It's exactly the same as the v34u download Chip provided in the first post of this thread, but we've digitally signed the PNut_v34u.exe in this one. I'd like to know if your download, extract, first-run experience is any smoother with a signed version.
The signing process was the usual multi-hour nightmare that occurs when the process has changed in-between my last and present signing. Got it all figured out and our internal docs updated so the next time (soon) is a breeze. I'm especially happy to hear the effort was worth it for users previously affected by Win7/Win10 Defender action.
Chip's releases will be unsigned until I can step in each time and sign it; just be aware of that and all is well, I hope.
Funny (?) note: the before and after signed executables trigger a slightly different result in VirusTotal, with an additional detection, McAfee, of a possible infection heuristically (like the others) which it calls a "generic" virus detection. The results are essentially the same; a suspect infection detected by 4 out of 72 anti-virus systems, and no real proof of any real infection. McAfee has a publicized way to submit possible false-positives, but the steps to do so are more than I can justify right now.
Before it was tagged as a possible virus, I was able to download the unsigned and zipped version hosted at Google Drive.
Until today, early in the morning, W Defender still let me freely extract, move and run it, without complaining.
After applying today's updates to W Defender (1.319.2130.0), I tried it again in the last 10 minutes, and now it complained, as shown in the following image:
Jeff's version is about 5/6kB larger than yours, due to the signing process, I presume.
I wonder if the presence/existence of a signed version makes detection of an unsigned version seem more suspicious?
Has anyone had any issues with the signed and zipped version posted by Jeff Martin?
I know the following approach can be seen as moot as any other anti-virus-circumvention trial, so a total waste of time; thus, take it all as the most simple litmus test I can imagine, in order to get a feeling about the way "Heuristic analysis" is being conducted/understood by the anti-virus package providers (and that waste of time would rely on Chip's shoulders, so, precious time wasted...), but, anyway:
- edit the source code, with minimal changes, such as help messages and other non-behaviour-affecting changes, including normal version upgrade notices, if any (AKA, e. g., 34utv);
- re-compile and assemble/zip the whole new package;
- post it thru the same channels (G Drive);
- wait some minutes, for the microwave to get popcorn cooking finished;
- let's see how it tastes (with a bit of salt).
The well has already been poisoned so to speak. With the exe unpacker and lack of signing, it was false-flagged positive in the various anti-virus databases.
Plus maybe the analysis sees something, like making it possible for a malicious payload in a source code file that overflows a buffer and executes that code.
Now any unsigned PNut updates are going to be flagged as virus variants, exe packer or not.
Well, my Win Defender had the same issue with this version as the unsigned version. I was able to allow it to run. And yes, I verified that the executable was signed.
I'd guess that there's some bit pattern in the executable that looks like a virus. Not sure what you can do about that, except report it to MS...
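A way to do the check mentioned above on your own machine, as an added example that is not from this thread: it reports the Authenticode status, signer and size of an extracted PNut executable alongside its SHA-256 (the value a false-positive report to Microsoft or VirusTotal asks for) and whether the file still carries the Internet-zone mark that SmartScreen/Defender consult. The two paths at the bottom are assumptions; point them at your own unsigned and signed copies.

```powershell
# Added example (not code from the thread): verify a downloaded PNut build.
# Assumes the executables have already been extracted from their zip files.
function Test-PNutRelease {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Authenticode check: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Zone.Identifier is the alternate data stream ("mark of the web") added to
    # files saved from a browser; it is what SmartScreen looks at on first run.
    $zone = $null
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { }

    [pscustomobject]@{
        File         = Split-Path -Leaf $Path
        SizeBytes    = (Get-Item -LiteralPath $Path).Length
        SHA256       = $hash
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        Thumbprint   = $sig.SignerCertificate.Thumbprint
        Timestamped  = [bool]$sig.TimeStamperCertificate
        MarkOfTheWeb = [bool]$zone
    }
}

# Compare the unsigned and the signed build side by side (paths are assumptions).
'C:\PNut\unsigned\PNut_v34u.exe', 'C:\PNut\signed\PNut_v34u.exe' |
    ForEach-Object { Test-PNutRelease -Path $_ } |
    Format-Table -AutoSize
```

A signed copy should show SigStatus Valid with the signer's subject filled in; the size difference between the two rows is the embedded signature blob, and the SHA256 column is what to paste into a vendor's false-positive submission form.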
The offending bit pattern is probably all of my code. I don't think there's anything I can do to make it look right if it's been deemed "bad". What a strange problem to have.
What if we used a packer to change its appearance, making it unrecognizable, and THEN signed it? Would that clear the slate?
I guess they stumble over your handwritten Assembler code. Can you make a DLL out of your Assembler code and call that from PNUT/Delphi?
Run the asm thru VS-Studio, then it can get a manifest, then sign the DLL and the exe from Delphi.
Nowadays compilers produce metadata contained in their output, and AV software checks for stuff like that.
@ersmith had the same problem and thanks to his Patreons was able to afford his own certificate, which solved the problem for him, but as far as I know he works on Linux with GCC? and cross compiles for Windows. So if that will work for Delphi and x86 asm, I am not sure.
@JonnyMac
My Windows 10 Pro is still complaining.
@VonSzarvas
I saw your post but have never played with defender.
Also get a Google Drive error saying infected using the other path.
@pilot0315 Defender... me neither! Interesting you're seeing Google reporting the virus now.
That link includes how to submit the program to Microsoft for review, and ultimately removal from the virus hit list (hopefully).
Maybe being on one virus vendor list means the signature gets adopted by other virus scanners over time? Dunno...! Probably can't hurt to get it removed from Microsoft's database though (or checked by them, in case there really is a virus).
Chip, you needn't burn too much time on this; @"Jeff Martin" can take care of the process. I'm concerned with repeated attempts we're establishing ourselves on virus/malware lists.
See, malwarebytes' AV engine isn't completely broken, it just says "generically suspicious" instead of digging up the name of some 20 year old obscure virus
Avast does a quick scan but all ok.
Thanks for the update!
I've tried now to download the 34u, but as soon as I click on the Google download arrow I get this msg: This file is infected
Only the owner can download files containing viruses
Should I check my computer for viruses? As far as I know, that file was produced directly by Delphi.
Try the new version 34ua by Jeff Martin 5 or 6 posts above.
I tried the same installation today and now it has a problem
Nothing has changed or been reinstalled, just a few days have passed since I last ran it successfully
"Unwanted software" feels so 2020.
The signed and zipped version posted by Jeff Martin (https://forums.parallax.com/discussion/comment/1501180/#Comment_1501180) can still be downloaded, unzipped, moved and executed freely, without complaints.
Mike
Windows 10 Pro will not let me download this file. It either times out the page or tells me to talk to you guys about a problem.
https://drive.google.com/uc?id=1MyXSy7JaGlssCpHsVhzozdJxaDeoICC5&export=download
@"Jeff Martin" Maybe something for the list?
John Abshier
Ken
I wonder why it didn't flag my current working version?