(OT) false positives on my files

Antivirus, malware scanners and Google are driving me crazy.

I'm having problems because Google is showing a warning page when people try to download my products from my site (this is an attacker site, in big red letters and black background, very scary).

The files have been there for long, and there is no malware in them. They are packed with UPX, and I saw that scanning them at http://virusscan.jotti.org/ the Sophos antivirus in its heuristic analysis says that it is possibly a virus [Sus/Behav-1021 (probable variant)].

Well, I thought, I'll unpack them from UPX. I did, and now I sent the files again to http://virusscan.jotti.org/ only to see that now Sophos reports them as clean, but "Norman Virus Control" reports them as the virus "W32/Bancos.JMA" and "Panda Antivirus" as the virus "Bck/Irc.Comiz".

This is really crazy, and now Google joins the circus, blocking my files and telling people that I'm an attacker!

Anyone with a similar experience, or any advice about how to handle this?

----------
Eduardo wrote:
> OT or not OT, I don't know.
>
> Antivirus, malware scanners and Google are driving me crazy.
>
> I'm having problems because Google is showing a warning page when the
> people try to download my products from my site (this is an attacker
> site, in big red letters and black background, very scary).
>
> The files have been there for long, and there is no malware on them.
> They are packed with UPX, and I saw that scanning them from
> http://virusscan.jotti.org/ the Sophos antivirus in their heuristics
> analysis says that it is possible a virus [Sus/Behav-1021 (probable
> variant)].
> Well, I thought, I'll unpack them from UPX. I did, now I sent the
> files again to http://virusscan.jotti.org/ only to see that now
> Sophos report them as clean, but "Norman Virus Control" reports them
> as the virus "W32/Bancos.JMA" and the "Panda Antivirus" as the virus
> "Bck/Irc.Comiz".
> This is really crazy, and now Google join the circus blocking my files
> telling the people that I'm an attacker!
>
> Anyone with a similar experience, or any advice about how to handle
> this?

Hi Eduardo,

I've had zipped .exe files stripped from my email by a client's virus checker. However, as I knew the code I'd recently added, I was able to change it and then recompile. It was enough to get rid of the false positive.

HTH
----------
"Jason Keats" <jke***@melbpcDeleteThis.org.au> wrote in message
news:Jalul.28255$cu.17286@news-server.bigpond.net.au...
> Eduardo wrote:
>> OT or not OT, I don't know.
>>
>> Antivirus, malware scanners and Google are driving me crazy.
>>
>> I'm having problems because Google is showing a warning page when the
>> people try to download my products from my site (this is an attacker
>> site, in big red letters and black background, very scary).
>>
>> The files have been there for long, and there is no malware on them.
>> They are packed with UPX, and I saw that scanning them from
>> http://virusscan.jotti.org/ the Sophos antivirus in their heuristics
>> analysis says that it is possible a virus [Sus/Behav-1021 (probable
>> variant)].
>> Well, I thought, I'll unpack them from UPX. I did, now I sent the
>> files again to http://virusscan.jotti.org/ only to see that now
>> Sophos report them as clean, but "Norman Virus Control" reports them
>> as the virus "W32/Bancos.JMA" and the "Panda Antivirus" as the virus
>> "Bck/Irc.Comiz".
>> This is really crazy, and now Google join the circus blocking my files
>> telling the people that I'm an attacker!
>>
>> Anyone with a similar experience, or any advice about how to handle
>> this?
>
> Hi Eduardo,
>
> I've had zipped .exe files stripped from my email by a client's virus
> checker. However, as I knew the code I'd recently added, I was able to
> change it and then recompile. It was enough to get rid of the false
> positive.
>
> HTH

These files have been there for years. I know I could try to recompile, change to another installer, etc. That's a lot of work, and it's unfair because it's only because of the foolishness and irresponsibility of these stupid people. These exes are components with many sample projects, all packed into one single exe file. I have to study everything again; it's crazy to have to do this only because they are so irresponsible.

----------
I had the same problem when I was using constant for registry access.

Example:
Private const cHKeyUser = "HKEY_CURRENT_USER"

----------
"Abhishek" <m*@server.com> wrote in message
news:egKT1%235oJHA.5228@TK2MSFTNGP02.phx.gbl...
> I had the same problem when I was using constant for registry access.
>
> Example:
> Private const cHKeyUser = "HKEY_CURRENT_USER"

I tested the individual files that are packed in the installer and all AV report them as clean. The problem seems to be the UPX packer ( http://upx.sourceforge.net ) and also the installer that I used: "SFX Maker" from David Cornish. But I don't believe there is anything wrong with the installer packages that it generates or with the program itself (I can't be 100.00000 % sure, but I packed them several years ago and my files have been being downloaded from my site for years and being installed with no problem at all).

The AVs don't want to miss any virus so every file is an infection! That's great. Let's end the delinquency, so let's shoot everyone.

----------
Are You Safer Now?
Virus detectors can detect more than just bugs -- Karl encounters one such system set off by his code, and shares how he worked around it.
January 2008 · by Karl E. Peterson

http://visualstudiomagazine.com/columns/article.aspx?editorialsid=2473

----------
"Abhishek" <m*@server.com> wrote in message
news:ej1Djl7oJHA.996@TK2MSFTNGP03.phx.gbl...
> Are You Safer Now?
> Virus detectors can detect more than just bugs -- Karl encounters one such
> system set off by his code, and shares how he worked around it.
> January 2008 · by Karl E. Peterson
>
> http://visualstudiomagazine.com/columns/article.aspx?editorialsid=2473

Thanks, I remember I had read this article in the past, I'll take another look.

----------
Eduardo wrote:
> "Abhishek" <m*@server.com> wrote in message...
>> Are You Safer Now?
>> Virus detectors can detect more than just bugs -- Karl encounters one such
>> system set off by his code, and shares how he worked around it.
>> January 2008 · by Karl E. Peterson
>>
>> http://visualstudiomagazine.com/columns/article.aspx?editorialsid=2473
>
> Thanks, I remember I had read this article in the past, I'll take another
> look.

I'm afraid it's unlikely to help here. That was, like another post, a case where I'd recently added one "trouble" string to the app, and that set off the alarm bells. Really, it was more of a *RANT* than anything. That an AV program could be *so dumb* as to trigger on something like that, was just beyond my comprehension. And people actually think they're safer with that crap "protecting" them. Sorry, ya got me going again. Good luck, man!
----------
"Karl E. Peterson" <k***@mvps.org> wrote in message
>>> http://visualstudiomagazine.com/columns/article.aspx?editorialsid=2473
>>
>> Thanks, I remember I had read this article in the past, I'll take another
>> look.
>
> I'm afraid it's unlikely to help here. That was, like another post, a
> case where I'd recently added one "trouble" string to the app, and that
> set off the alarm bells. Really, it was more of a *RANT* than anything.
> That an AV program could be *so dumb* as to trigger on something like
> that, was just beyond my comprehension. And people actually think they're
> safer with that crap "protecting" them. Sorry, ya got me going again.
> Good luck, man!

Hi Karl,

Yes, it wasn't going to help, but one can realize that it is not too uncommon to have this sort of problem.

The worst thing in these problems is that Google doesn't tell you exactly what they think is wrong. They only point to a file that they consider wrong and send you an address ( http://stopbadware.org/ ) where they explain what to look for in your site, and it's supposed that you have to figure out for yourself what is wrong in your site or with your file.

In my case I think it was a false positive from an AV (but they don't say what AV or AVs they use), and what I did is:

1) Scan the file with:
http://virusscan.jotti.org/
http://www.virustotal.com/
http://scanner.novirusthanks.com/
See what AVs found false positives on my files, contact the AV companies about the issue (I contacted two, but I couldn't contact eSafe because I didn't find how). Sophos amended it in one day.

2) I made a new package of the files, in the same way because I didn't find another tool like SFX Maker by David Cornish (there must be some, but I didn't find any quickly).

3) I added a message box that is displayed at first, before the self-contained exe starts to install anything, saying what is about to be installed and that some temporary files will be created and deleted at the end (on the site http://stopbadware.org/ they talk about being clear about what is to be installed and bla bla bla).

4) I submitted the site for a review at https://www.google.com/webmasters/

They whitelisted the site now.

I'm happy because it seems to be solved, but I still think it's unfair. There wasn't anything wrong in my files.

----------
Eduardo wrote:
> They whitelisted the site now.

Hey, that *is* good news! Pretty quick turnaround, too, given my experience.

> I'm happy because it seems to be solved, but I still think it's unfair.
> There wasn't anything wrong in my files.

I agree. I've been bitten twice now. I hate AV. Always have.

----------
> I tested the individual files that are packed in the installer and all AV
> report them as clean. The problem seems to be the UPX packer (
> http://upx.sourceforge.net ) and also the installer that I used: "SFX Maker"
> from David Cornish.

You mentioned before that you tried AV-testing the files after un-UPXing them. What about a Google test without UPX? If you ship in a ZIP SFX then you're not gaining anything with UPX.

Also, I assume you're sure that Google is still a problem. Their system went haywire for awhile recently and started labeling everything dangerous.

As a last resort I guess you could try buying some Google ads. :)

I suspect the day's coming when Microsoft's exploitation of the public will seem bumbling and almost benign next to Google's.
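
The check that the question about shipping without UPX points at, as an added example that is not part of the thread: before uploading a build, read the PE section table and report the section names a stock UPX build leaves (`UPX0`, `UPX1`, `UPX2`), which shows whether an installer tool applied UPX as its last step. The function names and the header-only sample images are constructed for illustration.

```python
import struct
import sys

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}  # names a stock UPX build gives its sections

def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise ValueError("PE header not found")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    if len(data) < table + 40 * count:
        raise ValueError("truncated section table")
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(count)]

def upx_report(data):
    """Summarise UPX section names; sections that were renamed will not show up."""
    names = pe_section_names(data)
    hits = sorted(UPX_SECTIONS.intersection(names))
    return {"sections": names, "upx_sections": hits, "packed": bool(hits)}

def build_sample_pe(section_names):
    """Constructed header-only PE image for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(n.encode("ascii").ljust(40, b"\0") for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # audit real build outputs
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, upx_report(fh.read()))
    else:                                      # constructed samples
        print(upx_report(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
        print(upx_report(build_sample_pe([".text", ".data", ".rsrc"])))
```

Run against the installer itself and against each file it contains: a report that flags only the outer package matches the situation where the packaging tool, not the developer, added UPX.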
----------
"mayayana" <mayayaX***@rcXXn.com> wrote in message
news:%2301Pr89oJHA.4028@TK2MSFTNGP03.phx.gbl...
>
>> I tested the individual files that are packed in the installer and all AV
>> report them as clean. The problem seems to be the UPX packer (
>> http://upx.sourceforge.net ) and also the installer that I used: "SFX Maker"
>> from David Cornish.
>
> You mentioned before that you tried AV-testing the
> files after un-UPXing them. What about a Google test
> without UPX? If you ship in a ZIP SFX then you're not
> gaining anything with UPX.

Now I realized that the "SFX Maker" used UPX as the last step; I didn't use UPX myself over the package generated by "SFX Maker" (I didn't remember because it was a long time ago, and because I did use UPX on other files).

> Also, I assume you're sure that Google is still a problem.
> Their system went haywire for awhile recently and started
> labeling everything dangerous.

I didn't know that. Do you have a link to this news?

> As a last resort I guess you could try buying some
> Google ads. :)

Does it work like the mafia? (If you pay me, your business is protected)

> I suspect the day's coming when Microsoft's
> exploitation of the public will seem bumbling and almost
> benign next to Google's.

I'm quite sure that Google will follow MS's path. It's a matter of time.
But there is an advantage, at least as things are set up nowadays: it's easier for people to switch to another search engine than to another OS.

----------
> > Also, I assume you're sure that Google is still a problem.
> > Their system went haywire for awhile recently and started
> > labeling everything dangerous.
>
> I didn't know that. Do you have a link to this news?
>

I can't find a link now. I knew about it because I ran into it myself, probably a couple of weeks ago. A Google search turned up *all* dangerous sites. I was surprised by how pushy they were. Not only did the search results contain a warning, but clicking them took me to an intermediate page that warned me again. As I recall it didn't even provide a link to click through. It was more like, "If you want to live dangerously you're on your own". Later that day I saw a story on Slashdot about how Google had malfunctioned for a period of time.

> > I suspect the day's coming when Microsoft's
> > exploitation of the public will seem bumbling and almost
> > benign next to Google's.
>
> I'm quite sure that Google will follow MS path. It's a matter of time.
> But there is an advantage, at least as the things are set up nowadays: it's
> easier for the people to switch to another search engine than to another OS.
>

To me it seems very similar. One can switch to another OS, but it's a very big change. One can switch to another search engine, but there's not much left to choose from.

In my experience the others just don't come close to Google's efficiency. On my own site nearly all searchers are coming from Google. A few come from Yahoo. People coming from MS search are rare. In fact, they're so rare that I think I actually get more from dogpile. But all of those other engines tend to just drop people at the front door, while Google sends them to the right page. I haven't tried Yahoo for a long time, but they're the only one I could imagine having even a chance at being a competitor to Google.

So Google has the monopoly. And they bought Doubleclick. So now the company is really Google/Doubleclick. And they're spreading like an alien weed in a sci-fi movie, with ads on nearly every page and the ability to track almost everyone, almost everywhere. I have a brother who uses isp.com for dial-up and they just dumped him into gmail recently. They can't be bothered to host their own mail server anymore. Instead they made a deal to sub it out to Google. So now my brother gets all of his email involuntarily added to Google/Doubleclick's datamining database.

And the NYT had an article this week about Google's phone service. Apparently they want to get people using a single phone # to replace all of their phones; then Google/Doubleclick can use speech-to-text functionality to add phone conversations to their advertising database. (They're also going to use STT to enable receiving phone calls as text messages. One wonders what's going on with the teenage wired set, that while they carry cellphones everywhere they need to have their phone calls arrive as text messages. :)

I saw an interesting link yesterday:

http://www.adbusters.org/blogs/blackspot_blog/unclick_google.html

It's about a campaign to protest Google/Doubleclick's extensive spying by installing Firefox with a plugin to auto-click on all Google/Doubleclick ads and thereby mess up their system. :) It seems a sign of the times -- an indicator of the public passivity when it comes to Google/Doubleclick -- that AdBusters is encouraging people to "protest" in a way that requires a fairly high technical aptitude while accepting Google's stunning degree of intrusion as a given. Yet by blocking cookies from Google/Doubleclick, blocking the domains of DoubleClick in a Hosts file, and blocking IFRAMES (not any more difficult than using the Firefox extension) one can dispense with all Google/Doubleclick ads and stop the majority of tracking. (Most sites hosting Google/Doubleclick ads also use script for tracking, so blocking script might be necessary, too, to really get Google/Doubleclick off of one's back.)

----------
"mayayana" <mayayaX***@rcXXn.com> wrote in message
>> it's easier for the people to switch to another search engine than to
>> another
>> OS.
> To me it seems very similar. One can switch to another
> OS, but it's a very big change. One can switch to another
> search engine, but there's not much left to choose from.

Now, but some others are improving quickly (like Yahoo).

I was talking about some future time.

> In my experience the others just don't come close to
> Google's efficiency. On my own site nearly all searchers are
> coming from Google. A few come from Yahoo. People coming
> from MS search are rare. In fact, they're so rare that I think
> I actually get more from dogpile.

They come from Google now, but if people start to be upset with Google and there are other options, we'll see what happens.

[cut]

Yeah, they want to be everywhere and maybe to rule the world. Every time I like them less. Maybe the rule is that all big companies are evil.