
Thread: False-Positive Hell (need your help)

  1. #1

    False-Positive Hell (need your help)

    All,

    I need your help! The false-positive rate on one of our compiler files
    (0000.LIB) exploded. Of course, this file is virus- and malware-free.
    There seems to be a specific combination of bytes in the .lib which triggers
    it.

    The file is located in your SetupBuilder 2019.2 \Bin32 folder. I have
    attached it (as ZIP).

    If possible, please submit it as a false-positive whenever you have a
    chance.

    Thank you for your help.

    Of course, I have already contacted all the major protection software
    vendors.

    Friedrich

    --
    Friedrich Linder
    Lindersoft | SetupBuilder | www.lindersoft.com
    Voice: +1.954.537.3701 | Fax: +1.954.537.3702

    --SetupBuilder "point. click. ship"
    --Helping You Build Better Installations
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner

  2. #2

    Re: False-Positive Hell (need your help)

    Friedrich,

    > I need your help! The false-positive rate on one of our compiler files
    > (0000.LIB) exploded. Of course, this file is virus- and malware-free.

    How do I know this is the REAL Friedrich Linder?!<g>

    > If possible, please submit it as a false-positive whenever you have a
    > chance.

    Any help on how to do that would be appreciated.

    Ad-Aware
    ALYac
    Arcabit
    BitDefender
    Cybereason
    Emsisoft
    eScan
    GData
    Jiangmin
    MAX
    McAfee
    McAfee-GW-Edition
    Palo Alto Networks
    Qihoo-360

    --
    Lee White

    RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
    Report Faxing.....: http://www.cwaddons.com/products/afe/
    ---Enroll Today---: http://CWaddons.com

    Creative Reporting: http://www.CreativeReporting.com

    Product Release & Update Notices
    http://twitter.com/DeveloperPLUS

  3. #3

    Re: False-Positive Hell (need your help)

    Lee,

    >
    > How do I know this is the REAL Friedrich Linder?!<g>
    >

    Well, you have my word on it <vbg> ;-)

    >> If possible, please submit it as a false-positive whenever you have a
    >> chance.
    >
    > Any help on how to do that would be appreciated.
    >
    > Ad-Aware
    > ALYac
    > Arcabit
    > BitDefender
    > Cybereason
    > Emsisoft
    > eScan
    > GData
    > Jiangmin
    > MAX
    > McAfee
    > McAfee-GW-Edition
    > Palo Alto Networks
    > Qihoo-360

    Some vendors make it nearly impossible to report a false-positive. They
    even ask you to download and run an application to report it. WTH? THIS IS
    RIDICULOUS! And then the program looks like the attached one.

    To make it even worse, it's so hard to find the false-positive reporting
    links (if available) and e-mail addresses (if available).

    Here are some cool guys:
    www.360totalsecurity.com/en/suspicion/
    http://support.mwti.net/support/inde...Tickets/Submit
    https://su.gdatasoftware.com/us/sample-submission/

    To make it even worse, whatever SetupBuilder "stub" loader (0000.LIB) I
    compile, even a simple "hello world" gets flagged. There seems to be a
    specific combination of bytes in the Microsoft VC++ compiler that triggers
    it.

    This is a nightmare! Already spent 12 hours on this and false-positive rate
    exploded from 5 to 16.

    Friedrich

  4. #4

    Re: False-Positive Hell (need your help)

    Friedrich,

    > > How do I know this is the REAL Friedrich Linder?!<g>
    >
    > Well, you have my word on it <vbg> ;-)

    Ok, if that's all you got!<g>

    > This is a nightmare! Already spent 12 hours on this and false-positive rate
    > exploded from 5 to 16.

    It would be nice if the virustotal.com list had the failed brand names
    set up as links to access the individual submission forms.

    Hey, are we having fun yet?!

    --
    Lee

  5. #5

    Re: False-Positive Hell (need your help)

    Lee,

    >> Well, you have my word on it <vbg> ;-)
    >
    > Ok, if that's all you got!<g>

    <ROFL>

    > It would be nice if the virustotal.com list had the failed brand names
    > set up as links to access the individual submission forms.

    Absolutely!!!

    >
    > Hey, are we having fun yet?!
    >

    I found out what triggers it... wait a moment. This gets better and
    better -- now I know that protection software products are worth every
    penny...NOT.

    Friedrich

  6. #6

    Re: False-Positive Hell (need your help)

    Okay, here we go <g>. This is my analysis. All these brilliant systems
    flagged the SetupBuilder 0000.LIB stub loader because of "Gen:Variant.Kazy"

    https://community.f-secure.com/t5/F-...How/td-p/29738

    See the attached screenshots. 12 engines (three vendors already fixed their
    bug) detected the virus in the TEXT STRING <g>.

    I changed the text to "Hello Lee. We are having fun" and the virus is gone
    <vbg>. This is magic ;-)

    Now I have to find the exact word or combination of bytes in my original
    text string that triggers the virus flag. Oh boy :-(

    Friedrich

  7. #7

    Re: False-Positive Hell (need your help)

    Friedrich,

    > I changed the text to "Hello Lee. We are having fun" and the virus is gone
    > <vbg>. This is magic ;-)

    Try adding "THIS FILE IS VIRUS FREE" and see what THAT does?!<g>

    --
    Lee White

    RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
    Report Faxing.....: http://www.cwaddons.com/products/afe/
    ---Enroll Today---: http://CWaddons.com

    Creative Reporting: http://www.CreativeReporting.com

    Product Release & Update Notices
    http://twitter.com/DeveloperPLUS

  8. #8

    Re: False-Positive Hell (need your help)

    Lee,

    > Try adding "THIS FILE IS VIRUS FREE" and see what THAT does?!<g>

    That's a killer idea <vbg>.

    Okay, it's definitely in the following specific string. I have to remove
    word for word and re-compile and re-test.

    "%s problem and needs to close. Please contact the vendor of this product
    with the error code below for support.\n\nThe most likely cause for this
    error is having too high of a security level on your PC. Please disable your
    virus and/or anti-spyware protection as well as your firewall during this
    installation.\n\nError Code#: 000%i:000%i%s\n"

    I bet $1.00 on "virus" and another $1.00 on "anti-spyware" <vbg>

    Friedrich

  9. #9

    Re: False-Positive Hell (need your help)

    Okay, I changed the text string from:

    "%s problem and needs to close. Please contact the vendor of this product
    with the error code below for support.\n\nThe most likely cause for this
    error is having too high of a security level on your PC. Please disable your
    virus and/or anti-spyware protection as well as your firewall during this
    installation.\n\nError Code#: 000%i:000%i%s\n"

    to:

    "%s problem and needs to close.\n\nThe most likely cause for this error is
    having too high of a security level on your PC. Please disable your virus
    and/or anti-spyware protection as well as your firewall during this
    installation.\n\nError Code#: 000%i:000%i%s\n"

    and the "Gen-Variant-Kazy" false-positive is gone <g>

    In other words, all these super duper high tech protection software products
    dislike the sentence "Please contact the vendor of this product with the
    error code below for support."

    This is scary. Really scary.

    Friedrich
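
    Added example (not code from the thread or from SetupBuilder): the "remove word for word, re-compile, re-test" loop from posts #8 and #9, automated against a stand-in scanner. The real "Gen:Variant.Kazy" logic is not known from the thread, so the substring rule `STAND_IN_SIGNATURE`, the padding in `build_sample`, and the function names are all constructed assumptions chosen so the run reproduces the thread's outcome: the original message is flagged, the post #9 message is not, and the reduction isolates the sentence fragment that matters. The output of `false_positive_report` is the kind of evidence a vendor false-positive form asks for (sample hash, minimal trigger, proof that removing only that trigger clears the detection).

```python
"""Reproduce the word-by-word false-positive localization from the thread.

Added example: the scanner, the signature and the padding are constructed
stand-ins, not the behaviour of any real engine named in the thread.
"""
import hashlib

# ASSUMPTION: a plain substring rule standing in for the unknown vendor signature.
STAND_IN_SIGNATURE = b"contact the vendor of this product with the error code below"

# The two message strings quoted in posts #8 and #9 of the thread.
ORIGINAL_MESSAGE = (
    "%s problem and needs to close. Please contact the vendor of this product "
    "with the error code below for support.\n\nThe most likely cause for this "
    "error is having too high of a security level on your PC. Please disable your "
    "virus and/or anti-spyware protection as well as your firewall during this "
    "installation.\n\nError Code#: 000%i:000%i%s\n"
)
FIXED_MESSAGE = (
    "%s problem and needs to close.\n\nThe most likely cause for this error is "
    "having too high of a security level on your PC. Please disable your virus "
    "and/or anti-spyware protection as well as your firewall during this "
    "installation.\n\nError Code#: 000%i:000%i%s\n"
)


def build_sample(text: str) -> bytes:
    """Stand-in for 'compile the stub': wrap the string in constructed binary padding."""
    return b"\x00" * 64 + text.encode("latin-1") + b"\x00" * 64


def stand_in_scanner(blob: bytes) -> bool:
    """Stand-in for the AV engine: fires when the signature bytes are present."""
    return STAND_IN_SIGNATURE in blob


def flagged(text: str) -> bool:
    """The thread's test loop in one call: build the sample, then scan it."""
    return stand_in_scanner(build_sample(text))


def reduce_trigger(text: str, oracle=flagged) -> str:
    """Greedy word-by-word reduction (post #8: remove a word, re-compile, re-test).

    Drop each word in turn; keep the removal if the oracle still fires, otherwise
    the word is part of the trigger and stays. Returns the minimal triggering
    word sequence, or "" if the text was never flagged in the first place.
    """
    words = text.split()
    if not oracle(" ".join(words)):
        return ""
    i = 0
    while i < len(words):
        candidate = words[:i] + words[i + 1:]
        if oracle(" ".join(candidate)):
            words = candidate      # word not needed for the detection, drop it
        else:
            i += 1                 # word is part of the trigger, keep it
    return " ".join(words)


def false_positive_report(text: str, oracle=flagged) -> dict:
    """What a vendor false-positive form wants: sample hash, the minimal trigger,
    and proof that removing just that trigger clears the detection."""
    trigger = reduce_trigger(text, oracle)
    cleared = bool(trigger) and not oracle(text.replace(trigger, ""))
    return {
        "sample_sha256": hashlib.sha256(build_sample(text)).hexdigest(),
        "trigger": trigger,
        "cleared_when_trigger_removed": cleared,
    }


if __name__ == "__main__":
    print("original message flagged:", flagged(ORIGINAL_MESSAGE))
    print("post #9 message flagged:", flagged(FIXED_MESSAGE))
    for key, value in false_positive_report(ORIGINAL_MESSAGE).items():
        print(f"{key}: {value}")
```

    Against the stand-in scanner the reduction stops at "contact the vendor of this product with the error code below", which is exactly why post #9's edit clears the detection: it deletes the whole sentence containing that fragment. The same greedy loop works with any oracle that returns True/False for a candidate string, so a real test loop can substitute "recompile the stub and scan it" for `flagged`.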

  10. #10

    Re: False-Positive Hell (need your help)

    Friedrich,

    > This is scary. Really scary.

    To say the least!

    --
    Lee White

    RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
    Report Faxing.....: http://www.cwaddons.com/products/afe/
    ---Enroll Today---: http://CWaddons.com

    Creative Reporting: http://www.CreativeReporting.com

    Product Release & Update Notices
    http://twitter.com/DeveloperPLUS
