netpd.exe is detected as Trojan

[TCLNA]

Hi, I tried to install netpd from the website and Windows Security is telling me netpd.exe contains a trojan.

This is what VirusTotal founds https://www.virustotal.com/gui/file/0a82883131c395272dfe6e24083b512834b262186abc26179b4d072b9d3dd297/detection

[reduzent]

Thanks for the pointer. I remove the the windows bundle for the time being until this is resolved.

[reduzent]

It seems that the nature of netpd.exe being a batch file converted to an exe file makes it suspicious for some scanners, especially those using heuristics to apply a score. I don't know how these kinds of converters work exactly, but they probably need to perform operations that look suspicious like temporarily extracting files to %AppData%.

I gave it another shot with "Bat To Exe Converter" the result still triggers warning, but at least not that many anymore: https://www.virustotal.com/gui/file/ce04fa7c14c512d428e95db4a6661bf23cbec5322df3d18d8e18b20aed7b0fec/detection

I think that is the best I can come up with at the moment.

Find an updated windows bundle here: https://www.netpd.org/software/netpd-2.3.0-windows.zip

[TCLNA]

The new bundle does not triggers any warning from Windows Security, thanks ! edit

[reduzent]

Glad to hear. Thanks for reporting back.

[TCLNA]

Well I'm taking it back, dammidt

[TCLNA]

I think I will just launch main.pd with puredata then lol

[reduzent]

OK. Thanks.. What's WD, btw?

[TCLNA]

Windows Defender, but I meant Windows Security*

[reduzent]

That's troubling. I have WIndows Security enabled and still it doesn't complain... Windows 10 Version 20H2. I wonder why that is.

[TCLNA]

Maybe my settings are more stricter, idk. Do you bundle and test on the same machine ?

[reduzent]

Yes, I do.. maybe i should test on a different machine. However, I don't have access to any other machine.

[TCLNA]

What are the steps for building the exe ?

[reduzent]

Basically it's just a file "netpd.bat" with this content:

start "netpd" pd-netpd\bin\pd.exe -open pd-netpd\netpd\main.pd

converted to netpd.exe with the software "Bat to Exe Converter v3.2". This tools allows to embed a custom icon when creating an exe file.

The goal is to have a clickable file that starts Pd and loads main.pd. The netpd.bat instead of netpd.exe would do as well, but is ugly. If there are better ways to do that, I'm all ears.

[reduzent]

I tested some more and changing settings randomly in "Bat to Exe Converter" creates exe files that are tested with different results on VirusTotal each time (not all settings create a binary that actually works, of course). So, I came up with a binary that is not flagged by Microsoft nor Sophos. Those two vendors are the ones I encounter everyday at work, that's why I picked those.

Interestingly, when using the exact same settings in "Bat to Exe Converter", the resulting binary doesn't have the same checksum as the previous compilation. Also, the builds are flagged slightly differently on VirusTotal. So, partially - at least - it's a gamble.

I think this contains an netpd.exe that is not flagged by Windows Security: https://www.netpd.org/software/netpd-2.3.0-windows.zip

[TCLNA]

On my side, it still warns me about trojans :/

the resulting binary doesn't have the same checksum as the previous compilation

It's very concerning... Is there a reason you might think would do that ?

I think I cannot find the right "Bat to Exe converter" software you're talking about... Is it https://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml ?

[reduzent]

It's very concerning... Is there a reason you might think would do that ?

I'm not sure if it is really that concerning. "Predictable builds" is a science of its own. If the build is tagged with a a build timestamp, the checksum will be different. I don't know if that is the case, though.

I think I cannot find the right "Bat to Exe converter" software you're talking about... Is it https://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml ?

Yeah, that is the one. Also, the version matches: 3.2

Good luck!

[reduzent]

Interesting, I didn't record it, but Microsoft Security flagged it as three different threats already.

[TCLNA]

I'm not sure if it is really that concerning. "Predictable builds" is a science of its own. If the build is tagged with a a build timestamp, the checksum will be different. I don't know if that is the case, though.

Yeah this might be it ! A simple check with a hex editor might confirm that I think...

Interesting, I didn't record it, but Microsoft Security flagged it as three different threats already.

Better to catch too much than too little, like they say

[TCLNA]

Yeah, that is the one. Also, the version matches: 3.2

I'm gonna try it then !

