Beta: SMath Studio 0.99.7803 (13 May 2021) - Messages
Wrote: I have some good news regarding false positive detection! After a long night and morning I've found a binary pattern which triggers some AVs to mark executables created by Viewer as malicious...
Knowing it I've added the possibility to give AVs a fight! Unfortunately I have to disable compression of internal resources to do it, but I do not think it is so bad.
Please try a new SMath Studio version - it has the following checkbox (uncheck -> file size increased -> AVs are happy -> profit):
Alright, so I decided to break this down and test individual exe files in order to determine which plugin/s is/are causing the false positive. The good news is that I have determined it to be the Table Region and X-Y Plot.
Attached are all the different exe files I created using the latest nightly build following the procedure described above. All of them are fine except the Table Region and X-Y Plot. Right away when saving the zip to my desktop from outlook I get the threat detection notice for Trojan:Win32/Wacatac.B!ml. I get this same notice for both files (Table Region and X-Y Plot). Not sure why I don't get the AgentTesla warning I got for my original exe, but there it is.
Maybe someone with much more knowledge than me can provide some input into the matter.
I will upload the exe that I'm having trouble with as well, just need to clean up some nonpublic info.
Here is the original exe I was having trouble with. It was compiled on the most recent nightly build with the compression box unchecked. Doesn't trigger the AgentTesla warning as before, but is showing the same Wacatac warning the test files triggered. My guess is that without compression the exe no longer triggers the AgentTesla warning. Not sure this exe offers any new information as compared with the previous test exe files, but nonetheless here it is.
ASCE 7 Wind Profile Comparison Tool_External.zip (1.31 MiB) downloaded 254 times.
*I might add that the same file emailed back to the computer where it was created does not trigger any warnings from Windows Defender when pulling it out of Outlook.
Thank you! All this information really helped me.
Here are the results with XY-Plot:

https://www.virustotal.com/gui/file/8340f37b69476b76cd6fb3079eb18ace6a9f47d2106106ad31acd53c184c649c/detection
This is really great, because it means that the problem is with MS AV only, and this might be because of some difference between built-in plug-ins and third-party ones.
And I found one!
I do not sign third-party plug-ins with a code certificate. And this is something I can actually fix.
Please give me several hours and I will enable signing third-party plug-ins and test everything. I really hope it will help!
Thanks again.
⠀ 14.05.2021 14:45:00
Thank you Andrey, as always super great work!
One more interesting observation.
I've been working on computer 1 where I was creating the exe files and sending them to computer 2 for testing.
I went ahead and compiled an exe from computer 2 which was receiving my test emails (using the same .sm file I was using on computer 1). Then I sent the zipped exe created on computer 2 from computer 1 via email back to computer 2, and sure enough no virus warnings.
Maybe this is due to different settings within Windows Defender on each machine?
The issue with the false positive seems to be only present when the exe is created on computer 1 and sent to computer 2 (even if it is copied from a USB).
Not sure if this information is useful
Wrote: Hi. Yes, he does it again. One question: assuming that the version for SMath is the same, do both computers have the same plugin versions? Here is where you can check that:
Yes, both have the same version (02.7802.13079)
Alvaro Diaz Falconi 14.05.2021 16:04:00
X-Y Plot and Table Regions are updated now. If everything is fine I will handle all the others.
⠀ 14.05.2021 22:00:00
Thanks Andrey, I will create a new exe and test things out.
Andrey Ivashov 15.05.2021 05:32:00
I think the issue with the false positives on Windows AV is solved. First try it still kicked out a virus detection warning, but then I tried to copy it from Outlook again and nothing came up, AV was silent, so I think we are good now. Thanks to those who are much more capable with SMath than me.
One more thing. Is there any way to get away from the Windows Defender unknown source warning you get when you first run an SMath exe created on a different computer? Not a show stopper issue, but just one thing less to have to explain to an end user of the exe.
Andrey Ivashov 17.05.2021 19:28:00