sannybuilder / dev

Sanny Builder Bug Tracker and Roadmap development
https://sannybuilder.com

marked as virus by virustotal #338

Closed 20Emir01 closed 1 month ago

20Emir01 commented 1 month ago

I notice that the releases are made by leaving a .exe with the installer, a zip with the SB folder already installed and 2 archives called "source code" which, however, do not contain any source inside; instead I only see 3 text files, of which 2 are readme and contributing and only contain a messy description of SB, and in the third there is the license.

Why, if this is an open-source project, are the sources not available? And why, if this project was born in 2005, is the first version available from 2021?

Suspicious of this fact, I scanned ALL the versions available in the repository under the link https://github.com/sannybuilder/dev/releases, and the version downloadable from their official website, with VirusTotal, and ALL available versions came back positive for malware/trojan/privilege escalation. In the behavior section of VirusTotal you see unexpected behaviors such as opening a shell during installation, attempts to contact Google Analytics, and suspicious interactions via shell with Edge and EdgeWebView. This being the case, I was wondering if anyone else had had my doubts, but searching on the internet I didn't find anything, so I open this topic to ask for clarification. As it is a decidedly fundamental project for the community, I imagine you are aware of the situation; please let me know your opinion on the matter. Have a good day and thank you.

20Emir01 commented 1 month ago

For example, these are the .exe installer reports for the first and the last version available. First: https://www.virustotal.com/gui/file/cf1dc77c364fe75793074ad4f823d28d1a2434f44d9de6aeb94ed8322d9e7167/behavior

Last:

https://www.virustotal.com/gui/file/29904aa0df3b7732565983d34ca82738bea70f815a588912b11922443533ce10/behavior

levirrd commented 1 month ago

They are false positives.

https://tutorial.sannybuilder.com/setup/

"Some browsers may warn you that the file is not commonly downloaded and may be dangerous. This is a false positive. You can safely ignore this warning. If your local antivirus software prevents you from downloading or running Sanny Builder, consider adding it to the list of exceptions."

20Emir01 commented 1 month ago

Thanks for replying to me, but I'm not talking about the Chromium / Brave warning, and anyway the category of those browser warnings was "dangerous file", not the classic "not commonly downloaded". I'm talking about the suspicious behaviour that is reported by VirusTotal (it uses VMs to run the app and reports the actions that have been made or attempted by the app), and I'm asking why there is no source code release or a version prior to 2021, since the project was born in 2005. Please look at the reports or try yourself to download and scan the releases, because there are so many suspicious actions that are flagged in all the versions, and the actions reported are different from version to version: the files opened, created, deleted, the processes ended (like svchost.exe for example), the registry keys interacted with and the scripts launched are different from each other (I'm not talking about the files/actions strictly linked to the installation and interaction with CLEO and the GTA folder, but those that don't seem related to me). I like this project and I don't want to run it offline on an empty VM all the time; I would like to have clarification on the reason for these behaviors and on the fact that the code is not available in the releases. Thanks.

VitalRus95 commented 1 month ago

I checked the latest version right now and got different results:

The difference is strange. Yet I know from my experience that VT tends to have a lot of false positive results. For example, I made a very simple points calculator for my lessons in C# using Windows Forms in Visual Studio and, despite doing nothing with the file system or the Internet, the programme was flagged as a 'virus' by several antiviruses, including Google's, which didn't even let me send it via email.

x87 commented 1 month ago

why there is not a source code release or a version prior to 2021

Sanny Builder is closed source software and source code was never published. This GitHub repo is only used as an issue tracker and public file hosting.

All Sanny Builder releases can be found here https://public.sannybuilder.com/archive/

20Emir01 commented 1 month ago

The difference is strange.

Thanks for the answers. Yes, it's strange; it's also strange that the hash of the file is different, and although the name of the file you scanned contains .exe, it is not marked as exe but as mz (DOS MZ executable, which, among other things, is very ambiguous), so it was not executed in a VM by VirusTotal, and consequently the behavior part is missing. That the hash of the file is different from the one I scanned only proves that they are 2 different files, while the zip file you scanned is the same one I downloaded yesterday and the hash matches. In any case, trying to redownload beta13 now, I am warned by WinDef (on a Win11 machine) that the file is positive for Trojan:Win32/Wacatac.B!ml without even having scanned it myself, while VirusTotal marks it mainly as trojan.yephiler, and the analysis in the VM reflects the definition. I don't know exactly what to say; thank you for your interest and I hope that this thing will be clarified.

20Emir01 commented 1 month ago

is closed source software and source code was never published.

Thanks for explaining it; I had taken it for granted that it was, because on the web they talked about it as an open project, and thanks for providing the link to previous versions. I'm pleased to be able to have a discussion with you; I'm sorry that it was born for this reason, and in any case I want to thank you for the contribution you have brought to the entire community.

It would be nice, in case you were aware of the reasons behind these behaviors of SB, if you could provide us a reason. Many of the suspicious behaviors that VirusTotal sees, I understand, fall into the false positives, since in order for such software to work it must be able to do certain of those things. But what about being able to shut down the machine, or the need to interact with Edge and WebView2, the need to clear the Windows error report (WER14BB.tmp.WERInternalMetadata.xml / WER14CD.tmp.csv / WER14CE.tmp.txt; they can be seen in the analysis of the beta13 exe), or to terminate svchost.exe -k WerSvcGroup, taskhost.exe SYSTEM, taskhost.exe $(Arg0), or the reason for writing to C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll and to C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector?

Good evening everyone, and sorry for being a pain in the ass; thanks again for the work you've done. P.S. Sorry for my bad English, I've tried my best.

x87 commented 1 month ago

but what about being able to shut down the machine, or the need to interact with edge and webView2, the need to clear the windows error report (WER14BB.tmp.WERInternalMetadata.xml / WER14CD.tmp.csv / WER14CE.tmp.txt they can be seen in the analysis of exe beta13) or to terminate svchost.exe -k WerSvcGroup, taskhost.exe SYSTEM, taskhost.exe $(Arg0), or the reason why write to C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll and up C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector

You can direct this question to the Inno Setup developers. Sanny has nothing to do with that.

x87 commented 1 month ago

SB 4.0.0 report https://www.virustotal.com/gui/file/0e9ff0deb83bdd5a460f7f7c81a1dc366dad0c0bc8c858fbf63193fdd8ecf54c