Page 1 of 1

question about virus in microsoft executables general

Posted: 21 Feb 2024 10:09
by drspro2
at certain points microsoft defender treats executables generated by VP5 as containing a virus

that could be a false positive ,

and my question:

is it theoretically possible that the virus is already nested in the VP5 compiler
so that it generates new Exe files with the virus inside it propagated?

Re: question about virus in microsoft executables general

Posted: 21 Feb 2024 13:13
by Thomas Linder Puls
I guess any such things are theoretically possible. But I also think it is highly unlikely that it should be virus that targets a compiler with the aim to let it embed viruses in final programs.

I do not think vip5 was digitally signed.

But today all our programs, dll's and installers have a digital signature. If our signature is present in the file properties then the program/dll/installer has not been updated after we signed it.

You should notice that Windows does not check the validity of digital signatures on program load, and that anti-virus programs don't seem to care about digital signatures.

But they are validated when you look at the file properties. And when running programs in administrator mode the signature is validated and you will be prompted with a blue or gray dialog with the PDC company name, rather than the yellow one that is used for unsigned programs.

Re: question about virus in microsoft executables general

Posted: 22 Feb 2024 8:07
by drspro2
so if you are able to generate a new VP exe file with the VP compiler you can be relatively sure that if you validate the newly genrerated exe-file with a checksum and you make sure that the exe file is not changed, that you do have an exe-file without a virus inside it

Re: question about virus in microsoft executables general

Posted: 22 Feb 2024 16:28
by Thomas Linder Puls
Yes, relatively (given that the checksum is sufficiently "complex" and is not also tampered with).

Using digital signing a checksum is calculated, then the checksum is signed using a public/private key system (certificate). The first thing ensures that you program is not changed, because then it would no longer fit the checksum, the second thing ensures that the checksum itself is also "untampered". The last thing uses a much stronger cryptographic algorithm than the first (so it is much harder to fake a new checksum than modify the program). Furthermore the last thing ensures the identity of the signer (through the used certificate).

But there are many viruses, and some attack exe files in general. If the file is infected in the gab between the compilation/linkage and the "checksum" calculation then it may still be infected and appear uninfected.

In general I don't think you can ever be certain, perhaps your checksum program is the one that infects the file and then calculates a matching checksum.

If you can figure out a bullet proof system then I think you would get a Turing award (or something like that). And if such a system existed we would all use it and then there would no longer be a need for virus detection.

Re: question about virus in microsoft executables general

Posted: 5 Mar 2024 9:16
by drspro2
If i scan my directory with visual-prolog exes, microsoft defender detects no viruses, when i let NSIS generate an installer
microsoft defender detects a virus in the resulting NSIS installer exe,

i know it is impossible to give any advice in this case, i post this , i attach the screen capture of the virus detected
virus_detected.jpg (38.38 KiB) Viewed 13781 times