Discussion:
After Install/Run antivirus software classifies my EXEs as 'suspicious'
GS
2013-12-20 02:33:20 UTC
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless of
where the app is located. Is there a standard 'flag' that needs
setting, at design time, or registration action required on install?
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
ralph
2013-12-20 03:41:46 UTC
Post by GS
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless of
where the app is located. Is there a standard 'flag' that needs
setting, at design time, or registration action required on install?
LOL.

First off, is this a joke? Of course there is no such 'flag'! If there
really was such a thing the very first step anyone, planning evil,
would do is to set the 'flag'. <G>

Your application is considered 'suspicious' because when scanned by
antivirus software it appears to contain malicious code. Exactly what
that code might be can be difficult at times to determine. Your app
may in fact, albeit innocently, be attempting to do something
considered nefarious.

Take a hard look at what your application is doing. If it is taking
liberties with security - re-write it.

Or it may be a false positive. This happens on occasion and can come
about purely by accident. Some arrangement within your application of
perfectly benign statements creates a series of bits in the binary
which map 'signatures' of known malware.

Can be very tough to ferret out. Unfortunately, the usual procedure is
to remove blocks of functionality until you can isolate the problem to
a limited area, then often a simple rearrangement of code can resolve
the problem.

Then of course your compiler, components, or installer may have picked
up a virus. Is your development box clean?

Most antivirus software allows you to over-ride some complaints.
Generally considered unwise to grant exceptions but can be employed in a
pinch. In-house that is. Don't expect any customers to be so trusting.
<g>

-ralph
GS
2013-12-20 04:03:34 UTC
Post by ralph
First off, is this a joke? Of course there is no such 'flag'! If there
really was such a thing the very first step anyone, planning evil,
would do is to set the 'flag'. <G>
Yeah.., dumb Q now that I think of it!
Post by ralph
Your application is considered 'suspicious' because when scanned by
antivirus software it appears to contain malicious code. Exactly what
that code might be can be difficult at times to determine. Your app
may in fact, albeit innocently, be attempting to do something
considered nefarious.
They're frontloader EXEs that automate Excel, mostly. (One is an actual
VB6 app)
Post by ralph
Take a hard look at what your application is doing. If it is taking
liberties with security - re-write it.
Not the case, though they all use WMI at startup.
Post by ralph
Or it may be a false positive. This happens on occasion and can come
about purely by accident. Some arrangement within your application of
perfectly benign statements creates a series of bits in the binary
which map 'signatures' of known malware.
Can be very tough to ferret out. Unfortunately, the usual procedure is
to remove blocks of functionality until you can isolate the problem to
a limited area, then often a simple rearrangement of code can resolve
the problem.
Perhaps I'll test without the code using WMI. Everything else is basic
VB...
Post by ralph
Then of course your compiler, components, or installer may have picked
up a virus. Is your development box clean?
Yes!
Post by ralph
Most antivirus software allows you to over-ride some complaints.
Generally considered unwise to grant exceptions but can be employed in a
pinch. In-house that is.
Yeah, I have to set exceptions on their top level folder in my
antivirus software.
Post by ralph
Don't expect any customers to be so trusting.
--
Garry

Tony Toews
2013-12-20 05:59:39 UTC
Post by ralph
Exactly what
that code might be can be difficult at times to determine.
I once had a Microsoft Access database with queries, forms, reports
and VBA code flagged as malicious. I was happily working in it and my
A/V software happily deleted it on me.

A true PITA to work with. I sent a copy of the MDB to the anti virus
vendor and worked on something else for a few days until the problem
stopped happening after an update.

Tony
Mayayana
2013-12-20 04:06:00 UTC
Karl Peterson had an interesting piece about that
kind of problem a few years ago. It might be of some
value in your case:

http://visualstudiomagazine.com/articles/2008/01/29/are-you-safer-now.aspx

I haven't noticed any particular trouble with AV, but
those programs have become blown way out of
proportion, and there's an increasing tendency to
simply cast suspicion on anything unknown. If it's
not a common, corporate program then it's guilty
until proven innocent.


"GS" <***@somewhere.net> wrote in message news:l90a9j$n0l$***@dont-email.me...
| What do other installed apps have that prevents antivirus software
| from blocking them? I have a problem with being blocked regardless of
| where the app is located. Is there a standard 'flag' that needs
| setting, at design time, or registration action required on install?
|
GS
2013-12-20 04:48:53 UTC
Post by Mayayana
Karl Peterson had an interesting piece about that
kind of problem a few years ago. It might be of some
http://visualstudiomagazine.com/articles/2008/01/29/are-you-safer-now.aspx
I haven't noticed any particular trouble with AV, but
those programs have become blown way out of
proportion, and there's an increasing tendency to
simply cast suspicion on anything unknown. If it's
not a common, corporate program then it's guilty
until proven innocent.
Post by GS
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless
of where the app is located. Is there a standard 'flag' that needs
setting, at design time, or registration action required on install?
Thanks for that! My apps don't use the Registry for anything.., not
even file associations! The gist of the article does align with Ralph's
comments, though.

Just did some testing with apps that do use the Registry and they run
fine. Also tested apps that don't use WMI and they also run fine. Looks
like I might need to put that code in a DLL. Note that my Excel addins
that use WMI run fine. Hmm...
--
Garry

Mayayana
2013-12-20 13:32:07 UTC
| Just did some testing with apps that do use the Registry and they run
| fine.

That was just an example he ran across. There could be
other strings that might have an effect. AV that I've seen
tends to be "dumb on the safe side", doing things like raising
flags on all .vbs files, simply because they were used years
ago to write malware, rather than looking at the code....
and all the while giving EXEs a pass.

| Also tested apps that don't use WMI and they also run fine. Looks
| like I might need to put that code in a DLL. Note that my Excel addins
| that use WMI run fine. Hmm...

It seems odd that AV might be set off by WMI. It's
used extensively in corporate IT. On the other hand,
most of WMI is just bloated, slow, redundant wrappers.
I can't think of anything it has that isn't easily got
elsewhere, with one exception: The system information
functions are very extensive and seem to be in WMI-
specific libraries. Even in scripting I only use WMI for
system info and for the Registry functions (because
WScript.Shell.Reg* functions are not dependable).
ralph
2013-12-20 16:39:24 UTC
On Fri, 20 Dec 2013 08:32:07 -0500, "Mayayana"
Post by Mayayana
It seems odd that AV might be set off by WMI. It's
used extensively in corporate IT. On the other hand,
most of WMI is just bloated, slow, redundant wrappers.
I can't think of anything it has that isn't easily got
elsewhere, with one exception: The system information
functions are very extensive and seem to be in WMI-
specific libraries. Even in scripting I only use WMI for
system info and for the Registry functions (because
WScript.Shell.Reg* functions are not dependable).
Just for the record, you do understand that WMI (Microsoft Windows
Management Instrumentation) is designed for *script* administrative
management? It is based on an Industry Standard (CIM).

http://en.wikipedia.org/wiki/Common_Management_Information_Protocol

"Lean 'n mean" has never been a goal. <g>

-ralph
Mayayana
2013-12-20 23:09:17 UTC
| Just for the record, you do understand that WMI (Microsoft Windows
| Management Instrumentation) is designed for *script* administrative
| management? It is based on an Industry Standard (CIM).
| http://en.wikipedia.org/wiki/Common_Management_Information_Protocol
|
| "Lean 'n mean" has never been a goal. <g>
|
But it's noticeably slow even compared to VBS.
I can't say I'm impressed with official "industry
standards", either. WMI is monstrously designed.
It's such a mess that I have to look up the syntax
and copy/paste every time I use it. On top of all
that, it provides very little that script can't already
do.

Oddly, I remember VBPJ doing an excited feature
issue on WMI when it came out. It was touted as
an almost endless, new toolbox for VB.
ralph
2013-12-20 23:22:21 UTC
On Fri, 20 Dec 2013 18:09:17 -0500, "Mayayana"
Post by Mayayana
| Just for the record, you do understand that WMI (Microsoft Windows
| Management Instrumentation) is designed for *script* administrative
| management? It is based on an Industry Standard (CIM).
| http://en.wikipedia.org/wiki/Common_Management_Information_Protocol
|
| "Lean 'n mean" has never been a goal. <g>
|
But it's noticeably slow even compared to VBS.
I can't say I'm impressed with official "industry
standards", either. WMI is monstrously designed.
It's such a mess that I have to look up the syntax
and copy/paste every time I use it. On top of all
that, it provides very little that script can't already
do.
Oddly, I remember VBPJ doing an excited feature
issue on WMI when it came out. It was touted as
an almost endless, new toolbox for VB.
True.

Anything "scripting" to most of the IT industry meant (and still
means) "VB". <g>

-ralph
GS
2013-12-20 18:05:48 UTC
Post by Mayayana
Post by GS
Just did some testing with apps that do use the Registry and they
run fine.
That was just an example he ran across. There could be
other strings that might have an effect. AV that I've seen
tends to be "dumb on the safe side", doing things like raising
flags on all .vbs files, simply because they were used years
ago to write malware, rather than looking at the code....
and all the while giving EXEs a pass.
Post by GS
Also tested apps that don't use WMI and they also run fine. Looks
like I might need to put that code in a DLL. Note that my Excel
addins that use WMI run fine. Hmm...
It seems odd that AV might be set off by WMI. It's
used extensively in corporate IT. On the other hand,
most of WMI is just bloated, slow, redundant wrappers.
I can't think of anything it has that isn't easily got
elsewhere, with one exception: The system information
functions are very extensive and seem to be in WMI-
specific libraries. Even in scripting I only use WMI for
system info and for the Registry functions (because
WScript.Shell.Reg* functions are not dependable).
I find this interesting that all my EXEs using WMI get blocked by a/v,
and all that don't use it run fine! Note that I use your recommended
method for creating a ref late bound. Perhaps it's the way the code is
structured, because the apps don't mess with anything other than their
own files, and user files saved to wherever. Note also that, in
deference to Tony's report, none of my VBA projects using WMI have
problems with a/v apps.
--
Garry

Farnsworth
2013-12-20 05:01:36 UTC
What do other installed apps have that prevents antivirus software from
blocking them? I have a problem with being blocked regardless of where the
app is located. Is there a standard 'flag' that needs setting, at design
time, or registration action required on install?
Try using Virus Total:

https://www.virustotal.com/

McAfee is well known for flagging many EXE's as suspicious even when all
other AV programs say it's clean.
GS
2013-12-20 19:50:22 UTC
Post by Farnsworth
Post by GS
What do other installed apps have that prevents antivirus
software from blocking them? I have a problem with being blocked
regardless of where the app is located. Is there a standard 'flag'
that needs setting, at design time, or registration action required
on install?
https://www.virustotal.com/
McAfee is well known for flagging many EXE's as suspicious even when
all other AV programs say it's clean.
Thanks for your suggestion!
Did this and got a clean bill for 49 a/v apps (including mine). I
submitted the file to Avast for analysis of 'false positive'!
--
Garry

Tony Toews
2013-12-20 06:02:33 UTC
Post by GS
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless of
where the app is located.
Is there an exact type of message or virus definition name from the
client? What A/V software are they using? Can you set up a repro on
a guest OS?

Also try rearranging the order of a few subroutine/function calls in
each module. <shrug> Just guessing.

Tony
ObiWan
2013-12-20 07:29:06 UTC
:: On Thu, 19 Dec 2013 21:33:20 -0500
:: (comp.lang.basic.visual.misc,microsoft.public.vb.general.discussion)
Post by GS
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless of
where the app is located. Is there a standard 'flag' that needs
setting, at design time, or registration action required on install?
what does the AV software report ? I mean, which "virus" name ?

Also, try uploading your exe to https://www.virustotal.com/ scan it
and check which AVs are flagging your app and "how" (virus name)

then just check the details related to that malware and you'll see why
the AVs are flagging your app and possibly find a way to solve the
issue
GS
2013-12-20 17:57:50 UTC
Post by ObiWan
Post by GS
Post by ObiWan
On Thu, 19 Dec 2013 21:33:20 -0500
(comp.lang.basic.visual.misc,microsoft.public.vb.general.discussion)
What do other installed apps have that prevents antivirus software
from blocking them? I have a problem with being blocked regardless
of where the app is located. Is there a standard 'flag' that needs
setting, at design time, or registration action required on install?
what does the AV software report ? I mean, which "virus" name ?
Also, try uploading your exe to https://www.virustotal.com/ scan it
and check which AVs are flagging your app and "how" (virus name)
then just check the details related to that malware and you'll see
why the AVs are flagging your app and possibly find a way to solve
the issue
Thanks! This is what Farnsworth suggested also. Looks worth a try...
--
Garry

GS
2013-12-20 18:16:32 UTC
The a/v reports Win32:evo-gen [susp] as the virus.
--
Garry

Farnsworth
2013-12-20 19:21:59 UTC
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
--
Garry
[Added GS to the "Do not respond to" list]
GS
2013-12-20 19:28:37 UTC
Post by Farnsworth
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
-- Garry
[Added GS to the "Do not respond to" list]
??
--
Garry

CoderX
2013-12-22 17:57:41 UTC
Post by Farnsworth
[Added GS to the "Do not respond to" list]
??
He's trying to say politely that you're a goofus and he's not wasting time
on you anymore. Clear enough?
Wolfgang Enzinger
2013-12-23 22:12:00 UTC
Post by Farnsworth
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
-- Garry
[Added GS to the "Do not respond to" list]
??
I guess the confusion might be a result of the subject change. Some
newsclients then display that post as beginning of a new thread. So in
Farnsworth's perception this post may have looked like off-topic, if not like
spam (with regard to the Avast footer ;-)

Wolfgang
Brian Kelly
2013-12-20 20:52:45 UTC
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
I've had a few of those from Avast disk scans recently, usually against
perfectly innocuous stuff I've been using for years
--
Brian Kelly
Home Page http://kellybk.com
Follow me on Twitter http://twitter.com/Bra1nK
GS
2013-12-20 21:08:48 UTC
Post by Brian Kelly
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
I've had a few of those from Avast disk scans recently, usually
against perfectly innocuous stuff I've been using for years
Thanks! It's good to know that it's just not me. I have submitted the
file to Avast for analysis of a 'false positive' and so I'm anxious for
their reply. Note that TotalVirus scored the file 0/49, which included
Avast. I keep Avast up to date but I don't know what version TotalVirus
uses. What's interesting is that multiple scans of its folder report no
threats!!! Something 'buggy' about that...
--
Garry

Wolfgang Enzinger
2013-12-21 11:36:42 UTC
Post by GS
Post by Brian Kelly
Post by GS
The a/v reports Win32:evo-gen [susp] as the virus.
I've had a few of those from Avast disk scans recently, usually
against perfectly innocuous stuff I've been using for years
Thanks! It's good to know that it's just not me. I have submitted the
file to Avast for analysis of a 'false positive' and so I'm anxious for
I've had all kinds of issues with AV software and my applications in the
past, all of them being confirmed to be false positives so far. Submitting
the file to the AV vendor is the way to go.
Post by GS
their reply. Note that TotalVirus scored the file 0/49, which included
Avast. I keep Avast up to date but I don't know what version TotalVirus
uses. What's interesting is that multiple scans of its folder report no
threats!!! Something 'buggy' about that...
[susp] as mentioned above obviously means that the AV software thinks it
detected some suspicious behaviour. This is called "heuristic analysis" and
is nothing more than pure speculation. Therefore often this kind of
analysis can be disabled. This may explain the difference between your own
and the VirusTotal result.

The reasons for such a false classification can be astonishing sometimes.
Once I had an application that was marked as Malware by some scanner. I
sent it to that company, they confirmed the false classification and
whitelisted the application's checksum in their signature file. However, I
had to make frequent changes / additions to this app, so every new version
was falsely flagged again. After some time I told them that whitelisting is
no longer a solution. They gave me a hint: I should move my project files
to a different directory. Why? I used to compile that app with debug info,
so the project path was compiled into the EXE. And this path contained the
string "encrypted". This alone was enough to trigger the false positive.
Duh.

Currently I have another issue with another AV vendor. One of my
applications retrieves data (images, XML) from the Intra- / Internet via
HTTP. Now some customers reported that constantly these data are corrupted.
I found out that the data stream was interrupted by a certain scanner
somewhere in the middle of the receiving process. I contacted the AV
vendor, they were actually grateful for my hint and are working on a patch
right now. They were absolutely unaware of that behaviour and the fact that
the data stream interruption isn't even reported in any log file.

Wolfgang
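
An added example, not part of Wolfgang's post or any vendor's tooling: a pre-release check that lists the Windows paths baked into a compiled binary (ASCII and UTF-16LE), which is how a project directory name such as the "encrypted" one described above ends up inside an EXE. The sample bytes and file names are constructed, and the watch-word list holds only the one word from the post; it is an assumption, not a known detection rule.

```python
import re
import sys

MIN_LEN = 6  # shortest printable run worth decoding

# Printable runs as stored by the compiler: single-byte and UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Drive-letter path; stops at characters that are illegal in Windows names.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\x00:*?"<>|]+')


def embedded_paths(data: bytes):
    """Return sorted (byte_offset, encoding, path) for every path-like string."""
    hits = []
    for enc, width, pattern in (("ascii", 1, ASCII_RUN),
                                ("utf-16-le", 2, UTF16_RUN)):
        for run in pattern.finditer(data):
            text = run.group().decode(enc)
            for p in WIN_PATH.finditer(text):
                hits.append((run.start() + p.start() * width, enc, p.group()))
    return sorted(hits)


def review(data: bytes, watch_words=("encrypted",)):
    """List embedded paths and note which watch words each one contains.

    watch_words is illustrative: the only word taken from the thread is
    "encrypted"; anything else a caller adds is their own guess.
    """
    report = []
    for offset, enc, path in embedded_paths(data):
        lowered = path.lower()
        report.append({
            "offset": offset,
            "encoding": enc,
            "path": path,
            "watch_words": [w for w in watch_words if w in lowered],
        })
    return report


# Constructed sample: a few header-like bytes, an ASCII debug-file path and
# a UTF-16LE project path, standing in for a real EXE.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Projects\\encrypted-store\\LicCheck.pdb\x00"
    + b"\xff\xfe\x01"
    + "D:\\Build\\App\\Main.vbp".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    # With a file argument, scan that file; otherwise scan the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for row in review(blob):
        flag = " <- " + ",".join(row["watch_words"]) if row["watch_words"] else ""
        print(f'{row["offset"]:#010x} {row["encoding"]:<9} {row["path"]}{flag}')
```
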
ralph
2013-12-21 13:12:49 UTC
On Sat, 21 Dec 2013 12:36:42 +0100, Wolfgang Enzinger
snipped
The reasons for such a false classification can be astonishing sometimes.
Once I had an application that was marked as Malware by some scanner. I
sent it to that company, they confirmed the false classification and
whitelisted the application's checksum in their signature file. However, I
had to make frequent changes / additions to this app, so every new version
was falsely flagged again. After some time I told them that whitelisting is
no longer a solution. They gave me a hint: I should move my project files
to a different directory. Why? I used to compile that app with debug info,
so the project path was compiled into the EXE. And this path contained the
string "encrypted". This alone was enough to trigger the false positive.
Duh.
Wow. Thanks for sharing that.

I've often wondered if certain 'words', embedded strings in the data
section, could trigger AV complaints. Then I said to myself - Naw!
They wouldn't do anything like that. It has to be binary. <bg>
Currently I have another issue with another AV vendor. One of my
applications retrieves data (images, XML) from the Intra- / Internet via
HTTP. Now some customers reported that constantly these data are corrupted.
I found out that the data stream was interrupted by a certain scanner
somewhere in the middle of the receiving process. I contacted the AV
vendor, they were actually grateful for my hint and are working on a patch
right now. They were absolutely unaware of that behaviour and the fact that
the data stream interruption isn't even reported in any log file.
I too have been pleasantly surprised at how quickly and well AV
vendors will work with you on specific problems. Of course you have to
be very specific when you talk to them. Cursing and ranting that it
"doesn't work" doesn't get you very far. <g>

-ralph
Wolfgang Enzinger
2013-12-23 22:12:06 UTC
Post by ralph
I too have been pleasantly surprised at how quickly and well AV
vendors will work with you on specific problems. Of course you have to
be very specific when you talk to them. Cursing and ranting that it
"doesn't work" doesn't get you very far. <g>
Usually being the receiving end of such complaint transmissions makes it easy
to figure that out. ;-)

Wolfgang
GS
2013-12-21 15:54:37 UTC
Large thanks! I ditto Ralph's remarks.

Interesting about the string "encrypted" because all of the apps being
blocked contain crypto code because their sole purpose is to validate
licensing, and store license validation in encrypted files.
--
Garry

ObiWan
2013-12-22 17:08:01 UTC
Post by Wolfgang Enzinger
Currently I have another issue with another AV vendor. One of my
applications retrieves data (images, XML) from the Intra- / Internet
via HTTP. Now some customers reported that constantly these data are
corrupted. I found out that the data stream was interrupted by a
certain scanner somewhere in the middle of the receiving process.
lemme guess... Sophos :) ?
Wolfgang Enzinger
2013-12-23 22:11:53 UTC
Post by ObiWan
Post by Wolfgang Enzinger
Currently I have another issue with another AV vendor. One of my
applications retrieves data (images, XML) from the Intra- / Internet
via HTTP. Now some customers reported that constantly these data are
corrupted. I found out that the data stream was interrupted by a
certain scanner somewhere in the middle of the receiving process.
lemme guess... Sophos :) ?
Nope, TrendMicro, in my case.

Wolfgang
GS
2013-12-20 19:34:35 UTC
VirusTotal reports 0/49, meaning no virus found by 49 a/v apps.
(Including mine!)
--
Garry

CoderX
2013-12-22 17:59:04 UTC
Dude, seriously? File under 'who gives a fuck' and stop posting OT shit.
Or find another forum, as pertains to VB, this does not.
VirusTotal reports 0/49, meaning no virus found by 49 a/v apps. (Including
mine!)
--
Garry
Tony Toews
2013-12-22 19:52:30 UTC
Post by CoderX
Dude, seriously? File under 'who gives a fuck' and stop posting OT shit.
Or find another forum, as pertains to VB, this does not.
From the subject of his original posting "After Install/Run antivirus
software classifies my EXEs as 'suspicious'" How is that off topic?
Assuming his exe is a VB6 exe.

Tony
GS
2013-12-23 00:51:01 UTC
Post by Tony Toews
Post by CoderX
Dude, seriously? File under 'who gives a fuck' and stop posting OT
shit. Or find another forum, as pertains to VB, this does not.
From the subject of his original posting "After Install/Run antivirus
software classifies my EXEs as 'suspicious'" How is that off topic?
Assuming his exe is a VB6 exe.
Tony
Added CoderX to "Do NOT respond to" List!<g>
--
Garry

CoderX
2013-12-23 20:57:19 UTC
Post by GS
Added CoderX to "Do NOT respond to" List!<g>
OH NOES! Whatevers will I do? I'm...I'm, just so broken on the inside now.
How can I go on?

LOL!

Goofus.
CoderX
2013-12-23 20:59:28 UTC
Post by Tony Toews
Post by CoderX
Dude, seriously? File under 'who gives a fuck' and stop posting OT shit.
Or find another forum, as pertains to VB, this does not.
From the subject of his original posting "After Install/Run antivirus
software classifies my EXEs as 'suspicious'" How is that off topic?
Assuming his exe is a VB6 exe.
It's off topic (now) because it's an AV problem, and posts on reports is
kinda irrelevant. On the Inno board, we direct peeps to the AV website and
have them report it there. Just sayin'.

I don't suppose we could start a political discourse and at least make it
interesting?
Abhishek
2013-12-21 11:58:35 UTC
It is a false positive, and quite common. You need to report it to the AV
company to get it resolved. You can also scan your exe using virustotal.com

Possible Reasons for false positive -
* compressing the exe using an exe compressor
* downloading files from internet and opening them without user consent
* using some kind of trial schemes
* working with memory directly

You need to find out the code which is causing the problem, rewrite it or
remove it. That is the only way forward.

--
Abhishek P
http://vb6zone.blogspot.com



"GS" <***@somewhere.net> wrote in message news:l90a9j$n0l$***@dont-email.me...
| What does other installed apps have that prevents antivirus software
| from blocking them? I have a problem with being blocked regardless of
| where the app is located. Is there a standard 'flag' that needs
| setting, at design time, or registration action required on install?
|
| --
| Garry
Mayayana
2013-12-21 14:08:40 UTC
| you need to find out the code which is causing the problem, rewrite it or
| remove it. that is the only way forward.
|

Unfortunately, AV programs are getting bigger
and more aggressive, which probably makes sense
for them. As long as they don't flag programs like
MS Office, Photoshop and AutoCad, the vast majority
of potential customers will only know them for their
success rate, so they don't stand to lose much
with reckless flagging of unknown programs.

I only know two people using AV. Both are using
Avast, which I set up for them. Avast doesn't seem
to be too bad. But I did run into trouble with it on a
recent program I wrote to get Google streetview/maps/
satellite. Avast, like many other AV programs, has added
everything but the kitchen sink, expanding out into
quasi-firewall activity. Their "web shield" and "network
shield" functions flagged my program as malware because
it's trying to go online, which is considered suspicious.
I don't write to companies like that. It's a losing battle.
I just try to inform potential end-users of the issue.
I wouldn't have even known about the Avast problem if
I hadn't tried to run my software on a friend's machine.
I haven't used AV since about 2000.

For anyone who distributes software, rewriting it
is not much of a way forward. If you fix a false
positive from your own AV there might easily be 4
more false positives from other vendors that you'll
never hear about.

It's increasingly becoming a situation where non-
corporate software is simply not welcome, but there's
also the problem of AV software simply being
overproduced. I've been noticing a fairly new bit of
nonsense lately: I can tell which visitors to my website
use Trendmicro AV because whenever they download a
ZIP or EXE, Trendmicro follows a few seconds later,
downloading at least one copy themselves. And they
don't keep track of what they've downloaded. They
seem to be scanning the source in real time. Every time
a file is downloaded, they download it. It doesn't make
any sense at all, since the same file is being downloaded
to the client machine where their AV is presumably running.
Trendmicro seems to be building a sort of Rube Goldberg
database, filled with lots of data about lots of binaries
online -- all of which data is classified outdated in the
instant it's been stored. I'm considering blocking the whole
Trendmicro range via .htaccess. ...But then what if
Symantec gets the idea? If Trendmicro can be idiotic,
Symantec can surely outdo them. :)
GS
2013-12-21 15:59:21 UTC
Permalink
Well.., not meaning to throw a wrench at you *but* I use Avast and it's
causing the problem! What burns me is that scanning the file returns
'No threats found' both on my machine[s] and TotalVirus.

Wolfgang did present some interesting thoughts...
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



Mayayana
2013-12-21 19:53:39 UTC
Permalink
"GS" <***@somewhere.net> wrote in message news:l94dsq$hit$***@dont-email.me...
| Well.., not meaning to throw a wrench at you *but* I use Avast and it's
| causing the problem! What burns me is that scanning the file returns
| 'No threats found' both on my machine[s] and TotalVirus.
|

I wonder if that could be similar to my case. I
didn't get any virus alert. It just blocked me going
online. In fact, as I recall, I think I even set my
EXE as an exemption. But the various "shields"
don't seem to be in sync with the AV part of the
program.
GS
2013-12-21 21:06:27 UTC
Permalink
Post by Mayayana
Post by GS
Well.., not meaning to throw a wrench at you *but* I use Avast and
it's causing the problem! What burns me is that scanning the file
returns 'No threats found' both on my machine[s] and TotalVirus.
I wonder if that could be similar to my case. I
didn't get any virus alert. It just blocked me going
online. In fact, as I recall, I think I even set my
EXE as an exemption. But the various "shields"
don't seem to be in sync with the AV part of the
program.
I'm inclined to agree! I submitted the file to Avast and so I'm waiting
on a reply from them.
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



GS
2013-12-21 21:40:28 UTC
Permalink
I just saw an option labeled DeepScreen in the a/v section of
Avast>Settings. I checked this and removed the location from Exclusions
and it had no effect (still get blocked)!
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



Abhishek
2013-12-21 17:28:38 UTC
Permalink
another workaround is to digitally sign the file. but submitting to AV
companies does work, once they know it's a false positive they will update
their signature and in the next update your app won't be flagged as malware.
it usually takes a few days.


"Abhishek" <***@hotmail.com> wrote in message news:l93vpf$4dr$***@dont-email.me...
| It is a false positive, and quite common, you need to report it to the AV
| company to get it resolved. you can also scan your exe using virustotal.com
|
| Possible Reasons for false positive -
| * compressing the exe using an exe compressor
| * downloading files from internet and opening them without user consent
| * using some kind of trial schemes
| * working with memory directly
|
| you need to find out the code which is causing the problem, rewrite it or
| remove it. that is the only way forward.
|
| --
| Abhishek P
| http://vb6zone.blogspot.com
|
|
|
| "GS" <***@somewhere.net> wrote in message news:l90a9j$n0l$***@dont-email.me...
|| What does other installed apps have that prevents antivirus software
|| from blocking them? I have a problem with being blocked regardless of
|| where the app is located. Is there a standard 'flag' that needs
|| setting, at design time, or registration action required on install?
||
|| --
|| Garry
||
|| Free usenet access at http://www.eternal-september.org
|| Classic VB Users Regroup!
|| comp.lang.basic.visual.misc
|| microsoft.public.vb.general.discussion
||
||
||
|
|
GS
2013-12-21 18:43:51 UTC
Permalink
Post by Abhishek
another workaround is to digitally sign the file. but submitting to AV
companies does work, once they know it's a false positive they will update
their signature and in the next update your app won't be flagged as malware.
it usually takes a few days.
That's only good for the current compile, and so NOT a long-term fix
because updates get a new signature!
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



Deanna Earley
2013-12-23 09:08:58 UTC
Permalink
Post by GS
Post by Abhishek
another workaround is to digitally sign the file. but submitting to AV
companies does work, once they know it's a false positive they will update
their signature and in the next update your app won't be flagged as malware.
it usually takes a few days.
That's only good for the current compile, and so NOT a long-term fix
because updates get a new signature!
I presumed they meant code signing. The certificate/signature will be
the same, the hash however will be different.
They can then whitelist (if they're nice) the code signing certificate
itself.
--
Deanna Earley (***@icode.co.uk)
iCatcher Development Team
http://www.icode.co.uk/icatcher/

iCode Systems

(Replies direct to my email address will be ignored. Please reply to the
group.)
Tony Toews
2013-12-23 10:04:51 UTC
Permalink
On Mon, 23 Dec 2013 09:08:58 +0000, Deanna Earley
Post by Deanna Earley
I presumed they meant code signing. The certificate/signature will be
the same, the hash however will be different.
They can then whitelist (if they're nice) the code signing certificate
itself.
Until a new cert issued. <sigh>

Tony
Deanna Earley
2013-12-23 10:24:41 UTC
Permalink
Post by Tony Toews
On Mon, 23 Dec 2013 09:08:58 +0000, Deanna Earley
Post by Deanna Earley
I presumed they meant code signing. The certificate/signature will be
the same, the hash however will be different.
They can then whitelist (if they're nice) the code signing certificate
itself.
Until a new cert issued. <sigh>
Why would you keep getting new certificates?
We don't plan on buying a new certificate all the time.
The one we have is good enough, and will be valid until it is revoked.
--
Deanna Earley (***@icode.co.uk)
iCatcher Development Team
http://www.icode.co.uk/icatcher/

iCode Systems

(Replies direct to my email address will be ignored. Please reply to the
group.)
GS
2013-12-23 16:42:58 UTC
Permalink
Post by Deanna Earley
Why would you keep getting new certificates?
We don't plan on buying a new certificate all the time.
The one we have is good enough, and will be valid until it is
revoked.
Thanks, Deanna!

I was not aware that a cert is used since the a/v vendor mentions a
hash sum. Could this be due to the fact I don't have a cert?

Where/who did you get yours from?
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



ralph
2013-12-23 17:25:58 UTC
Permalink
Post by GS
Post by Deanna Earley
Why would you keep getting new certificates?
We don't plan on buying a new certificate all the time.
The one we have is good enough, and will be valid until it is
revoked.
Thanks, Deanna!
I was not aware that a cert is used since the a/v vendor mentions a
hash sum. Could this be due to the fact I don't have a cert?
Where/who did you get yours from?
Digitally signing software products is something one really needs to
do a lot of research before purchase, if they are a small ISV.

You can actually "digitally sign" your own software for free. The
other products basically recognize your signature universally. But
even then there can be issues. For example, you might buy a product,
but while 'certified', that certificate isn't necessarily 'recognized'
by Microsoft.

Prices have stabilized over the years among the main players, but the
range is still extreme - $90 to $1400 - average around $300??

Probably start a fight here, but unless $300 a year is no big deal,
then I suggest a beginning ISV to digitally sign on their own.
(Remember create one and keep one, for your company, forever.)
Customer had to have a certain amount of trust or they would never
have installed your software in the first place. The 'message'
basically changes from *no signature* to *unknown signature*, "Do you
want to trust this company".

-ralph
GS
2013-12-23 17:48:13 UTC
Permalink
Post by ralph
Post by GS
Post by Deanna Earley
Why would you keep getting new certificates?
We don't plan on buying a new certificate all the time.
The one we have is good enough, and will be valid until it is revoked.
Thanks, Deanna!
I was not aware that a cert is used since the a/v vendor mentions a
hash sum. Could this be due to the fact I don't have a cert?
Where/who did you get yours from?
Digitally signing software products is something one really needs to
do a lot of research before purchase, if they are a small ISV.
You can actually "digitally sign" your own software for free. The
other products basically recognize your signature universally. But
even then there can be issues. For example, you might buy a product,
but while 'certified', that certificate isn't necessarily 'recognized'
by Microsoft.
Prices have stabilized over the years among the main players, but the
range is still extreme - $90 to $1400 - average around $300??
Probably start a fight here, but unless $300 a year is no big deal,
then I suggest a beginning ISV to digitally sign on their own.
(Remember create one and keep one, for your company, forever.)
Customer had to have a certain amount of trust or they would never
have installed your software in the first place. The 'message'
basically changes from *no signature* to *unknown signature*, "Do you
want to trust this company".
-ralph
Thanks, Ralph! That's very helpful. I self-cert my VBA projects but
those need to be renewed periodically because they expire. I'm in favor
of doing same for my VB6 projects and so will appreciate any tips
toward that...
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



Tony Toews
2013-12-23 19:08:34 UTC
Permalink
Post by ralph
Digitally signing software products is something one really needs to
do a lot of research before purchase, if they are a small ISV.
Why?
Post by ralph
You can actually "digitally sign" your own software for free.
Trouble is the client's IT department would likely have to install your
cert for you. And they wouldn't want to do that. A lot easier to
buy it.

Tony
ralph
2013-12-23 19:54:09 UTC
Permalink
On Mon, 23 Dec 2013 12:08:34 -0700, Tony Toews
Post by Tony Toews
Post by ralph
Digitally signing software products is something one really needs to
do a lot of research before purchase, if they are a small ISV.
Why?
Because there are too many Gotchas, and too many prices.
Post by Tony Toews
Post by ralph
You can actually "digitally sign" your own software for free.
Trouble is the client's IT department would likely have to install your
cert for you. And they wouldn't want to do that. A lot easier to
buy it.
Exactly.

And for that "easier" you pay $$$ a year.
A cost of doing business in the Information Age, if you can 'cost' it,
fine, but make sure of vendor and whether it is really worth it, or
it is just money down the drain.

-ralph
Tony Toews
2013-12-23 19:06:55 UTC
Permalink
Post by GS
Where/who did you get yours from?
Cheapest code signing I found was
http://codesigning.ksoftware.net/

My first few were for my trade name business and the latest one was in
my name.

To create the VB6 exe I use the following in a CMD file

"C:\Program Files (x86)\Microsoft Visual Studio 6\VB98\vb6.exe" /make startmdb
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool" sign /t http://timestamp.comodoca.com/authenticode /v startmdb.exe

I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the above
signtool line.

Tony
GS
2013-12-23 20:15:14 UTC
Permalink
Post by Tony Toews
Post by GS
Where/who did you get yours from?
Cheapest code signing I found was
http://codesigning.ksoftware.net/
My first few were for my trade name business and the latest one was
in my name.
To create the VB6 exe I use the following in a CMD file
"C:\Program Files (x86)\Microsoft Visual Studio 6\VB98\vb6.exe" /make startmdb
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool" sign /t http://timestamp.comodoca.com/authenticode /v startmdb.exe
I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the
above signtool line.
Tony
Thanks, Tony! I got lots of hits on google. As I mentioned in my reply
to Ralph, I'm inclined to go the self-cert route as I do with my VBA
projects. I just don't do enough commercial work to justify a repeat
cost for this.<g>
--
Garry

Free usenet access at http://www.eternal-september.org
Classic VB Users Regroup!
comp.lang.basic.visual.misc
microsoft.public.vb.general.discussion



Deanna Earley
2014-01-02 14:49:30 UTC
Permalink
Post by Tony Toews
To create the VB6 exe I use the following in a CMD file
"C:\Program Files (x86)\Microsoft Visual Studio 6\VB98\vb6.exe" /make startmdb
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool" sign /t http://timestamp.comodoca.com/authenticode /v startmdb.exe
I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the above
signtool line.
I do the same but specify a certificate store file:
signtool.exe sign /f "pathtocert.pfx" /p ubersecurepassword /t http://timestamp.comodoca.com/authenticode /v pathtoapp.exe
--
Deanna Earley (***@icode.co.uk)
iCatcher Development Team
http://www.icode.co.uk/icatcher/

iCode Systems

(Replies direct to my email address will be ignored. Please reply to the
group.)
ObiWan
2014-01-02 15:03:49 UTC
Permalink
Post by Tony Toews
I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the above
signtool line.
Late at the party but... Tony, given that others may have the same
trouble; what about a small tool (maybe written in VB6 :D) allowing to
sign an exe; the tool may just save settings into some "ini" file or
the like and spawn "signtool" when needed; heck, it may even add an
entry to the explorer context menu to sign files ;-) !!
Deanna Earley
2014-01-02 15:06:27 UTC
Permalink
Post by ObiWan
Post by Tony Toews
I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the above
signtool line.
Late at the party but... Tony, given that others may have the same
trouble; what about a small tool (maybe written in VB6 :D) allowing to
sign an exe; the tool may just save settings into some "ini" file or
the like and spawn "signtool" when needed; heck, it may even add an
entry to the explorer context menu to sign files ;-) !!
I call mine a batch file :)
Easily editable and infinitely customisable!
--
Deanna Earley (***@icode.co.uk)
iCatcher Development Team
http://www.icode.co.uk/icatcher/

iCode Systems

(Replies direct to my email address will be ignored. Please reply to the
group.)
ObiWan
2014-01-02 15:17:54 UTC
Permalink
Post by Deanna Earley
Post by ObiWan
Post by Tony Toews
I'm having trouble locating my notes on signtool. But it took me
hours of digging to come up with the appropriate utility and the
above signtool line.
Late at the party but... Tony, given that others may have the same
trouble; what about a small tool (maybe written in VB6 :D) allowing
to sign an exe; the tool may just save settings into some "ini"
file or the like and spawn "signtool" when needed; heck, it may
even add an entry to the explorer context menu to sign files ;-) !!
I call mine a batch file :)
Easily editable and infinitely customisable!
well, that's a solution, sure :D ! But then, for the lazy ones or the
clueless ones, a small exe (optionally opensourced :D) may be a nice
thing... with a browse button to find the app, dropdowns lists for the
options... and then more, including a context-menu "sign this exe" :D
Tony Toews
2014-01-05 06:23:17 UTC
Permalink
Post by ObiWan
well, that's a solution, sure :D ! But then, for the lazy ones or the
clueless ones, a small exe (optionally opensourced :D) may be a nice
thing... with a browse button to find the app, dropdowns lists for the
options... and then more, including a context-menu "sign this exe" :D
Go for it.

As Deanna states a CMD file works for me. As it is customizable my
CMD also deletes the exe first before running the make just to ensure
that I don't have some kind of compile failure and run an old version
of an exe.

(But then I ran a DOS based Fidonet BBS so batch files are rather easy
for me.)

Tony
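The build-and-sign procedure discussed in this thread (delete the old exe, make, sign, timestamp), written out as one CMD file with a verification step and a hash printout that shows the per-build hash versus the unchanged signer certificate. This is an added example, not any poster's actual file; the paths, project name and timestamp URL are the ones quoted above, while the CERT_PFX and CERT_PWD environment variables, the `signtool verify /pa` check and the `certutil -hashfile` call are assumptions introduced here.

```batch
@echo off
rem Added example: build, sign and verify a VB6 exe. Not any poster's own file.
setlocal

rem Paths, project name and timestamp URL as quoted in the thread.
set "VB6=C:\Program Files (x86)\Microsoft Visual Studio 6\VB98\vb6.exe"
set "SIGNTOOL=C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe"
set "TSA=http://timestamp.comodoca.com/authenticode"
set "PROJECT=startmdb"
set "EXE=startmdb.exe"

rem Delete the previous build first, so a failed compile cannot leave an
rem old exe behind that then gets signed and shipped by mistake.
if exist "%EXE%" del /f /q "%EXE%"
if exist "%EXE%" goto :stale

rem vb6.exe is a GUI program; start /wait blocks until the make has finished.
start "" /wait "%VB6%" /make %PROJECT%
if not exist "%EXE%" goto :nobuild

rem Assumption: CERT_PFX and CERT_PWD are set in the environment, outside this
rem file, so the PFX password is never stored in the script. If CERT_PFX is
rem not set, signtool picks the signing certificate from the user's store.
if defined CERT_PFX goto :signpfx
"%SIGNTOOL%" sign /t %TSA% /v "%EXE%"
goto :signed
:signpfx
"%SIGNTOOL%" sign /f "%CERT_PFX%" /p "%CERT_PWD%" /t %TSA% /v "%EXE%"
:signed
if errorlevel 1 goto :signfail

rem Check the signature with the Authenticode policy, as Windows would.
rem A self-signed certificate fails here unless its root is trusted locally.
"%SIGNTOOL%" verify /pa /v "%EXE%"
if errorlevel 1 goto :verifyfail

rem The file hash below changes with every compile; the signer certificate
rem shown by "verify /v" stays the same from build to build.
certutil -hashfile "%EXE%" SHA256
echo Build signed and verified: %EXE%
exit /b 0

:stale
echo ERROR: could not delete old %EXE% (still running or locked?)
exit /b 1
:nobuild
echo ERROR: make produced no %EXE%; nothing was signed.
exit /b 1
:signfail
echo ERROR: signtool sign failed.
exit /b 1
:verifyfail
echo ERROR: signature did not verify; do not ship this build.
exit /b 1
```

Running it twice on unchanged source still prints two different SHA-256 values with the same signer, which is why a vendor allowlist keyed on the certificate survives updates and one keyed on the file hash does not.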
ObiWan
2014-01-05 16:09:32 UTC
Permalink
Post by Tony Toews
Post by ObiWan
well, that's a solution, sure :D ! But then, for the lazy ones or the
clueless ones, a small exe (optionally opensourced :D) may be a nice
thing... with a browse button to find the app, dropdowns lists for
the options... and then more, including a context-menu "sign this
exe" :D
Go for it.
well...

http://www.ntwind.com/tutorials/code-signing-from-explorer-context-menu.html

:)
Post by Tony Toews
(But then I ran a DOS based Fidonet BBS so batch files are rather easy
for me.)
Oh, no problems with batch files here (although lately I prefer using
"vbs" for the same tasks - lightweight but more powerful :D) the idea
was just to put together some simple, small app to help signing exes
Tony Toews
2013-12-23 18:58:26 UTC
Permalink
On Mon, 23 Dec 2013 10:24:41 +0000, Deanna Earley
Post by Deanna Earley
Post by Tony Toews
Post by Deanna Earley
I presumed they meant code signing. The certificate/signature will be
the same, the hash however will be different.
They can then whitelist (if they're nice) the code signing certificate
itself.
Until a new cert issued. <sigh>
Why would you keep getting new certificates?
We don't plan on buying a new certificate all the time.
The one we have is good enough, and will be valid until it is revoked.
Annually or every three years depending on how much you pay.

Tony
Tony Toews
2013-12-23 19:09:50 UTC
Permalink
On Mon, 23 Dec 2013 11:58:26 -0700, Tony Toews
Post by Tony Toews
Annually or every three years depending on how much you pay.
I'm wrong. Five years.

Tony