VOGONS


Google Safe Browsing Advisory


First post, by franpa


Your website triggers a warning from Google Safe Browsing, just thought you should be made aware of it. I navigate to the website using the latest Firefox under Windows 10 x64.

AMD Ryzen 3700X | ASUS Crosshair Hero VIII (WiFi) | 16GB DDR4 3600MHz RAM | MSI Geforce 1070Ti 8GB | Windows 10 Pro x64.


Reply 2 of 22, by Dege


I'm aware of it, although I don't 'experience' it myself because I ditched Chrome long ago.

Firefox == Chrome == Google Sh*t Browsing API (so Firefox is also a no-go for me)

Google uses the same set of AVs as VirusTotal, or it relies on VirusTotal itself directly, I don't know, but this set of AVs contains a lot of no-name pure crap with a large false positive rate.
According to my experience, if about one third of the AVs report a file as malware then Google red-flags the site.

That's why dege.freeweb.hu is in fact intermittently but continuously red-flagged, and I've got tired of it. If I could get rid of Google completely, I'd do that with pleasure.
I either make the zip files of 2.63.1 password-protected (very lame) or just don't care about what google says. 😐

Reply 3 of 22, by Dege


I found a "nice" (or, let's just say: retard) analysis of dgVoodooCpl:

https://hybrid-analysis.com/sample/b8d28c0d5a … vironmentId=100

Beware!!! dgVoodooCpl is very very dangerous, its threat rate is 91/100.

Let's just see some of the gems (suspicious indicators) of the analysis. It's so annoying by now that I'm not going to speak politely here:

Anti-Reverse Engineering
PE file has unusual entropy sections
details: .rsrc with unusual entropies 7.11796850266
source: Static Parser
relevance: 10/10

I don't know how entropy as a measure is defined and what formula it's calculated by, but I guess the id**ot found the uncompressed logo BMPs (that are much larger than a simple 32x32 icon) and "they don't look" like typical code, JPEG or some other type of data in which the values of consecutive bytes follow a more "random" pattern.

Relevance: 10/10 !!!

Environment Awareness
Possibly tries to implement anti-virtualization techniques
details:
"DosBox' or 'QEmu'.
; EnableGDIHooking: If enabled then dgVoodoo hooks GDI to be able to render graphical contents
; (like movie playback through the ancient Windows Multimedia AVI player library)
; rendered through GDI - experimental feature, for the time being it's implemented
; only for DX emulation

DesktopResolution = %s
DesktopBitDepth = %s
DeframerSize = %s
ImageScaleFactor = %s
DisplayROI = %s
Resampling = %s
FreeMouse = %s
WindowedAttributes = %s
Environment = %s
EnableGDIHooking = %s

;--------------------------------------------------------------------------

[Glide]

; VideoCard: "voodoo_graphics", "voodoo_rush", "voodoo_2", "voodoo_banshee", "other_greater"
; OnboardRAM:" (Indicator: "qemu")
"qemu" (Indicator: "qemu")
"QEmu" (Indicator: "qemu")
"; or can be set to 'DosBox' or 'QEmu'." (Indicator: "qemu")
source: String
relevance: 4/10

"Possibly tries to implement anti-virtualization techniques."
Uhmmm, WTF??? Just because a string of 'DosBox' or 'QEmu' found??

Relevance: 4/10 (congrats, you ****)

Reads the active computer name
details: "dgVoodooCpl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
source: Registry Access
relevance: 5/10
ATT&CK ID: T1012

No, it doesn't. Maybe indirectly through a standard Windows API, like when it queries the current user's roaming folder, where the dgVoodoo file is searched for by default.

Relevance: 5/10!!!

Contains ability to find and load resources of a specific module
details: FindResourceW@KERNEL32.dll, LockResource@KERNEL32.dll
source: Hybrid Analysis Technology
relevance: 1/10

Yes, it loads its own resources from the .rsrc section, you id**ot.
Thank God, Relevance is only 1/10.

Network Related
Found potential IP address in binary/memory
details: "2.63.0.0"
source: String
relevance: 3/10

2.63.0.0 as a potential IP address. Hmm... need to say anything here beside ***** ** * *******?

Relevance: 3/10

Unusual Characteristics
Imports suspicious APIs
details:
LoadLibraryW
LoadLibraryA
LockResource
CreateDirectoryW
GetProcAddress
GetFileSizeEx
GetModuleFileNameW
WriteFile
GetModuleHandleW
FindResourceW
CreateFileW
CreateFileA
FindWindowExW
source: Static Parser
relevance: 1/10

"Unusual Characteristics + Imports suspicious APIs "
So, the most common APIs like LoadLibrary, GetProcAddress, CreateFile and such are suspicious and unusual…
You poor ******** windows-guru.

Relevance: 1/10

Reads information about supported languages
details: "dgVoodooCpl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
source: Registry Access
relevance: 3/10
ATT&CK ID: T1012

No, it doesn't. Maybe through some standard Windows API. But even if it did, then what?

Relevance: 3/10

Contains PDB pathways
details: "D:\Dev\dgVoodoo_2.6x\Bin\Win32\Release\dgVoodooCpl.pdb"
source: String
relevance: 1/10

Yes, it's written there by the linker itself, you *****. In order to find the .pdb file when you want to debug the application.

Relevance: 1/10

Scanning for window names
details: "dgVoodooCpl.exe" searching for class "DGVOODOOCOMM"
source: API Call
relevance: 10/10
ATT&CK ID: T1010

Yes, because it can communicate with running instances of dgVoodoo-wrapped processes. This one could be justifiable, but DGVOODOOCOMM is not a standard window-class name, not even one from some popular Windows software or sg like that. So, where is the risk?? How many pieces of malware have you encountered in your life scanning for DGVOODOOCOMM, you ****?

Relevance: 10/10

Connects to LPC ports

Dropped files
details: "dgVoodoo.conf" has type "ASCII text with CRLF line terminators"
source: Extracted File
relevance: 3/10

:DDDDDDD What a threat!!!!!

Relevance: 3/10!!!!

Touches files in the Windows directory
details:
"dgVoodooCpl.exe" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
"dgVoodooCpl.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"dgVoodooCpl.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"dgVoodooCpl.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
source: API Call
relevance: 7/10

No, it doesn't. Again, maybe Windows itself when calling into some standard Windows API. Your shit sandboxing environment can't tell where the call is coming from?

Relevance: 7/10

Found potential URL in binary/memory
details:
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://www.benshoof.org/blog/minicrt"
Pattern match: "https://github.com/GPUOpen-Tools/common-src-S … ree/master/DX10"
Pattern match: "benshoof.org/blog/minicrt"
source: String
relevance: 10/10

Yes, so it's for sure that dgVoodooCpl phones home and sends the collected keylogs to GitHub or Microsoft...
If your analyzer is thought to be so advanced and hyper-super then it could analyze the URLs themselves, at least if they are very well-known, common and excludable ones, or some other 'random'-nonsense ones (you could use your crap entropy calculation here), or they are in a database or sg like that.

Relevance: 10/10 (congrats again, you moron)

System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
details: "dgVoodooCpl.exe" opened "\Device\KsecDD"
source: API Call
relevance: 10/10
ATT&CK ID: T1215

No, it doesn't. For the n+1th time: maybe through some standard Windows API.

Relevance: 10/10

Summarized, to be absolutely "safe", I shouldn't include uncompressed BMP(!) files amongst the resources because these hyper-advanced modern AV analyzers cannot recognize them (only their suspicious entropy), I shouldn't include a version number because that's a potential IP address, I shouldn't use any regular Windows API like CreateFile or LoadLibrary and I shouldn't mention URLs in the About dialog, and not even evil CR-LFs that could fly at your throat.
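Dege's guess about the entropy indicator is testable. The Python below is an added example, not code from dgVoodoo or from Hybrid Analysis: it computes Shannon entropy, H = -sum p(b) * log2 p(b) over the byte histogram, for every section of a PE image, walking the COFF section table itself so no third-party module is needed. The PE image, its section names and the three payloads (a code-like section, an uncompressed bitmap-style .rsrc and a packed-looking UPX1 section) are constructed inline for the example, and the 7.0 flagging threshold is an assumption, not the sandbox's real rule.

```python
"""Per-section Shannon entropy of a PE image (added example, constructed data)."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each entry of the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                # section table follows the optional header
    for i in range(n_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = hdr[3], hdr[4]                        # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_report(image: bytes, threshold: float = 7.0) -> dict:
    """{name: (entropy, flagged)}; 'flagged' mimics a bare high-entropy heuristic (assumed threshold)."""
    report = {}
    for name, raw in pe_sections(image):
        h = shannon_entropy(raw)
        report[name] = (round(h, 3), h > threshold)
    return report


def build_toy_pe(sections) -> bytes:
    """Assemble a minimal, parseable (not loadable) PE image from [(name, raw_bytes)]."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 0  # no optional header: enough for the section-table walk above
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table_off = pe_off + 4 + len(coff) + opt_size
    raw_off = table_off + 40 * len(sections)
    headers, body = b"", b""
    for name, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, "\0").encode(), len(raw), 0x1000,
                               len(raw), raw_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + headers + body


# Constructed payloads (not dgVoodooCpl's bytes): x86-looking code drawn from a tiny
# byte vocabulary, a 192x64-byte gradient "logo" standing in for an uncompressed 24-bit
# bitmap, and pseudo-random bytes standing in for a packed section.
_rng = random.Random(1)
TEXT = bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x00\xff\xc3") for _ in range(4096))
RSRC = bytes((x * 7 + y * 13) & 0xFF for y in range(64) for x in range(192))
UPX1 = bytes(_rng.getrandbits(8) for _ in range(4096))
TOY_PE = build_toy_pe([(".text", TEXT), (".rsrc", RSRC), ("UPX1", UPX1)])

if __name__ == "__main__":
    for name, (h, flagged) in section_report(TOY_PE).items():
        print(f"{name:8s} entropy={h:.3f} {'FLAGGED' if flagged else 'ok'}")
```

A raw bitmap with gradients spreads its pixel bytes over most of the 0..255 range and lands in the same neighbourhood as the 7.1 reported for dgVoodooCpl's .rsrc, while compressed or packed data sits close to 8.0, so a bare entropy threshold cannot distinguish a logo from a packer stub. Section names are the cheaper tell: a UPX-packed file carries UPX0/UPX1 sections, which a scorer can read off the same table.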

Reply 6 of 22, by Dege


I don't like it. Actually, I switched to Edge when the early betas came out.
Firefox, as another (common) alternative, also seems to be a great browser, but unfortunately it relies on the Google Safe Browsing API too, that's why I said that it's a no-go for me.
But it's just my preference, nothing more (no flamewar intended).
Or, I'd say, my main point is: Microsoft, unlike Google, has its own AV software so I can submit my releases for analysis if needed. I cannot do that with Google, the appeal doesn't lie there.

Reply 7 of 22, by CrossBow777


For the record I use Chrome and I'm NOT getting any warning messages about Vogons on my end. I do have another forum I visit frequently that does trigger a Chrome warning but I just click "go to site" anyway and still truck on. BTW that site has figured out that what is triggering it is something in the WordPress code as a whole on their end and they aren't PHP/HTML experts so they aren't sure where the issue is exactly or how to patch it out.

But to state again, I'm not getting any warning for Vogons on my PC.

Midi Modules: MT-32 (OLD), MT-200, MT-90, SD-20

Reply 8 of 22, by konc

CrossBow777 wrote on 2020-02-29, 14:51:

For the record I use Chrome and I'm NOT getting any warning messages about Vogons on my end. […]

This thread is in the dgVoodoo subforum and is about Dege's site, not vogons

Reply 10 of 22, by Stiletto

willow wrote on 2020-02-29, 16:43:

If you use Google and write dgvoodoo as a keyword, Dege's website doesn't appear anymore. With Qwant, it's the first answer.

Eh? Works fine here. https://www.google.com/search?q=dgvoodoo

"I see a little silhouette-o of a man, Scaramouche, Scaramouche, will you
do the Fandango!" - Queen

Stiletto

Reply 11 of 22, by dr_st


Dege, I do want to ask. Developers all over the world use standard Windows APIs, include version numbers in their binaries, and probably uncompressed graphics as resources. What makes your program special that it triggers all these false positives time after time again?

Reply 12 of 22, by Falcosoft

dr_st wrote on 2020-03-02, 08:57:

...
What makes your program special that it triggers all these false positives time after time again?

It's not special at all. This is a common problem that affects many small developers. E.g:
http://blog.nirsoft.net/2009/05/17/antivirus- … all-developers/
https://coolsoft.altervista.org/en/blog/2018/ … mall-developers
I also regularly have to fight with different anti-virus engines with my MidiPlayer:
Re: Falcosoft Soundfont Midi Player
The Bass/Bassmidi libraries are also regularly flagged as malicious:
http://www.un4seen.com/forum/?topic=17835.msg … 25251#msg125251

So I think the problem is not Dege's 'special' program but:
1. Nowadays AV engines are overly paranoid. They think 100 false positives are still better than 1 false negative and make the life of small developers very hard. E.g. 'reputation-based' heuristics are a joke. They are used even by Microsoft's SmartScreen filter. It's a Catch-22 for small developers. The program is flagged as malicious just because it's not used by many others. That's it. But how can a program be used by many others when it's flagged/deleted right after it's released?

2. In case of many AV engines if you are not a Microsoft sized company you have absolutely no chance of reporting false positives:
https://www.reddit.com/r/antivirus/comments/6 … alse_positives/

3. Google invites more and more AV engines to Virustotal without checking if there are any possibilities to report them false positives.
The newer ones typically do not have any reporting forms (not even public emails), but even if one has, with more and more 'independent' AV vendors it becomes a nightmare to report false positives to each vendor one by one. Google/VirusTotal should have a more small-developer-friendly workflow to handle false positives.

4. Google gives absolutely no feedback on what exactly Google's problem with your site/downloads is. You can shoot blindly in the dark to find out what triggered the Safe Browsing alert. Even if Dege handled all the problems reported by this Falcon Sandbox there is absolutely no guarantee that it changes Google's opinion about his site/download.
If you have Developer's Console (it was called Webmaster's Tools before) you usually can see the name of the problematic file on your site and you can request a re-review. But there is no other help and Google literally NEVER responds to your messages/questions.

@Dege: I have seen your exe uses UPX compression. According to my previous experiences a UPX-compressed executable has a much greater chance to trigger false alarms.


Reply 13 of 22, by dr_st


From reading those links, I think it's more than just being a small developer with a small user base. I can understand that as a small developer, if you get flagged, it's harder to get unflagged. But something must be flagging things in the first place. Or are you suggesting that these AV heuristics are nothing other than a bunch of whitelists and everything not on it gets flagged? This doesn't seem true.

From what I see, executable compression is often marked as suspicious, as well as software that looks at or does anything with keys and passwords (like Nir Sofer's stuff).

Reply 14 of 22, by Falcosoft

dr_st wrote on 2020-03-02, 16:13:

Or are you suggesting that these AV heuristics are nothing other than a bunch of whitelists and everything not on it gets flagged? This doesn't seem true.

It's definitely true for reputation-based heuristics but no, generally I'm just suggesting that many AV engines use some dumb static pattern matching. These pattern matching processes usually do not even consider context (not to mention execution) and typically punish compilers, compressors, tools and arbitrary byte sequences blindly.
Just out of curiosity I decompressed Dege's exe and uploaded it to VirusTotal. Nearly half of the engines do not detect the decompressed file as harmful anymore. So these detections cannot be related to resources, API calls, execution behavior, etc. since they are the same in the case of both compressed and decompressed versions. The funny thing is UPX is the most known/frequently used exe compressor and the decompression can be done by anyone (the source is available). If these engines cannot cope with this that tells something about their credibility.
Compressed:
https://www.virustotal.com/gui/file/61503e96d … bd7d0/detection
Decompressed:
https://www.virustotal.com/gui/file/9b850d25d … d81e4/detection

dr_st wrote on 2020-03-02, 16:13:

From what I see, executable compression is often marked as suspicious, as well as software that looks at or does anything with keys and passwords (like Nir Sofer's stuff).

Yes, it's definitely true for compression but e.g. VirtualMidisynth or WirelessNetView fits into which category?

Last edited by Falcosoft on 2020-03-02, 17:48. Edited 2 times in total.


Reply 15 of 22, by ZellSF

dr_st wrote on 2020-03-02, 16:13:

From reading those links, I think it's more than just being a small developer with a small user base. I can understand that as a small developer, if you get flagged, it's harder to get unflagged. But something must be flagging things in the first place. Or are you suggesting that these AV heuristics are nothing other than a bunch of whitelists and everything not on it gets flagged? This doesn't seem true.

ws.reputation.1

There's definitely AV software that goes by reputation only, so to suggest that others lean heavily on it isn't outlandish.

Reply 16 of 22, by Dege

Falcosoft wrote on 2020-03-02, 09:57:
It's not special at all. This is a common problem that affects many small developers. E.g: http://blog.nirsoft.net/2009/05/17/a […]

Nice summary, thanks!! It's good to feel I'm not alone. 😀

As for upx, yes, it has greater chance for false alarms. Or not. dgVoodooCpl gets flagged even if it's uncompressed. The case I analysed in my previous post is about an uncompressed version of the cpl.

At my former workplace, Sophos was the obligatory AV installed on all machines. When I compiled the cpl on my machine, it got deleted right at the moment the linker finished with it and a kind window popped up, saying that a threat had been beaten off. This particular AV software proved to be so crap that in the end IT allowed devs to remove it from their computers.

Actually, I've been playing this idiot game for a year by now: experimenting on VirusTotal with what version of the cpl has the lowest alert rate. Sometimes the uncompressed one, sometimes the compressed one, sometimes a compressed one with a lower compression rate. Even if a .zip reaches a low hit rate there, a few days later the result magically changes and Google alerts me about the malicious software on my site, so I have to start experimenting again. But I can't really do anything, most of the AV shits always detect it as malicious.
I've got tired of it all. I can't send each release to 20-25 places for AV analysis, even if I could, it'd take tremendous time to manage.

dr_st wrote on 2020-03-02, 08:57:

Dege, I do want to ask. Developers all over the world use standard Windows APIs, include version numbers in their binaries, and probably uncompressed graphics as resources. What makes your program special that it triggers all these false positives time after time again?

I thought my post about the analysis made it clear: because these 'antiviruses' are pure crap.
I have a version number 2.63.0.0 in the .rsrc section, inside a block with the dedicated VERSION type, and this AV thinks of it as a potential IP address… My mind blows up.

Nowadays AV's behave exactly like a virus: they eat up computer resources, delete files on their own mercy and frighten the user off with messages about terrible dangers.
And I'm not joking. I think one shouldn't use any third party AV on a Windows (10) machine. Defender is more than good enough.

I think I tend to rely on Defender in the future and not care about the rest. Not even Google 'Safe' 😀 Browsing, even if the site gets flagged.
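The "potential IP address" and "potential URL" indicators in the report above are regular expressions run over the strings carved out of the file, which is exactly why a dotted version number inside a VS_VERSION_INFO resource is reported as an address. The Python below is an added example, not the sandbox's or dgVoodoo's code: it carves ASCII and UTF-16LE strings the way `strings` with `-e l` would, runs a naive dotted-quad and URL matcher over them, then applies the kind of context a less noisy scorer would use: a dotted quad stored as UTF-16 within a few dozen bytes of a FileVersion/ProductVersion key is reported as a version, and URLs on a small known-benign host list are reported separately. The sample buffer, the 64-byte window, the host allowlist and the 203.0.113.9 address (a documentation range) are all constructed for the example.

```python
"""String-indicator matching with and without context (added example, constructed buffer)."""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")               # printable ASCII runs, like `strings`
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")       # UTF-16LE runs, like `strings -e l`
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # the naive dotted-quad pattern
URL_RE = re.compile(r"https?://[\w./-]+")
VERSION_KEYS = ("FileVersion", "ProductVersion", "VS_VERSION_INFO")


def extract_strings(blob: bytes):
    """Return [(offset, text, encoding)] sorted by offset."""
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16le"), "utf-16le") for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def naive_indicators(blob: bytes) -> dict:
    """What a bare pattern matcher reports: every dotted quad and every URL it sees."""
    ips, urls = [], []
    for _, text, _ in extract_strings(blob):
        ips += IPV4_RE.findall(text)
        urls += URL_RE.findall(text)
    return {"ip": ips, "url": urls}


def contextual_indicators(blob: bytes, window: int = 64,
                          known_hosts=("schemas.microsoft.com", "github.com")) -> dict:
    """Same matches, but a dotted quad in a UTF-16 string within `window` bytes after a
    version-resource key is classed as a version number, and URLs on the (assumed)
    known-host list are kept apart from the ones worth a second look."""
    strings = extract_strings(blob)
    key_offsets = [off for off, text, enc in strings if enc == "utf-16le" and text in VERSION_KEYS]
    result = {"ip": [], "version": [], "url": [], "known_url": []}
    for off, text, enc in strings:
        for quad in IPV4_RE.findall(text):
            near_key = enc == "utf-16le" and any(0 <= off - k <= window for k in key_offsets)
            result["version" if near_key else "ip"].append(quad)
        for url in URL_RE.findall(text):
            host = url.split("//", 1)[1].split("/", 1)[0]
            result["known_url" if host in known_hosts else "url"].append(url)
    return result


def _u16(s: str) -> bytes:
    """UTF-16LE string with terminator, as stored in a version resource."""
    return s.encode("utf-16le") + b"\0\0"


# Constructed stand-in for a binary's string-bearing bytes: a manifest URL, a
# VS_VERSION_INFO-style block (key, terminator, 2 bytes padding, value), an About-box
# URL and, to show a genuine hit, a download URL on a TEST-NET-3 address.
SAMPLE = (
    b"\x00" * 16
    + b"http://schemas.microsoft.com/SMI/2005/WindowsSettings\0" + b"\x00" * 8
    + _u16("VS_VERSION_INFO") + b"\0\0"
    + _u16("FileVersion") + b"\0\0" + _u16("2.63.0.0")
    + _u16("ProductVersion") + b"\0\0" + _u16("2.63.0.0")
    + b"\x00" * 8
    + b"http://www.benshoof.org/blog/minicrt\0" + b"\x00" * 8
    + b"http://203.0.113.9/update.bin\0" + b"\x00" * 8
)

if __name__ == "__main__":
    print("naive:     ", naive_indicators(SAMPLE))
    print("contextual:", contextual_indicators(SAMPLE))
```

The naive pass reports 2.63.0.0 twice as an IP address and puts the Microsoft manifest schema URL on the same footing as an unknown download link; the contextual pass leaves one real address and one unfamiliar host to look at. Where the strings sit (the .rsrc section, next to a version key) carries more signal than the byte pattern itself, which is the point Dege is making about the analyzer.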

Reply 17 of 22, by antrad


When I was programming a video game for a hobby in 2010 I had Kaspersky AV installed and it would flag the game executable as a keylogger. And when I shared the game on forums, people would not trust me to try it because of this. That was the last time I used an anti-virus program.

Reply 18 of 22, by spiroyster

Dege wrote on 2020-03-02, 19:50:

Nowadays AV's behave exactly like a virus: they eat up computer resources, delete files on their own mercy and frighten the user off with messages about terrible dangers.
And I'm not joking. I think one shouldn't use any third party AV on a Windows (10) machine. Defender is more than good enough.

+1

I have a email template ready to send Avast as we get flagged pretty much every release... IDP.ALEXA.51 usually.... and we aren't the only ones (https://steamcommunity.com/app/594570/discuss … 66500521493233/).

Yes, AVs these days are the bastard love child of snake oil and malware... 21st century registry cleaners!
I've relied on windows defender for at least a decade now and never had a problem (that I know of o.0).

Reply 19 of 22, by dr_st


Oh, I agree that they are all crap. It's been years since I used any AV other than Windows Defender. And even that flags my completely legitimate Windows/Office activators as malicious. 😜

But there are probably things that are more likely to be triggered. Like, perhaps, non-standard compilers, etc.

Out of curiosity I uploaded a silly C program I once wrote when I was solving someone's programming homework, which does nothing but string and substring analysis. 2/71 flagged it as Malicious/Unsafe - Cylance and SecureAGE APEX. So at least these two probably automatically flag every unknown binary.