We use Cybereason for antivirus etc., which started last Friday to flag any executable built with Xojo 2024R4.2 or later as Gen:Variant.Fragtor.864759.
This happens on Windows 10 and later, and it should be a false positive because it happens only for executables built with Xojo 2024R4.2, even though it “liked” them before for many months.
To find out more, I started the Xojo 2024R4.2 IDE (at least that is possible) and created a new Desktop Application, Tiny, which I compiled without any further additions. The resulting Tiny.exe is where the culprit lies (not the libs), so I uploaded it to VirusTotal, where 8 of 71 security vendors flagged it, among them unfortunately BitDefender and GData.
It would be very helpful to get rid of these false positives, as they make normal development impossible (you need to castrate the Antivir severely in order to be able to debug or build).
Here is the list of security vendors from Virustotal that deliver the false positives:
The detected variant I’m seeing is BehavesLike.Win64.Dropper.vm, from Skyhigh (SWG). Likely a false positive related to the network libraries would be my guess. As your result has far more detections than mine, you should open an Issues case and attach your project and built application. There may be something Xojo can do about it, there may not. In the end I usually have to submit these false positives directly to the security vendors to get the issue fixed.
With so many reports, I would also closely monitor/examine my own systems. It’s possible that the Trojan is actually present in the system and infecting newly created applications.
We made 32-bit executables, which triggered the Fragtor “sightings” I mentioned. Just like you, I am pretty sure this is a false positive because:
A) the trouble started as late as last Friday while we had 2024R4.2 built Executables in production since February
B) executables built with earlier Xojo versions do not make any problems even though they reside in the same share
As to sending stuff to the antivirus vendor: we have opened a case with Cybereason; the problem is they reacted to the other vendors (Bitdefender, GData, …) where we are not customers.
I am pretty sure there is no infection. Some of the “offensive” executables have been around for nearly 5 months without creating any issues, and I can build stuff with earlier Xojo versions (on the same machine) that are all fine.
Whitelisting does not really help in our case, because it does not allow you to debug and/or build (no stable hashsums). But looking at the link right now (thank you for inserting it), I see that Microsoft has joined the club by now, so maybe Xojo should become active after all (as many Windows machines have Defender running).
There was talk some time ago that if you change the Optimization Level, the executable signature may change and not get flagged. Not sure if this is still the case or if it will help in this case.
In my case BitDefender is flagging “Gen:Variant.Fragtor.864759”, as in the original post. It only began doing so this weekend, perhaps because BD updated its definitions recently. I am still using 2025R1.1.
Submitting samples: Thanks for the links, I will have one of our security guys do this for me tomorrow morning as I lack the privileges to upload suspicious files.
Whitelisting: In order to whitelist an executable you need to compile it first which in itself takes forever and ends with the executable blocked by the antivirus.
I guess you mean quarantined. Some antivirus products allow the user to submit quarantined samples right from the software, flagging them as false positives.
Talk to the security guys on how to proceed in your case. The web interface for other cases I already provided. Over time more engines may start to list it as some kind of generic malware if no one points that out.
Well, I did mean blocked. In order to better cope with the situation, Cybereason has been set to just block, not quarantine. The difference is that the file stays at its original location. Anyhow, we will continue tomorrow (German time).
Still I do not understand what exactly should get whitelisted; after all, this affects ALL 32-bit desktop applications built with Xojo 2024R4.2 or later.
What makes me wonder is that Xojo apparently does not care whether its product gets rendered useless by (presumably) false positives. With GData, BitDefender and Microsoft, quite a few Windows users should be affected, and an IDE that cannot build applications seems somewhat useless to me.
You submit some sample that triggers a false positive. The simpler, the better. If it’s a Print “Hello World” it’s great, but it may need something else you wrote. The binary code rendered contains some combination of factors that triggered a “suspicious behavior” flag, or some simple coincidental signature. Then you will upload the sample with all the information they ask you for; they will analyze it and probably report back. If they don’t find any bad behavior, just a bad coincidence, they will provide a way in the signature library to avoid reporting similar cases again as some variant (your case will be “whitelisted”), and ALL similar cases will automatically be solved. This typically takes about 3 days + the vendor updating their database + your endpoint receiving the updates. Affected users must act with their vendors. They trade info; some reports start to spread if no one cares and more AV engines will report false positives; whitelists spread too, but it may be faster if you report a complaint to your AV engine instead of waiting.
Ok, I can see the misunderstanding.
You mean the vendor whitelisting the offending part of the Xojo framework, while I meant the whitelisting we can do at our site to keep the antivirus from blocking known apps.
Thank you for pointing me to the upload links for Bitdefender (already done) and Microsoft (later this day).