Beta: SMath Studio 0.99.7803 (13 May 2021)


#21 Posted: 14.05.2021 13:30:10
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

Wrote:

I have some good news regarding false positive detection! After a long night and morning I've found a binary pattern which triggers some AVs to mark executables created by Viewer as malicious...
Knowing this, I've added the possibility to give AVs a fight! Unfortunately I have to disable compression of internal resources to do it, but I do not think it is so bad.
Please try a new SMath Studio version - it has the following checkbox (uncheck -> file size increased -> AVs are happy -> profit):

Alright, so I decided to break this down and test individual exe files in order to determine which plugin/s is/are causing the false positive. The good news is that I have determined it to be the Table Region and X-Y Plot.

Attached are all the different exe files I created using the latest nightly build following the procedure described above. All of them are fine except the Table Region and X-Y Plot. Right away when saving the zip to my desktop from outlook I get the threat detection notice for Trojan:Win32/Wacatac.B!ml. I get this same notice for both files (Table Region and X-Y Plot). Not sure why I don't get the AgentTesla warning I got for my original exe, but there it is.

Maybe someone with much more knowledge than me can provide some input into the matter.

I will upload the exe that I'm having trouble with as well, just need to clean up some nonpublic info.

#22 Posted: 14.05.2021 14:01:22
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

Here is the original exe I was having trouble with. It was compiled on the most recent nightly build with the compression box unchecked. It doesn't trigger the AgentTesla warning as before, but it is showing the same Wacatac warning the test files triggered. My guess is that without compression the exe no longer triggers the AgentTesla warning. Not sure this exe offers any new information as compared with the previous test exe files, but nonetheless here it is.

ASCE 7 Wind Profile Comparison Tool_External.zip (1 MiB) downloaded 66 time(s).

*I might add that the same file emailed back to the computer where it was created does not trigger any warnings from windows defender when pulling it out of outlook.
#23 Posted: 14.05.2021 14:43:29
Andrey Ivashov
2270 of 3734 posts were liked by users.
Group: Super Administrator

Thank you! All this information really helped me.

Here are the results with XY-Plot:
virustotal_viewer_2_XYPlot.jpg
https://www.virustotal.com/gui/file/8340f37b69476b76cd6fb3079eb18ace6a9f47d2106106ad31acd53c184c649c/detection

This is really great, because it means that the problem is with MS AV only, and this might be because of some difference between built-in plug-ins and third-party ones.
And I found one!

I do not sign third-party plug-ins with code certificate. And this is something I can actually fix.

Please give me several hours and I will enable signing third-party plug-ins and test everything. I really hope it will help!

Thanks again.
1 user liked this post
Wesly Centerwall 14.05.2021 14:45:00
#24 Posted: 14.05.2021 15:03:29
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

Thank you Andrey, as always super great work!

One more interesting observation.

I've been working on computer 1, where I was creating the exe files and sending them to computer 2 for testing.
I went ahead and compiled an exe from computer 2, which was receiving my test emails (using the same .sm file I was using on computer 1). Then I sent the zipped exe created on computer 2 from computer 1 via email back to computer 2, and sure enough no virus warnings.

Maybe this is due to different settings within Windows Defender on each machine?
The issue with the false positive seems to be only present when the exe is created on computer 1 and sent to computer 2 (even if it is copied from a USB).

Not sure if this information is useful.
#25 Posted: 14.05.2021 15:15:31
Alvaro Diaz Falconi
992 of 1675 posts were liked by users.
Group: User

Wrote:

Thank you Andrey, as always super great work!

One more interesting observation.
...

Hi. Yes, he does it again. One question: assuming that the version for SMath is the same, do both computers have the same plugin versions? Here is where you can check that:

Clipboard01.jpg

Best regards.
Alvaro.
#26 Posted: 14.05.2021 15:53:25
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

Wrote:

Hi. Yes, he does it again. One question: assuming that the version for SMath is the same, do both computers have the same plugin versions? Here is where you can check that:

Yes, both have the same version (02.7802.13079)

1 user liked this post
Alvaro Diaz Falconi 14.05.2021 16:04:00
#27 Posted: 14.05.2021 21:49:38
Andrey Ivashov
2270 of 3734 posts were liked by users.
Group: Super Administrator

X-Y Plot and Table Regions are updated now. If everything is fine I will handle all the others.
1 user liked this post
Wesly Centerwall 14.05.2021 22:00:00
#28 Posted: 14.05.2021 21:59:23
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

Thanks Andrey, I will create a new exe and test things out.
1 user liked this post
Andrey Ivashov 15.05.2021 05:32:00
#29 Posted: 17.05.2021 19:00:50
Wesly Centerwall
26 of 156 posts were liked by users.
Group: User

I think the issue with the false positives on Windows AV is solved. On the first try it still kicked out a virus detection warning, but then I tried to copy it from Outlook again and nothing came up, AV was silent, so I think we are good now. Thanks to those who are much more capable with SMath than me.

One more thing. Is there any way to get away from the Windows Defender unknown source warning you get when you first run an SMath exe created on a different computer? Not a show stopper issue, but just one thing less to have to explain to an end user of the exe.
1 user liked this post
Andrey Ivashov 17.05.2021 19:28:00
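The thread arrives at two separate things a defender can check on a generated exe: post #23 traces the Defender detection to third-party plug-in code that was not Authenticode-signed, and posts #22, #24 and #29 show the warnings appearing only once the file has crossed machines via Outlook or USB, which is when Windows attaches a Mark-of-the-Web stream that SmartScreen reads. The PowerShell script below is an added example, not code from the forum thread or from the SMath project, that inventories a build output folder for both conditions. The folder path `C:\Temp\smath-out` and the function name `Get-PeTrustReport` are assumptions; the cmdlets used (`Get-AuthenticodeSignature`, `Get-Item -Stream`, `Get-Content -Stream`) are standard Windows PowerShell.

```powershell
# Added example (not from the SMath forum thread or the SMath project).
# For every .exe/.dll under a folder, report (a) the Authenticode signature
# status and signer, and (b) whether the file carries a Zone.Identifier
# (Mark-of-the-Web) stream, as written when a file arrives by e-mail,
# browser download or removable media. The folder path is an assumed placeholder.
param(
    [string]$Path = 'C:\Temp\smath-out'
)

function Get-PeTrustReport {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        # Validates the embedded signature and its chain; Status is
        # 'NotSigned' when the file has no signature at all.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Zone.Identifier is an NTFS alternate data stream; ZoneId=3 means
        # "Internet". SmartScreen's unknown-publisher prompt on a file from
        # another machine is tied to this mark together with the signer.
        $zone = $null
        $motw = Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($motw) {
            $zoneLine = Get-Content -Path $_.FullName -Stream Zone.Identifier |
                Where-Object { $_ -like 'ZoneId=*' }
            if ($zoneLine) { $zone = ($zoneLine -split '=')[1] }
        }

        [pscustomobject]@{
            File       = $_.FullName
            SigStatus  = $sig.Status          # Valid / NotSigned / HashMismatch / ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            ZoneId     = $zone
        }
    }
}

$report = @(Get-PeTrustReport -Folder $Path)
$report | Format-Table -AutoSize

# Summarise what would draw AV / SmartScreen attention: anything not validly
# signed, and anything unsigned that also carries an Internet-zone mark.
$unsigned = @($report | Where-Object { $_.SigStatus -ne 'Valid' })
Write-Host ("{0} of {1} PE files are not validly signed." -f $unsigned.Count, $report.Count)
$unsigned | Where-Object { $_.ZoneId -eq '3' } |
    ForEach-Object { Write-Host ("  unsigned + Mark-of-the-Web: {0}" -f $_.File) }
```

Run it against the folder where the Viewer wrote the exe, on the machine that received the file. A row with `SigStatus` of `NotSigned` matches the condition Andrey fixed by signing the plug-ins; a non-empty `ZoneId` on the same file explains why the identical binary is silent on the machine that built it but prompts on the one that received it by e-mail or USB.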