False positive Virus detection issues?


jfk EO-11110(Posted 2010) [#1]
Are there any news about false positive virus detections with Blitz3D and/or Molebox Pro? I remember there was something, but that's a long time ago. Currently some scanners seem to detect DR/Click.VBiframe.cmz.

Does anybody else have similar problems?

One significant point is also: Avast, which I am using, does know DR/Click.VBiframe.cmz (seen on published reports of other Avast users), but it didn't detect it on my system or in the file using virustotal.com.

On virustotal.com 10 out of 43 scanners found something bad, whereof 6 named DR/Click.VBiframe.cmz explicitly.
edit: about 9 weeks ago there was only one out of 41 scanners with a warning, so I thought it was a false alarm.

What do you think?


puki(Posted 2010) [#2]
I am aware of both Trojan-Clicker.Win32.VBiframe.cip!A2 and Trojan-Clicker.Win32.VBiframe!IK

Both will flag up a Blitz3D exe.

I can confirm that Trojan-Clicker.Win32.VBiframe!IK can be produced by a standard exe creation of Blitz3D code - ie without using any 3rd party apps or libs in the exe.

As far as I know, anti-virus/malware engines that use the Ikarus Anti-Virus engine will trigger the alert - possibly other AV engines too, but not all of them.

In honesty, I have not properly investigated this. I may investigate further at the weekend.


puki(Posted 2010) [#3]
One past issue was the .b3d extension, purely because of its name. It could trigger 'BDE Projector' and I found that it was a false positive on Brilliant Digital's 'b3d Projector'.

I'm just scanning some massive Blitz hard drives with an Ikarus Anti-Virus solution to see what comes up as .VBiframe. As far as I know, it does not trigger every Blitz3D exe and I am kind of curious as to why this is.


jfk EO-11110(Posted 2010) [#4]
Thanks Puki. I am currently reading more google findings about this. It seems especially Molebox is often mistaken as the mentioned trojan. Maybe Blitz3D too. As far as I recall there ain't no B3D, but only some 3DS in the Install package.
Well, Kaspersky, McAfee, sure these are big names. On the other side there are Avast, AVG, BitDefender, Comodo, F-Prot, F-Secure, Microsoft, Symantec, big names too, and they didn't find anything bad. No wait, that's not true, Symantec found the file has a bad reputation :) their new reputation heuristics system...

PS: Wasn't Pharaohs Curse Gold a Blitz3D release? It is reported as a host of "vbiframe" too, e.g. here: http://www.downloadroute.com/Pharaohs-Curse-Gold-Ancient-Software/antivirus_report.html

Maybe I am wrong and Pharaohs Curse is only a remake of an old, original game?


jfk EO-11110(Posted 2010) [#5]
Here's a sample. Somebody wrote in a forum that all of his Blitz creations became useless because they were all recognized as viruses by AVG. Then some time later there was this answer:

Hi,

I can confirm that the Trojan horse Clicker.AHPH was a false alarm removed in virus database update released 2010-03-31 23:25:44 CET. Please update your AVG and check the issue.

Thanks.

***************AVG Team

And indeed, my file was not marked by AVG's scanner.


xlsior(Posted 2010) [#6]
At least some of the older Molebox versions have been flagged as a virus by certain scanners in the past -- don't remember the specifics, unfortunately.

The problem is that molebox wraps the original executable and replaces the executable portion with its own code -- so if a virus/trojan writer moleboxes a trojan, the parts that are marked executable will look identical to your own moleboxed exe.

If the virusscanner company doesn't add some extra smarts to recognize molebox for what it is, then it will mean that it will likely flag *any* moleboxed exe as this virus/trojan... And unfortunately that has happened quite a few times in the past.

You can run into the same issue with other .exe packers like UPX. :-/


GaryV(Posted 2010) [#7]
The problem is that molebox wraps the original executable and replaces the executable portion with its own code -- so if a virus/trojan writer moleboxes a trojan, the parts that are marked executable will look identical to your own moleboxed exe.
This should not be an issue now that MoleBox uses:

Unique packaging template for every registered user. Upon activation, MoleBox downloads your own custom packaging template which makes your packed applications unique. This allows avoiding false positive antivirus alerts.



jfk EO-11110(Posted 2010) [#8]
GaryV - Nevertheless the executable part (TEXT "segment") of the moleboxed EXE will always be the same Molebox unpacker and executor. And when a scanner takes a signature of a viral file, I guess it will be taken from that segment, and not from the packed data that may be individual.

Then again I have to say that many of the scanners that have been detecting the malware as described are capable of detecting UPX and Molebox. In the scan report details they usually write this (e.g. "UPX-Packed" or "Molebox-Packed"). This may however be some sort of inconsistency: while they detect it as Molebox, they also detect a known signature from a virus definition file, but the virus signature detection has a higher priority, or the packing detection is ignored when the file is rated.

Funny, one scanner says the file is "suspect". I don't know about you, but I think the entire operating system is suspect. DLL injection etc... can it be coincidence? I guess not. However, that's another story.


_PJ_(Posted 2010) [#9]
Most AV companies (including Grisoft, whom I have contacted myself in this manner) allow for sending of contestable results or queries regarding detections, which they can analyse and then update their libraries.

A program called "RegSeeker" used to be flagged up as possible malware by AVG, but after I sent them the exe and queried the result, they confirmed it was a false positive and updated the library. An AVG update or two later, no more problem, the "RegSeeker" exe file was not detected by AVG.


VIP3R(Posted 2010) [#10]
Plain BlitzPlus exes are triggering false positives...

http://www.blitzmax.com/Community/posts.php?topic=91838


GaryV(Posted 2010) [#11]
jfk: You are misreading what I quoted. Please note it says "Unique packaging template" not "Unique packing template". That is part of what has been changed, every version of MoleBox is now unique and protected programs will not share a "signature" with programs protected by somebody else. You should try it (naturally, the unique packaging template is only available to registered users). We use it (and the SDK) at work for deployments.

It is not really fair to throw MoleBox in with EXE packers or EXE compressors since it is neither. MoleBox is a sandboxed virtualization system much like ThinApp.

I think some here are thinking about the deprecated version: MoleBox 9x, which did suffer from the problems described.


chi(Posted 2010) [#12]
Smart Packer Pro ( http://www.smartpacker.nl/smartpackerpro.html ) seems to work similarly to Molebox but is only half the price. I tested the trial version of SPP and had no false positives!


mrniceguy(Posted 2010) [#13]
Hi there,

Smart Packer Pro is now added to Blitz ToolBox/File Utilities.

If you have questions and/or remarks about our products just let me know.

Michael

Last edited 2010


anawiki(Posted 2010) [#14]
Well, some of my games released on BFG have been marked as false positives too by some AV software (don't know which one). I'm talking about GabCab and Spooky Runes. The games have been made in BMX.


jfk EO-11110(Posted 2010) [#15]
Just a side note: when you are using MoleBox Pro, as I do, then generate a unique encryption key, because as far as I see, when you are using the default key, it gets the virus signature, as mentioned.

It may however also be a dirty trick of haters and/or competitors, or for political or other reasons, to report somebody's product as being infected. Usually they're the same people who send your host provider mails, telling them to delete the site for some reason.


RemiD(Posted 2010) [#16]
Hello jfk,

I have some questions about Molebox please:

1) Why do you use Molebox Pro to pack your games? Are other packers like those on this website not good enough? (my goal is to protect the textures, the meshes, the sounds, the music, because some of the media is copyrighted and the owner wants me to protect it from the user)

2) When you pack your games with Molebox, do you have to include the "Molebox code" inside your "Blitz3d code", or does it pack the files and the Blitz3d exe without any other setup?

Thanks,


mrniceguy(Posted 2010) [#17]
Hi Remi,

Here is some information about Smart Packer Pro and why you could consider using it.

Smart Packer Pro encrypts files and runs the main exe/other files within a virtual filesystem.

There is no need to mention Smart Packer Pro in your app, and you can easily customize the app icon.


If you need more information just let me know!

Last edited 2010


jfk EO-11110(Posted 2010) [#18]
Remi - I use it because I bought it some time ago; it was working well in the past. Protection of everything, including the EXE from reading ASCII parts with Notepad, patching, etc., at least to some degree.
2) Yes, that's why it's cool, no further setup required. Very few Blitz3D commands won't work, e.g. FileType with folders.

Smart Packer Pro might be an alternative, I didn't test it yet.


RemiD(Posted 2010) [#19]
Ok, thanks for your answers, I will try Molebox and Smart Packer Pro.


chi(Posted 2010) [#20]
There is a 35% discount for Smartpacker Pro until x-mas... Look at http://www.devmaster.net/


Mahan(Posted 2011) [#21]
I own MoleBox Pro and .exe's are indeed identified as viruses: Downloader.Generic9.BPPM

After reading this thread I installed and tried Smart Packer Pro, but to no avail :/ The resulting .exe is said to be infected with: Clicker.AOKM

My antivirus program is AVG.

Too bad it seems like none of these packers (which provide a very neat functionality) are usable, as long as major antivirus programs flag them.


mrniceguy(Posted 2011) [#22]
It's almost impossible to guarantee that some anti-virus apps will not detect a packed executable as a problem exe.

Of course, we work with anti-virus companies but their algorithms are not always reliable so sometimes their products detect absolutely safe executables as possible viruses.

All we can do is ask the anti-virus companies to check and remove the false positive mark.

By the way, I have sent you an e-mail. We will contact AVG :)


Mahan(Posted 2011) [#23]
By the way, I have sent you an e-mail. We will contact AVG :)


It's a small world as usual :)

All we can do is ask the anti-virus companies to check and remove the false positive mark.


I assume that the conceptual problem is that (speaking in my own layman's terms) almost all the packers generate a VM/runtime-part of the .exe that is responsible for starting up the application and providing a virtual environment for the often encrypted "payload" of the encapsulated program:

I.e:
Full resulting exe = [[Generic .Exe-packer runtime] + [Payload containing the original .exe, dll's and data files (often encrypted)]]

Since utilities like these .exe packers are actually known to (and used by) the trojan writers (I got into some of their public discussion areas while googling for a solution) as good tools for concealing their crap, the AV companies, when they encounter a trojan, use their generic "signature generator" on the offending .exe and add it to their signature DB.

As a result all (or a significant part) of the good/legitimate apps that have been created by honest developers and distributed by means of that .exe packer version are identified as infected.

I sadly see no good solution for this because:

a) Even if the AV companies teach their apps to accept and recognize that the generic part of these .exe's is harmless in itself, they need to teach the app to identify some signature from the payload.

b) If (a) is the way they go for, all a presumable virus creator must do to conceal a virus that was identified and stopped yesterday is to generate a new crypto key for their "packed .exe virus", and then they can ship it as new and it is not identified as a virus anymore.

Kinda frustrating tbh.

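The conceptual model above (shared packer runtime + encrypted payload) and jfk's remark in #8 that a signature cut from the packer's own code region will hit every file that packer produces can be made concrete with a small simulation. This is an added example, not code from the thread or from any packer or AV vendor; the stub, payloads, key placement and signature lengths are all constructed for illustration.

```python
from typing import Dict, Optional

# Constructed stand-ins: the unpacker stub a packer prepends to every file it
# produces, a legitimate payload and a malicious one (toy bytes, not real code).
STUB = b"UNPACKER-STUB-v1:" + bytes(range(48))
LEGIT = b"GAME:hello-world" + bytes(i * 7 % 256 for i in range(48))
TROJAN = b"EVIL:clicker" + bytes(i * 13 % 256 for i in range(48))
SIG_LEN = 16


def xor(data: bytes, key: int) -> bytes:
    """Toy symmetric 'encryption'; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int) -> bytes:
    """Mimic a packer: shared stub, one key byte the stub reads at run time,
    then the payload encrypted under that key."""
    return STUB + bytes([key]) + xor(payload, key)


def unpack(sample: bytes) -> Optional[bytes]:
    """What a packer-aware scanner does: recognise the stub, recover the key
    exactly as the stub itself would, and decrypt the payload for inspection."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB):
        return None
    key = sample[len(STUB)]
    return xor(sample[len(STUB) + 1:], key)


def scan(samples: Dict[str, bytes], known_bad: bytes) -> Dict[str, Dict[str, bool]]:
    """Derive one signature per strategy from the known-bad sample, then test
    every file with it. Returns {strategy: {file name: flagged}}."""
    sig_stub = known_bad[:SIG_LEN]                              # cut from the code region
    sig_enc = known_bad[len(STUB) + 1:len(STUB) + 1 + SIG_LEN]  # cut from the raw payload
    sig_inner = unpack(known_bad)[:SIG_LEN]                     # cut after unpacking
    return {
        "stub-bytes": {n: sig_stub in s for n, s in samples.items()},
        "encrypted-payload": {n: sig_enc in s for n, s in samples.items()},
        "unpack-then-scan": {n: sig_inner in (unpack(s) or b"") for n, s in samples.items()},
    }


def demo() -> Dict[str, Dict[str, bool]]:
    files = {
        "legit_game": pack(LEGIT, 0x5A),
        "trojan": pack(TROJAN, 0x5A),          # the sample the AV vendor received
        "trojan_rekeyed": pack(TROJAN, 0xC3),  # same trojan, fresh key (case b above)
    }
    return scan(files, files["trojan"])
```

Only the unpack-then-scan strategy leaves the legitimate file alone while still catching the re-keyed copy; that is the "extra smarts" for recognising the packer that xlsior and jfk ask the AV vendors for.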

mrniceguy(Posted 2011) [#24]
It really depends which antivirus company is involved. For example Kaspersky and others don't have any problems with Smart Packer Pro.

Also, not only this sort of application is marked as a virus; other (standard) applications have this problem.


jfk EO-11110(Posted 2011) [#25]
Not sure about Smart Packer Pro, but in Molebox you can set a seed for the encryption algorithm. As I already stated, make sure not to use the factory default seed, this was used by some malware.

Instead, think about whether encryption is really needed. Packing with the unencrypted ZIP algorithm will allow the AV app to easily check the content of the packed exe.

It seems the AV companies try their best to remove false positives from the lists and to use signature technology that does handle the problem correctly.

I'd suggest checking your files at virustotal.com. All big AV apps will test your file. If there are 33% or more positives, think about finding another solution. But you will most likely never have 0%, BTW.


mrniceguy(Posted 2011) [#26]
In Smart Packer every build has a randomly generated encryption key (seed). Also there are three levels of encryption, so each packed executable is different.