Virus Alerts

Mav
Posts: 5
Joined: Tue Jul 18, 2017 11:30 pm

Virus Alerts

Post by Mav »

Hello, I love Blackbox and have been using it for a while. I'd like to thank everyone involved in keeping this alive here.

However, when checking the Blackbox install with https://www.virustotal.com, which scans with over 60 different scanner products, numerous severe alerts are given.

Unfortunately, some of these alerts even persist when compiling your own .exe with Blackbox, depending on how many modules you import.

I suppose that those alerts are a mismatch. They are mostly given by fringe scanners I have never heard of. Maybe someone in the world used Blackbox to write malware, and the code patterns used to identify it may be too general.

Personally, these alerts do not make much sense to me, given the nature of this project, but I would like you to look into the issue.
And given that these alerts are false, do you think there is any way to have these scanner companies reconsider their matching strategy in such a way that it exempts Blackbox?

I'd like more clarity on the issue before I further distribute my own software, to protect my audience, but also protect my reputation.
Mav

Re: Virus Alerts

Post by Mav »

Update.

From what I could gather, all alerts are generic/heuristic in nature. That means they are not concrete detections, only suspicions based on very general patterns.

Even what seemed to be the most specific sounding, "Trojan WisdomEyes", is supposed to be a generic term for what is considered a suspicious behavior pattern.

I guess that, for example, the way Blackbox handles its forms of injections, contributes to these alerts. So I'm not sure these sorts of alerts can ever be fully avoided, given the nature of Blackbox, and the more and more controlled environments today.
Josef Templ
Posts: 262
Joined: Tue Sep 17, 2013 6:50 am

Re: Virus Alerts

Post by Josef Templ »

The Blackbox framework center is in contact with McAfee to trace down the false trojan alerts on McAfee tools.
It will probably not be possible to contact all anti-malware tool vendors but we hope that
we can get some insights by a detailed analysis of the behavior of at least one such product.

- Josef
Mav

Re: Virus Alerts

Post by Mav »

It might also be interesting to look at the detection ratio from version to version of Blackbox.

I did some sporadic tests.

The 1.7 standard edition has about 12 hits.

The 1.7.1-a1.805 build has 6 hits.

1.7.1-a1.900 has 13 hits.

But suddenly from just one version to the other, on build 901 it explodes to 31 hits.

In addition, making a series of .exe compiles and determining which module imports raise detections might also help in locating the problems. A lot of work though.
Mav

Re: Virus Alerts

Post by Mav »

Update.

I was able to test some very old versions of Blackbox.

1.5 has only 1 detect.

1.6 rc6 has 2 detects

1.6 final has 2 detects.

In my experiments with linking modules to .exe files, one thing I could reliably observe was that including the Kernel causes the Trojan WisdomEyes detect by the Baidu scanner.
This one detect is the most common among all versions. It is the one detect from version 1.5. Not including the Kernel, because the program does not need to allocate objects, removes this detect.
But even so, two or three other smaller generic detects can still pop up, depending on the code.

Unfortunately I was not able to make much more sense of my own code experiments. I was trying to comment out code from my own modules to see what segment could cause what detect.
However, the results are confusing. I am not sure it is a practical means of finding out what's going on. I saw the weirdest detect behaviors from including the most harmless code snippets.
I somewhat believe that it is the overall picture of the file that counts. Or that there is a specific problem with how the compiler works. But I don't really know at all, and I am worried about giving false hints.

Anyway, this is all I could find out. Keep up the good work, you guys have done well maintaining Blackbox here, much appreciated.
Josef Templ
Posts: 262
Joined: Tue Sep 17, 2013 6:50 am

Re: Virus Alerts

Post by Josef Templ »

There are strong indications that replacing the low-resolution applogo.ico resource file in 1.6 (just 2KB)
with a high-resolution version in 1.7 (about 58KB) causes a lot of additional VirusTotal warnings.
This is ridiculous, of course, because it is an icon data file embedded in the exe as a resource.
It cannot host a virus or trojan, as far as I see. It is just bitmap data.
But many anti-malware tools seem to simply look for specific byte sequences in the exe file without
looking at the structure of the exe file.

However, this does not explain all the additional warnings in newer releases.

So far, we have no indications that any real infection has been found.
They all seem to be false positives.

- Josef
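The post above suspects that scanners match raw byte sequences without regard to PE structure, so that a pattern inside the embedded icon gets flagged as if it were code. The following is an added example, not code from the BlackBox project: it parses just enough of the PE header (DOS stub pointer, COFF header, section table) to map every occurrence of a byte pattern to the section that holds it, so a practitioner can tell whether a flagged sequence lives in executable code (.text) or in resource data (.rsrc). The toy PE built in `build_toy_pe` is constructed for the demo and is not a loadable executable; the function and constant names are this example's own.

```python
"""Map a byte pattern in a PE file to the section that holds it.

Added example; not part of BlackBox. The parser reads only the DOS stub
pointer, the COFF header and the section table, per the PE/COFF layout,
and needs no third-party module. build_toy_pe() constructs a minimal
stand-in image for the demo; it is not a loadable executable.
"""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name raw_ptr raw_size characteristics")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(data):
    """Return the section table of a PE image as a list of Section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                raw_ptr, raw_size, chars))
    return sections


def section_for_offset(sections, offset):
    """Section whose raw data covers a file offset, or None (headers/slack)."""
    for s in sections:
        if s.raw_ptr <= offset < s.raw_ptr + s.raw_size:
            return s
    return None


def is_code(section):
    """True if the section is marked as code or executable."""
    return bool(section.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def locate_pattern(data, pattern):
    """All file offsets of `pattern`, each paired with its section name (or None)."""
    sections = parse_sections(data)
    hits, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            break
        sec = section_for_offset(sections, idx)
        hits.append((idx, sec.name if sec else None))
        start = idx + 1
    return hits


def build_toy_pe(text_bytes, rsrc_bytes, align=0x200):
    """Constructed minimal PE32 with a .text and a .rsrc section (demo only)."""
    def pad(b):
        return b + b"\0" * (-len(b) % align)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)   # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text, rsrc = pad(text_bytes), pad(rsrc_bytes)
    text_ptr = align
    rsrc_ptr = text_ptr + len(text)

    def hdr(name, raw_ptr, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), raw_ptr, len(raw), raw_ptr,
                           0, 0, 0, 0, chars)
    headers = (dos + b"PE\0\0" + coff + opt
               + hdr(b".text", text_ptr, text, 0x60000020)    # code | execute | read
               + hdr(b".rsrc", rsrc_ptr, rsrc, 0x40000040))   # initialized data | read
    return pad(headers) + text + rsrc


if __name__ == "__main__":
    # Constructed sample: a few code bytes in .text, an icon-like blob in .rsrc.
    toy = build_toy_pe(b"\x55\x8b\xec\x90\x90", b"\x00\x00\x01\x00" + b"ICONDATA" * 4)
    for off, name in locate_pattern(toy, b"ICONDATA"):
        print(f"offset 0x{off:x} -> section {name}")
```

To use it on a real build, read BlackBox.exe into `data` and call `locate_pattern` with the byte sequence a scanner reports (or with a slice of the icon file). A hit whose section is `.rsrc` and whose `is_code` is False is data, not executable code; a hit reported as `None` falls in the headers or in alignment padding. The lookup works on raw file offsets, so convert first if a tool reports a virtual address instead.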
Josef Templ

Re: Virus Alerts

Post by Josef Templ »

We have added an experimental feature in the build process of the center version.
It now produces additional text files that contain a SHA-256 hash for the generated zip and exe files.
Inside the distribution it also contains a sha256 file for the BlackBox.exe file.
The files are named like the respective source files but with the file name appendix "_sha256.txt".
Thus, for BlackBox.exe there exists an additional file named BlackBox.exe_sha256.txt,
for blackbox-1.7.zip there is a file named blackbox-1.7.zip_sha256.txt, etc.

This allows for checking the file integrity at least manually.

In the stable folder, we have also added _sha256.txt files for version 1.7 (zip and unsigned exe).
See http://blackboxframework.org/stable/.

- Josef
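The sidecar files described above only help if someone actually recomputes the hash and compares it. The script below is an added example, not part of the BlackBox build process: it hashes a downloaded file in chunks and compares the result against the digest in the matching `_sha256.txt` file. The page does not show the exact layout of those text files, so the parser assumes the digest appears as a 64-digit hex string, optionally followed by a file name (sha256sum style), and takes the first such token it finds; the script and function names are this example's own.

```python
"""Check a download against its sidecar *_sha256.txt file.

Added example; this is not part of the BlackBox build scripts. It assumes
the sidecar contains the digest as a 64-digit hex string, optionally
followed by a file name (sha256sum style). The exact layout of the
project's files is not shown on the page, so the parser simply takes the
first 64-hex-digit token it finds.
"""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# A run of exactly 64 hex digits not embedded in a longer hex run.
HEX64 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large zip does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest(sidecar_text):
    """Pull the 64-hex-digit SHA-256 out of the sidecar text."""
    m = HEX64.search(sidecar_text)
    if not m:
        raise ValueError("no 64-digit hex SHA-256 found in sidecar text")
    return m.group(0).lower()


def digests_match(actual, expected):
    # Constant-time compare; also normalises case so "ABCD.." == "abcd..".
    return hmac.compare_digest(actual.lower(), expected.lower())


def verify_bytes(data, sidecar_text):
    """Return (ok, actual, expected) for in-memory data."""
    expected = expected_digest(sidecar_text)
    actual = sha256_of_bytes(data)
    return digests_match(actual, expected), actual, expected


def verify_file(path, sidecar=None):
    """Verify <path> against <path>_sha256.txt (or an explicit sidecar path)."""
    path = Path(path)
    sidecar = Path(sidecar) if sidecar else path.with_name(path.name + "_sha256.txt")
    expected = expected_digest(sidecar.read_text(encoding="utf-8", errors="replace"))
    actual = sha256_of_file(path)
    return digests_match(actual, expected), actual, expected


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: verify_sha256.py FILE [SIDECAR]")
    ok, actual, expected = verify_file(*sys.argv[1:3])
    print(f"expected {expected}\nactual   {actual}")
    print("OK" if ok else "MISMATCH: do not run this file")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_sha256.py BlackBox.exe` next to the downloaded `BlackBox.exe_sha256.txt`. Note what this does and does not prove: a match shows the file is byte-for-byte what the build server hashed, which rules out corruption or tampering in transit; it says nothing about whether a scanner will like the file, and it only protects against tampering if the sidecar was fetched over a trustworthy channel (HTTPS, or out of band) rather than from the same compromised mirror as the exe.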
Ivan Denisov
Posts: 362
Joined: Tue Sep 17, 2013 12:21 am
Location: Krasnoyarsk, Russia

Re: Virus Alerts

Post by Ivan Denisov »

I ask everyone to use this form. Please, let's report false positive for BlackBox.
https://www.avast.com/false-positive-file-form.php
Zinn
Posts: 123
Joined: Mon Nov 24, 2014 10:47 am
Location: Frankfurt am Main

Re: Virus Alerts

Post by Zinn »

Ivan Denisov wrote:
    I ask everyone to use this form. Please, let's report false positive for BlackBox.
    https://www.avast.com/false-positive-file-form.php

Dear Ivan,
there is more than one web form where we have to write.
Here you find a lot of websites and e-mail address for reporting FALSE positive:
http://www.techsupportalert.com/content ... endors.htm
I already wrote many e-mails and filled out many web forms.
-Helmut
Robert
Posts: 177
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus Alerts

Post by Robert »

When Windows Defender (on Windows 10) deletes (quarantines) my copy of BlackBox.exe I usually forget precisely how to restore it, so last time I took notes; see below:
1 - Right click the Windows icon at the left of the bottom tool bar.
2 - Click the popup menu item "Settings".
3 - Click the "update & security" icon.
4 - Click the "Windows Defender" option in the left menu area.
5 - Click the grey button "Open Windows Defender Security Center".
6 - Click the "Virus & threat protection" icon.
7 - Click the blue text "Scan history".
8 - Click the "V" drop-down under "Quarantined threats". Probably called "Severe".
9 - Click the blue "See details" text.
10 - Check the "Affected item" is BlackBox.exe, or maybe a link to it. Click the "OK" button.
11 - Click the grey "Restore" button.
12 - Click the grey "Do you want to allow this app to make changes …" "Yes" button.
13 - Close down the window "Windows Defender Security Center".
14 - Close down the window "Settings".
15 - Check the file is back.
16 - If a desktop shortcut to BlackBox.exe has been restored it may need to be repositioned to its previous location.
17 - A desktop shortcut may have "lost" its BlackBox icon appearance. This is recovered by shutting down and restarting Windows.
Simple eh?

To prevent the restored file from being subsequently deleted again (after a few hours, days, or even weeks) it should be added to the Windows Defender "white list", which is also a rather tedious process.
Last edited by Robert on Thu Sep 14, 2017 8:42 am, edited 1 time in total.