
netpd.exe is detected as Trojan (netpd issue, open, 36 comments)

TCLNA commented on June 15, 2024
netpd.exe is detected as Trojan

from netpd.

Comments (36)

reduzent commented on June 15, 2024

@TCLNA:

OK, I had another go and instead of using a .bat file and bat2exe converter, I directly wrote it in C, hoping this would raise less suspicion on malware scanners:

https://www.virustotal.com/gui/file/fcd84e96dd99635a86989cb44efdd4e6f23f0f762d539e3365d8c5150cacf0c7?nocache=1

There are still 11 scanners (out of 68) that flag it as malicious. But I guess that is how it is on Windows. Can you check if it is OK now for you to use?

This is the source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <libgen.h>

int main(int argc, char *argv[])
{
    char exec_path[FILENAME_MAX];   /* full path of this launcher (netpd.exe) */
    char cmd[2 * FILENAME_MAX];     /* command line handed to WinExec */
    char *dir;

    if (GetModuleFileName(NULL, exec_path, FILENAME_MAX) == 0) {
        fprintf(stderr, "GetModuleFileName failed\n");
        return 1;
    }

    /* dirname() may modify its argument; keep the result in a separate
       buffer instead of overwriting exec_path before it is used. */
    dir = dirname(exec_path);

    /* "<dir>\pd-netpd\bin\pd.exe" -open "<dir>\pd-netpd\netpd\main.pd"
       Both paths are anchored to the launcher's directory, so the working
       directory the user double-clicks from does not matter. */
    snprintf(cmd, sizeof cmd,
             "\"%s\\pd-netpd\\bin\\pd.exe\" -open \"%s\\pd-netpd\\netpd\\main.pd\"",
             dir, dir);
    printf("%s\n", cmd);
    WinExec(cmd, SW_HIDE);
    return 0;
}

reduzent commented on June 15, 2024

Sorry, forgot to post the link to the bundle using this: https://www.netpd.org/software/netpd-current-windows.zip

reduzent commented on June 15, 2024

Thanks for the pointer. I'm removing the Windows bundle for the time being until this is resolved.

reduzent commented on June 15, 2024

It seems that the nature of netpd.exe being a batch file converted to an exe file makes it suspicious for some scanners, especially those using heuristics to apply a score. I don't know how these kinds of converters work exactly, but they probably need to perform operations that look suspicious like temporarily extracting files to %AppData%.

I gave it another shot with "Bat To Exe Converter"; the result still triggers warnings, but at least not that many anymore: https://www.virustotal.com/gui/file/ce04fa7c14c512d428e95db4a6661bf23cbec5322df3d18d8e18b20aed7b0fec/detection

I think that is the best I can come up with at the moment.

Find an updated windows bundle here: https://www.netpd.org/software/netpd-2.3.0-windows.zip

TCLNA commented on June 15, 2024

The new bundle does not trigger any warnings from Windows Security, thanks!

reduzent commented on June 15, 2024

Glad to hear. Thanks for reporting back.

TCLNA commented on June 15, 2024

[image]
Well I'm taking it back, dammit

TCLNA commented on June 15, 2024

I think I will just launch main.pd with puredata then lol

reduzent commented on June 15, 2024

OK. Thanks. What's WD, btw?

TCLNA commented on June 15, 2024

Windows Defender, but I meant Windows Security*

reduzent commented on June 15, 2024

That's troubling. I have Windows Security enabled and still it doesn't complain... Windows 10 Version 20H2. I wonder why that is.

TCLNA commented on June 15, 2024

Maybe my settings are stricter, idk.
Do you bundle and test on the same machine ?

reduzent commented on June 15, 2024

Yes, I do. Maybe I should test on a different machine. However, I don't have access to any other machine.

TCLNA commented on June 15, 2024

What are the steps for building the exe ?

reduzent commented on June 15, 2024

Basically it's just a file "netpd.bat" with this content:

start "netpd" pd-netpd\bin\pd.exe -open pd-netpd\netpd\main.pd

converted to netpd.exe with the software "Bat to Exe Converter v3.2". This tool allows embedding a custom icon when creating an exe file.

The goal is to have a clickable file that starts Pd and loads main.pd. The netpd.bat instead of netpd.exe would do as well, but is ugly. If there are better ways to do that, I'm all ears.

reduzent commented on June 15, 2024

I tested some more and changing settings randomly in "Bat to Exe Converter" creates exe files that are tested with different results on VirusTotal each time (not all settings create a binary that actually works, of course). So, I came up with a binary that is not flagged by Microsoft nor Sophos. Those two vendors are the ones I encounter everyday at work, that's why I picked those.

Interestingly, when using the exact same settings in "Bat to Exe Converter", the resulting binary doesn't have the same checksum as the previous compilation. Also, the builds are flagged slightly differently on VirusTotal. So, partially - at least - it's a gamble.

I think this contains a netpd.exe that is not flagged by Windows Security: https://www.netpd.org/software/netpd-2.3.0-windows.zip

TCLNA commented on June 15, 2024

[image]
On my side, it still warns me about trojans :/

the resulting binary doesn't have the same checksum as the previous compilation

It's very concerning... Is there a reason you might think would do that ?

I think I cannot find the right "Bat to Exe converter" software you're talking about... Is it https://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml ?

reduzent commented on June 15, 2024

It's very concerning... Is there a reason you might think would do that ?

I'm not sure if it is really that concerning. "Predictable builds" is a science of its own. If the build is tagged with a build timestamp, the checksum will be different. I don't know if that is the case, though.

I think I cannot find the right "Bat to Exe converter" software you're talking about... Is it https://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml ?

Yeah, that is the one. Also, the version matches: 3.2

Good luck!

reduzent commented on June 15, 2024

Interesting, I didn't record it, but Microsoft Security flagged it as three different threats already.

TCLNA commented on June 15, 2024

I'm not sure if it is really that concerning. "Predictable builds" is a science of its own. If the build is tagged with a build timestamp, the checksum will be different. I don't know if that is the case, though.

Yeah this might be it ! A simple check with a hex editor might confirm that I think...

Interesting, I didn't record it, but Microsoft Security flagged it as three different threats already.

Better to catch too much than too little, like they say
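The build-timestamp explanation for the changing checksum, and the suggestion to confirm it with a hex editor, can be checked programmatically: the COFF file header of every PE image carries a 32-bit TimeDateStamp at offset e_lfanew + 8, where e_lfanew is the 32-bit value at offset 0x3C of the DOS header. The following Python script is an added example, not code from the netpd project or from either participant. The two PE images it compares are constructed inline (they are not real netpd.exe builds) and differ only in that timestamp field; it reports the SHA-256 of each (the hash VirusTotal keys on) and whether the images become identical once the timestamp is zeroed.

```python
import hashlib
import struct


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal PE-shaped byte string with the given COFF timestamp.

    Constructed sample data for this example only; it is not a loadable
    executable, just enough header to exercise the parser below.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew lives at 0x3C
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 64


def coff_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Machine (2) + NumberOfSections (2) precede the timestamp in the COFF header
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_neutralized(data: bytes) -> bytes:
    """Return a copy of the image with the COFF TimeDateStamp zeroed."""
    coff_timestamp(data)  # validate the headers first
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    out = bytearray(data)
    struct.pack_into("<I", out, e_lfanew + 8, 0)
    return bytes(out)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(a: bytes, b: bytes) -> dict:
    """Report whether two builds differ only in their COFF timestamp."""
    return {
        "sha256_a": sha256(a),
        "sha256_b": sha256(b),
        "timestamp_a": coff_timestamp(a),
        "timestamp_b": coff_timestamp(b),
        "identical": a == b,
        "identical_ignoring_timestamp":
            timestamp_neutralized(a) == timestamp_neutralized(b),
    }


if __name__ == "__main__":
    # Two constructed builds one day apart; everything else is byte-identical.
    build_1 = build_fake_pe(1645056000)
    build_2 = build_fake_pe(1645142400)
    for key, value in compare_builds(build_1, build_2).items():
        print(f"{key}: {value}")
```

For real files, pass `open(path, "rb").read()` for each build. If `identical_ignoring_timestamp` comes back False, the converter changed more than the timestamp (resource data, the PE checksum field, or the stub it embeds), and a byte-level diff of the two files is the next step. Other timestamped fields exist in a PE (the debug directory and any embedded resource timestamps, for instance); this check covers only the COFF header field.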

TCLNA commented on June 15, 2024

Yeah, that is the one. Also, the version matches: 3.2

I'm gonna try it then !

[EDIT] Never mind, I'm not gonna dive into it right now :/

reduzent commented on June 15, 2024

Now, I finally can reproduce the problem on my Windows 10 VM (with "Sophos Endpoint Security and Control" installed). I will investigate further.

reduzent commented on June 15, 2024

I assume the thumbs-up and heart emoji mean that things are good now. I'll close this issue. Feel free to respond if you do not agree.

TCLNA commented on June 15, 2024

I haven't tested it yet, sorry; the thumbs up was for acknowledging the message, but I wanted to test it before sending a comment.

reduzent commented on June 15, 2024

Sure. No problem. Sorry for the misunderstanding. I'll keep it open until it being fixed is confirmed.

TCLNA commented on June 15, 2024

Just tested it rn
[image]

TCLNA commented on June 15, 2024

Thanks for the Uwamson x)

TCLNA commented on June 15, 2024

I'm wondering if it is not possible to just use the raw powershell bat script to run netpd, or maybe use a sort of windows shortcut file... It may be simpler.

reduzent commented on June 15, 2024

Just tested it rn ![image](https://user-images.githubusercontent.com/32589981/152050002-fdee9579-8276-43c7-85c4-e8a1b389771

May I ask what virus scanner flags it as a virus?

reduzent commented on June 15, 2024

I'm wondering if it is not possible to just use the raw powershell script to run netpd, or maybe use a sort of windows shortcut file... It may be simpler.

I'm not accustomed to PowerShell, but yes, it might be simpler. Can it have a custom icon? Can it be started by double-clicking it and can the terminal window be hidden?

TCLNA commented on June 15, 2024

May I ask what virus scanner flags it as a virus?

Windows Defender.

I'm not accustomed to PowerShell, but yes, it might be simpler. Can it have a custom icon? Can it be started by double-clicking it and can the terminal window be hidden?

Sorry, I wanted to say "bat" file, not PowerShell. I don't know about the custom icon or the terminal; for the double click it seems that it is not enabled by default - source

Can you tell me what you used to build the C++ program please?

reduzent commented on June 15, 2024

Can you tell me what you used to build the C++ program please?

With gcc. I got it by installing MSYS and MinGW. Then I ran in an MSYS terminal:

gcc netpd.c -o netpd

BTW: it's plain C, not C++

60-hz commented on June 15, 2024

Hi, I was also using Bat to Exe Converter for a special Pd distribution with my students; I remember having the same antivirus issues before. I am now using an older Bat to Exe version and nobody had the problem in the last classroom. I am not sure if it is related, but I went back to the old 2.48 version because I discovered some extra useless commands added in the new one.

reduzent commented on June 15, 2024

@60-hz Thanks for the pointer about the Bat to Exe Converter version. I'll try that out.

reduzent commented on June 15, 2024

@TCLNA

It's such a weird topic. I re-compiled the very small and also quite innocent tool with the same compiler, but on Linux instead of Windows. Also, I added the icon to the binary with Resource Hacker running under Wine instead of Windows. The resulting binary is now flagged by only two scanners:

https://www.virustotal.com/gui/file/61d54aa7739a8befd39984dda3441cb34c5044d2cfea9eb06d7dd27e2414c083?nocache=1

That's a strange cat and mouse game. As you can see, Windows Defender is not amongst the scanners that detect it as malicious.

If you're not tired already, you can test it with the package from here:
https://www.netpd.org/software/netpd-2.3.1-windows-2022-02-17.zip

reduzent commented on June 15, 2024

Funny side note: Before adding the icon, 3 flagged it as suspicious. After adding the icon to the binary, only two.
