Results 1 to 14 of 14

Thread: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Mar 2009
    Posts
    244

    Exclamation FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    Just to let you people know of a problem with Trend Micro (Worry-Free Business Security Services) at the moment.

    If you're using the VB6 function Kill multiple times (at least on .mdb (acces databases) files) within a few moments, Trend Micro will put your application into quarantine, even if you do it from within vb6.exe it will put vb6.exe into quarantine.
    I haven't checked yet if it also does that if you use WINAPI to remove files.
    **edit** I just checked with WinAPI's DeleteFile, and it also put's your application into quarantine, so it all comes down to the application deleting multiple .MDB files.

    (version agent 6.1.1271/13.1.1149, everything updated to at least 13-07-2017)
    Last edited by SuperDre; Jul 13th, 2017 at 09:22 AM.

  2. #2
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    These "malware signature" patterns usually involve a little bit more.

    Sadly so many miscreants are using VB6 that just being detected as a compiled VB6 program gets you a lot of "demerits" as your program gets scored for flagging. Deleting multiple files in succession might also be a trigger, though I'd doubt MDB files would be considered special. You just never know.

    But usually there is something else going on in a program to put it over the limit, scoring too many demerits to go unflagged. Anything that looks like a compressed file within a resource gets you a point or two, any resource clearly a PE file (EXE, DLL, etc.) gets you a point or two. Use of certain DLLs get you a point or two, and so on.

    I've heard that some antimalware scores a VB6 p-code EXE "safer" but so far that's rumor.

    You can't really know what things count against a program. That's the point, otherwise people would "game" the detection even more than they do now.

  3. #3

    Thread Starter
    Addicted Member
    Join Date
    Mar 2009
    Posts
    244

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    I got it on our business application, and wrote a small test application which is really nothing more than the standard EXE project (no extra references and compiled to native code), and no manifests or something like that.

    It also happens from within the VB6 IDE, LOL.

    Well I tried it on .CDF files and it wasn't a problem, used .MDB files and it was put into quarantine (our businessapplication uses many MDB files and users can delete and create them on the fly).

    But you're right, who knows what more 'points' trigger it. I just created this topic as a warning. I've contacted our IT person to let him report it to Trend Micro, as I needed too many information which I didn't have to put in a support request with Trend Micro. (So I think that report won't ever happen). And I didn't know if it also happens with the consumer version, otherwise I could have reported it through the consumer support.

  4. #4
    Frenzied Member
    Join Date
    Apr 2012
    Posts
    1,253

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    Weren't Trend Micro's earlier versions of their apps coded in VB6? The betrayal!
    If you don't know where you're going, any road will take you there...

    My VB6 love-children: Vee-Hive and Vee-Launcher

  5. #5
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    CDF files? Are these something else or just MDB files named as *.CDF?

    The Jet 4.0 OLE DB Provider will accept funky extensions just fine. It seems a bit weak for antivirus software to trigger simply based on file extension for something like this but I guess I can see it being done.

    Having no manifest generally gets you demerits from the hints I've read at one vendor's support site (they are always cagey about details). Signed code usually counts in your favor, but that isn't always practical and there are so many baddies signing code these days it is beginning to become less of a mark of trust. It used to be far harder to get a code signing certificate, now there is little requirement but to fork over a bit of cash.

  6. #6

    Thread Starter
    Addicted Member
    Join Date
    Mar 2009
    Posts
    244

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    CDF files were just an example (they are just comma separated files for some accountancy application).
    I think Trend Micro checks when specific filetypes are deleted, like .MDB, cause when I renamed the CDF files to MDB and then deleted them it was put into quarantine.
    To me Manifests are only a hassle, they add nothing really special, any malware can add manifests, and you are right, signing your application isn't anything special anymore (we still don't do that, yeah, I know, we're 'lazy', but that's our managers choice).

  7. #7
    New Member
    Join Date
    Jul 2017
    Posts
    9

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    I have just run into this problem and confirm it doesn't seem to discriminate on file type. It has more to do with the executable file taking the action of quick multi-file deletes. Trend has quarantined my exe, tagging it as an "unauthorized file encryption". So, whenever I try to delete 3 files or more in quick succession, the exe crashes and trend removes it from it's installed folder (quarantines it). Still working on how to get around this.

    Kevin

  8. #8
    Fanatic Member
    Join Date
    Jan 2013
    Posts
    894

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    wait, are you signing the app EXE files?, because if unsign the app will be flagged from the bare beginning.

    Unsign software overall VB6 will trig all kind of alarms, do not matter what!.

