pouët.net

Pouet BLOCKED by google

category: general [glöplog]
Signing executables would inflate 4k prods to the point they are not 4k anymore :)

I've seen the efficiency of signing executables in my work: when I released new versions of my game server manager tool earlier, without signing, some players got Kaspersky and Avast to throw a tantrum; when I started signing executables, it stopped.
added on the 2020-04-17 14:43:09 by Dbug Dbug
Unless required for, say, professional reasons, please do not provide fixes or work-arounds for problems caused by antivirus software. People need to realize that using snake oil not only does not protect them, but actively harms them.
added on the 2020-04-17 15:20:49 by utz utz
If it were only the specific files that are marked as malicious, I would agree with utz. Sceners know about the AV issue and would just ignore the warning, no harm done.
However, it ain't that easy. When Google initially spotted the intros on my webpage, they flagged the entire download directory as malicious. This doesn't only host demoscene stuff, but also useful application software, so there was a considerable amount of collateral damage. It got even worse a bit later, when they marked my whole domain as malicious. Users couldn't even reach the other services that were hosted there. I had no choice but to replace all my demoscene ZIP files with versions where the main EXEs have a (trivial) password to get rid of this.
added on the 2020-04-22 14:45:04 by KeyJ KeyJ
Just my anecdotal experience on this subject: Google can flag a download as suspect even if there are no AV flags. In this example, Google Search has flagged the download as Malware/Unwanted software, while Google's VirusTotal shows that the file is in the clear with the AV engines.

https://www.virustotal.com/gui/url/f1bab8ecd53b63eee10b998b2fb9ad3850cf92ef21e6a4b5d2955678f540e3b4/detection

It shows CRDF by G-Data is the false positive engine which classifies it as Malware. G-Data is I assume Google-Data, while CRDF is the CRDF Labs out of France.

"The goal of CRDF Labs is to make the web better by finding and uncovering websites that do not meet our detection criteria. We actively fight via our systems against any form of cybercrime."

Their criteria are very loose: https://threatcenter.crdf.fr/criteria.html
added on the 2020-04-27 08:37:16 by Ipggi Ipggi
Oh great.
added on the 2020-04-27 10:01:21 by Gargaj Gargaj
70 scanners say the file is OK, 2 say it isn't. Of course the two differing ones are the ones that are right. Minority rule.
added on the 2020-04-27 10:12:12 by El Topo El Topo
Maybe you are half-joking but it's actually true in some way; if one engine detects a threat, others will "learn" from it and in the future they might also flag the file.

BTW, G-Data is much older than Google, they are not the same company :)
Not sure how relevant it is, but I was recently downloading DOS demos and this one was blocked by Chrome because of a virus. I used F-Prot on my DOS machine to be sure, and it indeed reports one file with Major.1644.A. I wonder which few DOS demos still carry a virus, and whether it's easy to clean up, or the creator has to replace the file (which might be tedious for the original creator: finding their old source code and recompiling it from scratch again), or just keep it as there is no point in caring much about old DOS viruses anymore (but Google might decide to block because of old DOS viruses too).
added on the 2020-04-27 10:33:39 by Optimus Optimus
Saga: Yes I realize it's not that simple, sometimes there really is some fishy stuff with a file that only a few scanners detect. But what if a shit scanner is introduced in the chain that starts to block stuff left and right? It can easily create a lot of problems for things less peripheral than the demoscene.
added on the 2020-04-27 10:38:48 by El Topo El Topo
gargaj: Signing does indeed make a difference; it shows that the file wasn't modified since the time of signing, which rules out the scenario Sesse describes.

Dbug: You don't have to embed the signature inside the executable.
added on the 2020-04-27 12:36:10 by kusma kusma
Quote:
gargaj: Signing does indeed make a difference; it shows that the file wasn't modified since the time of signing, which rules out the scenario Sesse describes.

Dbug: You don't have to embed the signature inside the executable.

In theory yes, in practice no: https://www.pouet.net/topic.php?post=497002
Quote:
The compression you apply is seen as obfuscation, and thus will make your executable prone to false positives, DS or not.
added on the 2020-04-27 12:38:23 by Gargaj Gargaj
Signing with EV certificates does seem to make a difference, at least with Microsoft's AV engine (it boosts the initial reputation of the file), but this is probably not a viable solution for most demo makers.
Quote:
Quote:
gargaj: Signing does indeed make a difference; it shows that the file wasn't modified since the time of signing, which rules out the scenario Sesse describes.

Dbug: You don't have to embed the signature inside the executable.

In theory yes, in practice no: https://www.pouet.net/topic.php?post=497002
Quote:
The compression you apply is seen as obfuscation, and thus will make your executable prone to false positives, DS or not.


Gargaj: But it makes it go from "not solvable" to "solvable", which was my (admittedly not very clear) point.
added on the 2020-04-27 16:56:11 by kusma kusma
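As an added illustration of the integrity argument in the exchange above (this is not code from the thread or from any of its posters), here is a PowerShell check a downloader can run on a Windows binary before deciding what an AV verdict means. Get-AuthenticodeSignature reports whether an embedded signature is present and whether the file bytes still match it, which is the "not modified since signing" property kusma describes; the SHA-256 hash covers the unsigned case, where the only integrity reference is a hash the author publishes separately from the file. The file path is an assumption.

```powershell
# Added example, not from the thread: inspect a downloaded prod's embedded
# Authenticode signature and its SHA-256 before interpreting an AV flag.
# Assumption: $Path points at the executable you downloaded.
param([string]$Path = '.\intro.exe')

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

# Summary of what the OS can tell us about this file
[pscustomobject]@{
    File       = $Path
    SHA256     = $hash
    Status     = $sig.Status                      # Valid / NotSigned / HashMismatch / NotTrusted / ...
    Signer     = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Message    = $sig.StatusMessage
}

# Interpretation: a signature verdict and an AV verdict answer different questions
switch ($sig.Status) {
    'Valid'        { 'Signed and unchanged since signing; an AV flag on this file is a reputation/heuristic call, not evidence of tampering.' }
    'HashMismatch' { 'A signature is present but the bytes changed after signing; treat the file as tampered with.' }
    'NotTrusted'   { 'Signed, but the certificate does not chain to a trusted root; integrity holds, identity of the signer does not.' }
    'NotSigned'    { 'No embedded signature; compare SHA256 above against the hash the author published, if any.' }
    default        { "Signature problem: $($sig.StatusMessage)" }
}
```

A Valid status only says the bytes match what the certificate holder signed; it says nothing about whether a packer or compressor inside the file will still trip a heuristic engine, which is the point Gargaj's quoted post makes.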