anti virus programs

Posted: 8 Dec 2018 20:59
by drspro2
Dear Forum,

It is becoming very difficult to distribute Vip applications to Windows systems on customers' machines. I have until now encountered several antivirus programs which throw away all the executables, and some of them even throw away all the vip-dlls. When in contact with the client it is very difficult to find in all the different antivirus programs where they leave the removed files, and then to restore them if you have the rights for that. In most cases the system manager of those machines has disabled those options.

And also it is very difficult to say to the end user that the antivirus program probably has incorrectly detected a positive.

One option is to notify the antivirus company and ask to white list the programs, but if you release a new version that process may have to be undertaken again. In many cases the customer will trust the antivirus program and not the prolog program.

Another issue is that I still have the problem that on some Windows systems the vip Web-browser program is killed without any reason. It is almost impossible to find out why it is killed, and also if this can be solved.

Re: anti virus programs

Posted: 9 Dec 2018 20:29
by Thomas Linder Puls
We have from time to time also experienced problems with antivirus programs. Clearly, the detections are false positives, coming from some heuristic "guessing" rather than a real detection of some malicious behavior.

Unfortunately, it is very hard to do anything about it. There exist numerous antivirus programs, any of which may judge that your program is a virus or contains a virus. You can contact the relevant antivirus vendor, and go through a white listing procedure and that will most likely after some time result in your program being white listed. But if you update a single byte in your program you may need to go through the entire procedure again.

Some time ago we pre-white-listed our runtime DLL's with Norton Antivirus by Symantec (which is a major player and which has on several occasions "caught" our DLL's). But now Symantec has removed that possibility: Symantec no longer offers software vendors a proactive whitelisting partnership. Now you cannot act proactively; you can only try to fix problems that have occurred.

Furthermore, that is just one antivirus vendor.

It seems unbalanced: you are a legit person/company doing legit things, but you are up against a "multi headed creature" that can do whatever it likes.

I don't know if Visual Prolog programs experience more problems than other programs or not. Maybe backtracking looks suspicious to these programs, who knows? For obvious reasons the antivirus vendors do not reveal anything about how/what/... they do. Maybe they use some kind of trained AI algorithms, which do something they don't even know what is (i.e. in details); which they cannot fully control, but only influence (pure speculation -- I have no factual knowledge about their could-this-be-a-new-virus-algorithms).

The other issue will have to be discussed in another mail thread, so you will have to start another thread if you want to discuss that.

Re: anti virus programs

Posted: 10 Dec 2018 13:21
by Paul Cerkez
Just a quick side note to this discussion.

A few years back, an application I wrote worked fine and was approved to be on the network computers. It was used fairly extensively and was on the network for about 6 years. Then, with no warning, it was automatically stripped from all the computers. A week after it happened, I received a notification that it was a potential malware product. Because I was the author, they also sent me a 'drop' stating the area that was flagged.

After a lot of digging, it turned out the new AV 'detector' did not like the "external" database being in memory. I modified that section and went back for approval. Now it didn't like the 'internal' database in memory and reported "buffer" issues. (If I remember correctly, one 'error' they reported was "potential buffer overflow".) The application made extensive use of the internal database. I would have had to rewrite the entire program.

Because of other things happening, the customer decided to just drop the effort. It was replaced by another product (using Java and C++) that is still trying to solve the issues I solved over 20 years ago using VIP.

The funny(?) thing is the application still runs cleanly if you can get it onto the computer. The only problem is it gets 'stripped' every time the AV does a full scan. (It is a green application and makes no changes to the registry so it can be run from an external, plugged in hard drive. The user just needs to remember to disconnect the drive when done.)

(I have it running on a WIN 10 machine with no problems at all).

DrsPro and Thomas, good luck finding a solution to all this; it will help a lot of us out.

Re: anti virus programs

Posted: 11 Dec 2018 13:26
by drspro2
Dear Thomas and Paul,

Thank you for the feedback, good to know that we are not alone on this issue.