    But anyway, by example, AVAST runs in sandbox my signed updater, and as the updater checks the MD5 of all file in the same directory checking for updates, sometime it gets flagged, and AVAST says, this file has suspicious behaviour, quarentine it, auto sent to "laboratory", just for hours later say "This files is clean", "Thanks for collaborating, blah blah blah".

    Also, when I move the MSINET.OCX from HTTP queries to FTP , It hits lots of firewall/routing/security barriers, it is sad, but I did lots of works changing to ftp, and it is worse than HTTP and only having problem with WEB-CACHES!, now I have problems with everything.

    The FTP automation from MSINET.OCX, don't works on half customer's networks.... I run in a lot of problems.

    Before with HTTP, I just set a letter saying "Just disable thunder-caché or any other web-cache for a moment", and that was the only worry.
    Last edited by flyguille; Jul 14th, 2017 at 10:51 AM.

  9. #9
    New Member
    Join Date
    Jul 2017
    Posts
    9

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    flyguille, I don't understand "signing the app". Please explain. BTW, this only happens on certain machines and they all run the same app.

  10. #10
    Fanatic Member
    Join Date
    Jan 2013
    Posts
    894

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    Quote Originally Posted by jaugernautkp1 View Post
    flyguille, I don't understand "signing the app". Please explain. BTW, this only happens on certain machines and they all run the same app.
    When you distribute software is suppose it to have your digital signature, so security programs can thrust you, if your real life profile is CLEAN, so signing files as "made by you" allows all security apps to relax!. And you don't enter in that kind of trouble.

    Also when the customer download your software, the EXECUTION WARNING says, "this EXE is from $$$$$ company, or $$$$$$$$$$$(your name)$$$$$$ editor, if you thrust him,, run it!. ELSE case, it says THIS FILE IS FROM UNKNOW SOURCE WAAAAAAAAAAAAARNING , DONT RUN IT!.

  11. #11
    Fanatic Member
    Join Date
    Jan 2013
    Posts
    894

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    To become a software editor you needs to provide your real life paper, personal papers, and/or business papers, to an certificating authority, are global authorities, I am authorized by COMODO, and use the K-SOFTWARE app for signing my files, the app is just a wrap for the microsoft sign tool (which is command line). Oh, and it costs like 99 US$ per year. It is like your global license as a programmer.

    But if your apps are doing profit, you are selling it, it is a must have. Don't matter which language you are using, your app will be mark as suspicious if unknow source (not signed).

    Warning, if in real life you had or have a business, any kind, you probably already have a D.U.N.S. record, if you didn't it, don't worry, your goverment or your bank did it!.

    And most probably your DUNS record is outdated, incompleted, etc. So if the authority certificating finds that you have that record, they will asks to upgrade it with your current information, like address or telephone number (landline). Etc. This is a office headache, that can go about two or three weeks.

    When the Duns&Bradstreet organization sent to you your DUNS certificate, then you can forward it to the COMODO certificating authority.
    Last edited by flyguille; Jul 14th, 2017 at 11:24 AM.

  12. #12
    Fanatic Member
    Join Date
    Jan 2013
    Posts
    894

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    The good side? you will be known internationally with a business record!, generating trust in the financial market about you. And is something more that you can set in your Curriculum.

  13. #13
    New Member
    Join Date
    Jul 2017
    Posts
    9

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    Thanks flyguille. I'm a novice programmer at absolute best and definitely do not consider myself a "software editor", so digitally signing my apps would not be something I'd want to delve into. My apps are simple for use within my small group to improve efficiency only. With that said, I'll research this more and perhaps consider it in the future. For now, I am focusing on finding out why Trend antivirus tagged my app on my machine and not others. This app has been running under Trends antivirus for quite a while successfully and only recently has been tagged, so perhaps a recent Trend update has triggered this behavior.

  14. #14
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: FYI: Trend Micro quarantines VB6 applications which use 'Kill' multiple times

    Most likely Trend Micro did change their database of detection heuristics recently. This is probably in reaction to a new threat they discovered.

    These products tend to look for a lot of things, from runs of byte values within a program to its pattern of use of certain operations. Some things like being a VB6 program automatically earn you some number of demerits as a possible suspect, so it only takes a few more suspicious things to put you over the limit.

    Even adding a simple manifest marking your EXE as non-legacy with "asInvoker" can take a few demerits off. Example:

    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"
     xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
      <assemblyIdentity name="Bil.Mar.Farms.AR.DailyRpt" processorArchitecture="X86"
       type="win32" version="3.7.0.362" />
      <asmv3:trustInfo>
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="false" />
          </requestedPrivileges>
        </security>
      </asmv3:trustInfo>
    </assembly>
    But note that unless it is embedded most anti-malware ignores an application manifest. An external manifest may even gain you a demerit.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width