View Full Version : False-Positive Hell (need your help)
NewsArchive
03-21-2019, 11:51 AM
All,
I need your help! The false-positive rate on one of our compiler files
(0000.LIB) exploded. Of course, this file is virus- and malware free.
There seems to be a specific combination of bytes in the .lib which triggers
it.
The file is located in your SetupBuilder 2019.2 \Bin32 folder. I have
attached it (as ZIP).
If possible, please submit it as a false-positive whenever you have a
chance.
Thank you for your help.
Of course, I have already contacted all the major protection software
vendors.
Friedrich
--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
Voice: +1.954.537.3701 | Fax: +1.954.537.3702
--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
NewsArchive
03-21-2019, 11:52 AM
Friedrich,
> I need your help! The false-positive rate on one of our compiler files
> (0000.LIB) exploded. Of course, this file is virus- and malware free.
How do I know this is the REAL Friedrich Linder?!<g>
> If possible, please submit it as a false-positive whenever you have a
> chance.
Any help on how to do that would be appreciated?
Ad-Aware
ALYac
Arcabit
BitDefender
Cybereason
Emsisoft
eScan
GData
Jiangmin
MAX
McAfee
McAfee-GW-Edition
Palo Alto Networks
Qihoo-360
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
NewsArchive
03-21-2019, 11:53 AM
Lee,
>
> How do I know this is the REAL Friedrich Linder?!<g>
>
Well, you have my word on it <vbg> ;-)
>> If possible, please submit it as a false-positive whenever you have a
>> chance.
>
> Any help on how to do that would be appreciated?
>
> Ad-Aware
> ALYac
> Arcabit
> BitDefender
> Cybereason
> Emsisoft
> eScan
> GData
> Jiangmin
> MAX
> McAfee
> McAfee-GW-Edition
> Palo Alto Networks
> Qihoo-360
Some vendors make it nearly impossible to report a false-positive. They
even ask you to download and run an application to report it. WTH? THIS IS
RIDICULOUS! And then the program looks like the attached one.
To make it even worse, it's so hard to find the false-positive reporting
links (if available) and e-mail addresses (if available).
Here are some cool guys:
www.360totalsecurity.com/en/suspicion/
http://support.mwti.net/support/index.php?/Tickets/Submit
https://su.gdatasoftware.com/us/sample-submission/
To make it even worse, whatever SetupBuilder "stub" loader (0000.LIB) I
compile, even a simple "hello world" gets flagged. There seems to be a
specific combination of bytes in the Microsoft VC++ compiler that triggers
it.
This is a nightmare! Already spent 12 hours on this and false-positive rate
exploded from 5 to 16.
Friedrich
NewsArchive
03-21-2019, 11:54 AM
Friedrich,
> > How do I know this is the REAL Friedrich Linder?!<g>
>
> Well, you have my word on it <vbg> ;-)
Ok, if that's all you got!<g>
> This is a nightmare! Already spent 12 hours on this and false-positive rate
> exploded from 5 to 16.
It would nice if the virustotal.com list had the failed brand names
setup as links to access the individual submission forms.
Hey, are we having fun yet?!
--
Lee
NewsArchive
03-21-2019, 11:55 AM
Lee,
>> Well, you have my word on it <vbg> ;-)
>
> Ok, if that's all you got!<g>
<ROFL>
> It would nice if the virustotal.com list had the failed brand names
> setup as links to access the individual submission forms.
Absolutely!!!
>
> Hey, are we having fun yet?!
>
I found out what triggers it... wait a moment. This gets better and
better -- now I know that protection software products are worth every
penny...NOT.
Friedrich
NewsArchive
03-21-2019, 11:56 AM
Okay, here we go <g>. This is my analysis. All these brilliant systems
flagged the SetupBuilder 0000.LIB stub loader because of "Gen:Variant.Kazy"
https://community.f-secure.com/t5/F-Secure-SAFE/Gen-Variant-Kazy-79682-virus-How/td-p/29738
See the attached screenshots. 12 engines (three vendors already fixed their
bug) detected the virus in the TEXT STRING <g>.
I changed the text to "Hello Lee. We are having fun" and the virus is gone
<vbg>. This is magic ;-)
Now I have to find the exact word or combination of bytes in my original
text string that triggers the virus flag. Oh boy :-(
Friedrich
NewsArchive
03-21-2019, 11:57 AM
Friedrich,
> I changed the text to "Hello Lee. We are having fun" and the virus is gone
> <vbg>. This is magic ;-)
Try adding "THIS FILE IS VIRUS FREE" and see what THAT does?!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
NewsArchive
03-21-2019, 11:57 AM
Lee,
> Try adding "THIS FILE IS VIRUS FREE" and see what THAT does?!<g>
That's a killer idea <vbg>.
