Author Topic: Oxygen Basic alpha  (Read 58719 times)

JRS

  • Guest
Re: Oxygen Basic alpha
« Reply #60 on: September 16, 2010, 10:32:06 AM »
Quote
I submitted eo2.exe co2.exe and cco2.exe and got this response from Dr Kaspersky:

I just updated my Kaspersky AV files (1.3 MB update) and the same e-mail worm false positive is still there. Maybe tomorrow's update will bring some relief.

@James - Thanks, I'll give it a try.



JRS

  • Guest
Re: Oxygen Basic alpha
« Reply #61 on: September 16, 2010, 11:45:56 PM »
I downloaded Alpha07 and just updated my AV files again and it looks like Kaspersky Lab updated their patterns and the files you submitted are no longer showing up as having an e-mail worm. There are still 2 files (applications) that are showing false positives. Does this mean that new code I compile won't create a pattern that Kaspersky will not like?

Side Note: I have to click on the mirror link and select from there to get a zip that doesn't say it's bad. The SourceForge default is bad.


« Last Edit: September 17, 2010, 02:37:42 AM by JRS »

cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #62 on: September 17, 2010, 02:36:25 AM »

Well I fear this is going to be a persistent problem. I will try removing pathnames from the compilers as James has done and maybe offer a config file option instead. Hopefully this will make Oxygen programs look less viral.

Charles

cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #63 on: September 18, 2010, 05:19:54 AM »

I'm working on a new prolog for Oxygen compiled files. Down to 1 false positive on Antivir. I will also try moving all embedded string literals from the code section into their own data section. The idea is that the code section contains nothing else but machine code.

The forthcoming Google Chrome OS requires this for Native code web applications so that the entire binary can be statically analysed and security checked. This goes much deeper than the usual Antivirus.

Keeping data and code separate excludes the possibility of self-modifying code, a trick often used in Malware to disguise its true functionality.

Charles

JRS

  • Guest
Re: Oxygen Basic alpha
« Reply #64 on: September 18, 2010, 08:25:39 AM »
That sucks when all you're trying to do is compile a Basic program. I'm sure glad you're at the helm and have the perseverance to meet the challenge.

Thanks for everything you do!

 

ahadev

  • Guest
Re: Oxygen Basic alpha
« Reply #65 on: September 23, 2010, 12:53:10 AM »
Hi all,

I've got good news from AVIRA. A moderator replied to my mail 3 days ago:
'I will adjust the rule so with Basic Oxygen generated programs will no longer be falsely reported by this rule. The adjustment will be in the next update of AEHEUR.DLL.'

I will test this evening (hopefully).

Regards,
Andreas

cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #66 on: September 23, 2010, 03:01:51 AM »

I've made quite a few changes to the Oxygen program structure with the latest release (Alpha008), removing all embedded data from the code section and placing it in an initialised data section. Automatic path searching behaviour (looking for Oxygen.dll) has also been removed and replaced with an optional Oxygen.cfg file. These changes satisfy all of the antivirus systems at virustotal.com except for Avira which has consistently reported "TR/Crypt.XPACK.Gen2" on all Oxygen compiled files. I hope the latest Avira rule change will still work in favour of the new Oxygen layout.

Thank you Andreas.

Charles

JRS

  • Guest
Re: Oxygen Basic alpha
« Reply #67 on: September 23, 2010, 01:09:19 PM »
I just scanned Alpha08 with Kaspersky and you're out of the woods.


cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #68 on: September 24, 2010, 12:53:50 AM »

Excellent news! Thanks John. I have endeavoured to avoid any coding strategies that might be interpreted as potentially viral. The real test is whether O2 executables will work with Google Chrome OS which disassembles the entire application and performs a safety analysis. It also checks for any possibility that the code could self-modify at run time or execute its own data. This rules out JIT compiling but we will be able to build EXEs without oxygen dependency for this platform.

Charles
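
Added example, not part of the thread and not Oxygen's own code: a static check for the code/data separation described in replies #63 and #68. It reads a PE section table and reports any section that is mapped both writable and executable. The two sample images are constructed headers only (the helper `build_headers` and the layouts `MIXED` and `SPLIT` are assumptions for illustration).

```python
import struct

# Section flags from the PE/COFF specification.
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

def pe_sections(image):
    """Return [(name, characteristics)] read from a PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(count):
        entry = table + 40 * i                                  # 40-byte section header
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, entry + 36)  # Characteristics
        sections.append((name, flags))
    return sections

def writable_and_executable(image):
    """Names of sections that are mapped both writable and executable."""
    both = SCN_MEM_EXECUTE | SCN_MEM_WRITE
    return [name for name, flags in pe_sections(image) if (flags & both) == both]

def build_headers(sections):
    """Constructed sample: PE headers only, no optional header or section bodies."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s6I2HI", name, 0, 0, 0, 0, 0, 0, 0, 0, flags)
                     for name, flags in sections)
    return dos + coff + table

# Constructed layouts, not taken from any Oxygen build.
MIXED = build_headers([(b".text", SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)])
SPLIT = build_headers([(b".text", SCN_MEM_EXECUTE | SCN_MEM_READ),
                       (b".data", SCN_MEM_READ | SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("mixed", MIXED), ("split", SPLIT)):
        print(label, writable_and_executable(image))
```

The check covers only the protections the headers request; it says nothing about what a program does to its memory at run time.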

ahadev

  • Guest
Re: Oxygen Basic alpha
« Reply #69 on: September 24, 2010, 01:25:55 PM »
Good news, indeed. Thanks, Charles!

The question is: Should I wait (for a beta version) before I contact AVIRA again?

cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #70 on: September 24, 2010, 01:53:04 PM »

I would send them another sample (Alpha008) Andreas. I can't say at this stage whether further changes are needed but the prolog should be stable for a few months at least.

And the prolog will be completely different for 64bit of course.

Charles

ahadev

  • Guest
Re: Oxygen Basic alpha
« Reply #71 on: September 24, 2010, 03:33:47 PM »
OK, Alpha008 is under test from the AVIRA team (again).  :)

ahadev

  • Guest
Re: Oxygen Basic alpha
« Reply #72 on: September 28, 2010, 01:38:59 AM »
AVIRA is still testing compiled programs but the compiler files are already corrected as false alarm in today's update. For compiled programs I hope to have it corrected on Thursday or Friday.

cevpegge

  • Guest
Re: Oxygen Basic alpha
« Reply #73 on: September 28, 2010, 02:21:10 AM »

Andreas,

In the new version (Alpha010a), the new compile tools should not trigger any false positives. I compiled EXO2 and GXO2 with FreeBasic and they passed all the VirusTotal.com tests. I hope this is a stable solution so we make some progress.

Charles

ahadev

  • Guest
Re: Oxygen Basic alpha
« Reply #74 on: October 04, 2010, 04:13:30 AM »
Charles, the false alarm for the compiler files is already gone, but the AVIRA-alarm for O2(Alpha011)-compiled programs is still there. This will be (hopefully) solved by AVIRA next weekend.

Andreas