View Full Version : VirusTotal Analysis for SB 8.5 #4754 compiled apps (2015/04/15)
NewsArchive
04-15-2015, 07:42 AM
SetupBuilder Developer Edition 8.5 #4754 compiled test install images
submitted to VirusTotal, a subsidiary of Google, for analysis.
---
VIRUSTOTAL TEST RESULTS:
https://www.virustotal.com/en/file/53f082eaf06f79eeba65da089aad7ab61cbf866d13e233f620 a84a62ac18dff4/analysis/1429102671/
File name: sb8virustotal_4754.exe
Detection ratio: 0 / 57
Analysis date: 2015-04-15
https://www.virustotal.com/en/file/905170c6ea9d58043f071a0daf7d075b4d947f3035f23c8212 9cd844c9e376c7/analysis/1429102835/
File name: sb8virustotalex_4754.exe
Detection ratio: 0 / 57
Analysis date: 2015-04-15
https://www.virustotal.com/en/file/c4a7dd2fb8e0c10cc15e58e5b8496d6e2c3b59418b3305212a 134a8fae79cea0/analysis/1429103302/
File name: sb85_4754_Dev.exe
Detection ratio: 0 / 57
Analysis date: 2015-04-15
Probably harmless! There are strong indicators suggesting that this file is
safe to use
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
NewsArchive
04-15-2015, 11:47 AM
Even the Chinese liked that one <g>
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-15-2015, 11:47 AM
>
> Even the Chinese liked that one <g>
>
Hehehehehe ;-)
Give them a few more days and see what happens <BG>
Friedrich
NewsArchive
04-15-2015, 11:48 AM
Yeah. A few hours later, you feel hungry again <g>.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-15-2015, 11:48 AM
>
> Yeah. A few hours later, you feel hungry again <g>.
>
<g> ;-)
Friedrich
NewsArchive
04-16-2015, 02:10 AM
Sigh....
(4754)
https://www.virustotal.com/en/file/ae702577105ad28cf67fa9aabd85aba13249f366a87d9ee2c7 37f6cedbea6b6d/analysis/1429158565/
Jane Fleming
NewsArchive
04-16-2015, 02:30 AM
Hi Jane,
AhnLab-V3 is still cool with my executables (tested one minute ago). And
even Jiangmin KV Antivirus (China) is <g>.
https://www.virustotal.com/en/file/a1bc70566074e4c306aaf1f818fe8b0434fc9809a87ecfa296 db2770ad5ca3ce/analysis/1429171704/
So perhaps the AhnLab-V3 antivirus pattern matcher looked for an unique
sequence of bytes that is specific to a piece of malware in your setup
executable and found it <g>. A simple re-compile might help, or not <g>.
But you should report it to AhnLab to make sure they do not have your
code-signing certificate "blacklisted": v3sos@ahnlab.com
Friedrich
NewsArchive
04-16-2015, 10:59 AM
Glad it's clear for you, Friedrich.
I tried two signed installers last night. Ahn complained about both.
I rebuilt one of the installers now and left it unsigned. Same thing.
Uploaded an earlier version of that file (March 5) signed with the same
certificate. Jiangmin and VBA32 complain, but Ahn has a happy green
checkmark.
Recompiled that exact same installer with 4754 and now Ahn doesn't like it
but Jiangmin and VBA32 are happy.
So I don't feel I'm special in Ahn's eyes. (Even though I am special, of
course <g>).
If it doesn't affect anybody else, I really don't care. (How's that for
attitude...?? )
jf
NewsArchive
04-16-2015, 11:00 AM
Hi Jane,
> If it doesn't affect anybody else, I really don't care. (How's that for
> attitude...?? )
I have created an empty project with #4754, compiled and uploaded it to
VirusTotal. And I did NOT code-sign it!
http://www.lindersoft.com/projects/Your_Project_Name-78.zip
https://www.virustotal.com/en/file/3badeb5117ff6df30941337b2fc333aeeeb1bb572244cbee42 57bf1f0ccabe1d/analysis/1429199003/
File name: Your Project Name-78.exe
Detection ratio: 0 / 57
Analysis date: 2015-04-16
So there seems to be "something" that Ahn doesn't like in your binary <g>
Friedrich
NewsArchive
04-16-2015, 11:00 AM
And another #4754 executable with all SB runtime files embedded.
https://www.virustotal.com/en/file/4c5c784d422e1526f0d9e023b25e7d294437bda185c375864f 26b55985bb88c1/analysis/1429200232/
File name: Your Project Name-79.exe
Detection ratio: 0 / 57
Analysis date: 2015-04-16
I'm very curious to know what might cause this.
Friedrich
NewsArchive
04-16-2015, 11:01 AM
Maybe she could send you her setup.exe?
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
#JeffWeCan https://www.youtube.com/watch?v=6UsHHOCH4q8&feature=youtu.be
NewsArchive
04-16-2015, 11:01 AM
> Maybe she could send you her setup.exe?
.... or just try leaving the virus out of the files to be installed
perhaps<g>?
:-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
04-16-2015, 11:02 AM
Hmm.
I did the same and DID sign it. No problem with my signed "hello world"
installer.
And built a from-scratch installer including the same 40 files, same
compression, same dual code-signing with the same certificate, same injected
installer icon as one of the ones it doesn't like... and Ahn is fine with
that one.
Wonder what it's tripping on?
If I'm interested enough, I'll create a from-scratch installer exactly
duplicating the one it hates and try to figure out exactly what it is.
But I probably won't be interested enough.....
jf
NewsArchive
04-17-2015, 03:52 AM
All right.
It wasn't any good anyway.
So I've lost my mind. Life seems so much simpler now.....
YOU have spent how many hours with this idiocy, Friedrich??
Attached is a simple project file. And two compiled versions.
Switch OFF the version info, and Ahn is happy.
https://www.virustotal.com/en/file/63a5555a70742af21f3f1cae4b3b83180bb1f2cc90ae731d15 ddb4405e2bfe55/analysis/1429247032/
Switch ON the version info, and Ahn is unhappy.
https://www.virustotal.com/en/file/307963b06e0c8a2591a1d9e115a1915acf2b1c69188cec2a29 c3f33d7cef4f99/analysis/1429246918/
It's just like the mind games in the Manchurian Candidate. Argh. I'm going
to start seeing Angela Lansbury in my dreams.....
Argh.
Jane Fleming
NewsArchive
04-18-2015, 10:14 AM
Friedrich,
Curious as to whether you got the same result with this test file?
Doesn't matter what I put on the version screen. Can leave all the fields
blank and Ahn gets triggered. Omit it and it doesn't.
jf
NewsArchive
04-18-2015, 10:15 AM
Jane,
Compiled your original "Friedrich.sb8" here on my machines and I can confirm
it:
https://www.virustotal.com/en/file/a31a60d35576af7f856d4027a094e949dfbdc697cd22f9a150 af2164c9e42246/analysis/1429370730/
Switch OFF the version info, and Ahn is happy.
Switch ON the version info, and Ahn is unhappy.
Even code-signing with my certificate does NOT help.
Very good finding.
Okay, but here's another scary finding:
Change the version resource in your original "Friedrich.sb8" to the attached
one... and Ahn is happy <vbg>
https://www.virustotal.com/en/file/dbebd4c96ed5eb96d7450fe3bc7a2b487341ad4ec7034add4b c1dfe88caeafea/analysis/1429371687/
This is how antivirus works. Reliable, stable, trustworthy... You are well
protected. Nothing can happen. Yeah, of course <g>
Friedrich
NewsArchive
04-18-2015, 10:22 AM
Added to the "Hall of Shame" and reported as false-positive.
http://www.lindersoft.com/forums/forumdisplay.php?17
Friedrich
NewsArchive
04-18-2015, 12:32 PM
Thanks!
That one took me a couple of hours of trial-and-error rebuilding an
installer piece-by-piece until I happened on the item that tripped the
false-positive.
Morons!!
Jane
NewsArchive
04-20-2015, 02:01 AM
Look at this:
Yesterday, the "empty.exe" test file triggered one "false-positive"
(AhnLab-V3). Symantec was cool.
https://www.virustotal.com/en/file/441b1d7ae1ac5730b44df81fad8fe84aea734d975b658eca3e 3161c1d64b059b/analysis/1429372997/
15 hours later I did a re-analyze of the VERY SAME "empty.exe" and Symantec
reports "WS.Reputation.1" now.
https://www.virustotal.com/en/file/441b1d7ae1ac5730b44df81fad8fe84aea734d975b658eca3e 3161c1d64b059b/analysis/1429514045/
There is absolutely no logic behind anti-virus systems and they went out of
control !!!
http://community.norton.com/en/forums/clarification-wsreputation1-detection
"...WS.Reputation.1 is a detection for files that have a low reputation
score based on analyzing data from Symantec's community of users and
therefore are likely to be security risks..."
This "empty.exe" test file is NOT code-signed and it already had a very low
reputation yesterday <g> (only one user, and that's me). You simply cannot
trust any protection software. The protection tool is the worst enemy of
all software applications.
Friedrich
NewsArchive
04-20-2015, 02:01 AM
Ahn said:
> First, sorry for the inconvinience about using your program.
>
> I requested that analyzes the file("empty.exe") to our assistance team.
>
> As soon as I get a feedback from that department, I will let you know the
> result.
Friedrich
NewsArchive
04-20-2015, 04:05 AM
Update:
> Hi, This is AhnLab Global Techniacal Assitance Center.
>
> In the last analysis, your software("empty.exe") was decided as
> a Normal file.
>
> This analysis will be reflected to our V3 engine after Apr.21
> 12:00 A.M.(GMT +09:00).
>
> After V3 engine updating, V3 will not detect your software as a malware.
Friedrich
NewsArchive
04-20-2015, 06:35 AM
Finally! A response, let alone a fix!
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-20-2015, 06:35 AM
Hi Russ,
>
> Finally! A response, let alone a fix!
>
Did a re-analyze and the good news is, Ahn fixed it. Cool.
https://www.virustotal.com/en/file/441b1d7ae1ac5730b44df81fad8fe84aea734d975b658eca3e 3161c1d64b059b/analysis/1429532565/
But Symantec is another story. As you can see above, it still reports
"WS.Reputation.1" because "WS.Reputation.1" is a detection for files that
have a low reputation score based on analyzing data from Symantec's
community of users and therefore are likely to be security risks. Hmmm, how
to fix this one? Wait, I have an idea. I'll compile a brand new
"empty1.exe" (same setup script <g>) with zero reputation and Symantec is
happy again. Ohhh boy...
https://www.virustotal.com/en/file/ae6266d145545029c0d35cef19ea7d0eb5c8ca622547240024 8049b2dec0d168/analysis/1429532826/
Friedrich
NewsArchive
04-20-2015, 07:43 AM
The Hydra was a multi-headed beast in ancient Greek mythology (famously
killed by Heracles) that grew two heads for every one cut off. Hmmm, you
can cut off one of the heads, after which the hydra grows! Ouch!
Protection software is "The Hydra" and developers of protection systems are
"hydra-headed" software vendors.
#hashtag Big Dislike!
Friedrich
NewsArchive
04-20-2015, 09:34 AM
Release the Kraken!
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-20-2015, 09:35 AM
I think I see the problem. If they are taking the community detection
traffic, are they then gathering many false positives as proof something
is bad?
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-20-2015, 09:35 AM
Russ,
> I think I see the problem. If they are taking the community
> detection traffic, are they then gathering many false positives
> as proof something is bad?
Interesting question. I have absolutely no idea :-(
Friedrich
NewsArchive
04-20-2015, 09:36 AM
I think they were bought out by wikipedia
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
#JeffWeCan https://www.youtube.com/watch?v=6UsHHOCH4q8&feature=youtu.be
NewsArchive
04-20-2015, 09:36 AM
>
>I think they were bought out by wikipedia
>
LOL
Friedrich
NewsArchive
04-21-2015, 02:04 AM
Its an old intelligence trick. Spread something false to multiple
sources. When someone hears something from multiple sources, it must be
true. Except those sources could have heard the same bad data.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-21-2015, 02:05 AM
Did a realize of the "Bad Friedrich" app I attached to my 4/16 message.
Now Ahn is clean, but Symantec has also decided that I don't have a
reputation ..... Which is VERY impolite of them!~
https://www.virustotal.com/en/file/307963b06e0c8a2591a1d9e115a1915acf2b1c69188cec2a29 c3f33d7cef4f99/analysis/1429561921/
jf
NewsArchive
04-21-2015, 02:05 AM
Realize = reanalyze
Jane Fleming
NewsArchive
04-21-2015, 02:06 AM
Hi Jane,
> Did a realize of the "Bad Friedrich" app I attached to my 4/16 message.
>
> Now Ahn is clean, but Symantec has also decided that I don't have a
> reputation ..... Which is VERY impolite of them!~
> https://www.virustotal.com/en/file/307963b06e0c8a2591a1d9e115a1915acf2b1c69188cec2a29 c3f33d7cef4f99/analysis/1429561921/
Yes, same here <g>.
https://www.virustotal.com/en/file/4dc869745e044dad21a4dc2b708fb70ff4d68d6f2696215266 8703c631b80655/analysis/1429597759/
Symantec is #hashtag #theworst
Friedrich
NewsArchive
04-21-2015, 12:29 PM
Same here. I think any new programs (or those with new names) will get
this attribute. Sounds like Symantec is causing more scares than giving
reassurances.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-21-2015, 12:30 PM
Hi Russ,
> Same here. I think any new programs (or those with new names) will get
> this attribute. Sounds like Symantec is causing more scares than giving
> reassurances.
If you analyze a new application file (not code-signed) with a Symantec
product then it does not complain. Symantec stores a hash of that file in
their mega database. But after a few hours, and if the reputation level did
change, you'll see "WS.Reputation.1". That is a cool technology...NOT.
Friedrich
NewsArchive
04-21-2015, 12:31 PM
It works for the tabloids.
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
#JeffWeCan https://www.youtube.com/watch?v=6UsHHOCH4q8&feature=youtu.be
NewsArchive
04-21-2015, 12:32 PM
Good lord!
Would using the billboard feature go a long way to warn those running
installs about some of these practices? :-)
--
Russ Eggen
RADFusion International, LLC
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.