
McAfee False Positive

by SavannahLion (Pilgrim)
on Apr 08, 2010 at 06:28 UTC ( [id://833448] : perlquestion )

SavannahLion has asked for the wisdom of the Perl Monks concerning the following question:

I'm not quite sure how to present this question. The gist of the problem is, McAfee thinks the code I just wrote is a virus, "New Perl."

It appears I wasn't the only one to bump into this. There is a post on the McAfee Forums dated Dec 26, 2007 with someone asking about the same thing. Naturally, no response from anyone at McAfee, and Google isn't turning up much.

What I'm working on is a database-like script. The script is basic and currently doesn't leverage any of the established SQL based databases. It is really one of those, "I'm bored today, I'd like to write something to pass the time," kind of thing. In any case, each record is handled as a hash (and later stored in a flat file modeled after WikiWikiWeb). Each hash key has an associated function by the same name.

Because it's just a bored project, I've implemented some things I've never tried before. One is to auto-generate core functions for hash keys by running the script in an "update" mode. