tannerhelland / PhotoDemon

A free portable photo editor focused on pro-grade features, high performance, and maximum usability.
https://photodemon.org

Avast blocked PhotoDemon-nightly download #159

Closed hansnolte closed 9 years ago

hansnolte commented 9 years ago

Hi tannerhelland,

today Avast killed my PhotoDemon.

When I tried to download a new version of PhotoDemon_nightly.zip, Avast blocked the download.

Would be nice if you can check this.

Many greetings, hansnolte

tannerhelland commented 9 years ago

Hi hansnolte,

Thanks for letting me know about this. I hate virus scanner issues with nightly builds, because some virus companies are so dumb - when I contact them, they simply whitelist the current nightly build by the hash of its contents. Of course this is pointless, as tomorrow, the nightly build will change. :/

I've just uploaded a new nightly build file, and according to VirusTotal, Avast doesn't mind it (https://www.virustotal.com/en/file/b70ea7ab86f037a8c6101dae3d207ba7eea92e853c9d5a6846bcae6dbf760f81/analysis/1423497289/). Can you try the nightly build again and tell me if you still have a problem? Thanks:

http://photodemon.org/downloads/nightly/PhotoDemon_nightly.zip

hansnolte commented 9 years ago

Hi tannerhelland,

again blocked.

(screenshot: avast)

tannerhelland commented 9 years ago

Thanks Hans. If Avast provides an option to submit a file for further analysis (or report it as a false positive), please go ahead and submit it.

In the meantime, I will send them an email. It might be a few weeks before they actually fix it, but we can at least get things started...

hansnolte commented 9 years ago

Easier said than done. The damn thing deletes the file immediately.

I will install another scanner during the next few days.

Many thanks for your help

tannerhelland commented 9 years ago

Ugh, sorry for all the trouble. I am very close to finishing automatic update capabilities for PhotoDemon, which hopefully reduces trouble with things like this. (The program will soon silently patch its own files, so you don't manually have to download updates all the time.)

I hope these new automatic update features are not what's triggering the antivirus warnings. I'm using standard libraries to handle everything, so nothing different from what thousands of other programs do...

In the meantime, I have modified the nightly build script to also upload a copy of the program in 7-zip format:

http://photodemon.org/downloads/nightly/PhotoDemon_nightly.7z

It's in the same location as the .zip file, just with .7z extension. This might allow downloads more easily (but of course I can't help Avast deleting the files once they are extracted).

Good luck finding another scanner, and sorry again for the trouble.

hansnolte commented 9 years ago

Hi tannerhelland,

no way!

I have disabled the archive scanner so that I could download the file. But on extraction Avast struck again.

No chance to send it to the labs.

I see on your VirusTotal link that 3 scanners have detected something; maybe the starter is the problem.

tannerhelland commented 9 years ago

Yes, those same 3 scanners always trigger on nightly builds.

Bkav is a small scanner based out of Vietnam. They do not have a link to submit false positives (that I can find, but I don't speak Vietnamese...).

DrWeb is a Russian scanner. I have submitted PD to them many times, but they just whitelist that single file. So I would need to email them every day for nightly builds. I gave up doing this and just submit stable builds now.

Symantec doesn't actually flag it as a virus. They flag it with "WS.Reputation.1", which means that they have not encountered it many times, so it might be a new, unknown virus. From their website:

"WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories."

Nightly builds always get that designation because there are not many appearances of them in Symantec's system (as they change every night!).

Anyway, I have been monitoring VirusTotal to make sure my automatic update work does not cause problems, and so far everything is okay. Only those three scanners continue to have problems, and they have had problems for many months now. So I don't know what I can do differently, since those same scanners also flag many other open-source projects.

These things are a big headache for small developers like myself. :/
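Keeping track of which engines flag every nightly and which ones are new is the monitoring described above. As an added example, not part of this issue or of PhotoDemon's code, the script below triages two constructed reports shaped like the per-engine entries of a VirusTotal v3 file report (`last_analysis_results`). That shape is an assumption about the API, and the vendor names other than Symantec and the verdict strings other than WS.Reputation.1 are made up; the label patterns are assumptions to tune per engine.

```python
import re

# Constructed sample reports in the shape of the per-engine entries of a
# VirusTotal v3 file report (attributes.last_analysis_results):
# engine name -> {"category": ..., "result": ...}. That shape is an assumption
# about the API; the vendor names and verdict strings other than Symantec's
# WS.Reputation.1 (quoted in the thread) are made up for this example.
NIGHTLY_MONDAY = {
    "Symantec": {"category": "malicious", "result": "WS.Reputation.1"},
    "VendorA":  {"category": "malicious", "result": "Heur.Suspicious.Generic"},
    "VendorB":  {"category": "malicious", "result": "Trojan.ExampleFamily.A"},
    "VendorC":  {"category": "undetected", "result": None},
}
NIGHTLY_TUESDAY = {
    "Symantec": {"category": "malicious", "result": "WS.Reputation.1"},
    "VendorA":  {"category": "malicious", "result": "Heur.Suspicious.Generic"},
    "VendorB":  {"category": "malicious", "result": "Trojan.ExampleFamily.A"},
    "VendorC":  {"category": "undetected", "result": None},
    "VendorD":  {"category": "malicious", "result": "Trojan.Dropper.Example"},
}

FLAGGING = {"malicious", "suspicious"}
# Verdict labels that mean "unknown / low reputation" or "looks suspicious"
# rather than "matches a known family". Assumed patterns; tune them per engine.
REPUTATION_PATTERNS = (r"^WS\.Reputation\.\d+$", r"reputation")
HEURISTIC_PATTERNS = (r"^Heur", r"\bGen(eric)?\b", r"Suspicious", r"Variant")


def classify_result(result):
    """'clean', 'reputation', 'heuristic' or 'signature' for one engine's verdict string."""
    if not result:
        return "clean"
    if any(re.search(p, result, re.I) for p in REPUTATION_PATTERNS):
        return "reputation"
    if any(re.search(p, result, re.I) for p in HEURISTIC_PATTERNS):
        return "heuristic"
    return "signature"


def flagging_engines(report):
    """Names of the engines whose category counts as a detection."""
    return {e for e, r in report.items() if r.get("category") in FLAGGING}


def summarize(report):
    """Engines that flagged the file, grouped by how much weight the verdict deserves."""
    buckets = {"reputation": [], "heuristic": [], "signature": []}
    for engine in flagging_engines(report):
        buckets[classify_result(report[engine].get("result"))].append(engine)
    return {k: sorted(v) for k, v in buckets.items()}


def persistent_flaggers(reports):
    """Engines that flag every build in the series: the long-standing false positives."""
    return set.intersection(*(flagging_engines(r) for r in reports)) if reports else set()


def new_flaggers(previous, current):
    """Engines flagging today's build but not yesterday's: the signal that a code change matters."""
    return flagging_engines(current) - flagging_engines(previous)


def triage(previous, current):
    """One-line verdict for a nightly: nothing new, or which engines to look into first."""
    fresh = new_flaggers(previous, current)
    if not fresh:
        return "ok: only the usual flaggers " + ", ".join(sorted(flagging_engines(current)))
    serious = summarize({e: current[e] for e in fresh})["signature"]
    if serious:
        return "investigate: new signature-class hits from " + ", ".join(serious)
    return "watch: new reputation/heuristic hits from " + ", ".join(sorted(fresh))


if __name__ == "__main__":
    print("persistent:", sorted(persistent_flaggers([NIGHTLY_MONDAY, NIGHTLY_TUESDAY])))
    print("tuesday:", summarize(NIGHTLY_TUESDAY))
    print(triage(NIGHTLY_MONDAY, NIGHTLY_TUESDAY))
```

The useful output is the difference between builds, not the raw count: a reputation-only hit on a file that changes every night is expected, while an engine that starts naming a family on the day the update code was added is the thing to chase.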

hansnolte commented 9 years ago

Perhaps another Avast user has more luck and can send PhotoDemon to the laboratory. Or the problem will solve itself at the next virus definition update.

Also, I wanted to test 360 Total Security from Qihoo anyway.

hansnolte commented 9 years ago

Hi tannerhelland,

that's strange.

I can download and run the stable Version without problems. http://photodemon.org/downloads/PhotoDemon_6.4.zip

Have you packed the nightly with UPX or similar?

tannerhelland commented 9 years ago

Nope, I don't do any special packing. PhotoDemon.exe appears exactly how it comes out of the compiler. None of the 3rd-party plugins are specially packed, either.

I might have emailed Avast about the 6.4 build when it was released (it's hard to remember, since I do so many of these emails), so it's possible that they just whitelisted it. I can do the same thing when 6.6 is ready.
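The packing question above is the first thing a practitioner would check on a flagged binary, since packed or encrypted sections are a classic heuristic trigger. As an added example, not PhotoDemon's code and not from this issue, the script below reads PE section headers in pure Python and reports UPX-style section names, sections that are empty on disk but reserved in memory, and high-entropy sections. The section names and the 7.0 bits/byte threshold are assumptions from general experience, and the two tiny PE images it builds are constructed for demonstration only and are not runnable programs.

```python
import math
import struct
import sys
from collections import Counter

# Section names UPX leaves behind; an assumption from general experience,
# not something the thread states about PhotoDemon.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Plain compiler output (code, tables, strings) normally sits well below this;
# compressed or encrypted payloads approach 8.0. The threshold is an assumption.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes):
    """Human-readable findings; an empty list means nothing packer-like was seen."""
    findings = []
    for s in parse_sections(pe):
        name = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{name}: section name used by UPX")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{name}: no data on disk but {s['virtual_size']:#x} bytes reserved in memory (unpack target)")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{name}: entropy {s['entropy']:.2f} bits/byte (compressed or encrypted payload)")
    return findings


def build_synthetic_pe(packed: bool) -> bytes:
    """Constructed, non-executable two-section PE image for demonstration only."""
    num_sections, opt_size = 2, 0  # optional header omitted here; real files carry 224/240 bytes
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, opt_size, 0)
    headers_len = len(dos) + 4 + 20 + 40 * num_sections
    if packed:
        names, vsize1 = (b"UPX0", b"UPX1"), 0x10000
        data1, data2 = b"", bytes(range(256)) * 16  # UPX0 empty on disk; UPX1 uniform bytes
    else:
        names = (b".text", b".data")
        data1, data2 = b"\x55\x8b\xec" * 400 + b"\xc3", b"\x00" * 512  # repetitive, low entropy
        vsize1 = len(data1)
    ptr1 = headers_len if data1 else 0
    ptr2 = headers_len + len(data1)
    sec1 = struct.pack("<8sIIIIIIHHI", names[0], vsize1, 0x1000, len(data1), ptr1, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", names[1], len(data2), 0x2000, len(data2), ptr2, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + sec1 + sec2 + data1 + data2


if __name__ == "__main__":
    # Usage: python pe_pack_check.py PhotoDemon.exe [more files...]
    # With no arguments the two constructed images are analysed instead.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("synthetic-unpacked", build_synthetic_pe(False)), ("synthetic-upx", build_synthetic_pe(True))]
    for label, image in inputs:
        hits = packer_indicators(image)
        print(f"{label}: {'no packer indicators' if not hits else ''}")
        for h in hits:
            print("  -", h)
```

Run it over PhotoDemon.exe and each DLL in the package: an unpacked VB6 build should produce no findings, while a UPX-packed one typically shows the empty UPX0 section plus a near-8.0 UPX1 section, which is exactly the profile many heuristic engines penalise.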

hansnolte commented 9 years ago

Thank you for your effort.

Hans

tannerhelland commented 9 years ago

Thanks for the good suggestion. If you have any other ideas, I am happy to try them. Meanwhile, I keep waiting for a "magical" code change that makes the warnings go away....

jpbro commented 9 years ago

I've had similar "false positive" problems with my program and its automatic update system. Coincidentally, the A* anti-virus programs seem to be the worst offenders (all of the false positive reports I've received have been from users using AVG, Avira, or Avast - this is probably just a function of marketshare for free-AV, but just thought it was an amusing aside).

I think the main issue is with the "heuristic" detection of the AV software (which VirusTotal doesn't check against) vs. automatic updates. If the AV software detects something being downloaded automatically and copied/installed to protected locations, then there's a good chance it will stop it. I say "good" chance, but sometimes it seems like a random chance.

I did get some decent feedback from one of the AV vendors, which was to digitally sign my binaries - and I mean all of them. I now even sign my third-party libraries, because I once had one of them destroyed by AV. Basically, if it's a binary in my package, I sign it.

This hasn't been a magic bullet, but it has helped noticeably (My guess is that the vendor can whitelist specific signatures - though they might have to re-whitelist it every year as you renew).

Sadly, getting a code signing certificate has a non-zero cost, but it's definitely something I'd be willing to contribute some $ towards. Maybe hansnolte would too? ;)

BTW - I buy my code signing certificates from ksoftware.net because they are the cheapest I've found, they work, and in the rare instances where I've needed support, they've been responsive.

tannerhelland commented 9 years ago

Great tips, Jason. Thank you very much for sharing your expertise. If I can't solve the problem in the next few weeks, I may have to go down the cert route, and ksoftware does have great prices - thanks again for the tip. (And I agree, the A* scanners are constantly problematic, ha)

What's strange is that the download code isn't new. Old versions of the program still downloaded an XML update file; the only difference now is that PD patches its own files instead of forcing the user to go fetch a download. So the real change is just some generic file move/replace functions, which are foundational in just about every program ever written... very strange.

When I add binary updates later this week, I hope it doesn't cause issues with other scanners. The hard thing is that Avast is flagging the PD .zip file before it even runs, so even making the update behavior conditional (which is already implemented) doesn't help. Argh.

When I last contacted one of the companies (can't remember which off the top of my head) about false positives, they said their program was actually flagging FreeImage.dll inside the .zip. PD's copy is manually patched to solve some annoying missing features, which makes me wonder if maybe the file not matching its most common hash is part of the problem. I could try dropping in the original FreeImage copy to see if that makes the warnings go away.

@hansnolte, I'll try and upload a special .zip later this evening, one without 3rd-party plugins included, to see if that fixes the problem.

jpbro commented 9 years ago

Glad to be of a little help :) I think there's a bit of voodoo (and more than a little security through obscurity) with the AV software out there, at least in regard to the heuristic detection features. It wouldn't shock me if they flag copying/moving of DLL/EXE/OCX files by a non-Explorer process as "suspicious" and then block it. All I know for sure is that I've had users' installations of my software hosed by AV after my automatic update process ran, but if the user installed manually, then everything copied/installed and worked perfectly.

@hansnolte - As a fellow small developer, you might want to try developing under a VM with no network bridge, and no antivirus - that way you can have a stable development base, with no interference from the outside, or from random forces like AV software. It's what I do, and it's been working quite smoothly for me.

hansnolte commented 9 years ago

@jpbro - thanks for the tip! But most of the time I use PhotoDemon to edit HDR images (for 3D rendering), so I need the complete RAM and all the processing power.

tannerhelland commented 9 years ago

@hansnolte - Okay, I've uploaded a .zip file with just the latest PhotoDemon.exe:

http://photodemon.org/downloads/PhotoDemon_exe_only.zip

If Avast blocks that, we know it's PhotoDemon itself that is the problem, and not a 3rd-party library. But if Avast allows it, then I have some options for solving the problem, besides just waiting for Avast to get their act together. (Sorry to give you even more files to download. I really appreciate your help.)

@jpbro - The weird part about Avast flaring up now is that the program is only patching XML files at present. I'm close to having patching of the .exe and support .dlls ready, but that's not even implemented yet...

But like you say, there's definitely some black magic involved in figuring out why a virus scanner dislikes something. 6-7 years ago, I remember AVG going through a phase where it rejected all projects with references to msvbvm60.dll outright, simply because their heuristics engine had once detected a virus in VB, and that DLL reference was the signature it decided to use. Ugh. Fortunately the problem was solved within a few days, but it was still a headache. (Of course, that wasn't nearly as bad as some of their more famous errors...)

hansnolte commented 9 years ago

Avast has blocked!!!

tannerhelland commented 9 years ago

Thanks, Hans. Now we know the problem file, at least...

hansnolte commented 9 years ago

It works again! Avast doesn't block it any more.

Many greetings, Hans

tannerhelland commented 9 years ago

How funny - I just finished coding automatic updates of the program's binary files (exe, dll, etc), and now Avast decides that the program is okay. :)

I'm very happy it's working again. Thanks for all your help, @hansnolte and @jpbro.