Hi,
I just analyzed the image file with PeStudio (www.winitor.net/en/pestudio.html). The structure and other typical elements are just fine. I guess a cave is disturbing the AV programs.
Bests,
marc
I've compiled your speech.cpp/speech.vcproj from EmptyWinmainFalsePos.zip in VC++/VS 2008 and checked the Release build on virustotal today. The results are not as bad as for your EXE in EmptyWinmainFalsePos.zip.
virustotal reported 6 of 42 warnings for the file I compiled; below are the falsely detected items:
a-squared 4.5.0.50 2010.05.10 Trojan-Downloader.Win32.Agent.blbx!A2
ClamAV 0.96.0.3-git 2010.05.18 Trojan.Downloader-67835
Norman 6.04.12 2010.05.17 W32/Agent.KNLG
Prevx 3.0 2010.05.18 Medium Risk Malware
ViRobot 2010.5.18.2321 2010.05.18 Trojan.Win32.Downloader.37892
VirusBuster 5.0.27.0 2010.05.17 Trojan.DL.Agent.GSZH
It is obviously a problem of the AV listed above.
I think the right way is not to find a way to re-compile the file to get zero false detections, but to contact the developers of these AV and describe the problem and ask them to fix it in their AV software.
---------
Note for readers not believing in this problem:
Be sure, my computer is not infected, I'm shareware developer and my own application EXE file has reported 0/42 warnings (also compiled in VC++/VS 2008) - very good result.
I know about this problem on my own experience - false detection of AV software.
It is difficult to get 0 false detections.
Sometimes re-compiling a project with other options may help to get better results, sometimes signing a file with a code-signing certificate may help, sometimes using other options in the software protection system used for your file may help.
But the right way is to contact developers of AV.
Once such a contact gave positive result - the developers... replied!
modified on Tuesday, May 18, 2010 2:53 AM
The reason why it was not so bad at first scan is that a lot of av simply copy detections from other av.
Thus making false positives spread like fire after a few days. Try rescanning the same exe and report results here along with a link if you can. I bet a lot more will catch it now. Also don't upload it in a zip.
"There is always a better way"
a true story:
Years ago when Windows did not yet exist and virus checkers were young, I had a Borland C++ 2.0 compiler. I wrote beautiful programs. Until one day one of my programs was bounced by my company's inner network. When I asked at the helpdesk why it was bounced, they told me it contained a virus. So I looked into the matter. I removed every line of code and the remaining executable was still bounced (sounds familiar?)
Until I took the crt0 module (the thing that starts up the "main" function) and removed the copyright word "Borland"...
From that moment on, my executables were fine and cleared every virus checker of the nineteen-80's.
The moral:
The theory elsewhere in this forum, that virus checkers run blindly on heuristics, without human intervention, must contain some truth in it.....
Although I think you have a point, the files you uploaded for check-up are different;
Source of this image on vtotal;
File size: 20009 bytes
MD5 : c516b5f8e194c0f00994178c7db9b717
SHA1 : b187b95bd95ca157e4b75039c19ab1dbd571160a
SHA256: fad21b2be19f5619bbe538736ea720ff91ecc1f991087caa9d2cecb34d29c8ce
Next day it got worse (file size is doubled);
File size: 37888 bytes
MD5 : 92ccffff01d936f577b17028387dba62
SHA1 : 14c055acf4c8ee62e849affdd601375d613b792d
SHA256: fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3
Yup. The first one is the same binary in the zip file. Later I found out that two antiviruses don't scan inside archives but normally detect the file, so I stopped uploading in zip. More AV started catching it with or without zip and that was the message of the second image. Anyway I should probably remove the first image since.
"There is always a better way"
and it gets to your newly created exe file and when you upload it the antivirus software naturally detects it?
That would explain it
There is a simple test for it. Just compile your own empty winmain with VS2008 and the options mentioned in the article (or use the project file I attached to the zip). You will end up with the same binary.
Upload it to virustotal and report results back to us.
"There is always a better way"
..or what if most commercial antivirus software are just big words and simplified counter-measures against any software? that would explain it.
