Re: A very interesting thing that happens to me

2021-02-06 Thread AudioGames . net Forum — Developers room : camlorn via Audiogames-reflector


  


Re: A very interesting thing that happens to me

I don't remember how to get to it, but Defender does at least tell you that it deleted a file, and I'm pretty sure it does also give you some sort of further information.  It's called quarantining, I believe.  But it's behind like 5 panels in settings and you'd have to dig for it.

URL: https://forum.audiogames.net/post/613308/#p613308




-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector


Re: A very interesting thing that happens to me

2021-02-06 Thread AudioGames . net Forum — Developers room : thggamer via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Some antivirus programs, when you open their interface, show a description of why the file was deleted. I don't remember if Windows Defender has this feature, but it would be worth to see if it has written something about why it deleted the file (the virus name, description, etc).

URL: https://forum.audiogames.net/post/613240/#p613240






Re: A very interesting thing that happens to me

2021-02-06 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

I will try downloading different executables like Hello World to see where the problem is. Then I will try to compile the program line by line to check at which point defender starts complaining.

URL: https://forum.audiogames.net/post/613221/#p613221






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : camlorn via Audiogames-reflector


  


Re: A very interesting thing that happens to me

I also find it odd.  I just don't find it, I guess, mysterious?  Sometimes AV software just decides it doesn't like you.  I have had to let lots and lots of programming tools through over the years.  Npm, Node, docker.  Even WSL a couple times, despite that being *by* Microsoft.  I don't think that I've ever had it go so far as to quarantine the downloaded file, but coding this kind of thing is totally the kind of thing where it might decide to do exactly that.

The key difference between Goldwave and this is the scope, though.  Saying "oh, it downloads an executable" isn't the point I'm making; the point I'm making is it downloads an executable that happens to have a *lot* of code that otherwise looks like a virus inside.  Saying "but other autoupdaters work" is missing my point entirely.  The only difference between a screen reader and a credit card stealing keylogger is that your screen reader isn't uploading stuff.  If pointing these programs at non-NVDA executables also makes the behavior happen then it's probably Nuno's machine in some way (maybe they've got a second AV and have forgotten about it, for example).

But specifically to Nuno: this probably isn't a programming problem.  Dealing with this problem and many others is why companies who write remote access IT troubleshooting software make lots and lots of money, and you shouldn't in any way feel bad about not being able to solve it.

URL: https://forum.audiogames.net/post/613145/#p613145






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@20, it's not wasting our time, at least it isn't for me. I actually find it quite odd.

URL: https://forum.audiogames.net/post/613140/#p613140






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

I am sorry to waste your time. I just found this amusing and interesting. I still try to fight this problem to at least understand it. I will try to rewrite this in more programming languages to see whether it is a common problem.

URL: https://forum.audiogames.net/post/613138/#p613138






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@18, that makes absolutely no sense though. If I wget NVDA from the official website, it's not flagged. How is this program any different from wget'ing or curl'ing the same file? This program is no different to wget  && unzip nvda.exe && .\nvda\nvda.exe. So there's absolutely no reason it should be being flagged. Again, I refer you back to an updater for (say) GoldWave. GoldWave downloads a new executable binary of the setup program (which probably isn't signed). It then asks if you'd like to run it. You click okay. It runs. Defender never complains.

NVDA downloads a setup program (which is just a fancy zip file converted into a special executable) and runs it. Again, no flag. So, again, how is this any different other than this code downloading a zip file and extracting it before running the process?

The only other difference between NVDA's update sequence and this program is that NVDA doesn't extract the setup file, but runs a separate program (the setup file) which performs the extraction, whereas this code downloads a zip file and performs the extraction inline. That shouldn't be a reason to go "Hey this is a virus, delete delete delete".

URL: https://forum.audiogames.net/post/613128/#p613128





Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : camlorn via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@17

My point is that NVDA does.  Program a downloads program b.  Program b does all the things a virus would do.  Problems result.  That's not surprising to me.

What may be surprising (and is unclear on a skim) is if this also happens if he downloads other executables.

But in any case there's not much that can be done unless he's willing to buy code signing certificates, regardless of anything else we might or might not say.

URL: https://forum.audiogames.net/post/613123/#p613123






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@16, he's posted the code. None of his code sends any of those messages or calls SetWindowsHook/SetWindowsHookEx. I'm not sure what code you're reading but it's not the code in this topic. If he called SetWindowsHookEx I would've asked about that way earlier. He also doesn't get his code to execute in other processes. He starts a process -- nvda.exe -- but does not use shellcode or any techniques that viruses might use. I'd love to read the code that you're getting that from, because if it's from NVDA, then yes, NVDA does call those functions... But by that logic, NVDA is a virus. Hell, by that logic every screen reader is a virus. Naturally, such a conclusion is false. If it weren't, it wouldn't be as popular as it is.

Furthermore, as I said, his wording implies that it's his app that's getting deleted. Perhaps both the zip file and the binary are being deleted, or perhaps it's NVDA that's getting deleted; but either way, the deletion still doesn't make sense because if his .zip file is a portable copy of NVDA, the code signing transfers with the binary. It's embedded in the binary. Wherever the binary goes, the signature goes with it. And I'm pretty positive that NVDA is signed.

If NVDA Remote and such weren't signed, then Defender would only delete those particular binaries and not the entire download. That is assuming, mind, that the deletion occurs *after* the extraction. If his wording is correct, deletion occurs before the downloader is even able to begin downloading the archive, so there's something else weird going on.

URL: https://forum.audiogames.net/post/613119/#p613119





Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : camlorn via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@14

Very few things start sending WM_GETOBJECT around, calling SetWindowsHookEx, and arranging for parts of their code to run in other processes.  If that isn't the definition of a virus from the perspective of automated processes I don't know what is.

Antiviruses also examine system activity.  Unsecured http urls to weird domains could trip it.  I'm not sure how we'd find out if that's the case or not.  But I wouldn't be so quick to dismiss it unless you've got a good source saying that it's not considered.

URL: https://forum.audiogames.net/post/613109/#p613109






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Fun thing: if I run the file "a.exe", the PBN executable is not flagged. But if I run "a\b.exe", it gets flagged and deleted. Of course, both a and b do not exist.

URL: https://forum.audiogames.net/post/613100/#p613100






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@13, I considered that but as I noted in my post I rejected that theory because the security of a protocol (either HTTP or others) isn't considered by the majority of AV software (it would most likely be considered by the .NET framework itself). The use of an insecure HTTP URL is suspicious, I'll give you that, but it's still not really an argument for the executable file being completely deleted. Furthermore, I have NVDA Remote and Malwarebytes has yet to remove NVDA from my system. Defender relying purely on whether code has been signed or not seems illogical and downright stupid, especially considering that code signing protection can be disabled.

Similarly, the argument of a domain being blocked doesn't make sense either; if it were being blocked the binary would still be allowed to run but it wouldn't be allowed to connect to the domain. From what the OP is saying, it sounds like the file, remote.exe, is itself being erased, not NVDA.

Finally, the system calls argument doesn't make sense either. What specific system calls would need to execute? I'm kinda confused on this particular argument.

Edit: also, Windows syscalls are very wordy. "NtAccessCheckByTypeResultListAndAuditAlarmByHandle"? "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter"? And people say that Java is wordy...

URL: https://forum.audiogames.net/post/613094/#p613094





Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : camlorn via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Skimming, I don't see anyone asking if the server you're downloading from is HTTPS with a valid certificate.  I would start there.

My money is on your program tripping antivirus because your program isn't signed and it's downloading/trying to run something that wants to make a bunch of system calls that are used only by screen readers and viruses.  This will be especially fun if his copy does contain unsigned code.  Unspoken, Objsounds, NVDA Remote, etc. all contain unsigned dlls, as do many others.  If you also add a non-secure connection into the mix, that's going to be extra fun, and also domains themselves can be used to flag viruses as well, so if his domain got associated with one then that's even more fun on top.

Even if you get the program working, I wouldn't expect it to work reliably.  I don't mean that as "you're a new programmer".  I mean that as in I couldn't write this myself and expect it to work most places without shelling out for a very expensive yearly subscription to get a code signing certificate, and even then that's only going to be good for like 90% of the time.  This probably can't be done reliably enough to run a business around as a couple IT people in a metaphorical basement.  Even if you get it working with Defender, the next person with a different antivirus that it trips won't be so easy.

URL: https://forum.audiogames.net/post/613086/#p613086




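
Two points in the thread can be checked directly on the affected machine rather than argued about: camlorn's note that Defender keeps a record of what it quarantined and why, and Ethin's point that the Authenticode signature lives inside the binary and travels with it (so any unsigned add-on DLLs of the kind camlorn lists will show up as unsigned after extraction). The PowerShell script below is an added example, not code from the thread; the extraction folder path is an assumption, and Get-MpThreatDetection may need an elevated prompt.

```powershell
# Added diagnostic (not from the thread). Assumes Windows 10/11 with the Defender
# PowerShell module, and that $ExtractDir is where the downloader unpacked NVDA
# (the default path below is an assumption; pass your own).
param(
    [string]$ExtractDir = "$env:USERPROFILE\Downloads\nvda",
    [int]$Days = 7
)

# 1. What did Defender actually do, and to which file?
#    Each detection record carries the affected resources (e.g. "file:_C:\...\remote.exe"),
#    the process that touched them, and a ThreatID that Get-MpThreat resolves to a name.
$since = (Get-Date).AddDays(-$Days)
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Write-Host "Defender detections in the last $Days day(s):"
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            When      = $_.InitialDetectionTime
            Threat    = $threatNames[$_.ThreatID]
            Resources = ($_.Resources -join '; ')
            Process   = $_.ProcessName
            Succeeded = $_.ActionSuccess
        }
    } | Format-Table -AutoSize -Wrap

# 2. Which of the extracted binaries carry a valid Authenticode signature?
#    The signature is embedded in the PE file, so it survives download and extraction:
#    a file reported NotSigned was never signed by its publisher, HashMismatch means the
#    file was modified after signing, NotTrusted means the signer's chain is not trusted.
if (Test-Path $ExtractDir) {
    $root = (Resolve-Path $ExtractDir).Path
    $report = Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName.Substring($root.Length).TrimStart('\')
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }

    Write-Host "Signature status of binaries under $root :"
    $report | Sort-Object Status, File | Format-Table -AutoSize -Wrap

    $unsigned = @($report | Where-Object { $_.Status -ne 'Valid' })
    Write-Host ("{0} of {1} binaries lack a valid signature." -f $unsigned.Count, @($report).Count)
}
else {
    Write-Host "Extraction folder '$ExtractDir' not found; pass -ExtractDir <path>."
}
```

If the Resources column names the downloader itself rather than anything under the extraction folder, the detection happened on the downloader's own file, which is what Nuno's "even before execution" report describes.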


Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : nidza07 via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Hmm, is the program what gets flagged, or NVDA itself? Because if it's NVDA; if his copy includes remote, that's why.

URL: https://forum.audiogames.net/post/613064/#p613064






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

It does even before execution.

URL: https://forum.audiogames.net/post/613059/#p613059






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Dragonlee via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Just a small thought: if you run the program as administrator, does Defender still flag it?

URL: https://forum.audiogames.net/post/613056/#p613056






Re: A very interesting thing that happens to me

2021-02-05 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Yeah, thank you, Microsoft. Is there anything I can do, or should I tell my friend that he should find a better programmer?

URL: https://forum.audiogames.net/post/612981/#p612981






Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Okay, so I updated my ClamAV database and ran the following command:

    clamscan --verbose --archive-verbose --bell --allmatch=yes --bytecode=yes --bytecode-unsigned=yes --detect-pua=yes --detect-structured=yes --structured-ssn-format=2 --structured-ssn-count=1 --structured-cc-count=1 --scan-mail=yes --phishing-sigs=yes --phishing-scan-urls=yes --heuristic-alerts=yes --heuristic-scan-precedence=yes --normalize=no --scan-pe=yes --scan-elf=yes --scan-ole2=yes --scan-pdf=yes --scan-swf=yes --scan-html=yes --scan-xmldocs=yes --scan-hwp3=yes --scan-archive=yes --alert-broken=yes --alert-encrypted=yes --alert-encrypted-archive=yes --alert-encrypted-doc=yes --alert-macros=yes --alert-exceeds-max=yes --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes --disable-cache remote.exe

And it yielded nothing. (Yes, I included arguments that were already enabled and some which weren't necessary, but this is generally what I use to scan files, minus the --verbose and --archive-verbose options.)

URL: https://forum.audiogames.net/post/612903/#p612903





Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@Kyleman Nah, it's not that simple. He often helps people whose knowledge about computers ends at pointing at an icon and clicking it. And he does so remotely.

URL: https://forum.audiogames.net/post/612872/#p612872






Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector


  


Re: A very interesting thing that happens to me

Kay, let's do it.

https://drive.google.com/file/d/1CsKiiS … sp=sharing

URL: https://forum.audiogames.net/post/612867/#p612867






Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector


  


Re: A very interesting thing that happens to me

@4, I disagree. This technique (downloading files, extracting them, and running processes) is not so different from how autoupdaters work. An autoupdater needs only to download an executable binary and run it via an invocation method like the one displayed here. By that logic, autoupdaters are also malicious and should be flagged by Defender, something that we haven't seen a case of. I significantly doubt that is the culprit. Similarly, I doubt the use of an insecure protocol (though that may be a contributing factor) is an actual problem, though it is not best practice.

@OP, do you mind uploading a copy of your compiled binary? I can run it through ClamAV (and perhaps you can run it through VirusTotal as well) to see what they see.

URL: https://forum.audiogames.net/post/612861/#p612861





Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Kyleman123 via Audiogames-reflector

If it walks like a duck and quacks like a duck, then it must be a duck, right? Usually yes, but with tech it's harder. You are showing a lot of very tell-tale signs of malware.

1. Get into target system.
2. Ping back to a central server.
3. Download malicious payload.
4. Extract and run.

If this person owns their own server, they can easily set up SSH, VNC, or any of a myriad of other remote solutions to download this copy of NVDA. Then they can run it themselves, not some random unsigned program that may or may not be malicious.

URL: https://forum.audiogames.net/post/612854/#p612854



Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector

I know the code is horrible, yet it has to work well, not to be good.

    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.IO;
    using System.IO.Compression;
    using System.Linq;
    using System.Net;
    using System.Text;
    using System.Threading.Tasks;

    namespace RemoteHelper
    {
        class Program
        {
            static void Main(string[] args)
            {
                WebClient w = new WebClient();
                Console.WriteLine("Sprawdzanie środowiska pod kątem istnienia poprzedniej wersji programu...");
                // An earlier extraction already exists: launch it elevated and stop.
                if (Directory.Exists("nvda"))
                {
                    Process p2 = new Process();
                    p2.StartInfo.FileName = "nvda\\nvda\\nvda.exe";
                    p2.StartInfo.Verb = "runas";
                    p2.Start();
                    return;
                }
                Console.WriteLine("Trwa pobieranie plików pomocy zdalnej.\nW zależności od prędkości Twojego łącza internetowego może to zająć kilka minut...");
                // Download the archive over plain HTTP, extract it, and launch the extracted NVDA elevated.
                w.DownloadFile("http://violinist.pl/nvda.zip", "nvda.zip");
                Console.WriteLine("Plik został pobrany. Trwa uruchamianie pomocy zdalnej.");
                ZipFile.ExtractToDirectory("nvda.zip", "nvda");
                Process p = new Process();
                p.StartInfo.FileName = "nvda\\nvda\\nvda.exe";
                p.StartInfo.Verb = "runas";
                p.Start();
                return;
            }
        }
    }

URL: https://forum.audiogames.net/post/612847/#p612847



Re: A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Ethin via Audiogames-reflector

What exactly does your code do to run NVDA in the extracted form?

URL: https://forum.audiogames.net/post/612834/#p612834



A very interesting thing that happens to me

2021-02-04 Thread AudioGames . net Forum — Developers room : Nuno via Audiogames-reflector

My friend wanted me to write him a simple program that will download his prepared copy of NVDA from his server and launch it. If I make the program launch the file from its directory, it's all fine, yet when I extract NVDA to a directory and launch it, Defender starts flagging my file to the point where I cannot even compile it. I mean, I can compile, but I don't manage to test because the program is eaten by the Great Brother.

I tried with two programming languages (C# and PureBasic), and both of them behave in the exact same way. WTH is happening here?

URL: https://forum.audiogames.net/post/612833/#p612833
