Topic: [Solved] Empty project tested with VirusTotal

DragoRosso (New Member)
[Solved] Empty project tested with VirusTotal
« on: November 13, 2023, 10:05:51 am »
I tested an empty project (created with Lazarus 2.2.6 and FPC 3.2.2 x64 stable release on Windows 11 23H2) with VirusTotal.
In the report I noticed two anomalies:

1) Network activity was reported, but in my opinion this was due to the VirusTotal test environment (Docker?). It is known that Windows uses the network when a program is first launched (for example for the SmartScreen evaluation). This is therefore not relevant.

2) The program launches additional processes with the "-install" option and similar ones (image attached).
Is there a reason for these actions?

The program was compiled with the default Lazarus options.
Bye

« Last Edit: November 13, 2023, 11:40:25 am by DragoRosso »

marcov (Administrator, FPC developer)
Re: Empty project tested with VirusTotal
« Reply #1 on: November 13, 2023, 10:52:40 am »
I think that virustotal simply launches the process multiple times with those options to see if there is some UAE function to install.

DragoRosso (New Member)
Re: Empty project tested with VirusTotal
« Reply #2 on: November 13, 2023, 11:12:54 am »
Interesting, I hadn't thought of that. For example, for an empty Delphi project this does not happen.
Thanks in the meantime.

Martin_fr (Administrator, Debugger - SynEdit - and more)
Re: [Solved] Empty project tested with VirusTotal
« Reply #3 on: November 13, 2023, 12:43:20 pm »
You don't say what kind of project. An empty GUI project (app with a form)?

I tried that, and no processes were created.

There was some IP traffic:

  192.229.211.108:80 (TCP)  // google says belongs to Edgecast Inc (content/storage/cache)
  20.99.133.109:443 (TCP)   // google says belongs to Microsoft
  20.99.185.48:443 (TCP)
  20.99.186.246:443 (TCP)
  23.216.147.64:443 (TCP)   // google says belongs to virustotal

Testing random other apps brings up those IPs too.


There should be nothing in FPC or the LCL that would launch a "-install" process.


https://www.virustotal.com/gui/file/84d2a449912fa91a09d3547f701c539313accac32eb3003a1a975500c0544329/behavior
The "conhost" in the process list is there because I compiled the exe as a console application (-WC).

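Martin_fr's two checks above can be automated against a downloaded behaviour report: is the network traffic also produced by unrelated samples in the same sandbox, and did the sample itself create any process, or did the sandbox merely launch the sample again with "-install"-style switches (marcov's explanation in reply #1)? The script below is an added example and is not code from this thread, from Lazarus/FPC or from VirusTotal. The report fields `ip_traffic` and `processes_tree`, the baseline networks, the probe switch list and the sample report itself are all assumptions constructed for the example; the real VT JSON must be mapped onto them.

```python
"""Triage a VirusTotal-style behaviour report against a sandbox baseline.

Added example (not from the thread, Lazarus, FPC or VirusTotal). The report
shape loosely follows VT's v3 file-behaviour summary, but every field name
here is an assumption and all data below is constructed.
"""
import shlex
from ipaddress import ip_address, ip_network

# Constructed baseline: networks that unrelated benign samples also reached in
# the same sandbox (Windows/SmartScreen, CDN and the sandbox's own egress).
BASELINE_NETS = [ip_network(n) for n in ("192.229.211.0/24", "20.99.0.0/16", "23.216.0.0/16")]

# Switches a sandbox commonly tries to see whether a binary registers a service.
INSTALL_PROBE_SWITCHES = {"-install", "/install", "-uninstall", "/uninstall", "-service", "/service"}

# Constructed report for an "empty" GUI project named project1.exe. The last
# flow (a TEST-NET address) is planted so that something falls outside the baseline.
SAMPLE_REPORT = {
    "ip_traffic": [
        {"destination_ip": "192.229.211.108", "destination_port": 80, "transport_layer_protocol": "TCP"},
        {"destination_ip": "20.99.133.109", "destination_port": 443, "transport_layer_protocol": "TCP"},
        {"destination_ip": "23.216.147.64", "destination_port": 443, "transport_layer_protocol": "TCP"},
        {"destination_ip": "203.0.113.7", "destination_port": 4444, "transport_layer_protocol": "TCP"},
    ],
    # Each sandbox launch is a separate root; a process the sample itself
    # started appears as a child of the sample's node.
    "processes_tree": [
        {"name": "project1.exe", "children": [{"name": "conhost.exe", "children": []}]},
        {"name": "project1.exe -install", "children": []},
        {"name": "project1.exe -uninstall", "children": []},
        {"name": "project1.exe /?", "children": []},
    ],
}


def unexplained_traffic(report, baseline_nets=BASELINE_NETS):
    """Return 'ip:port/proto' strings for destinations no baseline network explains."""
    out = []
    for flow in report.get("ip_traffic", []):
        ip = ip_address(flow["destination_ip"])
        if ip.is_loopback or ip.is_link_local:  # sandbox-internal noise
            continue
        if any(ip in net for net in baseline_nets):
            continue
        out.append(f'{ip}:{flow["destination_port"]}/{flow["transport_layer_protocol"]}')
    return out


def _split_launch(name):
    """Split a process-tree node name into (executable, argument list)."""
    parts = shlex.split(name, posix=False)
    return (parts[0].lower(), parts[1:]) if parts else ("", [])


def classify_launches(report, sample_exe):
    """Separate sandbox-driven launches of the sample from processes it spawned.

    Returns (probes, spawned): probes are root nodes that run the sample with an
    install-style switch (the sandbox trying it out); spawned are children of any
    sample node, i.e. processes the sample itself created (conhost.exe for a -WC
    build is expected here).
    """
    sample_exe = sample_exe.lower()
    probes, spawned = [], []

    def walk(node, parent_is_sample):
        exe, args = _split_launch(node["name"])
        is_sample = exe == sample_exe
        if parent_is_sample:
            spawned.append(node["name"])
        elif is_sample and {a.lower() for a in args} & INSTALL_PROBE_SWITCHES:
            probes.append(node["name"])
        for child in node.get("children", []):
            walk(child, is_sample)

    for root in report.get("processes_tree", []):
        walk(root, False)
    return probes, spawned


if __name__ == "__main__":
    print("unexplained traffic:", unexplained_traffic(SAMPLE_REPORT))
    probes, spawned = classify_launches(SAMPLE_REPORT, "project1.exe")
    print("sandbox probes     :", probes)
    print("spawned by sample  :", spawned)
```

The baseline is the key: a destination is only interesting if random other binaries in the same sandbox do not reach it, and a launch with `-install` is only interesting if it hangs below the sample in the process tree rather than beside it as a separate root.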
DragoRosso (New Member)
Re: [Solved] Empty project tested with VirusTotal
« Reply #4 on: November 13, 2023, 01:58:24 pm »
The project is GUI with nothing other than its own FORM.

Quote from: Martin_fr
  There was some IP traffic:

    192.229.211.108:80 (TCP)  // google says belongs to Edgecast Inc (content/storage/cache)
    20.99.133.109:443 (TCP)   // google says belongs to Microsoft
    20.99.185.48:443 (TCP)
    20.99.186.246:443 (TCP)
    23.216.147.64:443 (TCP)   // google says belongs to virustotal

The IPs are similar, but as I said, I'm pretty sure that these communications are triggered by Windows and not by the program (this also happens for an empty Delphi application).

My doubts were about the "-install" switch and the others, but as @marcov says, it should be VirusTotal's logic that tries those.

Bye

DragoRosso (New Member)
Re: [Solved] Empty project tested with VirusTotal
« Reply #5 on: November 13, 2023, 02:17:02 pm »
I have only one more doubt ... look at the attached image ... the info in the black frame says that THE PROGRAM DOES THOSE ACTIONS ... which may be true or not ...

Really strange, also because for a Delphi app (again an empty GUI) VT doesn't do this...


EDIT: ATTACHED THE EMPTY PROJECT TOO
« Last Edit: November 13, 2023, 02:41:19 pm by DragoRosso »
