Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On 13/02/2021 16:52, Ched via fpc-pascal wrote:
> Hello,
>
> For one software I compile with fpc, Avast always complained. But only when compiled for debugging. That exe was sent to the false positive department, and it took about _one month_ to have a corrected version of the AV. After that, it never complained even with reworked source code.

I've seen a few false positives on debug info.

To be fair, the AV can't really tell it's not code. It could be used like a resource, later to be loaded from the file and then somehow be executed.

So if debuginfo happens to look like malicious code

___
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
Hello,

For one software I compile with fpc, Avast always complained. But only when compiled for debugging. That exe was sent to the false positive department, and it took about _one month_ to have a corrected version of the AV. After that, it never complained even with reworked source code.

Cheers, Ched

On 13.02.21 at 12:02, Marco van de Voort via fpc-pascal wrote:
> On 2021-02-12 at 22:48, James Richters via fpc-pascal wrote:
>> The problem I have had is when programs I compile generate a false virus detection.. sure on my own computer I can just disable that directory from the virus scanner but it becomes a problem when I release it to my customers and their virus scanners quarantine it. I have no idea how to register a legitimate program as not having a virus. I've had this issue before but managed to track down the section of code that caused it... after a completely exhaustive search.
>
> Some tips:
>
> - don't use debug builds.
> - sign the binary, even if just self-signed. Provide as much context to the OS (icon and the rest in that screen). Minimalistic binaries seem to be more suspect.
> - use a well-known installer package, and insist on using installers. Copied exes are also more suspect.
> - unfortunately, some well-known Delphi libraries like Indy and Zeos sometimes trigger also.
>
> There is no real failsafe solution. It is all hedging and hoping.
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On 13/02/2021 03:55, Travis Siegel via fpc-pascal wrote:
> that if you have any timing routines in your code, it tends to get flagged by virus scanners. No clue why, but I've run afoul of that issue more than once.

I read somewhere that some viruses have a built-in wait, to evade sandbox detection.

AV companies let an unknown exe run in a sandbox, and wait to see if it behaves badly. Viruses evade that by being dormant for a while.
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On 2021-02-12 at 22:48, James Richters via fpc-pascal wrote:
> The problem I have had is when programs I compile generate a false virus detection.. sure on my own computer I can just disable that directory from the virus scanner but it becomes a problem when I release it to my customers and their virus scanners quarantine it. I have no idea how to register a legitimate program as not having a virus. I've had this issue before but managed to track down the section of code that caused it... after a completely exhaustive search.

Some tips:

- don't use debug builds.
- sign the binary, even if just self-signed. Provide as much context to the OS (icon and the rest in that screen). Minimalistic binaries seem to be more suspect.
- use a well-known installer package, and insist on using installers. Copied exes are also more suspect.
- unfortunately, some well-known Delphi libraries like Indy and Zeos sometimes trigger also.

There is no real failsafe solution. It is all hedging and hoping.
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
> I've also noticed that if you have any timing routines in your code, it tends
> to get flagged by virus scanners. No clue why, but I've run afoul of that
> issue more than once.
>

Debugger detection?
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
How it's done in FPC I don't know, but in other language tools I use, it requires a resource file with specific information in it. I can never remember all the details, so I have to keep a template resource file around with the required information in it, and change it for each program I work on. In general I don't bother with the resource file during testing, but when I release a full version, I apply the resource file to the executable, and that usually takes care of the issue.

I've also noticed that if you have any timing routines in your code, it tends to get flagged by virus scanners. No clue why, but I've run afoul of that issue more than once.

On 2/12/2021 4:49 PM, James Richters via fpc-pascal wrote:
> How does one sign an executable?
>
> From: fpc-pascal On Behalf Of Dmitry Boyarintsev via fpc-pascal
> Sent: Friday, February 12, 2021 4:28 PM
> To: FPC-Pascal users discussions
> Cc: Dmitry Boyarintsev
> Subject: Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
>
> Are signed executables subject to anti-virus inspection?
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On 12/02/2021 22:48, James Richters via fpc-pascal wrote:
> I have no idea how to register a legitimate program as not having a virus. I've had this issue before but managed to track down the section of code that caused it... after a completely exhaustive search.

Anti virus providers normally have a page where you can submit false positives.

For Windows Defender it seems to be here. (Unlike most other AV companies, you need to sign in.)
https://www.microsoft.com/en-us/wdsi/filesubmission

Of course that needs the exe to be detected (well I don't know if AV companies accept submissions that are not detected). If you release today, your exe can still be detected as a virus in a few months. Once it is detected, you can submit it.

That may not solve the issue for self-built fp.exe. If the AV whitelists the exact exe, it will fail the next time you build, because fpc includes a timestamp (afaik)
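
An added example (not part of the thread) illustrating the last point of the message above: an allowlist entry keyed on the exact file hash stops matching after a rebuild when the only change is the TimeDateStamp field of the PE COFF header. The two "builds" are constructed header stubs, the helper names are hypothetical, and that FPC fills in this field is the poster's assumption.

```python
import hashlib
import struct

def pe_timestamp_offset(data: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # PE signature (4) + Machine (2) + NumberOfSections (2) -> TimeDateStamp
    return e_lfanew + 8

def read_timestamp(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_timestamp_offset(data))[0]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def normalized_sha256(data: bytes) -> str:
    """Hash with TimeDateStamp zeroed, to compare the content of two builds."""
    off = pe_timestamp_offset(data)
    return sha256_hex(data[:off] + b"\0\0\0\0" + data[off + 4:])

def make_sample_pe(timestamp: int, body: bytes = b"\x90" * 64) -> bytes:
    """Constructed sample: DOS header + COFF header only, not a loadable exe."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return dos + b"PE\0\0" + coff + body

def compare_builds(a: bytes, b: bytes) -> dict:
    """Show whether two builds differ as files and as timestamp-free content."""
    return {
        "timestamps": (read_timestamp(a), read_timestamp(b)),
        "same_file_hash": sha256_hex(a) == sha256_hex(b),
        "same_normalized_hash": normalized_sha256(a) == normalized_sha256(b),
    }

if __name__ == "__main__":
    build1 = make_sample_pe(0x6027A000)
    build2 = make_sample_pe(0x6027A03C)  # same content, stamped 60 s later
    print(compare_builds(build1, build2))
```

The normalized hash is only a diagnostic for the developer: it confirms that two builds differ in nothing but the header timestamp, while the file hash an exact-match allowlist would use has changed.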
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
How does one sign an executable?

From: fpc-pascal On Behalf Of Dmitry Boyarintsev via fpc-pascal
Sent: Friday, February 12, 2021 4:28 PM
To: FPC-Pascal users discussions
Cc: Dmitry Boyarintsev
Subject: Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program

Are signed executables subject to anti-virus inspection?
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
The problem I have had is when programs I compile generate a false virus detection.. sure on my own computer I can just disable that directory from the virus scanner but it becomes a problem when I release it to my customers and their virus scanners quarantine it. I have no idea how to register a legitimate program as not having a virus. I've had this issue before but managed to track down the section of code that caused it... after a completely exhaustive search.

James

-----Original Message-----
From: fpc-pascal On Behalf Of Graeme Geldenhuys via fpc-pascal
Sent: Friday, February 12, 2021 1:16 PM
To: fpc-pascal@lists.freepascal.org
Cc: Graeme Geldenhuys
Subject: Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program

On 12/02/2021 4:17 pm, Bart via fpc-pascal wrote:
> I exclude the folders where fpc/lazarus reside from scanning.
> Also the folders where I develop my programs.
> If you don't you're bound to get strange bugs and things like this.

Yes, that's a very good idea. We do the same at work for our Java, iOS and Android projects. Those projects generate 1000's of files while compiling etc. We know they don't contain viruses, so why let the virus scanner scan them. On Android machines it made a massive difference for compile speed too.

Regards,
Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/
My public PGP key: http://tinyurl.com/graeme-pgp
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
Are signed executables subject to anti-virus inspection?
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On 12/02/2021 4:17 pm, Bart via fpc-pascal wrote:
> I exclude the folders where fpc/lazarus reside from scanning.
> Also the folders where I develop my programs.
> If you don't you're bound to get strange bugs and things like this.

Yes, that's a very good idea. We do the same at work for our Java, iOS and Android projects. Those projects generate 1000's of files while compiling etc. We know they don't contain viruses, so why let the virus scanner scan them. On Android machines it made a massive difference for compile speed too.

Regards,
Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/
My public PGP key: http://tinyurl.com/graeme-pgp
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
On Fri, Feb 12, 2021 at 9:10 AM Alexander Bunakov via fpc-pascal wrote:
> As of trunk r48648, Windows Defender deletes fp.exe after compilation
> because it considers it an infected file. It claims that fp.exe is
> infected with Trojan:Win32/Fuerboos.E!cl and quarantines the file.

I exclude the folders where fpc/lazarus reside from scanning.
Also the folders where I develop my programs.
If you don't you're bound to get strange bugs and things like this.

--
Bart
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
Not only Windows Defender:

After a compiler run sometimes BitDefender moans (seldom) that the binary is some malware. Adding (or deleting) some code, another compiler run and the phantom is gone.

The anti-virus programs use a heuristic because of the immense amount of malware and viruses. It is no pattern matching anymore like in the "old days". So the number of false positive alarms increases.

Example: After using the YajHFC (Yet another Java HylaFAX client) for 7 years on our Windows clients, Bitdefender suddenly moaned that it is malware: False positive.

Winni

On 12.02.21 at 09:33, Alexander Grotewohl via fpc-pascal wrote:
> Unfortunately from what I've read just using certain Windows APIs is enough to get an executable flagged. Probably nothing to be too concerned about.
>
> --
> Alexander Grotewohl
> https://dcclost.com
>
> From: fpc-pascal on behalf of Alexander Bunakov via fpc-pascal
> Sent: Thursday, February 11, 2021 3:22:40 AM
> To: fpc-pascal@lists.freepascal.org
> Cc: Alexander Bunakov
> Subject: [fpc-pascal] Windows Defender considers fp.exe a malicious program
>
> Hello all,
>
> As of trunk r48648, Windows Defender deletes fp.exe after compilation because it considers it an infected file. It claims that fp.exe is infected with Trojan:Win32/Fuerboos.E!cl and quarantines the file.
>
> Is anyone else experiencing this? Any idea why this is happening?
>
> --
> Regards,
> Alexander
Re: [fpc-pascal] Windows Defender considers fp.exe a malicious program
Unfortunately from what I've read just using certain Windows APIs is enough to get an executable flagged. Probably nothing to be too concerned about.

--
Alexander Grotewohl
https://dcclost.com

From: fpc-pascal on behalf of Alexander Bunakov via fpc-pascal
Sent: Thursday, February 11, 2021 3:22:40 AM
To: fpc-pascal@lists.freepascal.org
Cc: Alexander Bunakov
Subject: [fpc-pascal] Windows Defender considers fp.exe a malicious program

Hello all,

As of trunk r48648, Windows Defender deletes fp.exe after compilation because it considers it an infected file. It claims that fp.exe is infected with Trojan:Win32/Fuerboos.E!cl and quarantines the file.

Is anyone else experiencing this? Any idea why this is happening?

--
Regards,
Alexander
[fpc-pascal] Windows Defender considers fp.exe a malicious program
Hello all,

As of trunk r48648, Windows Defender deletes fp.exe after compilation because it considers it an infected file. It claims that fp.exe is infected with Trojan:Win32/Fuerboos.E!cl and quarantines the file.

Is anyone else experiencing this? Any idea why this is happening?

--
Regards,
Alexander