BBC BASIC for SDL 2.0 version 1.04a released

[Deleted User 9295]

I have released version 1.04a of BBC BASIC for SDL 2.0, the cross-platform programming language for Windows, MacOS, Linux, Raspbian, Android and iOS. The changes in this version are as follows:

• BASIC Interpreter / Run Time Engine
  
  The VDU 23,24,n| command updates the 'character spacing adjustment' when a proportional-spaced font is used (negative values cause the characters to close up, positive values cause them to spread apart).
  
  The @tmp$ system variable has been changed on Linux (including Raspbian) and MacOS so that it points to a user-specific directory. Previously, problems could arise if BBC BASIC was run as 'root' (causing files with root ownership to be stored in @tmp$) and then subsequently as a user without privileges to delete them. On other platforms @tmp$ has always been user-specific.

• Example Programs
  
  hangman.bbc: David Williams' nice hangman program, ported to BBCSDL whilst preserving its original look-and-feel as closely as possible.
  
  figleaf.bbc: A rendition of Scott Joplin's 'Fig Leaf Rag' (transcribed by Ron Stickley for my Z80 Music program in 1984) accompanied by an animated 3D piano keyboard.

This new version may be downloaded, for all the supported platforms, from the usual location. The GitHub repository has been updated (used to build the MacOS, Raspbian, iOS and 64-bit Linux editions, currently) although doubts have been expressed over whether GitHub is the right solution going forwards.

Please remember that if you use the Android Application Generator you should download a new APK template to ensure that any updates to the run-time engine are incorporated in your own apps.

[BobsBoard]

I can't recall getting asn error last time, but my AVG has moved bbcsdl.exe to quarantine owing to it being infected by Win32:Shiz {Spy}.

Should I report it as a false possitive ?


- And as always, thanks for your good work.

Regards,

Roger

[Deleted User 9295]

Should I report it as a false possitive ?

There's no mechanism that I'm aware of by which any malware could have infiltrated the exe, since it's compiled using GCC from sources that are all under my control (and my own AV doesn't flag either the exe or the tools that are used to build it), but it would be rash of me to say that it's impossible. If you are inclined to report it as a potential false positive that might shed further light on it, but it must be your decision.

[BobsBoard]

Sent to AVG, lets see what they say... Downloaded from your site today.

[Deleted User 9295]

Sent to AVG, lets see what they say... Downloaded from your site today.

Keep us informed. Meanwhile I've recompiled it with a trivial change that doesn't affect functionality simply to force the exe to have a different signature.

[BobsBoard]

I get the same AVG detection. Lets give them 48hrs then..

Roger

[Deleted User 9295]

I get the same AVG detection. Lets give them 48hrs then..

Here's something very strange. If I rebuild the exe from scratch, Virustotal reports that it is clean. However, after I have signed it using my Code Signing certificate, it reports having the infection! That is pretty crazy: signing an executable should make it appear less suspicious to an AV tool, not more!

I'd love to know what is going on here. I could distribute the unsigned version, but that obviously wouldn't be sensible because the certificate gives you confidence that the file hasn't been tampered with since it left me. And, yes, the signing tool scans clean as well. It will be interesting to hear what AVG say.

[Deleted User 9295]

And, yes, the signing tool scans clean as well. It will be interesting to hear what AVG say.

Just as an additional check, I downloaded a fresh copy of 'signtool.exe' directly from Microsoft's site (it's more recent than the one I had) and used that to sign bbcsdl.exe. The result was the same. So, superficially, it's the presence of the signature itself which is triggering the 'virus' detection. I suppose it's remotely possible that a sequence of bytes in my SHA-2 certificate, by chance, matches a virus signature but that would tend to suggest that any executable I sign would also trigger an alert!

[BobsBoard]

It downloaded OK just now, but AVG picked it up after it openned. Error report sent, then 10 minutes later I get notification that the file is OK.- See attachment.

bbcsdl.JPG (13.58 KiB) Viewed 4852 times

[Deleted User 9295]

It downloaded OK just now

I've temporarily replaced the version available for download with an unsigned exe, as that is currently the only workaround available to me. But as I explained it's not a satisfactory solution because all the advantages of signing (confidence that the file hasn't been tampered with, the possibility of revoking the certificate etc.) are lost. In addition, Windows is far more likely to display a warning (independent of your AV solution) on trying to run an unsigned executable.

So unless and until AVG confirm that the original, signed, exe is clean and update their scanner this remains a serious issue. If it affects every signed executable I create, I might as well give up developing software now! So much for spending hundreds of pounds on a Code Signing Certificate.

[BobsBoard]

Hi Richard,

If you upload the "signed" version I'm happy to go round the loop again to see if the AVG dabase accepts it now. Although as I still had the original zip file in my download I ran it again andf I get the original error with the bbcsdl.exe file gets removed/sent to quarantine.

[Deleted User 9295]

If you upload the "signed" version I'm happy to go round the loop again to see if the AVG dabase accepts it now.

If the signed version in the zip you originally downloaded still isn't accepted, I'm sure that a re-uploaded one wouldn't be either. If you are expecting a report back from AVG on your original false positive submission, let's wait and see what they say.

[colonel32]

False positives like this aren’t that uncommon, especially for some AV software that uses aggressive heuristics, or when software packages regularly release updated versions. It often happens with software I release. Even for data files that contain no executable code!

In my opinion you should persist with the signed versions, and continue to provide personal assurances there is no malware included to people who trust you.

Let the AV software companies sort their own detection algorithms and reporting mechanism out. You’re doing nothing wrong.

Discerning people will eventually stop using their products if they become too hard to use. And it’s pretty easy for discerning people to unquarantine false positives.

[Deleted User 9295]

False positives like this aren’t that uncommon, especially for some AV software that uses aggressive heuristics

I'm well aware of that, but the circumstances here are unusual for two reasons. Firstly it's not a heuristic detection (which I have suffered from on multiple previous occasions) but a detection of a specific virus signature, which is less commonly a false positive. Secondly, only the signed executable is being flagged, not the unsigned version; I have never encountered that before and it seems very surprising to me. I'm not even aware that what is 'tagged onto' the exe when signing actually contains any code, as such.

In my opinion you should persist with the signed versions, and continue to provide personal assurances there is no malware included.

Normally I would agree, but many of my users are ultra cautious and will not touch with a bargepole anything that is flagged as dangerous by their AV. And I can't with confidence say that "there is no malware" since how can I be sure? Maybe Microsoft's 'signtool' utility is infected, maybe my certificate is infected. Neither seems at all likely but I can't rule it out as impossible.

So for the time being I'll distribute the unsigned version that doesn't trigger a detection. It's not an ideal situation but it should hopefully keep more of my users 'on board' until this issue can be properly resolved. After all the vast majority of EXEs available for download, even from respected vendors, are not signed.