PNut exe detected as virus
System
Posts: 42
in Propeller 2
This discussion was created from comments split from: PNut/Spin2 Latest Version (v34t - DEBUGGER added).
Comments
Yup, still a problem. That's why I stick with Win7 Pro.
Running Windows 10 Pro 1909 build 18363.959
P.S. Sorry, only brazilian portuguese text, but should be readable to everyone...
P.S.II - Grave = Severe
Using WIN7 and Firefox
The requested URL cannot be provided
Object URL:
https://doc-14-as-docs.googleusercontent.com/docs/securesc/04gr444nglmu6pd2if529vucab3cb7b6/n998q50b996aqea95kphk8bc70m9vqf7/1594854675000/07561185458969821581/09540506426060137428Z/10QwmwlZQOTLFy0MVyNNgzc71d2-ej8xr?e=download&nonce=u4hebku0kb67u&user=09540506426060137428Z&hash=sug2kveilku8ef5h0891elaoqbdoe3ag
Reason: the object is infected by HEUR:Trojan.Win32.Crypt.gen
Message generated on: 7/15/2020 7:11:53 PM
This happened before and I figure out a work around, but don't remember it now...
Here's the window you need to get to, but this is AFTER it was allowed...
Signing the executable generally keeps the crazy heuristics at bay - PropTool is signed, so you already have a certificate laying around somewhere
Yes, costs money
@ersmith eventually did this for FastSpin
Parallax can self-sign an CA certificate and distribute (make downloadable) it to its clients/customers/users so that they can import it into trusted CA authorities in windows certificate store. Then any further certificate used for whatever reason (eg software signing) and signed by this 'root CA parallax certificate' will be recognized by the OS.
Any skilled organization sooner or later internally do this if not for other things at least to sing excel macros and avoid MS Office complaining on files from network shares as disabling the office control becomes dangerous for outside malware macros.
Any admin of the PC can import the certificate.
In organizations, schools, ... it can be deployed via MS AD GPOs.
I am pretty sure linux have also something similar. Anyway it doesn't matter since Parallax is offering only Windows tools
Unfortunately SSL certificates don't work for code signing.
Darn, I thought they provided general certs too. Must have read too quickly.
Another way I've seen work is to sideload, that is, get onto your computer not by the internet, but some other way...
Maybe download on a Mac or something and then copy to a cloud file service, for example...
Or, USB stick.
I think anything downloaded from the internet gets higher scrutiny...
I ran dependency walker on pnut and it shows some errors...
Never mind...
Sorry, was using outdated tool...
Maybe that doesn't mean anything...
Sorry, this is probably a meaningless side-track...
But, looks like depends.exe doesn't work on Win10. Found a MS note to use this instead:
https://github.com/lucasg/Dependencies
This doesn't show any errors...
Did v34s not have this problem?
John Abshier
I did find a work-around for my PC: I copied the files to the destination folder (after bypassing the warning when attempting to copy), and and then ran PNut before asking WD to scan. I got the normal "Are you sure you want to run this program ?" warning. After running, everything seems fine.
I will experiment with DEBUG to provide feedback, but I do look forward to the integration into Propeller Tool as I find that a far more comfortable editing environment.
It's quite common for at least one of the published antivirus systems to detect a potential problem with new software. I think this is because many now employ heuristic "fingerprint"-type techniques to try to catch malicious software early based on the known profiles of previous, hopefully verified, infections. Quite often, the lack of a download history for a given app is enough to trigger warnings of "suspicious" software in some systems, such as Norton. That makes life tough for end-users and developers. Digitally-signing may improve the situation, but isn't a guarantee it will prevent false-positives... I'm very curious about it in this case. We usually don't digitally sign executables while in active development. I haven't been digitally signing the alpha releases of Propeller Tool and haven't heard of people experiencing any problems yet.
Regardless, we may try digitally signing PNut as an experiment for this case.
Chip and I discussed it and I'm pretty sure this is all due to the exe compressor, which I've seen cause false detections before. I usually check exe's I produce with VirusTotal and, honestly, I don't worry about it if the number of detections is low (around 2 to 4 out of 70+ AV systems) because they are typically heuristically-triggered (indicated by their system) and often from mostly-unknown AV engines. When something triggers many, or more well-known AV engines, then it's more cause for concern in my experience. OS-level triggers (built-in AV systems) are also, of course, a big concern because they are seriously inhibiting and scaring users. I don't know how many times I've been in contact with Symantec about a false-positive detection with seemingly no way to get them to prove it or fix their engine. Haven't had to do that much in recent months. In my experience, using exe compressors, doing certain things like adding in TCP/UDP-IP libraries, creating a stub resource that I attached to the end of the built exe, etc. are all things that falsely trigger some AV systems. Very frustrating.
I could start my own protest movement against unfair software profiling.
By the way, the compressed version of PNut_v34f.exe through PNut_v34t.exe triggers 11 to 13 detections across the current set of 72 AV systems that VirusTotal uses. The uncompressed version of v34t triggers only 2 out of 72, and only heuristically. I'm still seriously thinking this is all false-positive results.
<soapbox>This grief is all brought to us by greed, ill will, and an unending supply of smart people using their skills for high-tech malice rather than for the betterment of humanity.</soapbox>
@JonnyMac
I had issues with windows 10 pro not liking Pnut.
Try this:
1 Right click on Pnut icon and select properties.
2. Compatibility
3. Run the compatibility troubleshooter
This made windows 10 accept Pnut.