
Author Topic: Virtus alerts on a fresh Windows binary  (Read 1388 times)

Okoba

  • Hero Member
  • *****
  • Posts: 533
Virtus alerts on a fresh Windows binary
« on: February 17, 2024, 07:31:27 pm »
Hello,

I have a problem: any build I get from any simple program with the latest Lazarus and FPC returns a false alert from Windows Defender or https://www.virustotal.com/.
It mostly says Program:Win32/Wacapew.C!ml

What I tried:
Get a fresh latest (today) version of Windows 11.
Install on a new VM.
No Git or any other program installed, nothing.
Get Lazarus and FPC source with a ZIP from GitLab.
Get latest win32 binary from here, https://sourceforge.net/projects/freepascal/files/Win32/3.2.2/. Checked it with virustotal, it is clean: https://www.virustotal.com/gui/file/7ec78b1790ecac7685f440b17f9e03865bc09846b7c068a9270c4d37704b5ac8

Compiled FPC and Lazarus from the source and made a simple program with a WriteLn and compiled with Release mode.
Submit to virustotal, and alert!

Either this is a false alert or it is not; I cannot be sure.
After these tests I got the Lazarus Stable installer and installed that too; same VirusTotal errors again.

Can anyone share any info they have?
And can you create a simple project and submit it to VirusTotal and say what you get? Preferably with the Trunk version of Lazarus, on Windows 10 or 11, in Release mode, with a simple WriteLn.
Quote
program project1;

begin
  WriteLn('test');
  ReadLn;
end.

Thaddy

  • Hero Member
  • *****
  • Posts: 14615
  • Sensorship about opinions does not belong here.
Re: Virtus alerts on a fresh Windows binary
« Reply #1 on: February 17, 2024, 08:13:17 pm »
You should submit it to Microsoft, not to Virus Total.
Microsoft usually fixes it in less than a week if you write a properly informative report about a false positive. Usually days, not weeks.
bitrate is always calculated like this:sample rate * bitdepth * number of channels.

Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #2 on: February 17, 2024, 08:19:21 pm »
And what happens then? I guess it takes a long time until other computers get an update? Until then I cannot share my programs?

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 9990
  • Debugger - SynEdit - and more
    • wiki
Re: Virtus alerts on a fresh Windows binary
« Reply #3 on: February 17, 2024, 08:20:44 pm »
Compiled FPC and Lazarus from the source and made a simple program with a WriteLn and compiled with Release mode.
Submit to virustotal, and alert!

How many of the scanners alerted? And what kind of alert?

Very small exes, or exes with debug info, have been known to trigger false alerts every now and then (including some that were confirmed false when sent to the AV company for double checking).

Usually those false alerts are "heuristic" based (they have some part of the word "heuristic" in the name).
And usually they are from 3 to 5 of the around 70 engines that VirusTotal runs.

If there is a virus alert (false or otherwise) it is usually by more than one engine. The manufacturers usually share some of their signatures and data.


The files you downloaded from the link you gave have been there for a few years, and have been used by lots of people.
And VirusTotal has known that exact unchanged file since 2021-05-16.

So I don't suspect there is an issue with that download, or there would have been more noise.


Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #4 on: February 17, 2024, 08:48:12 pm »
I had the issue with my real project, and to be sure I tested it with the small test project I wrote in the first post. The errors are the same and they are:
Microsoft
Program:Win32/Wacapew.C!ml

DeepInstinct
MALICIOUS

Cynet
Malicious (score: 100)

All files are tested on Release mode with no debug info.

And yes, I was noting that this machine didn't touch any exe except the clean old FPC installs.
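As an added illustration (not code from this thread, nor from the Lazarus or FPC projects), the following script applies the rule of thumb Martin_fr gives in reply #3 (a few heuristic or ML-style hits out of roughly 70 engines is the usual false-positive pattern, while a real detection is shared by many engines) to the three labels Okoba lists in reply #4. The report layout (an engine-name to {category, result} map, as in VirusTotal's v3 file report) is an assumption, and the sample report is constructed, not a real scan.

```python
"""Triage of a VirusTotal-style scan report for a freshly built binary.

Added example, not code from this thread or from the Lazarus/FPC project.
It encodes the rule of thumb from reply #3: a handful of engines (about
3 to 5 of roughly 70) flagging a tiny release exe with heuristic or
machine-learning style labels is the typical false-positive pattern,
while a real detection is normally shared by many engines. It is run
against the three labels reported in reply #4.

Assumptions (not from the thread): the report layout mirrors the
``last_analysis_results`` map of VirusTotal's v3 file report
(engine name -> {"category": ..., "result": ...}); the report built by
sample_report() is constructed, not a real scan.
"""
import hashlib
import re
from dataclasses import dataclass

# Substrings typical of heuristic / machine-learning / generic detection names.
HEURISTIC_MARKERS = re.compile(r"heur|!ml\b|generic|suspicious|score", re.IGNORECASE)
# A named family usually looks like "Trojan.Win32.Agent.abc" or "Type:Platform/Name".
FAMILY_PATH = re.compile(r"[A-Za-z0-9]+[./:][A-Za-z0-9]")


@dataclass
class Triage:
    engines: int          # engines that actually scanned the file
    detections: list      # (engine, label) pairs that flagged it
    generic_only: bool    # every detection is heuristic/ML or a bare verdict
    verdict: str


def sha256_bytes(data):
    """SHA-256 hex digest of in-memory data."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks; this is the id VirusTotal uses."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_gui_url(sha256_hex):
    """Report URL in the same form as the one quoted in the first post."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


def is_generic_label(label):
    """True for heuristic/ML labels and bare verdicts, False for a named family."""
    if not label:
        return True
    if HEURISTIC_MARKERS.search(label):
        return True
    # "MALICIOUS" or "Malicious (score: 100)" name no family at all.
    return FAMILY_PATH.search(label) is None


def triage_report(results, max_fp_engines=5):
    """Summarise a results map and give a defender's next step."""
    scanned = [e for e, r in results.items() if r.get("category") != "type-unsupported"]
    detections = [(e, r.get("result") or "")
                  for e, r in results.items()
                  if r.get("category") in ("malicious", "suspicious")]
    generic_only = all(is_generic_label(lbl) for _, lbl in detections)
    if not detections:
        verdict = "clean"
    elif len(detections) <= max_fp_engines and generic_only:
        verdict = "likely false positive: submit the file to the flagging vendors for review"
    elif len(detections) <= max_fp_engines:
        verdict = "few but named detections: investigate before distributing"
    else:
        verdict = "multi-engine consensus: treat as a real detection"
    return Triage(len(scanned), detections, generic_only, verdict)


def sample_report():
    """Constructed report: the 3 labels from reply #4 plus 64 clean engines."""
    results = {f"Engine{i:02d}": {"category": "undetected", "result": None} for i in range(64)}
    results["Microsoft"] = {"category": "malicious", "result": "Program:Win32/Wacapew.C!ml"}
    results["DeepInstinct"] = {"category": "malicious", "result": "MALICIOUS"}
    results["Cynet"] = {"category": "malicious", "result": "Malicious (score: 100)"}
    results["Unsupported"] = {"category": "type-unsupported", "result": None}
    return results


if __name__ == "__main__":
    t = triage_report(sample_report())
    print(f"{len(t.detections)}/{t.engines} engines flagged it -> {t.verdict}")
    for engine, label in t.detections:
        print(f"  {engine}: {label} (generic={is_generic_label(label)})")
```

The three labels from the thread all count as generic: the Microsoft name carries the `!ml` machine-learning suffix, and the other two are bare verdicts with no family name, so three hits out of 67 scanning engines lands in the "likely false positive" bucket, which is the case where a vendor submission is the right next step. Forty engines agreeing on a named family would instead be reported as consensus.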

Thaddy

  • Hero Member
  • *****
  • Posts: 14615
  • Sensorship about opinions does not belong here.
Re: Virtus alerts on a fresh Windows binary
« Reply #5 on: February 17, 2024, 09:23:35 pm »
Can you send me the source code of the false positive, so I can analyse it?
(It was part of my job when I still worked, I am CEH certified)
I have tried to reproduce this, but even with educated guessing I can not replicate the issue.
Usually it is the startup code again, though.
And yes, MS fixes real quick if that is the case again.

More in general: if an organisation does not have their software up to date it is their fault.
I never worry about that.
« Last Edit: February 17, 2024, 09:27:30 pm by Thaddy »
bitrate is always calculated like this:sample rate * bitdepth * number of channels.

Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #6 on: February 17, 2024, 09:28:04 pm »
This is a sample!
Code: Pascal
program project1;

begin
  WriteLn('test');
  ReadLn;
end.
Built with Trunk version in a clean Windows 10 and 11.

Thaddy

  • Hero Member
  • *****
  • Posts: 14615
  • Sensorship about opinions does not belong here.
Re: Virtus alerts on a fresh Windows binary
« Reply #7 on: February 17, 2024, 09:31:46 pm »
Nothing happens here; I transferred the fresh binary to another Windows 11/64 machine and nothing happens there either. Strange. Note that on both laptops, two meters apart, Windows Defender is fully up to date. The transfer was physical, by USB stick and not SSH.
« Last Edit: February 17, 2024, 09:34:07 pm by Thaddy »
bitrate is always calculated like this:sample rate * bitdepth * number of channels.

d7_2_laz

  • Hero Member
  • *****
  • Posts: 512
Re: Virtus alerts on a fresh Windows binary
« Reply #8 on: February 17, 2024, 09:35:37 pm »
I'd like to share my own experiences here. Approx. 4 months ago, one of my long-existing progs (release mode, no debug info) was reported by Windows Defender as infected. I had changed the prog sometimes, but not in relevant parts.

First I restored the prog from a safe copy, and tried with older versions too. No change; still an alert, and the prog got removed.

(What I had not tested: how it behaves when running from another site.)

Then I tested via VirusTotal. Only one of the various engines there reported a virus, the others not. That appears to be normal.
To be able to continue to use the prog, I excluded it from the Defender checks.

Then I submitted it to Microsoft, hoping for some consequence.
I never got a response, but after 8 days (I had checked daily) I noticed that the virus alert was gone. No more problems since then. This happened only once.


« Last Edit: February 17, 2024, 10:24:29 pm by d7_2_laz »
Lazarus 3.2  FPC 3.2.2 Win10 64bit

Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #9 on: February 17, 2024, 09:41:11 pm »
@Thaddy what does VirusTotal say?
@d7_2_laz thank you. Do you know how long it took until other machines didn't warn users?
I tried submitting to Microsoft and they did fix it just now and asked me to clear the Defender cache, but it only works on my machine. If I move the exe to others, their machines warn and delete the exe.

d7_2_laz

  • Hero Member
  • *****
  • Posts: 512
Re: Virtus alerts on a fresh Windows binary
« Reply #10 on: February 17, 2024, 09:54:30 pm »
@Okoba, sorry, I don't know; I hadn't distributed this prog outside. But if I should guess, I'd guess that on your PC the Defender signature update had been installed and on the others not. So, Windows Update >> "Check for updates" should at least be executed to be sure.
« Last Edit: February 17, 2024, 10:25:11 pm by d7_2_laz »
Lazarus 3.2  FPC 3.2.2 Win10 64bit

Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #11 on: February 17, 2024, 10:00:41 pm »
Thank you. I tried, but nothing. Maybe there is a cycle I do not know about.

d7_2_laz

  • Hero Member
  • *****
  • Posts: 512
Re: Virtus alerts on a fresh Windows binary
« Reply #12 on: February 17, 2024, 10:32:25 pm »
As far as I remember the updates are not propagated to all PCs at the same time, but slice per slice / region. So maybe it's simply not yet visible. Theoretically. But that should not apply if the PCs are within the same town or region.
If this is not the case and the different PCs involved are within the same town / region, what I would do (at least as a check) is to repeat the support request from the point of view of the affected PC .... and see what happens.
Lazarus 3.2  FPC 3.2.2 Win10 64bit

Thaddy

  • Hero Member
  • *****
  • Posts: 14615
  • Sensorship about opinions does not belong here.
Re: Virtus alerts on a fresh Windows binary
« Reply #13 on: February 17, 2024, 10:33:19 pm »
@Thaddy what virtustotal says?
You know that answer: VirusTotal is not a reliable source to find threats. If you use that nowadays (not in the past), you are an amateur. Windows Defender is miles ahead of any other scanner for Windows. Many people do not know that, or don't believe it, but the pros do know.

I know VirusTotal collects data from different scanners, but the scanners of old are done. Hence VirusTotal can, and will!, give a wrong impression.
« Last Edit: February 17, 2024, 10:36:36 pm by Thaddy »
bitrate is always calculated like this:sample rate * bitdepth * number of channels.

Okoba

  • Hero Member
  • *****
  • Posts: 533
Re: Virtus alerts on a fresh Windows binary
« Reply #14 on: February 17, 2024, 10:37:17 pm »
I am an amateur :)
I used it as a convenient way to see what it says about Microsoft Defender. As I am sure you know, it also checks with Microsoft, and the alert I said it gives me (Win32/Wacapew.C!ml) is from Microsoft.
