#21 wb.c (Rank: Advanced Member) Posted: 14 May 2021 19:30:10(UTC)

Originally Posted by: Andrey Ivashov
I have some good news regarding false positive detection! After a long night and morning I've found a binary pattern which triggers some AVs to mark executables created by Viewer as malicious...
Knowing it, I've added the possibility to give AVs a fight! Unfortunately I have to disable compression of internal resources to do it, but I do not think it is so bad.
Please try a new SMath Studio version - it has the following checkbox (uncheck -> file size increased -> AVs are happy -> profit):


Alright, so I decided to break this down and test individual exe files in order to determine which plugin(s) are causing the false positive. The good news is that I have determined it to be the Table Region and X-Y Plot.

Attached are all the different exe files I created using the latest nightly build following the procedure described above. All of them are fine except the Table Region and X-Y Plot. Right away, when saving the zip to my desktop from Outlook, I get the threat detection notice for Trojan:Win32/Wacatac.B!ml. I get this same notice for both files (Table Region and X-Y Plot). Not sure why I don't get the AgentTesla warning I got for my original exe, but there it is.

Maybe someone with much more knowledge than me can provide some input into the matter.

I will upload the exe that I'm having trouble with as well, just need to clean up some nonpublic info.

EXE_Test.zip (578kb) downloaded 1 time(s).
EXE_Test_Checkbox.zip (558kb) downloaded 1 time(s).
EXE_Test_Combobox.zip (587kb) downloaded 1 time(s).
EXE_Test_Tableregion.zip (608kb) downloaded 2 time(s).
EXE_Test_X-YPlot.zip (630kb) downloaded 3 time(s).
EXE_Test_Writerregion.zip (1,154kb) downloaded 2 time(s).
#22 wb.c (Rank: Advanced Member) Posted: 14 May 2021 20:01:22(UTC)

Here is the original exe I was having trouble with. It was compiled on the most recent nightly build with the compression box unchecked. It doesn't trigger the AgentTesla warning as before, but it is showing the same Wacatac warning the test files triggered. My guess is that without compression the exe no longer triggers the AgentTesla warning. Not sure this exe offers any new information as compared with the previous test exe files, but nonetheless here it is.

ASCE 7 Wind Profile Comparison Tool_External.zip (1,351kb) downloaded 4 time(s).

*I might add that the same file emailed back to the computer where it was created does not trigger any warnings from Windows Defender when pulling it out of Outlook.

Edited by user 14 May 2021 20:19:11(UTC)  | Reason: Additional comment

#23 Andrey Ivashov (Rank: Administration) Posted: 14 May 2021 20:43:29(UTC)

Thank you! All this information really helped me.

Here are the results with XY-Plot:
(screenshot: virustotal_viewer_2_XYPlot.jpg)
https://www.virustotal.c...acd53c184c649c/detection

This is really great, because it means that the problem is with MS AV only, and this might be because of some difference between built-in plug-ins and third-party ones.
And I found one!

I do not sign third-party plug-ins with a code certificate. And this is something I can actually fix.

Please give me several hours and I will enable signing of third-party plug-ins and test everything. I really hope it will help!

Thanks again.
1 user thanked Andrey Ivashov for this useful post on 14/05/2021(UTC).
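Andrey's diagnosis in the post above turns on one property of a plug-in DLL: whether it carries an Authenticode signature. The script below is an added example, not SMath's code or anything posted in the thread, that shows where that signature lives in a PE file so a developer can check each plug-in before it is packed into a Viewer EXE. The function names (`authenticode_info`, `build_sample_pe32`) are introduced here for the example, and the sample image it builds is constructed: it fills in only the header fields the parser reads and is not a loadable executable.

```python
import struct
from typing import Optional

# Constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the certificate table
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode payload: PKCS#7 SignedData


def authenticode_info(data: bytes) -> dict:
    """Locate the Authenticode certificate table of a PE image.

    Returns {'signed': False, 'reason': ...} when no table is present, otherwise
    the WIN_CERTIFICATE header fields and the raw PKCS#7 blob. This is a presence
    check only: the signature is neither parsed nor verified.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:                 # PE32 layout
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:               # PE32+ layout
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, nrva_off)      # NumberOfRvaAndSizes
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return {"signed": False, "reason": "no security directory"}
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False, "reason": "empty security directory"}
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length < 8 or length > cert_size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with directory size")
    return {
        "signed": True,
        "offset": cert_off,
        "size": cert_size,
        "revision": revision,
        "type": cert_type,
        "pkcs7": data[cert_off + 8:cert_off + length],
    }


def build_sample_pe32(pkcs7: Optional[bytes]) -> bytes:
    """Constructed sample: PE32 headers, optionally followed by a certificate table.

    Only the fields read by authenticode_info are populated; the result cannot be
    executed. It stands in for a real plug-in DLL so the check can run offline.
    """
    pe_off = 0x40
    size_of_optional = 224                                     # PE32 header, 16 directories
    img = bytearray(pe_off + 4 + 20 + size_of_optional)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    coff = pe_off + 4
    struct.pack_into("<H", img, coff, 0x014C)                  # Machine: i386
    struct.pack_into("<H", img, coff + 16, size_of_optional)
    opt = coff + 20
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    if pkcs7 is not None:
        cert_off = len(img)
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)                       # entries are 8-byte aligned
        struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = authenticode_info(f.read())
        if info["signed"]:
            print(f"{path}: certificate table at 0x{info['offset']:x}, "
                  f"{len(info['pkcs7'])} bytes of PKCS#7 (type {info['type']})")
        else:
            print(f"{path}: unsigned ({info['reason']})")
```

A certificate table only shows that a signature is present. Whether it validates, and whose certificate it is, needs the full Authenticode check, for example `Get-AuthenticodeSignature .\plugin.dll` in PowerShell or `signtool verify /pa /v plugin.dll`. Run it on the plug-in DLLs themselves: once the Viewer packs them into the generated EXE, the EXE's own signature status says nothing about theirs.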
#24 wb.c (Rank: Advanced Member) Posted: 14 May 2021 21:03:29(UTC)

Thank you Andrey, as always super great work!

One more interesting observation.

I've been working on computer 1, where I was creating the exe files and sending them to computer 2 for testing.
I went ahead and compiled an exe from computer 2, which was receiving my test emails (using the same .sm file I was using on computer 1). Then I sent the zipped exe created on computer 2 from computer 1 via email back to computer 2, and sure enough, no virus warnings.

Maybe this is due to different settings within Windows Defender on each machine?
The issue with the false positive seems to be only present when the exe is created on computer 1 and sent to computer 2 (even if it is copied from a USB).

Not sure if this information is useful.
#25 Razonar (Rank: Advanced Member) Posted: 14 May 2021 21:15:31(UTC)

Originally Posted by: wb.c
Thank you Andrey, as always super great work!

One more interesting observation.
...


Hi. Yes, he does it again. One question: assuming that the version of SMath is the same, do both computers have the same plugin versions? Here is where you can check that:

(screenshot: Clipboard01.jpg)

Best regards.
Alvaro.
#26 wb.c (Rank: Advanced Member) Posted: 14 May 2021 21:53:25(UTC)

Originally Posted by: Razonar
Hi. Yes, he does it again. One question: assuming that the version of SMath is the same, do both computers have the same plugin versions? Here is where you can check that:


Yes, both have the same version (02.7802.13079).

1 user thanked wb.c for this useful post on 14/05/2021(UTC).
#27 Andrey Ivashov (Rank: Administration) Posted: 15 May 2021 03:49:38(UTC)

X-Y Plot and Table Regions are updated now. If everything is fine I will handle all the others.
1 user thanked Andrey Ivashov for this useful post on 15/05/2021(UTC).
#28 wb.c (Rank: Advanced Member) Posted: 15 May 2021 03:59:23(UTC)

Thanks Andrey, I will create a new exe and test things out.
1 user thanked wb.c for this useful post on 15/05/2021(UTC).
#29 wb.c (Rank: Advanced Member) Posted: 18 May 2021 01:00:50(UTC)

I think the issue with the false positives on Windows AV is solved. On the first try it still kicked out a virus detection warning, but then I tried to copy it from Outlook again and nothing came up, AV was silent, so I think we are good now. Thanks to those who are much more capable with SMath than me.

One more thing. Is there any way to get away from the Windows Defender unknown source warning you get when you first run an SMath exe created on a different computer? Not a show-stopper issue, but just one thing less to have to explain to an end user of the exe.
1 user thanked wb.c for this useful post on 18/05/2021(UTC).
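The "unknown source" prompt asked about in #29 is most likely SmartScreen reacting to the Zone.Identifier alternate data stream (the "Mark of the Web") that Outlook and browsers attach to saved files and that Explorer copies onto files it extracts from a marked ZIP; it is keyed to how the file arrived, not to which computer built it. The Python below is an added example, not part of the thread or of SMath, for reading, interpreting and writing that stream, so the first-run experience can be reproduced on the build machine instead of round-tripping the EXE by e-mail. The function names are introduced here for the example and the sample stream contents are constructed; reading or writing the stream itself only works on an NTFS volume under Windows, which the code checks before trying.

```python
import os
from typing import Optional

# NTFS alternate data stream appended to a downloaded file's name, e.g. "tool.exe:Zone.Identifier".
STREAM_NAME = ":Zone.Identifier"

# URL security zone ids as written into the stream (URLZONE_* values from urlmon.h).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body, e.g. '[ZoneTransfer]\\r\\nZoneId=3\\r\\n'.

    Keys under [ZoneTransfer] are returned verbatim except ZoneId, which is
    converted to int (None when it is not a number). Other sections are ignored.
    """
    info: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        info[key] = (int(value) if value.isdigit() else None) if key == "ZoneId" else value
    return info


def format_zone_identifier(zone_id: int, referrer_url: Optional[str] = None,
                           host_url: Optional[str] = None) -> str:
    """Build a stream body in the layout Windows writes (CRLF line endings)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def treated_as_downloaded(info: Optional[dict]) -> bool:
    """True when Windows treats the file as coming from the Internet (zone 3 or 4).

    No stream, or a local/intranet/trusted zone, means the Mark of the Web will
    not trigger SmartScreen or the attachment-manager prompt on first run.
    """
    return bool(info) and info.get("ZoneId") in (3, 4)


def describe(info: Optional[dict]) -> str:
    if not info:
        return "no Mark of the Web"
    zone = info.get("ZoneId")
    name = ZONE_NAMES.get(zone, "unknown zone")
    origin = f", from {info['HostUrl']}" if "HostUrl" in info else ""
    verdict = "treated as downloaded" if treated_as_downloaded(info) else "no download prompt"
    return f"zone {zone} ({name}){origin}: {verdict}"


def _require_ntfs_streams() -> None:
    if os.name != "nt":
        raise OSError("alternate data streams are only available on NTFS under Windows")


def read_motw(path: str) -> Optional[dict]:
    """Read and parse the file's stream; None when the file carries no mark."""
    _require_ntfs_streams()
    try:
        with open(path + STREAM_NAME, "r", encoding="ascii", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def mark_as_downloaded(path: str, host_url: Optional[str] = None) -> None:
    """Attach an Internet-zone mark, as a browser or Outlook would, to a local build.

    This reproduces the end user's first-run prompt without e-mailing the EXE.
    newline='' keeps the CRLF endings Windows expects in the stream.
    """
    _require_ntfs_streams()
    with open(path + STREAM_NAME, "w", encoding="ascii", newline="") as f:
        f.write(format_zone_identifier(3, host_url=host_url))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(f"{path}: {describe(read_motw(path))}")
```

On one machine the mark is cleared with `Unblock-File` in PowerShell or the Unblock checkbox in the file's Properties dialog; for every recipient the usual route is signing the EXE with a certificate that has built up SmartScreen reputation, which the per-file approach above lets you test before and after.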