
Author Topic: Preventing Trojans?  (Read 2938 times)

Michael Collier

  • Sr. Member
  • ****
  • Posts: 301
Preventing Trojans?
« on: September 30, 2021, 12:30:08 am »
Can anyone shed light on what might have happened please?

1. I compiled my project to get windows exe.
2. zipped it.
3. ftp to my server.
4. Downloaded to make sure I posted correct download link.

I do this countless times, never had a problem until a few hours ago when this happened..

@ Step 4 Windows Defender reports that a Trojan is in the file I was downloading (my own freshly compiled, zipped, uploaded file).

So I kept repeating the steps to see what was going on and I kept getting the error.

The previous day I had installed some software (it seemed to pass my virus scan). The company is a reputable U.K manufacturing company.

So I ran windows un-installer from the control panel to remove the most recent installed program.

I can now run all 4 steps without problems.

So it looks to me like the problem, either a real virus - or a false positive? is being caused by their software, - I phoned them to let them know, waiting for call back..

I don't want to panic the authors, but it looks to me like the problem is at their end, would you agree?

Also, I had turned the onGuard exeProtect CRC component off during this compile, zip, upload, download cycle - I wish I had left it enabled to see if it would have caught it sooner..

Thanks,
Mike



Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 9794
  • Debugger - SynEdit - and more
    • wiki
Re: Preventing Trojans?
« Reply #1 on: September 30, 2021, 12:45:13 am »
Well, my understanding is that Windows treats files from the internet as more suspicious than files already on your PC.
So it is one possibility that the exact same file can cause an alert, but only when downloaded.

Get Microsoft's fciv.exe to calculate checksums. Compare before and after the download.

Also upload to virustotal or similar, and compare the checksum you get there.
And lastly, if possible have virustotal download the exe from your ftp.


Michael Collier

  • Sr. Member
  • ****
  • Posts: 301
Re: Preventing Trojans?
« Reply #2 on: September 30, 2021, 02:04:22 am »
Thanks, I tried a few recent and old exes uploaded to VirusTotal

For anyone reading in future, drag and drop your exe onto this URL:
https://www.virustotal.com/gui/home/upload

BTW I get a (false?) positive result from "Cylance", and found a topic on Reddit complaining about them:
https://www.reddit.com/r/antivirus/comments/6r09o0/cylance_false_positives/

Even a new Lazarus application compiled and tested gives error, can anyone confirm this happens to them please?

Blade

  • Full Member
  • ***
  • Posts: 177
Re: Preventing Trojans?
« Reply #3 on: September 30, 2021, 04:58:51 am »
Can anyone shed light on what might have happened please?

It appears that Microsoft is pulling some shenanigans with their Microsoft Edge and Windows Defender products.  It looks like some corporate maneuvers going on, where Microsoft is trying to push people to their Microsoft Store.  Often, if you attempt to download something outside of their store, even if well known open-source projects, you can get warnings from the Edge browser (SmartScreen) or Defender.

The only thing that can be done is to report the false-positives to Microsoft.

With Windows Defender, you can send a report to Microsoft directly.  They will do an analysis and give you the results within 24 hours.

https://www.microsoft.com/en-us/wdsi/filesubmission/
(Submit a file for malware analysis)

With Microsoft Edge, it's a little bit trickier.  When it stops the download from being saved to the hard drive and indicates red, there is an option to give feedback on whether you believe the download is safe.  But, it doesn't always show up, and sometimes it just allows you to save the file to your hard drive with no other options.  Thus, it is probably a good idea to then submit the file to Microsoft's website for malware analysis so that you can confirm it is safe and remove the false-positive indications.

Microsoft Edge is using SmartScreen, which is linked to Windows Defender, but has additional functionality.  A person has the option to turn it off, but that will kind of only help you, not other people who want to download your file.  Microsoft states that to help with the reputation of your file (to prevent SmartScreen interference), it should be digitally signed.

Here is the quasi-helpful advice that Microsoft gives on the subject.

https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx
(Microsoft Defender SmartScreen Frequently Asked Questions)


Blade

  • Full Member
  • ***
  • Posts: 177
Re: Preventing Trojans?
« Reply #4 on: September 30, 2021, 05:08:26 am »
Thanks, I tried a few recent and old exe uploaded to VirusTotal

For anyone reading in future, drag and drop your exe onto this URL:
https://www.virustotal.com/gui/home/upload

You can contact VirusTotal directly to complain and give feedback about various Anti-Virus vendors giving bad information or false-positives.  This might also help to get shady Anti-Virus companies removed from VirusTotal's list.  For subject, you can select about false-positives.

https://www.virustotal.com/gui/contact-us
(Contact VirusTotal)



Michael Collier

  • Sr. Member
  • ****
  • Posts: 301
Re: Preventing Trojans?
« Reply #5 on: September 30, 2021, 11:24:11 am »
Good idea, I can send email to VirusTotal informing them that false positive occurs for a simple blank Lazarus project, and refer them to this topic, but I need a larger sample size than just myself, and I can't power up any more windows PCs on my network until I'm satisfied my network is clean.

Can other Lazarus users please compile an empty project and confirm?

Menu->Project->New Project->Application

and drag the file from your temp directory to

https://www.virustotal.com/gui/home/upload

I get virus company "Cylance" giving an issue, all other virus companies are fine.

I think this is bad for VirusTotal because I no longer want to give a link to their site (why should I send my users somewhere to get false positives about my software).

Thanks,
Mike

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11383
  • FPC developer.
Re: Preventing Trojans?
« Reply #6 on: September 30, 2021, 11:47:10 am »
Can anyone shed light on what might have happened please?

It appears that Microsoft is pulling some shenanigans with their Microsoft Edge and Windows Defender products.  It looks like some corporate maneuvers going on, where Microsoft is trying to push people to their Microsoft Store.  Often, if you attempt to download something outside of their store, even if well known open-source projects, you can get warnings from the Edge browser (SmartScreen) or Defender.

fyi,

The marking of download files dates back to XP SP2, iow before the store and SmartScreen. I often worked around it by using pscp from my server's www root as much as possible, rather than actually downloading it via the webserver :-)

The FPC command "chmls unblock <file>" might be able to remove that download signature of EXEs too (in case you need it as part of an automated process for e.g. bootstrapping).


avra

  • Hero Member
  • *****
  • Posts: 2514
    • Additional info
Re: Preventing Trojans?
« Reply #7 on: September 30, 2021, 12:26:41 pm »
Good idea, I can send email to VirusTotal informing them that false positive occurs for a simple blank Lazarus project, and refer them to this topic
...
I think this is bad for VirusTotal because I no longer want to give a link to their site (why should I send my users somewhere to get false positives about my software).
VirusTotal just collects scan results of many different antivirus applications and displays them in one place. You should direct your report to Cylance.

Anyway, it is common that some weak antivirus software reports false positives, especially when you are a developer and create fresh executables which have not yet been checked by antivirus and OS vendors. When in a scan report you see 50 negatives and 3 positives it is 99% safe to think that everything is ok. Decision is yours.
ct2laz - Conversion between Lazarus and CodeTyphon
bithelpers - Bit manipulation for standard types
pasettimino - Siemens S7 PLC lib

Michael Collier

  • Sr. Member
  • ****
  • Posts: 301
Re: Preventing Trojans?
« Reply #8 on: September 30, 2021, 12:48:56 pm »
OK I'll send it to Cylance too, but see the link in my previous post, I doubt I'll get far with them
https://www.reddit.com/r/antivirus/comments/6r09o0/cylance_false_positives/

Michael Collier

  • Sr. Member
  • ****
  • Posts: 301
Re: Preventing Trojans?
« Reply #9 on: October 01, 2021, 09:34:23 am »
Get Microsofts fciv.exe to calculate checksums. Compare before and after the download.

Thanks, BTW it seems that fciv.exe is no longer available for download, but CertUtil is part of Windows 10.

For anyone reading this in future, my usage was:

C:\Users\user1>certutil.exe -hashfile "V:\win10\_check_for_virus_.zip" SHA256
SHA256 hash of V:\win10\_check_for_virus_.zip:
28fba67029ad5d25d1988b2785fd340a1405f5753b9feb6d931929bb81bab4d7
CertUtil: -hashfile command completed successfully.
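Putting Martin's checksum advice and marcov's note about the download marking together, here is an added PowerShell example (not from this thread or from any poster). It hashes the locally built ZIP and the copy the browser saved in step 4 with Get-FileHash, which gives the same SHA256 that certutil prints above, and then reads the Zone.Identifier stream that Windows attaches to files from the internet. Both paths are assumptions; the second one should point at the browser-downloaded copy.

```powershell
# Added example, not from the thread. Compares the build that was uploaded with
# the copy fetched back in step 4, then shows the mark-of-the-web on the download.
param(
    # Path from the certutil session above; adjust to your own build output.
    [string]$LocalZip      = 'V:\win10\_check_for_virus_.zip',
    # Placeholder: the copy saved by the browser when re-downloading from the server.
    [string]$DownloadedZip = "$env:USERPROFILE\Downloads\_check_for_virus_.zip"
)

# 1. Hash both files. Get-FileHash -Algorithm SHA256 produces the same digest as
#    "certutil -hashfile <file> SHA256", just upper-cased.
$before = (Get-FileHash -Path $LocalZip      -Algorithm SHA256).Hash
$after  = (Get-FileHash -Path $DownloadedZip -Algorithm SHA256).Hash

Write-Host "local build : $before"
Write-Host "downloaded  : $after"

# 2. Same bytes or not? That separates "the file was altered somewhere between
#    build and server" from "the scanner treats internet-sourced files differently".
if ($before -eq $after) {
    Write-Host 'Content identical. An alert that fires only on the downloaded copy is'
    Write-Host 'about the file''s origin/reputation, not about changed bytes.'
} else {
    Write-Warning 'Hash mismatch: the served file differs from what you built.'
    Write-Warning 'Check the upload path and the server before distributing it.'
}

# 3. The "download signature" marcov mentions is an NTFS alternate data stream
#    named Zone.Identifier. ZoneId=3 means the Internet zone; this is what makes
#    Windows, SmartScreen and Defender treat the file as coming from the internet.
$zone = Get-Content -Path $DownloadedZip -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host 'Zone.Identifier stream on the downloaded copy:'
    $zone | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No Zone.Identifier stream: the file is not marked as downloaded.'
}
```

If the hashes match and the stream shows ZoneId=3, the file you built is what users receive and the alert is a reputation/false-positive case to report to the vendor, as suggested earlier in the thread.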