Indeed, for example, older DLL files which haven't been changed for years suddenly become suspicious in the opinion of certain AV vendors.

Some recent AV programs become more and more strict. And one extra thing is that the system manager locks the entire system by default in the sense that almost nothing is allowed anymore, and they themselves cannot be reached; they will contact you in a day or two days if at all.

Some AV programs don't know what to block or allow and for extra safety they block the program if it tries to make an http connection, or they block every connection that is not https.

Is it true that everybody may call himself a Windows AV vendor?

I always had this reasoning that the vendor of the OS and the vendor of the development tools should be 2 separate parties to keep things fair and neutral, and is this same reasoning valid for OS vendors in relation to (third party) AV vendors?

Only recently Microsoft itself provides an AV tool (MS Defender).

I heard someone say that Microsoft is planning to create a central software store in Windows 11 (same idea as app store), so that all new software has to be provided through this store, and can be judged and scanned before it is accepted there. Would that be a better solution?

Then there would be less need for antivirus programs?

Thank you.

Re: anti virus programs

Posted: 22 Dec 2018 16:12
by Jan de Lint
Perhaps I missed it, but did you guys deploy your apps in an installer like Inno Setup?
That might help.
]an

Re: anti virus programs

Posted: 23 Dec 2018 21:31
by Thomas Linder Puls
I don't think that the installation method makes any difference; it is the program and/or DLL itself that is "pacified".

Re: anti virus programs

Posted: 24 Dec 2018 11:06
by Jan de Lint
For instance: an installer helps create one or more entries in the Windows registry at install time under your control, which in turn are recognized by the antivirus program. It also provides the possibility to 'sign' the installable. (I never used the latter). Also the fact that an uninstaller is available helps to create trust.
Last but not least I noticed that the virus checker can distinguish between programs that were installed from the internet from the ones that were installed via a different route. Don't ask me how.
If you are desperate enough you should try anything.
]an

Re: anti virus programs

Posted: 25 Dec 2018 23:19
by Thomas Linder Puls
Our exe's and dll's and the installer itself are all signed with a VeriSign-trusted digital signature. But that is absolutely no guarantee against the anti-virus programs.

On the other hand, the signature is your guarantee that the installer/exe/dll is the one we have made.

Re: anti virus programs

Posted: 27 Dec 2018 14:34
by Jan de Lint
Now that you mention it, yes my VP installation always goes smooth. One tip though, if you provide a generic download of a certain VP version (which requires f.i. a registration code at install time), your installable will be even better accepted than your current downloads which are personalized. At least that is my experience.
But using an installer is anyhow more reliable than just copying/unzipping files to the target machine.
]an

Re: anti virus programs

Posted: 2 Jan 2019 12:58
by Paul Cerkez
Jan,
Sorry for the delay in responding. Been off line.

I have used both installers and simply copying from one device to another. As I mentioned, no registry modifications.

The installers (2 different products) worked cleanly. Loved using them.

The AV products simply did not like the application itself (for the reasons I mentioned).

P.

Re: anti virus programs

Posted: 4 Jan 2019 7:14
by drspro2
An install tool can help.

Currently I use the NSIS install tool; is that similar to Inno Setup?

Re: anti virus programs

Posted: 4 Jan 2019 9:20
by Thomas Linder Puls
It seems that there are two different experiences:
  • It is our experience that installers and signatures do not help. And I believe that is also what Paul expresses.
  • Others have experienced that installers may help.

Re: anti virus programs

Posted: 5 Jan 2019 21:10
by Jan de Lint
I'm sure the large Inno Setup users community can be of some assistance, but basically you are on your own :oops: .
Over the years, Inno Setup worked for me, and I let it create registry entries for the program, e.g. uninstall. I did not sign the program, however the download site had a domain certificate (and https).
After I started keeping the download URL constant and stable over time the (rare) false antivirus alarms went away.
]an