Am I missing something - I do not see a change log that indicates what were the changes/enhancements to this article...I did bookmark it, to read back on, and I do not see any changes? Maybe it would be helpful in future to make note of changes - what statements, extra headings etc...for the benefit of the reader and also for your benefit in ranking your articles as well...
Take care,
Tom.
#define SIG 1
#ifdef SIG
Tommie Brennan - ^(\w{6})\w*\s+\b(\w{1})\w*$
Visit my blog @ http://blog.tbits.ie
#endif
Does any virus scanner false-detect program built from the same project but with different entry point?
in another thousand years we'll be machines or gods
I think it is because of the signature....
Mostly the AVs report a trojan signature match with the empty winmain.
That worked for me.
But why is that ?
19/39 flag it as trojan/virus :|
Getting better ... 20/40 = 50% of all AV catch it now. virustotal ;)
"There is always a better way"
For some reason, one of the top anti-virus rating organizations gave Symantec AV a top rating. Not sure why, as it was undeserved. But that sparked a lot of interest.
While the newer Symantec product is not as bloated and cumbersome as their previous AV's, their detection algorithms are horrible. But worse than that, they have very few options for turning off things that may end up disastrous. The lack of user-set options, combined with the numerous false positives, can result in the loss of important files and data.
I believe that Kaspersky and Nod32 continue to be the most reliable AV programs. Still not foolproof, but their detection is way ahead of the lesser players like Symantec. (Note: I don't work for either company)
Here is a thread that talks about it.
Link
Look on page 2 at a post by Gary Egan (employee)
Heuristic scanning uses a bunch of statistical data and some sorts of AI algorithms (as far as I know Norton is using a Fuzzy Logic Algorithm). AV companies allow their software to detect more and more non-malicious code as malicious.
Recently my NOD32 started reporting that one of my IIS log files is a virus... It's just a text file, Eset!! On the other hand if you write a program that runs the "format c:" command it will not be detected as malicious.
I just don't think that anything can be done to stop these things from happening since there is no cure for paranoia...
My own personal favorite is probably one of the shittiest antivirus out there, F-Secure, terminating applications without any notification to the user (not to mention asking for permission to terminate a running application). If it sees a "threat" in any running app, it can just kill it from kernel without any notification whatsoever.
Nice article!
Edit: For the record, I have sent multiple copies of my software to antivirus heuristic scan coders to examine and possibly fix in their detections somehow. The feedback I got via email was: "Thanks for these samples, could you possibly provide more samples that we can add to the suspicious list? Best Regards, blabla".
I have no idea for what these guys are paid for.
More and more AV started detecting the file on vtotal. Will update article with new screenshot
"There is always a better way"
Hmm, today I rescanned the file on vtotal and the good news is that symantec "suspicious-insight" is gone. Bad news is that now it is symantec "Backdoor.Trojan" ;D.
"There is always a better way"
I tried this as well, however I didn't get the same results, only symantec flagged it:
Symantec 20091.2.0.41 2010.04.07 Suspicious.Insight
Everything else was clear. I tried 2 samples, one built with a Win32 App with a single .cpp file with your sample code in it, and another from a blank C++ Empty project. Both targeted for static Multi-threaded CRT (/MT) linking.
So other than the fact that the Symantec part is bogus (undoubtedly some bug in their code), everything else seems fine - I don't think the issue is with WinMain.
What happens if you test the app itself, as opposed to the zip file?
test1
test2
I added to the zip with the binary also the vs2008 dsp file. You should be able to reproduce the same binary.
"There is always a better way"
OK, well then maybe the problem is not with the exe at all, but the combination of:
1) a really small exe
2) an exe inside of a zip file
Maybe some of the virus scanners see both and "assume" the worst?
Well I think it's more about libc and that AV started to treat it as malware, than size or zip. Meantime I found a combination of switches that was causing an additional 38% of AV to go on my poor old project file. Nuts. I added them to the updated article.
"There is always a better way"
modified on Wednesday, April 7, 2010 3:18 PM