Okay, it's definitely in the following specific string. I have to remove
word for word and re-compile and re-test.
"%s problem and needs to close. Please contact the vendor of this product
with the error code below for support.\n\nThe most likely cause for this
error is having too high of a security level on your PC. Please disable your
virus and/or anti-spyware protection as well as your firewall during this
installation.\n\nError Code#: 000%i:000%i%s\n"
I bet $1.00 on "virus" and another $1.00 on "anti-spyware" <vbg>
Friedrich
NewsArchive
03-21-2019, 11:57 AM
Okay, I changed the text string from:
"%s problem and needs to close. Please contact the vendor of this product
with the error code below for support.\n\nThe most likely cause for this
error is having too high of a security level on your PC. Please disable your
virus and/or anti-spyware protection as well as your firewall during this
installation.\n\nError Code#: 000%i:000%i%s\n"
to:
"%s problem and needs to close.\n\nThe most likely cause for this error is
having too high of a security level on your PC. Please disable your virus
and/or anti-spyware protection as well as your firewall during this
installation.\n\nError Code#: 000%i:000%i%s\n"
and the "Gen-Variant-Kazy" false-positive is gone <g>
In other words, all these super duper high tech protection software products
dislike the sentence "Please contact the vendor of this product with the
error code below for support."
This is scary. Really scary.
Friedrich
NewsArchive
03-21-2019, 12:19 PM
Friedrich,
> This is scary. Really scary.
To say the least!
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
NewsArchive
03-21-2019, 02:05 PM
Okay, it can't be stopped. Already 17 engines detect this 0000.LIB compiler
component. One protection vendor copies false-positives from another.
We have to make a hotfix available tomorrow to work around this issue.
I am sorry for the inconveniences.
Friedrich
NewsArchive
03-21-2019, 02:05 PM
Friedrich,
> I am sorry for the inconveniences.
If YOU were responsible then you could apologize but you aren't so
don't. Got it? Good!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
NewsArchive
03-21-2019, 02:06 PM
>> I am sorry for the inconveniences.
>
> If YOU were responsible then you could apologize but you aren't so
> don't. Got it? Good!<g>
<G>. I got it ;-)
I just looked in the mirror and it freaked me out a little bit <g>. What a
day...
Friedrich
NewsArchive
03-21-2019, 02:09 PM
Guess I should wait to make a new install... right?
Ray Rippey
VMT Software
On 03/21/19 10:44 AM, Friedrich Linder wrote:
> and the "Gen-Variant-Kazy" false-positive is gone <g>
NewsArchive
03-21-2019, 02:10 PM
> Guess I should wait to make a new install... right?
YES!!!! :-)
Friedrich
NewsArchive
03-22-2019, 08:53 AM
> In other words, all these super duper high tech protection software
> products dislike the sentence "Please contact the vendor of this product
> with the error code below for support."
Update: even Microsoft flaggs it as "PUA:WIN32/PRESENOKER" now. It's a kind
of highly dangerous Trojan virus which silently infiltrates your PC by
stealth and starts executing malicious activities in the background.
And all the false-positives are triggered by the sentence: "Please contact
the vendor of this product with the error code below for support."
Unbelievable. So there is a specific combination of bytes in this sentence
that represents the footstep of a dangerous thing. I don't trust protection
products any longer <g>.
Down to "10 engines detected this file". But we'll make a new build
available today. We have to recompile all #6187 generated apps.
Friedrich
NewsArchive
03-22-2019, 08:54 AM
You'll get it figured out my friend. You always do.
Don
NewsArchive
03-22-2019, 08:54 AM
>
> You'll get it figured out my friend. You always do.
>
THANK YOU, Don !!
Friedrich
NewsArchive
03-28-2019, 03:10 AM
My Avira antivirus passed it as clean. 8-)
Maybe try storing the text in a different form, so it has different
bits? 16bit char? Or encrypt it? But encrypting might make them even
more suspicious...
Break the string into shorter parts, then put them together at
runtime? Or maybe rephrase it, like you would on an unsecure phone
line, to remove suspicious words.
I wonder if the filename it's self is suspicious? Call it
LindersoftStub.dll, at least it would not seem like hiding it ! 8-)
HTH,
Carl Sumner
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.