POLINK: fatal error: Zugriff verweigert Error code: 1

[Bitbeisser]

I am not quite sure what you are trying to tell us here (or if you just keep flogging a dead fish)...

I just created a brand new project, copied with your source code of this imensly important program and scanned wit with the various AVs at my disposal and I do not get a false positive on any of them, here just one example of the result:

[agp]

Don't blame me for this problem and don't address it to me. I spend a lot of time (hours of hours) to investigate this. What you tell me in your example ist only that your avast scanner is detecting nothing. Try an upload your exe you've compiled to

https://www.virustotal.com/

but ensure that it is compiled with full debug info!! Then post the results here.

What system are you running? Win 7 64 bit?

[CommonTater]

None of this is the linker's fault...
Seriously, this is the virus scanners, not the programming tools.

I have a pet theory that some of the bigger corporations are turning in reports on the free stuff as a means of forcing people to pay... but that's just a theory.

[agp]

@  CommonTater

Have you an explanation or a theory why lcc-win32 (which based on lcc like Pelles C too) is so extremly overloaded with virus warnings from the big player in the AV business? By the way lcc-win32 has a terrible IDE. 

Try this simple helloworld on VisualC++ 2008 and 2010 (I have done this) and you wouldn't found any of this warnings (OK, there was one warning from very unknown scanners), whether you include debug info or not or do other compiler/linker settings.

I also tried the old version of Pelle v5. There were 15 warnings on virustotal !! You don't want wo use such a software. Fortunately the newer the PellesC version the better or less warnings, which leads me to believe that Pelle has possibly figured out that there is a problem on that and done something against, but I don't know.

As I said before, it would be nice to read more additional experiences of others in this regard. I don't think that Pelle is a "dead fish" (your talk in the other thread), so lets keep the debate open. I think code safety (virus safety) is not a secondary matter.

[Bitbeisser]

Don't blame me for this problem and don't address it to me. I spend a lot of time (hours of hours) to investigate this. What you tell me in your example ist only that your avast scanner is detecting nothing. Try an upload your exe you've compiled to

https://www.virustotal.com/

but ensure that it is compiled with full debug info!! Then post the results here.

Two false positives, on AntiVir and Ikarus, whatever that is. This scan doesn't tell shit, specially if this is only triggered with debug info, which should not be "out in the wild" in the first place. The sample itself is so simple that it rather demonstrate that these are just annoying false positives from some rather obscure anti virus tools, nothing more...

What system are you running? Win 7 64 bit?

Whatever you want, I did the scans at on my setups on Windows XPSP3 Pro/32bit, Windows 7 Ultimate 64bit, Windows Server 2003 Standard 32bit, Windows Server 2008 64bit, it doesn't matter what OS you're running if an application is considered (containing) a virus or not...

Ralf

[Bitbeisser]

@  CommonTater

Have you an explanation or a theory why lcc-win32 (which based on lcc like Pelles C too) is so extremly overloaded with virus warnings from the big player in the AV business? By the way lcc-win32 has a terrible IDE.

Because it's a free tool that might be used by a lot of virus authors and those AV software that show those warnings do a shoddy job in identifying what actually constitutes the virus part and instead trigger "detection" on parts of program initializations or library routines instead of actual malicious parts... 

Try this simple helloworld on VisualC++ 2008 and 2010 (I have done this) and you wouldn't found any of this warnings (OK, there was one warning from very unknown scanners), whether you include debug info or not or do other compiler/linker settings.

I also tried the old version of Pelle v5. There were 15 warnings on virustotal !! You don't want wo use such a software. Fortunately the newer the PellesC version the better or less warnings, which leads me to believe that Pelle has possibly figured out that there is a problem on that and done something against, but I don't know.

No, more likely that the virus authors switched tools (away from LCC) and Pelle's C over time has less and less in common with the original LCC code....

As I said before, it would be nice to read more additional experiences of others in this regard. I don't think that Pelle is a "dead fish" (your talk in the other thread), so lets keep the debate open. I think code safety (virus safety) is not a secondary matter.

There simply isn't anything you can do, beside pestering the AV manufacturers to deal properly with those false positives or simply ignore those obscure programs that keep giving those false positives...

Ralf

[agp]

Two false positives, on AntiVir and Ikarus, whatever that is.
Ralf

OK, thanks for that!

specially if this is only triggered with debug info

Try and compile it as multithreaded lib, upload to virustotal and show the result. The AntiVir warning disappear.

By the way, the worse (for me) is not to get a virus warning. The worse is linking is blocked.

The sample itself is so simple that it rather demonstrate that these are just annoying false positives from some rather obscure anti virus tools, nothing more...

Yes it is simple and that's a good thing point out the problem. I don't agree with you that AntiVir is "obscure". It may not common where you live but in germany it's a very known AntiVirus SW and I havn't found that there is another better one out there. Here we have a special rare problem. Because the exe file that one can compile when debugging console app code changes every time on compilation and so there is currently no chance to adapt the VDF scanner files which is normally done in just 24 hours.

[CommonTater]

Have you an explanation or a theory why lcc-win32 (which based on lcc like Pelles C too) is so extremly overloaded with virus warnings from the big player in the AV business? By the way lcc-win32 has a terrible IDE. 

Ok... bottom line and I'm outa this thread...

This is NOT the fault of the compiler or linker....

