scanners.

I experimented a little bit and added version info and manifest to co2.exe and oxide.exe and I can confirm Mike's statement that this helps with some AV scanners (results got down from 9 to 4). Maybe using an icon group with 32*32/256 and 16*16/256 will help too.

As this did not work for Avira I reported the original files and was confirmed that these results were false positives. Thus the original co2.exe/14.11.2016 and oxide.exe/15.11.2016 will be accepted by Avira, the executables created by the apps will not. Even worse: my co2.exe with version info and manifest are still marked as TR/Crypt.XPACK.Gen2 although it is the same compiled code. So Avira must use a different heuristic but I got no detailed information.
 
I looked for some information about TR/Crypt.XPACK.Gen2 and found this link:
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=9217231

Virus characteristics show other names used:
McAfee Detection  RDN/Ransom!el
AVG (GriSoft)       Win32/DH{O1AWgQVU}
avira                   TR/Crypt.XPACK.Gen2
Kaspersky            HEUR:Trojan.Win32.Invader
Dr.Web                Trojan.Encoder.815
Microsoft              Ransom:Win32/Denisca.A
Symantec             Suspicious.MH690.A
Eset                     a variant of Win32/LockScreen.BHI
norman                Dogkild.E
vba32                  BScope.Trojan.Diple

It seems that you have to satisfy at least Avira, McAfee, Avast/Avg, Symantic to be on the safe side. Mike's other hints about checksums certainly can help further. Is there an instructive link anywhere about PE files?

Roland

[Mike Lobanovsky]

You've done a great job, Roland, thanks a lot!

Judging by the time it took you to dig up all this info since your last post on the site, you now realise in full how laborious and complicated the task of fighting AV false positives is. And how in fact destructive all this AV business has become, both morally and materially, to the interests of law abiding indie developers in the recent 10 years or so.

I recon a compiler development project should enroll at least one technician on a full-time basis to handle all the relevant bureaucracy. But this is something that a one person project like OxygenBasic simply cannot afford. The developer is meant to develop and not to waste his life fighting the spam and unfair competition on behalf of the numerous AV sharks all around that have turned their "free" scanners into a kind of ransomware that's much, much worse than the malware it is allegedly supposed to fight.

[JRS]

I'm about to releease a beta test of Script BASIC for Windows and not looking forward to the AV noise that might come of it. My hope being an interpreter the bastards will cut me some slack.

[Charles Pegge]

Binaries created by GCC and VS are less prone to AntiVirus attack, which is why gxo2.exe and Oxygen.dll, using FreeBasic, which in turn, uses the GCC toolchain, are not attacked.

In my search for a new notebook, I came across a customer review, which described how installing AVG on his new PC (after removing macafee), trashed the Windows OS, requiring a full re-installation - taking several hours to recover.

[Arnold]

Hi Charles,

although I know that I cannot be of any help with this issue, I wanted at least inform you about my observations (and my frustration).
As long as oxygen.dll, gxo2.exe, co2.exe and oxide.exe are accepted by the scanners I do not encounter problems with running the .o2bas files. So using oxygen.dll embedded in other languages like Thinbasic or Scriptbasic there should be no problem.

The trouble starts if I compile the files to an exe, with or without Rtl32.inc - Rtl64.inc seems to have less problems at the moment. So probably you have to find a solution for the runtime.

Checking some files with PeStudio and studying the information of Virustotal I found that some compiled files have a signature (e.g. Pelles C), some files compiled with freebasic contain strings gcc... and  Powerbasic files contain Powerbasic in the string section. I read about authentihash, imphash, TrID but in fact I do not know if anything could really help to improve the acceptance of the runtime library.

This is the third (Freeware version) of AV scanner which I installed on my old machine and I will keep it until it is broken or Vista is completely dead. But I feel like expressed in this blog:

http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

Three weeks ago there was peace and harmony with my machine. Now I am surrounded by all kind of threats. Lot of apps experience an extreme vetting, green cards are not valid any more, general travel bans are in command. My apps end up in quarantine and ask: what have we done? Are we really the threat?

BTW: I tried to start the LV StatusBar.exe of Chris just some minutes ago - hush - it was shooed into inquisition. Now the app is blocked and I have to wait for permission to start the example. I know I can treat this differently, but I wanted to feel like thousands (millions?) of trusting users.

Roland

[chrisc]

Hi Roland

I have attached a Virustotal antivirus scan of LV statusbar.exe showing there is NO virus except 2 false positive?
This is just an exe file from Powerbasic compiler?


.

[Arnold]

Hi Chris,

there is nothing wrong with your files. I just wanted to show the behaviour of my AV scanner. Even Powerbasic files and Pelles C compiled files are scanned heavily by my scanner. But all (Free version) scanners do this. Sometimes more, sometimes less.
The difference with Oxygen compiled exe files is that these scanners block the files and report them as (possible) malware. I tested a little bit and reported some of the files and they are all (all) confirmed as false positives. But what does this help? The next time I compile the same file some minutes later again the trouble starts anew, only because of a different sha checksum. It is dreary.

Roland

[Charles Pegge]

Our o2 DLLs do not seem to trigger any false positives, testing with VirusTotal.com. So I wonder whether this phenomenon can be utilised to find a solution.