Last night I completed a client project, tested and uploaded to client.
This morning they advised me that McAfee was blocking the exe.
To my surprise when I run it here Norton 2011 Sonar stopped execution and deleted the exe.
So this morning's Norton update (and McAfee's??) has included a false positive again!! I have re-compiled a number of older projects on my main Win9/64bit/CS5 PC, all now get blocked/deleted. Which is NOT good. In fact old exes (compiled a few months ago) also get blocked/deleted.
Interestingly a portable running Win7/64 bit but older Norton 2009 (doesn't have Sonar) worked okay.
I recompiled on a Vista machine with NC 3.6, and the app worked on all PCs.
1) What can I do if NC 3.8 created exes are for the moment triggering false positives?
2) When is 3.9 due and will it solve the issue?
Note: I have tried simple and medium sized apps all of which used to work, most have embedded flvs or swfs and additional files. I suspect it's the de-compression to and creation of the temp folder that triggers the Sonar warning "Suspicious activity".
Anyone got the same issues?
The problem will never be solved completely because the antivirus companies can ship new virus definition files any time they want and we have no control over what they decide to flag as "virus like" activity. We've improved things in 3.9 by changing our player engine, but there's no guarantee that the antivirus companies will leave us alone.
Yep I hear your frustration.. it's not NC's fault.
Just a little bit of a problem when the antivirus s/w deleted the EXE off the client's machine!
I re-installed NC 3.7 - Norton didn't like stub??.exe so killed the install.
NC did work after a re-boot, and the outputted EXE wasn't flagged as a virus.
But now after a few hours Norton has decided not to flag and delete all EXEs created with 3.8 ... so go figure?
Usually before a release I run a few test EXE files (using different features) through virustotal.com and then submit anything that gets flagged to the biggest antivirus vendors so they know about us before we release.
I just built a simple EXE with the current build of 3.9 and uploaded it to virustotal.com (see results below) and it only tripped 3 of the 43 scanners they support. I've never heard of Jiangmin and TrendMicro obviously uses the same scanner for both products.
We're going to try and stay on top of this as updates are released so the antivirus scanners don't get ahead of us until we can find a better solution for creating our EXE files that looks more like a standard EXE file.
AhnLab-V3 - 2011.03.07.06 - 2011.03.07 - -
AntiVir - 126.96.36.199 - 2011.03.07 - -
Antiy-AVL - 188.8.131.52 - 2011.03.06 - -
Avast - 4.8.1351.0 - 2011.03.07 - -
Avast5 - 5.0.677.0 - 2011.03.07 - -
AVG - 10.0.0.1190 - 2011.03.07 - -
BitDefender - 7.2 - 2011.03.07 - -
CAT-QuickHeal - 11.00 - 2011.03.07 - -
ClamAV - 0.96.4.0 - 2011.03.07 - -
Commtouch - 184.108.40.206 - 2011.03.07 - -
Comodo - 7907 - 2011.03.07 - -
DrWeb - 5.0.2.03300 - 2011.03.07 - -
Emsisoft - 220.127.116.11 - 2011.03.07 - -
eSafe - 18.104.22.168 - 2011.03.07 - -
eTrust-Vet - 36.1.8200 - 2011.03.07 - -
F-Prot - 22.214.171.124 - 2011.03.07 - -
F-Secure - 9.0.16440.0 - 2011.03.07 - -
Fortinet - 126.96.36.199 - 2011.03.07 - -
GData - 21 - 2011.03.07 - -
Ikarus - T188.8.131.52.0 - 2011.03.07 - -
Jiangmin - 13.0.900 - 2011.03.07 - Backdoor/Bifrose.ynm
K7AntiVirus - 9.92.4048 - 2011.03.07 - -
Kaspersky - 184.108.40.206 - 2011.03.07 - -
McAfee - 5.400.0.1158 - 2011.03.07 - -
McAfee-GW-Edition - 2010.1C - 2011.03.07 - -
Microsoft - 1.6603 - 2011.03.07 - -
NOD32 - 5934 - 2011.03.07 - -
Norman - 6.07.03 - 2011.03.07 - -
nProtect - 2011-02-10.01 - 2011.02.15 - -
Panda - 10.0.3.5 - 2011.03.07 - -
PCTools - 220.127.116.11 - 2011.03.07 - -
Prevx - 3.0 - 2011.03.07 - -
Rising - 23.48.00.06 - 2011.03.07 - -
Sophos - 4.63.0 - 2011.03.07 - -
SUPERAntiSpyware - 18.104.22.1686 - 2011.03.07 - -
Symantec - 2022.214.171.124 - 2011.03.07 - -
TheHacker - 126.96.36.199.145 - 2011.03.06 - -
TrendMicro - 188.8.131.522 - 2011.03.07 - PAK_ScramUPX
TrendMicro-HouseCall - 184.108.40.2062 - 2011.03.07 - PAK_ScramUPX
VBA32 - 220.127.116.11 - 2011.03.04 - -
VIPRE - 8630 - 2011.03.07 - -
ViRobot - 2011.3.7.4345 - 2011.03.07 - -
VirusBuster - 18.104.22.168 - 2011.03.07 - -
I couldn't find any decent info about Backdoor/Bifrose.ynm, just on Backdoor/Bifrose (very low risk according to Symantec) and some variants.
TrendMicro had this to say about PAK_ScramUPX. Basically they flag anything compressed with UPX as malware.
TrendMicro is an abortion. If you use AV, use anything but Trend Micro.
I didn't have many problems with Avira or Avast, and MSSE has been working quietly without issue.
If Trend does not like UPX packing why don't you give us an opportunity to switch it off?
I am sure most Northcode users would like to have a few additional megs rather than anti-virus warnings. Explaining why an application is big is much easier than explaining a false positive.
It would be a really nice feature to have an unpacked *.exe if this stops this AntiVirus software mess.
I got a response from NOD ESET 32
The antivirus is triggering on the Molebox packer you are using. This is targeted detection and will not be corrected.
The file is not detected as a virus, but as potentially unwanted software.
Sincerely, Technical Support
Pavel S: UPX should NEVER trigger antivirus software. UPX is for compression of EXE files to make them smaller, load faster, etc. They are not encrypted so the antivirus software can easily extract the original EXE and scan it to make sure it's clean. Any vendor that doesn't do this is either lazy or incompetent, there are no other explanations.
mashnin: Molebox is a utility that allows the Flash OCX to be used without installing it on your system. Is it used by malware writers? Probably. I bet a lot more of them use Visual C++ but the morons from ESET didn't target Visual C++ did they? If enough people are using it that they specifically target it they should be talking to the vendor to find out more about it. But that takes time, money and someone who cares about doing a good job.
Instead, ESET is so scared of missing a virus (they claim to have a perfect detection record) that they just flag everything. That's lazy. The fact that they know a piece of technology is being used and don't take steps to investigate further tells me they really don't care about anything more than separating you from your money.
I fully agree that the problem is with the AV software, not Northcode. But these false positives will appear on end users' machines and we have no other choice but to solve this problem ourselves one way or another. If an unpacked executable is the solution - let's try. If there are technical problems with this functionality - please tell us. If for some reason you don't want to include this functionality in the ordinary build - let's discuss the possibility of creating a customized build.
Just a quick update... I nuked UPX but we're still using compression and the EXE size is up from 3.8M to 4.0M, but the good news is that an EXE I just generated from the latest 3.9 beta didn't trigger any of the VirusTotal scanners (0/43). Much more testing is required but this is promising.
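A pre-release check for the packing signals this thread is about, as an added example that is not part of the original posts or Northcode's code: it reads the PE section table of a build, reports UPX-style section names (the trait behind a label like PAK_ScramUPX) and any section whose content is near-random, which is how compression still shows up after UPX is removed. The 7.0 bits-per-byte threshold and the two sample images are assumptions constructed for the example.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Return [(name, raw_bytes)] read from the PE section table."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", image, pe_off + 6)     # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe_off + 20) # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(count):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        out.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return out

def packer_report(image: bytes, threshold: float = 7.0):
    """Flag UPX-style section names and sections with near-random content."""
    sections = pe_sections(image)
    return {
        "upx_sections": [n for n, _ in sections if n.upper().startswith("UPX")],
        "high_entropy": [n for n, d in sections if entropy(d) >= threshold],
    }

def build_sample(sections):
    """Constructed minimal PE image (headers, section table, raw data) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, table, body = 64 + len(coff) + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII16x", name.encode(), len(data), 0, len(data), ptr + len(body))
        body += data
    return dos + coff + table + body

# Constructed inputs: a UPX-style layout and a plain layout with one compressed section.
PACKED = build_sample([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
PLAIN = build_sample([(".text", b"hello world " * 50), (".rsrc", bytes(range(256)) * 4)])
```

A clean report does not predict what any scanner will do; it only tells you whether a build carries the traits the vendors in this thread said they key on.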
This is really good news! Do you have any planned date when version 3.9 will be ready?
There's an issue with virtualized registry support in the beta right now and there is some outstanding documentation that needs to be written and updated. The doc issues can be resolved in a day or two, the registry stuff is all that's holding us up right now. Join the beta and stay in the loop :)
Just did it) Will check your build with couple of W7 and Vista machines. I am using a lot of swf studio functionality, so I believe it can help.
A beta Page?!
WoHo! I am IN!
I'm sure Tim will remember me from the amount of mails I've sent regarding false positive flags.
I'd like to share my experience.
After switching from v2.2 to v3.8, I got a lot of reports in my forum about virus/trojan/worms.
My exe packs 2 plugins, http and filesys.dll
Uses Inno Setup for installation.
I also use VirusTotal to check.
They're not 100% reliable, and what is safe today may not be tomorrow. (but better than nothing)
Many attempts were made at trying to calm down my users that the virus flags are false, and should fix themselves after the next definition update or so.
And I do get the impression that my fans believe me.
Problem is, they can't do anything to prevent their AV scanner from deleting my exe. Nor will those who already paid yearly subscription want to switch.
I don't fault those who don't believe me too. I'm a 1 man unknown developer releasing a freeware vs a known brand.
As lazy and incompetent as they are, they score higher in confidence to the masses.
How I fixed the false positive:
It seems that dlls extracted during runtime were the culprit.
Maybe it was just filesys.dll - purpose to access/modify. I don't know.
My solution is NOT to bundle plugins into the exe.
Nothing is ticked in the Plugins Tab.
The 2 dlls that I needed were added and installed through InnoSetup.
Destination was set to the same folder as my exe.
This way, the dlls are not extracted during runtime.
It worked for me, and I haven't had any false positive issues since.
I'm glad NC is looking hard into the false positive issue in 3.9. But frankly, since I'm already deploying using a 3rd party installer, I will still continue this way, better safe than sorry.
I am unable to use SWF Studio now because Norton Sonar just deletes the exe file.
Which EXE file? Studio.exe or the EXE files that SWF Studio creates? If it's complaining about Studio.exe you can add it to the exclusion list, if it's the EXE files that are created... there was a post about joining the 3.9 beta to see if that resolves your anti-virus issues.
edit: just saw your beta request, it's on the way
It's the exe file that studio creates.
I just wanted to let you know that photoman's solution (see above) works fine for me.
I have created a Chinese vocabulary trainer in Flash that needs to save data reliably (i.e. in text files instead of shared objects). I am only able to do that thanks to SWF Studio V 3.8.
When trying to upload my SWF Studio enhanced application to my server www.hantrainerpro.de, the FTP server rejects the file with the message
" 550 Virus Detected and Removed: Trojan.Bifrose-14946"
I have now followed the advice by photoman in the forum (http://www.northcode.com/forums/showthread.php?p=52660#post52660) and set the executable type (in output > output file) to "Unbundled + Flash". This works (i.e. no false positive). I am guessing that the compression might have been the reason for the false positive in my case.
It would be great if there was another "executable type" such as "Standalone (no compression)" to avoid such cases.