It's 1/2 your fault for letting code with debugging symbols (a prime vector for reverse engineering, btw) out into the wild.
The other 1/2 is the AV scanner's fault for doing a crappy job of recognizing actual viruses.

10-4 ...

[Bitbeisser]

None of this is the linker's fault...
Seriously, this is the virus scanners, not the programming tools.

I have a pet theory that some of the bigger corporations are turning in reports on the free stuff as a means of forcing people to pay... but that's just a theory.

Oh, please, not another attack of the tinfoil hat brigade....

Those false positives that I have seen myself when checking on those rumors that Pelle's C created programs trigger virus warnings are all from rather small and partially obscure anti virus vendors that just want to get their share of the pie.
And to get ahead of the herd, some of them seem to do a very shoddy job of identifying possible malicious code and rather seem to identify parts of a stock program initialization or library routines instead of actively malicious code, which might be much more difficult to detect due to tricks played by the virus authors.
And when using a relatively low-volume tool like Pelle's C (or LCC or a lot of other less common program environments), it is simply much more likely to get a false positive identification because of this than with some high volume tools like VC++ or GCC for example...

And that a program compiled with full debug info might get more false positives is technically not surprising either. Some of the techniques used to debug programs are simply similar to tricks used by virus authors to try and prevent decryption and detection when their virus code is run in debuggers. So if a AV vendor again is doing a poor job in identifying the actual malicious code and instead uses pieces of legitimate debugging info in a program, than there is very little that you can do on your end. Again beside pestering those AV tool makers to do a better job...

Ralf

[CommonTater]

Oh, please, not another attack of the tinfoil hat brigade....

Hey ... carefult with that... I resemble that remark! 

[Bitbeisser]

Try and compile it as multithreaded lib, upload to virustotal and show the result. The AntiVir warning disappear.

Not surpised at all, as likely the initialization or runtime library code that they use to detect the alleged malware is not used in that case. Once again rather a strong hint that their detection method simply stinks...

By the way, the worse (for me) is not to get a virus warning. The worse is linking is blocked.

If you are running a tool that gives you these kinds of problems, simply ditch it, it is just not worth dealing with it.
Either they react on a properly described false positive or move on to something more sane. As I mentioned, AVast (which I currently consider the most secure and sane of all current AV products) can come up with a warning about sandboxing a newly created application, which I take rather as a sign that it is doing it's job and pays attention in an otherwise rather unintrusive way and I can decide if I want to do this or even disable that warning all together...

Yes it is simple and that's a good thing point out the problem. I don't agree with you that AntiVir is "obscure".

Maybe less obscure than Ikarus (which I looked up by now, they are from Vienna, Austria) or Jiangmin (some Chinese outfit that has problems presenting them on their international site even in proper English).

It may not common where you live but in germany it's a very known AntiVirus SW and I havn't found that there is another better one out there.

Yes, AntiVir is less common here in the USA (ich bin Deutscher!) but I run into it a couple of times a year in my work as an IT consultant. And so far, not in a positive way.
AVast or AVG, which I prefer out of experience at my line of work, aren't US software either but do a much better job as all those little garage outfits that have crept up in the last few years. Or those bloated behemoths like Symantec/Norton or McAfee...

Here we have a special rare problem. Because the exe file that one can compile when debugging console app code changes every time on compilation and so there is currently no chance to adapt the VDF scanner files which is normally done in just 24 hours.

But the fact that you have to keep doing this is a sure sign that they are just going about detecting the alleged malware the wrong way. It's not the whole program that triggers the alert, it's just a piece (or several pieces) of code that they identify as the 'code signature' of the alleged malware. Or that's what it is supposed to do...

Ralf

[Bitbeisser]

Oh, please, not another attack of the tinfoil hat brigade....

Hey ... carefult with that... I resemble that remark! 

[migf1]

...
I don't agree with you that AntiVir is "obscure". It may not common where you live but in germany it's a very known AntiVirus SW and I havn't found that there is another better one out there. Here we have a special rare problem. Because the exe file that one can compile when debugging console app code changes every time on compilation and so there is currently no chance to adapt the VDF scanner files which is normally done in just 24 hours.

I'm also using Avira AntiVir for many years, across several Windows versions. Yeap, it raises several false positives with Pelles C, and once it raised false positives for executables built with some older version of mingw32. You could try lowering the heuristics detection level form High to Medium, or even put offensive execs and or libs to the Exceptions list. At least, that's what I did

[agp]

Good news from the (anti) virus front. Today there was a huge file update for Avira Free AntiVir and now the false virus problem on linking console code as I described ist GONE!!

In the mean time I updated to AntiVir v13, so I couln't promise that this applies to the older version v12 (but I think so). A check at virus total online engine did not confirm that until now, but I think this will be in the next few days when they had updated their scanners.

Thanks to all for the comments especially migf1.

[migf1]

Good news from the (anti) virus front. Today there was a huge file update for Avira Free AntiVir and now the false virus problem on linking console code as I described ist GONE!!

In the mean time I updated to AntiVir v13, so I couln't promise that this applies to the older version v12 (but I think so). A check at virus total online engine did not confirm that until now, but I think this will be in the next few days when they had updated their scanners.

Thanks to all for the comments especially migf1.

I thank you too for the good news about the new version of Avira AntiVir