DOS PE file header missing

Issue #42 invalid
Daniel Brunner created an issue

When switching from BTM Build 1.1.7465.55536 to Build 2.0.8370.39904, many of my language files were suddenly detected as viruses with virustotal. When I compare the finished files with a hex editor, the PE file header is missing (left). With the earlier version (right), the PE header is still in there.

Can you make the PE file header be written again with the latest version of BTM so that the files are not recognised as viruses?

Comments (7)

  1. Anders@Melander

    The change you’re referring to is commit 7baba77bf1c3c0cf246d958a5b13f0087ac804c6 from July 2020.

    The PE header isn’t missing; it just doesn’t contain the usual (and obsolete) stub code that prints the “This program cannot be run in DOS mode” message.

    So the problem is a false positive from VirusTotal. Since VirusTotal is just an aggregator of many different virus checkers the problem should be reported as a false positive at the originating virus checkers. See: https://support.virustotal.com/hc/en-us/articles/115002122305-VirusTotal-is-detecting-a-legitimate-software-I-have-developed-what-can-I-do-

    Since this problem doesn’t really originate with BTM I’m going to close the issue here. What I can do, however, is to make it possible to specify a custom resource module stub (i.e. this file) via the command line. It is already possible to do so via a conditional compilation define (INTERNAL_RESOURCE_MODULE) so it’s a minor change.
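    To see what the comment above describes, here is an added example (not BTM's code) that parses the IMAGE_DOS_HEADER of a PE image, locates the PE signature through e_lfanew, and reports whether the region in between holds the conventional DOS stub or is empty. The two sample images are constructed inline; the hypothetical `inspect_dos_header` helper is mine.

```python
import struct
import sys

DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode"
DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C        # offset of the PE signature pointer


def inspect_dos_header(data: bytes) -> dict:
    """Validate the MZ header and describe the DOS stub between it and 'PE\\0\\0'."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    stub = data[DOS_HEADER_SIZE:e_lfanew]   # empty when the stub was omitted
    return {
        "e_lfanew": e_lfanew,
        "stub_size": len(stub),
        "has_dos_message": DOS_STUB_MESSAGE in stub,
    }


def build_sample(with_stub: bool) -> bytes:
    """Constructed sample: MZ header, optional conventional stub, PE signature only."""
    stub = b""
    if with_stub:
        # Constructed stand-in for the traditional stub: a few bytes of 16-bit
        # code followed by the message text and a DOS '$' string terminator.
        stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + DOS_STUB_MESSAGE + b".\r\r\n$")
        stub += b"\0" * (-len(stub) % 8)     # pad to an 8-byte boundary
    header = bytearray(DOS_HEADER_SIZE)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, DOS_HEADER_SIZE + len(stub))
    return bytes(header) + stub + b"PE\0\0"


if __name__ == "__main__":
    # Usage: python inspect_stub.py <file.dll>; without an argument, use the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_dos_header(fh.read()))
    else:
        for flag in (False, True):
            print("with_stub=%s -> %s" % (flag, inspect_dos_header(build_sample(flag))))
```

A stub_size of 0 with a valid PE signature is exactly the "header is present, stub is gone" case the comment explains.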

  2. Daniel Brunner reporter

    In my workflow so far I use BTM to translate the file and select "Compile all languages" directly in BTM. If this works with #43 as well, it would work for me.

    The problem with false positives has only existed for about 2 months and is reported by almost all anti-virus programs, incl. Microsoft, ESET, McAfee, Norton, ...

    Suddenly, from one day to the next, the language files on the servers of various customers were deleted by the antivirus programs.

    I think that other users of BTM will run into the same problem.

  3. Anders@Melander

    In my workflow so far I use BTM to translate the file and select "Compile all languages" directly in BTM. If this works with #43 as well, it would work for me.

    I think it will. With the current implementation, when INTERNAL_RESOURCE_MODULE isn't defined, the PE stub will be loaded from an external file in the same folder as the BTM exe (AFAIR). I will change this so the logic isn’t controlled with a symbol. The command line switch will be for the corresponding functionality for use by the command line program.

    The problem with false positives has only existed for about 2 months and is reported by almost all anti-virus programs, incl. Microsoft, ESET, McAfee, Norton, ...

    It’s really an unavoidable problem. The heuristic virus definitions change all the time and even if I changed the PE stub back there’s no guarantee that that wouldn’t also trigger false positives from time to time (which it has already done in the past).

    It would possibly help if the resource modules were digitally signed but since the creation of the modules is done by the user (i.e. you), then it would have to be the user that acquired and installed the certificate to use. IMO it would make the whole process too complex and fragile if BTM were to do it automatically.

    I think the solution must be to whitelist the files/folder on the local system (so the local virus scanner doesn’t delete the files) and then digitally sign the files manually if that is desired.

  4. Anders@Melander

    Having looked at the source, I can see that I've already implemented most of the required functionality: if the file EmptyResourceModule.dll exists in the same folder as amTranslationManager.exe, then that file will be used as the PE stub.

    Unfortunately, the original PE stub (the one that worked for you) was hardcoded in the source and as such can't be easily extracted as a file, but you should be able to find another small, empty DLL or EXE somewhere, save it as EmptyResourceModule.dll, and then use that as the PE stub. You can try this one (I just searched for “smallest PE file” and picked one):

    I have verified that it works with BTM (using the HelloWorld example) but I don’t know how your antivirus will react to it. When I tested it with VirusTotal, the empty file was flagged by 7 vendors, while the generated resource module was flagged by 2. The default, empty PE stub was not flagged, while the generated resource module, using the default PE stub, was flagged by 7 vendors.
