
Author Topic: A blank Win64 program is detected accessing several IPs. Is this normal?

gasensor

  • Jr. Member
  • **
  • Posts: 78
A blank Win64 program. There is no feature at all. There is only one default blank form. (A console application behaves the same.)

However, this app has been detected to access several of the following IPs.

I'm confused.

I am cross-compiling from Linux to Win64.

IP List:
Quote
TCP 20.99.133.109:443
TCP 23.216.81.152:80 (www.microsoft.com [info from virustotal.com])
TCP 131.253.33.203:80
UDP 192.168.0.74:137


This information is from: https://www.virustotal.com

FPC 3.2.2
Lazarus 2.2.6
OS: LinuxMX23.3 X86


P.S.
This also explains why my website keeps being scanned by IPs from United States Seattle.
« Last Edit: July 18, 2024, 12:19:17 am by gasensor »

MarkMLl

  • Hero Member
  • *****
  • Posts: 8015
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Mr.Madguy

  • Hero Member
  • *****
  • Posts: 859
I guess VirusTotal detects all network activity on the virtual machine, including activity completely unrelated to the application being examined.
Is it healthy for project not to have regular stable releases?
Just for fun: Code::Blocks, GCC 13 and DOS - is it possible?

Thaddy

  • Hero Member
  • *****
  • Posts: 16158
  • Censorship about opinions does not belong here.
A blank project does not contain any networking code (unless sockets is used anywhere, which isn't the case).
If that is not the case it is a REAL infection. And many other executables on your computer may be affected.
(Although code compiled with the FPC compiler on Windows often gives false positives, because some virus "expert" fails to add an exception in their heuristics.)
Just complain and keep complaining in that case. Not here, but at the so-called virus experts' websites.
I have the time to complain, and I do that all the time...
Btw, VirusTotal is a bit... well... history. You are really better off with just MS Defender.
It is a market that has lost its purpose after MS Defender matured. That is for private computing of course, not public entities.
« Last Edit: July 17, 2024, 08:42:51 pm by Thaddy »
If I smell bad code it usually is bad code and that includes my own code.

CCRDude

  • Hero Member
  • *****
  • Posts: 612
The duplicate post mentions an important thing: injected code.

Any process could "use" network activity, if injected code does. In that linked post, it seems to be a WMI tool designed to monitor performance, so it might even be legit. And that such a tool communicates with Microsoft seems to be expected.

That's the downside of behaviour analysis compared to static analysis.

gasensor

  • Jr. Member
  • **
  • Posts: 78
This also explains why my website keeps being scanned by IPs from United States Seattle.

Could it be that Microsoft invested in Lazarus/Freepascal?

I'll retest later in a clean environment.

« Last Edit: July 18, 2024, 12:24:22 am by gasensor »

MarkMLl

  • Hero Member
  • *****
  • Posts: 8015
I'll retest later in a clean environment.

One possible twist is that due to... well, just about /anything/ every program on your system results in e.g. some attempts at a name resolution lookup but most are explicitly whitelisted by the self-styled "malware detector".

While my main desktop systems are wired, one of those acts as a gateway for all WiFi traffic and I can easily hook into that to see what's /actually/ going on (Wireshark plus a few other things).

MarkMLl

Mr.Madguy

  • Hero Member
  • *****
  • Posts: 859
Again. If you would analyze VirusTotal sandbox logs, you would notice that it uses some sort of Windows virtual machine and that system activity is also logged. So, just don't confuse system activity with your application's activity.

Thaddy

  • Hero Member
  • *****
  • Posts: 16158
  • Censorship about opinions does not belong here.
Quote
(myself)A blank project does not contain any networking code.
Period.
Another thing is that on Windows, the mistaken trust in things like VirusTotal is completely unfounded. You should not use that anymore, on a client side; just use Defender. The rest outputs rubbish.

Once there was a need for it, but for at least 5 years it is just a hoax.
« Last Edit: July 18, 2024, 11:22:24 am by Thaddy »

gasensor

  • Jr. Member
  • **
  • Posts: 78
Quote
(myself)A blank project does not contain any networking code.
Period.
Another thing is that on Windows, the mistaken trust in things like VirusTotal is completely unfounded. You should not use that anymore, on a client side; just use Defender. The rest outputs rubbish.

Once there was a need for it, but for at least 5 years it is just a hoax.

The environment on the Win platform is too harsh and there are too many viruses. In order to avoid being blocked, you can only be very careful.

For a software, reputation matters.

Thaddy

  • Hero Member
  • *****
  • Posts: 16158
  • Censorship about opinions does not belong here.
For a software, reputation matters.
Yes, indeed. It is just how you interpret reputation, and with current knowledge for client-side software, the reputation of VirusTotal is not great. I was a big fan of Avast and some others, but current knowledge says "past sell-by date".
Especially VirusTotal, because it uses multiple engines, causes more problems than it solves. It is almost guaranteed to cause false positives and you don't want that.
I am not alone in this, but feel free to ignore my advice.
(And you will run into unnecessary problems.)
I have a headache too many, just to try and get Microsoft to keep their heuristics up to date. Because it is the heuristics that cause most problems with FPC-compiled software. And MS listens and is quick with updates.
Did it occur to you that Defender no longer marks FPC-compiled software as dangerous by default? That is called perseverance. (They changed the start-up code signature; most of the rest did not do that.)
Although there is still a remark about an unknown issuer, this is less relevant and happens all the time.
Using VirusTotal today is a self-fulfilling prophecy.
« Last Edit: July 18, 2024, 04:36:37 pm by Thaddy »

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10552
  • Debugger - SynEdit - and more
    • wiki
It's often not the tool (i.e., nothing fundamentally wrong with VirusTotal), but the interpretation of its output.
And in that light, it is totally fine to ask about it.

Also, having people check the tools they use rather than blindly trusting them is a good thing (or we would all be using a compromised compression lib now). And it improves reputation in the long run, because if lots of people keep an eye on it, and then decide to use it, that vouches for its trustworthiness.

Thaddy

  • Hero Member
  • *****
  • Posts: 16158
  • Censorship about opinions does not belong here.
I broadly agree with you, but...
Self-fulfilling prophecy.
Reputation related to the amount of demonstrable false positives...is not a good way to determine reputation.
And that is the case at hand.

Reputation in adapting the fingerprint of a compiler IS something that gives a company reputation. And, whatever you think about MS, they did just that.

I stick to my original answer: if there is demonstrable network traffic caused by your application and without intent, there is something else that interferes, usually not to the good.
« Last Edit: July 18, 2024, 04:47:39 pm by Thaddy »

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10552
  • Debugger - SynEdit - and more
    • wiki
I stick to my original answer: if there is demonstrable network traffic caused by your application and without intent, there is something else that interferes, usually not to the good.

Well, yes, the something else in this case is called "Windows". And I won't argue about your judgment of it. ;)

Mr.Madguy

  • Hero Member
  • *****
  • Posts: 859
Yeah, it's an implementation problem that VirusTotal registers the whole VM's activity, including OS activity, instead of registering the application's activity only, because system activity can include various confusing transactions, such as connectivity checks, NTP queries, update checks, SmartScreen queries, etc., that are completely unrelated to the application being examined. There are some other suspicious activities, such as rundll attempts, that can be treated by users as performed by the application, while they're performed by VirusTotal itself. So, the VirusTotal sandbox shouldn't be treated as a precise tool to determine whether an application is clean or not.
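As an added example (not code from this thread, nor from FPC, Lazarus or VirusTotal), here is the differential check that Mr.Madguy's and MarkMLl's posts point at: run a binary known to contain no network code in the same sandbox image, subtract its endpoints from the ones reported for your sample, and label whatever is left over. The sample endpoint list is the one from the opening post; the baseline list and the port table are constructed values, not real sandbox output.

```python
import ipaddress
import re

# Constructed sample: the endpoints the sandbox report listed for the blank
# Win64 executable, copied from the opening post of this thread.
SAMPLE_REPORT = """
TCP 20.99.133.109:443
TCP 23.216.81.152:80
TCP 131.253.33.203:80
UDP 192.168.0.74:137
"""
# Constructed (hypothetical) baseline: endpoints seen when a binary known to
# contain no network code at all is run in the same sandbox image.
BASELINE_REPORT = """
TCP 20.99.133.109:443
TCP 23.216.81.152:80
UDP 192.168.0.74:137
"""
# Ports typical of Windows background chatter rather than of the sample itself.
OS_NOISE_PORTS = {137: "NetBIOS name service", 123: "NTP", 5355: "LLMNR", 1900: "SSDP"}
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\b")

def parse_report(text):
    """Extract (proto, ip, port) tuples from a 'PROTO ip:port' endpoint list."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2), int(m.group(3))))
    return found

def classify(ep):
    """Label an endpoint as local-network chatter, an OS service port, or external."""
    _proto, ip, port = ep
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_link_local or addr.is_loopback:
        return "local network (%s)" % OS_NOISE_PORTS.get(port, "unknown service")
    if port in OS_NOISE_PORTS:
        return "OS service port (%s)" % OS_NOISE_PORTS[port]
    return "external"

def triage(sample, baseline):
    """Subtract the baseline run from the sample run; label what is left over."""
    base = parse_report(baseline)
    verdicts = {}
    for ep in sorted(parse_report(sample)):
        if ep in base:
            verdicts[ep] = "seen in baseline: sandbox/OS noise"
        else:
            verdicts[ep] = "not in baseline, investigate: " + classify(ep)
    return verdicts
```

Only endpoints absent from the baseline run deserve a closer look; in the constructed data that leaves one external address, which a capture on a gateway (as MarkMLl describes) can then attribute to a process.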
