
Thread: Symantec Endpoint Protection absolutely hates ThinBundle

  1. #1
    Junior Member
    Join Date
    Aug 2019
    Location
    New York City
    Posts
    2
    Rep Power
    0

    Symantec Endpoint Protection absolutely hates ThinBundle

    Hi, I'm a brand new ThinBasic user, ver 1.10.7.0.

    My tech group gave me the OK to use ThinBasic and I created my first utility program using the ThinAir editor.

    When I tried to ThinBundle it, Symantec Endpoint Protection blocked creation of the executable.

    It reported a Heuristic Virus (Heur.AdvML.B) and Virus (Trojan.Gen) and deleted ThinBasic_Bundle_UIC.exe

    I checked the Symantec support site and can't find any references to any of the ThinBasic suite of programs.


    I would very much like to continue using this product but I need to be able to reassure my system administrator before they descend on my workstation and wipe it clean.
    I also need to know how to create safe executables for distribution.

    Any thoughts/suggestions ?

  2. #2
    thinBasic author ErosOlmi's Avatar
    Join Date
    Sep 2004
    Location
    Milan - Italy
    Age
    54
    Posts
    8,636
    Blog Entries
    2
    Rep Power
    10
    Ciao ab11374,

    at the office I use Trend Micro Office Scan Enterprise and I too, from time to time, have similar issues.
    Because I'm the developer of thinBasic ... my company trusts me
    and we have whitelisted the path where thinBasic installs itself and all distributed thinBasic executables.

    What I can say is that I can guarantee that there is no virus, spyware, user data theft or any other threat inside the thinBasic install, as long as you download thinBasic from a thinBasic web site (thinbasic.com, thinbasic.biz, thinbasic.net, thinbasic.it, ...). I know it is not much, it is just my word, but at the moment I cannot give you any other reassurances.

    Maybe Petr Schreiber, my partner in developing thinBasic, can give you additional safety: he works for a well known AV global company.

    That said, AV software does its job: it reads the signatures of known viruses, or it tries to understand how an application behaves (heuristics) to see if it could be a kind of virus.
    For future thinBasic versions we are already thinking about how to improve the bundling process in order to reduce the possibility that AV software flags thinBasic as a threat.

    Let me know if I can do anything to help you.

    Ciao
    Eros
    www.thinbasic.com | www.thinbasic.com/community/ | psch.thinbasic.com
    Win10Pro 64bit - 8GB Ram - Intel i7 M620 2.67GHz - NVIDIA Quadro FX1800M 1GB

  3. #3
    Super Moderator Petr Schreiber's Avatar
    Join Date
    Aug 2005
    Location
    Brno - Czech Republic
    Posts
    7,089
    Blog Entries
    5
    Rep Power
    725
    Hi ab11374,

    I am really sorry you experience the difficulties, but please let me give you some background you can share with your IT department, if you want.

    I work at Avast, which is a big player in the AV world and I have an insight from the other side, which I would like to share.

    The things which make it difficult for us, as thinBASIC developers, to make the tool trusted by AV vendors are the following:
    - thinBASIC has its community, but it is still not a tool used at massive scale, which makes it suspicious
    - thinBASIC is an interpreter and bundler, which means its behaviour is highly suspicious - it creates EXEs, modifies them, and manipulates DLLs in a "suspicious" way for a common application
    - thinBASIC is bundled by UPX, which is a perfectly legal tool to reduce EXE size; sadly, UPX is very popular in the "bad guys" community as well, as it obfuscates the EXE a bit
    - thinBASIC is a tool which does not behave predictably - based on the script, it does all kinds of different things
    - thinBASIC modules and IDE have interfaces to communicate via network (to provide network functionality or simply to check for a new version on demand in the thinAir menu), which makes it, again, suspicious

    All in all - no wonder AV software considers thinBASIC highly suspicious.

    There is a big push on AV programs to make the good-bad evaluation fast, to not "slow down PC", to not "bother the user". The strategy most tools use then is "better be pessimistic than threaten the user".
    This is why thinBASIC is often flagged as suspicious, with threats often containing Win32 in the name. Yes, it is even flagged by Avast.

    Things change once you submit the file for deeper analysis. Avast antivirus offers this option, and once you submit it, you get a reply in tens of minutes or sometimes even hours, that the file is... clean.
    This is because instead of a "fast and pessimistic check" a deep, time-consuming check is performed.

    What do we already do, as thinBASIC authors, to reduce these "trust" incidents?
    - we have our build server equipped with AV, which checks the final build before it goes out
    - we submit module DLLs and IDE to Avast - not for whitelisting, but for analysis, to make us sure
    - in case of incident like yours, Eros tries hard to change the signatures of the EXE by some wild magic
    - we opensource many parts of thinBASIC to show everyone, there is nothing bad - it takes time, as the code is a bit... complex... after 15 years of development with no opensourcing originally in mind
    - Eros invests a lot of time and money to keep the website secure

    What can't we, as thinBASIC authors, do to reduce these "trust" incidents?
    - sign the interpreter and bundler with a trusted digital signature -> why? It would allow malware authors to misuse this to execute dangerous scripts with a certified tool
    - sign the bundled EXEs -> why? Again the same reason - people can create anything with thinBASIC, and we cannot guarantee it is correct

    What could we, as thinBASIC authors, do to reduce these "trust" incidents?
    - we could sign the thinBASIC installers, but only with community contribution: a digicert certificate costs $500 a year, which is quite a lot for a project we do for free in our free time
    - we could enhance the build process to collect MD5 signatures in an isolated environment, to give some way to check you are using an unmodified (un-infected) version of the build
    - opensource more and more parts of thinBASIC, to show, there is nothing to be afraid of

    What can you do to make your bundled application trusted?
    - you can submit it for testing to as many AV vendors as you can BEFORE you release it
    - you can pay for that digicert, but I realize it is a bit of overkill

    We live in dangerous times, malware has advanced to the phase where it uses AI - better to be oversensitive than sorry


    Petr
    Last edited by Petr Schreiber; 08-08-2019 at 18:52.
    Learn 3D graphics with ThinBASIC, learn TBGL!
    Windows 10 64bit - Intel Core i5-3350P @ 3.1GHz - 16 GB RAM - NVIDIA GeForce GTX 1050 Ti 4GB
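
The UPX point in the post above can be checked from the defender's side by reading a PE file's section table. The following is an added example, not part of the thread and not thinBASIC or Avast code; the function names and the 7.0 bits/byte threshold are assumptions, and the sample is a constructed, non-runnable PE skeleton.

```python
import math
import struct

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def pe_sections(image: bytes):
    """Return [(name, raw_size, entropy)] read from the PE section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    n_sections, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, entropy(raw)))
    return out

def packer_indicators(image: bytes, high_entropy: float = 7.0):
    """List, per section, the static traits a heuristic scanner could key on."""
    findings = []
    for name, raw_size, ent in pe_sections(image):
        if name.startswith("UPX"):
            findings.append(f"{name}: section name left by the UPX packer")
        if raw_size and ent >= high_entropy:
            findings.append(f"{name}: entropy {ent:.2f} bits/byte, looks compressed")
    return findings

def build_sample() -> bytes:
    """Constructed PE skeleton: headers plus uniform filler standing in for packed data."""
    sections = [(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"\0" * 512)]
    header = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    header += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = len(header) + 40 * len(sections)      # raw data starts after the section table
    body = b""
    for name, data in sections:
        header += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, len(data), ptr + len(body), 0, 0, 0, 0, 0)
        body += data
    return bytes(header) + body

if __name__ == "__main__":
    print("\n".join(packer_indicators(build_sample())))
```

Running the same function over a bundled EXE before submitting it to an AV vendor shows which sections carry the packer traits; these are static indicators only and say nothing about whether the file is malicious.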

  4. #4
    Junior Member
    Join Date
    Aug 2019
    Location
    New York City
    Posts
    2
    Rep Power
    0
    Thank you, gentlemen, for the reassurances and the insight. I will keep an eye out for any enhancements to ThinBasic that will address these issues.

    I may also try and dedicate a stand-alone PC to create and scan executables until my technical staff is comfortable enough to white-list this function.


    Talk to you later !

  5. #5

    Question

    Quote Originally Posted by Petr Schreiber View Post
    we could sign the thinBASIC installers, but only with community contribution: digicert certificate costs $500 a year, which is quite a lot for a project we do for free in our free time
    Hi Petr,

    is this low-cost code signing worth something here?

    https://account.ascertia.com/onlineCA/default
    Last edited by DirectuX; 10-08-2019 at 11:27. Reason: copy-paste error
    ThinBasic 1.11.6.0 ALPHA - Windows 8.1 x64

  6. #6
    Super Moderator Petr Schreiber's Avatar
    Join Date
    Aug 2005
    Location
    Brno - Czech Republic
    Posts
    7,089
    Blog Entries
    5
    Rep Power
    725
    Hi,

    I will have a look, thank you!


    Petr
    Learn 3D graphics with ThinBASIC, learn TBGL!
    Windows 10 64bit - Intel Core i5-3350P @ 3.1GHz - 16 GB RAM - NVIDIA GeForce GTX 1050 Ti 4GB

  7. #7
    thinBasic MVPs
    Join Date
    Sep 2006
    Posts
    3,289
    Blog Entries
    2
    Rep Power
    343
    This bundling and extracting at runtime is not a stand-alone feature of TB. Python and other tools do that too. Yet these are fine.
    The problem I see here is the usage of UPX. Also some Oxygen stuff keeps triggering my AV at times.
    If certificates help in that regard, then it should be an option. Is the usage of UPX needed?

  8. #8
    thinBasic author ErosOlmi's Avatar
    Join Date
    Sep 2004
    Location
    Milan - Italy
    Age
    54
    Posts
    8,636
    Blog Entries
    2
    Rep Power
    10
    Quote Originally Posted by DirectuX View Post
    Hi Petr,

    is this low-cost code signing worth something here?

    https://account.ascertia.com/onlineCA/default
    The Ascertia self-signed root certificate does not seem to be distributed with the Windows operating system like other root certificates.
    That's why it costs so little.

    If I buy an Ascertia certificate I need to convince users to download and install the Ascertia root certificate in order to trust my certificate.
    www.thinbasic.com | www.thinbasic.com/community/ | psch.thinbasic.com
    Win10Pro 64bit - 8GB Ram - Intel i7 M620 2.67GHz - NVIDIA Quadro FX1800M 1GB

  9. #9
    thinBasic author ErosOlmi's Avatar
    Join Date
    Sep 2004
    Location
    Milan - Italy
    Age
    54
    Posts
    8,636
    Blog Entries
    2
    Rep Power
    10
    Quote Originally Posted by Michael Hartlef View Post
    This bundling and extracting at runtime is not a stand-alone feature of TB. Python and other tools do that too. Yet these are fine.
    The problem I see here is the usage of UPX. Also some Oxygen stuff keeps triggering my AV at times.
    If certificates help in that regard, then it should be an option. Is the usage of UPX needed?
    If I buy a certificate, it will be used only to sign some of the thinBasic tools like thinAir and thinBundle.
    I cannot sign bundled EXEs because they are not thinBasic executables but user executables.
    Every user should then sign that EXE with their own certificate.

    Anyway the problem seems only related to thinBundle and the phase where it creates a bundled exe.
    Once the bundled exe is created, it seems not to be so suspicious.

    We will see, but I have other ways to reduce false positives.
    One will be the usage of FreeBasic to create the bundled EXE.
    www.thinbasic.com | www.thinbasic.com/community/ | psch.thinbasic.com
    Win10Pro 64bit - 8GB Ram - Intel i7 M620 2.67GHz - NVIDIA Quadro FX1800M 1GB

  10. #10
    Quote Originally Posted by ErosOlmi View Post
    If I buy an Ascertia certificate I need to convince users to download and install the Ascertia root certificate in order to trust my certificate.
    So that's of no interest, as it's similar to the self-signing method (which I read is costless).
    ThinBasic 1.11.6.0 ALPHA - Windows 8.1 x64