[EDIT] Neverming, I'm not gonna dive into it right now :/

[reduzent]

Now, I finally can reproduce the problem on my Windows 10 VM (with "Sophos Endpoint Security and Control" installed). I will investigate further.

[reduzent]

@TCLNA:

Ok, I had another go and instead of using a .bat file and bat2exe converter, I directly wrote it in c, hoping this would raise less suspicion on malware scanners:

https://www.virustotal.com/gui/file/fcd84e96dd99635a86989cb44efdd4e6f23f0f762d539e3365d8c5150cacf0c7?nocache=1

There are still 11 scanners (out of 68) that flag it as malicious. But I guess that is how it is on Windows. Can you check if it is OK now for you to use?

This is the source code:

#include <stdio.h>
#include <stdlib.h>
#include <direct.h>
#include <string.h>
#include <windows.h>
#include <libgen.h>

int main(int argc, char *argv[])
{
    char exec_path[FILENAME_MAX];
    GetModuleFileName(NULL, exec_path, FILENAME_MAX);
    strcpy(exec_path, "\"");
    strcat(exec_path, dirname(exec_path));
    strcat(exec_path, "\\pd-netpd\\bin\\pd.exe\" -open pd-netpd\\netpd\\main.pd");
    printf("%s\n", exec_path);
    WinExec(exec_path, SW_HIDE);
    return 0;
}

[reduzent]

Sorry, forgot to post the link to the bundle using this: https://www.netpd.org/software/netpd-current-windows.zip

[reduzent]

I assume thumbs-up and heart emoji mean that things are good now. I close this issue. Feel free to respond if you do not agree.

[TCLNA]

I didn't tested it yet sorry, the thumbs up was for acknowledging the message but I wanted to test it before sending a comment.

[reduzent]

Sure. No problem. Sorry for the misunderstanding. I keep it open until it being fixed is confirmed .

[TCLNA]

Just tested it rn

[TCLNA]

Thankx for the Uwamson x)

[TCLNA]

I'm wondering if it is not possible to just use the raw powershell bat script to run netpd, or maybe use a sort of windows shortcut file... It may be simpler.

[reduzent]

Just tested it rn ![image](https://user-images.githubusercontent.com/32589981/152050002-fdee9579-8276-43c7-85c4-e8a1b389771

May I ask what virus scanner flags it as a virus?

[reduzent]

I'm wondering if it is not possible to just use the raw powershell script to run netpd, or maybe use a sort of windows shortcut file... It may be simpler.

I not accustomed to powershell, but yes, might be simpler. Can it have a custom icon? Can it be started by double-clicking it and can the terminal window be hidden?

[TCLNA]

May I ask what virus scanner flags it as a virus?

Windows Defender.

I not accustomed to powershell, but yes, might be simpler. Can it have a custom icon? Can it be started by double-clicking it and can the terminal window be hidden?

Sorry, I wanted to say "bat" file, not powershell. I don't know for the custom icon nor the terminal, for the double click it seems that it is not enabled by default - source

Can you tell me with what you used to built the c++ prorgram please ?

[reduzent]

Can you tell me with what you used to built the c++ prorgram please ?

With gcc. I got it by installing MSYS and MINGW. Then I ran in a MSYS terminal:

gcc netpd.c -o netpd

BTW: it's plain C, not C++

[60-hz]

Hi, I was also using bat to exe converter for a special pd distribution with my students, I remember having same antivirus issues before. I am now using an older bat to exe version and nobody had the problem in the last classroom. I am not sure if it is related, but I got back to the old 2.48 version because I discovered some extra useless commands added in the new one.

[reduzent]

@60-hz Thanks for pointer about bat to exe converter version. I'll try that out.

[reduzent]

@TCLNA

It's such a weird topic. I re-compiled the very small and also quite innocent tool with the same compiler, but on Linux instead of Windows. Also, I added the icon to the binary with resource hacker running under Wine instead of Windows. The resulting binary is flagged now only by two scanners:

https://www.virustotal.com/gui/file/61d54aa7739a8befd39984dda3441cb34c5044d2cfea9eb06d7dd27e2414c083?nocache=1

That's a strange cat and mouse game.. As you can see, Windows Defender is not amongst the scanners that detect it as malicious.

If you're not tired already, you can test it with package from here: https://www.netpd.org/software/netpd-2.3.1-windows-2022-02-17.zip

[reduzent]

Funny side note: Before adding the icon, 3 flagged it as suspicious. After adding the icon to the binary, only two.