PNut/Spin2 Latest Version (v34z - Lots of DEBUG display stuff)


Comments

  • It was Windows Defender on WIN10 that complained, but it was a few mouse clicks to accept the use.
  • @ Chip
    I just posted v34u at the top of this thread. Documentation is updated, too.

    Avast does a quick scan but all ok.

    Thanks for the update!

  • This behavior started with v34T. After moving past and saving to a folder, scanning with WD does not flag any problems with version U.
  • Please try this version (attached).

    It's exactly the same as the v34u download Chip provided in the first post of this thread, but we've digitally signed the PNut_v34u.exe in this one. I'd like to know if your download, extract, first-run experience is any smoother with a signed version.

  • Good job Jeff! No complaints on WIN7 Pro and WIN10 Pro from Defender.
  • Jeff Martin Posts: 638
    edited 2020-07-21 - 19:00:27
    Thank you, @Publison!

    The signing process was the usual multi-hour nightmare that occurs when the process has changed in-between my last and present signing. Got it all figured out and our internal docs updated so the next time (soon) is a breeze. I'm especially happy to hear the effort was worth it for users previously affected by Win7/Win10 Defender action.

    Chip's releases will be unsigned until I can step in each time and sign it; just be aware of that and all is well, I hope.

    Funny (?) note: the before and after signed executables trigger a slightly different result in VirusTotal, with an additional detection, McAfee, of a possible infection heuristically (like the others) which it calls a "generic" virus detection. The results are essentially the same; a suspect infection detected by 4 out of 72 anti-virus systems, and no real proof of any real infection. McAfee has a publicized way to submit possible false-positives, but the steps to do so are more than I can justify right now.
  • Thanks for your perseverance and to Parallax as a whole to get this resolved.
  • Ran straight away with no complaints when attempting to copy from the ZIP folder nor on the first run. Thanks, Jeff.
  • You're welcome, Jon. Thanks for trying it and for the feedback.
  • @cgracey
    I've tried now to download the 34u, but as soon as I click on the google download arrow I get this msg:
    Questo file è infettato da un virus
    Solo il proprietario può scaricare i file contenenti virus.
    
    This file is infected
    Only the owner can download files containing viruses
  • dMajo wrote: »
    @cgracey
    I've tried now to download the 34u, but as soon as I click on the google download arrow I get this msg:
    Questo file è infettato da un virus
    Solo il proprietario può scaricare i file contenenti virus.
    
    This file is infected
    Only the owner can download files containing viruses

    Should I check my computer for viruses? As far as I know, that file was produced directly by Delphi.
  • Publison Posts: 11,687
    edited 2020-07-23 - 12:08:50
    dMajo wrote: »
    @cgracey
    I've tried now to download the 34u, but as soon as I click on the google download arrow I get this msg:
    Questo file è infettato da un virus
    Solo il proprietario può scaricare i file contenenti virus.
    
    This file is infected
    Only the owner can download files containing viruses

    Try the new version 34ua by Jeff Martin 5 or 6 posts above.
  • Tubular Posts: 4,055
    edited 2020-07-24 - 01:06:10
    Ok what seems to happen is that it works for the first few days without issue, then a few days later it has issue with the same file

    I tried the same installation today and now it has a problem

    Nothing has changed or been reinstalled, just a few days have passed since I last ran it successfully
  • Is this possibly about a real virus, or is it just a reaction to the unknown, or something else?

    "Unwanted software" feels so 2020.
  • Yanomani Posts: 1,048
    edited 2020-07-24 - 03:12:45
    Hi Chip

    Before it was tagged as a possible virus, I was able to download the unsigned and zipped version hosted at Google Drive.

    Until today, early in the morning, W Defender still let me freely extract, move and run it, without complaining.

    After applying today's updates to W Defender (1.319.2130.0), I've tried it again in the last 10 minutes, and now it complained, as shown in the following image:

    Peter_and_the_Wolf.png

    The signed and zipped version posted by Jeff Martin (https://forums.parallax.com/discussion/comment/1501180/#Comment_1501180) can still be downloaded, unzipped, moved and executed freely, without complaints.

    Jeff's version is about 5/6kB larger than yours, due to the signing process, I presume.
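Yanomani's size observation above (the signed build being a few kB larger) comes from the Authenticode certificate table that signing appends to the PE image. The following Python script is an added example, not code from this thread or from Parallax: it parses the PE header to locate that table, reports whether a PKCS#7 signature block is present, and records the SHA-256 a defender would quote when submitting a false-positive report to a vendor. It builds its own tiny constructed PE32 sample (not a real PNut binary, and not executable) so it runs offline; the certificate blob is a placeholder, and the script only checks that a signature block exists, it does not verify the certificate chain.

```python
import hashlib
import struct

# Constants from the PE/COFF and Authenticode specifications
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def certificate_table(data):
    """Locate the Authenticode certificate table of a PE image.

    Returns (file_offset, size), or None when the image carries no signature.
    Unlike the other data directories, entry 4 holds a raw file offset, not an RVA.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32, what a 32-bit Delphi build produces
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                              # header declares too few directory entries
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def inspect_pe(data):
    """Summarise what a defender wants to know before filing a false-positive report."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "signed": False}
    table = certificate_table(data)
    if table is None:
        return info
    off, size = table
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType; only the first entry is read
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    info.update(
        signed=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and revision == WIN_CERT_REVISION_2_0),
        cert_table_offset=off, cert_table_size=size, win_cert_length=length)
    return info


def build_sample_pe(cert_blob=None):
    """Constructed sample: a minimal, non-runnable PE32 image with an optional certificate table."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine i386, no sections, 224-byte optional header, EXE + 32-bit characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    body = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 16   # 16 bytes of fake section data
    if cert_blob is None:
        return body
    body += b"\0" * ((-len(body)) % 8)           # certificate table must be 8-byte aligned
    cert_off = len(body)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    win_cert += b"\0" * ((-len(win_cert)) % 8)
    out = bytearray(body + win_cert)
    dirs_off = e_lfanew + 4 + 20 + 96
    struct.pack_into("<II", out, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    return bytes(out)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(b"constructed-pkcs7-placeholder")   # placeholder, not a real signature
    for label, image in (("unsigned", unsigned), ("signed", signed)):
        print(label, inspect_pe(image))
    print("bytes added by the certificate table:", len(signed) - len(unsigned))
```

Run it against a real download with `inspect_pe(open("PNut_v34u.exe", "rb").read())` to confirm which build you actually have before reporting it; the SHA-256 in the output is what the vendor's false-positive form and VirusTotal identify the file by, and a signed and an unsigned build of the same source will always hash differently.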
  • jmg Posts: 14,480
    Yanomani wrote: »
    The signed and zipped version posted by Jeff Martin (https://forums.parallax.com/discussion/comment/1501180/#Comment_1501180) can still be downloaded, unzipped, moved and executed freely, without complaints.

    Jeff's version is about 5/6kB larger than yours, due to the signing process, I presume.

    I wonder if the presence/existence of a signed version makes detection of an unsigned version seem more suspicious?
    Has anyone had any issues with the signed and zipped version posted by Jeff Martin?

  • I know the following approach can be seen as moot as any other anti-virus-circumvention trial, so a total waste of time, thus, take it all as the most simple litmus test I can imagine, in order to get a feeling about the way "Heuristic analysis" is being conducted/understood by the anti-virus package-providers (and that waste of time would rely on Chip's shoulders, so, precious time wasted...), but, anyway:

    - edit the source code, with minimal changes, such as help messages and other non-behaviour-affecting changes, including normal version upgrade notices, if any (AKA, e. g., 34utv);
    - re-compile and assemble/zip the whole new package;
    - post it thru the same channels (G Drive);
    - wait some minutes, for the microwave to get popcorn cooking finished;
    - let's see how it tastes (with a bit of salt).


  • The well has already been poisoned so to speak. With the exe unpacker and lack of signing, it was false-flagged positive in the various anti-virus databases.

    Plus maybe the analysis sees something, like making it possible for a malicious payload in a source code file that overflows a buffer and executes that code.

    Now any unsigned PNut updates are going to be flagged as virus variants, exe packer or not.
  • Please try this version (attached).

    It's exactly the same as the v34u download Chip provided in the first post of this thread, but we've digitally signed the PNut_v34u.exe in this one. I'd like to know if your download, extract, first-run experience is any smoother with a signed version.
    Well, my Win Defender had the same issue with this version as the unsigned version. I was able to allow it to run. And yes, I verified that the executable was signed.

    I'd guess that there's some bit pattern in the executable that looks like a virus. Not sure what you can do about that, except report it to MS...
  • The offending bit pattern is probably all of my code. I don't think there's anything I can do to make it look right if it's been deemed "bad". What a strange problem to have.

    What if we used a packer to change its appearance, making it unrecognizable, and THEN signed it? Would that clear the slate?
  • msrobots Posts: 3,237
    edited 2020-07-25 - 22:59:07
    I guess they stumble over your handwritten Assembler code. Can you make a DLL out of your Assembler code and call that from PNUT/Delphi?

    Run the asm thru VS-Studio then it can get a manifest, then sign the DLL and the exe from Delphi.

    Nowadays compilers produce metadata contained in their output and AV-Software checks for stuff like that.

    @ersmith had the same problem and thanks to his Patreons was able to afford his own certificate, that solved the problem for him, but as far as I know he works on Linux with GCC? and cross compiles for windows. So if that will work for Delphi and x86 asm, I am not sure.

    Mike
  • @Jeff Martin
    Windows 10 pro will not let me download this file. It either times out the page or tells me to talk to you guys about a problem
  • pilot0315 Posts: 652
    edited 2020-07-26 - 16:34:21
    Please try this version (attached).

    It's exactly the same as the v34u download Chip provided in the first post of this thread, but we've digitally signed the PNut_v34u.exe in this one. I'd like to know if your download, extract, first-run experience is any smoother with a signed version.

    @JonnyMac

    My windows 10 pro is still complaining.
    @VonSzarvas

    I saw your post but have never played with defender.
    Also get a google drive error saying infected using the other path.

    https://drive.google.com/uc?id=1MyXSy7JaGlssCpHsVhzozdJxaDeoICC5&export=download
  • VonSzarvas Posts: 2,046
    edited 2020-07-26 - 17:00:14
    @pilot0315 Defender... me neither! Interesting you're seeing Google reporting the virus now.

    That link includes how to submit the program to Microsoft for review, and ultimately removal from the virus hit list (hopefully).

    Maybe being on one virus vendor list means the signature gets adopted by other virus scanners over time? Dunno...! Probably can't hurt to get it removed from Microsoft's database though (or checked by them, in-case there really is a virus).

    @Jeff Martin Maybe something for the list?

  • Malware Bytes reports 34ua as malware.

    John Abshier
  • I will run Malware Bytes tonight on my computer and see what it says.
  • Ken Gracey Posts: 6,865
    edited 2020-07-27 - 05:33:52
    Chip, you needn't burn too much time on this; @Jeff Martin can take care of the process. I'm concerned that with repeated attempts we're establishing ourselves on virus/malware lists.

    Ken
  • cgracey Posts: 13,053
    edited 2020-07-27 - 07:58:19
    I ran Malwarebytes and got this, which I annotated:

    Virus.png

    I wonder why it didn't flag my current working version?

  • See, malwarebytes' AV engine isn't completely broken, it just says "generically suspicious" instead of digging up the name of some 20 year old obscure virus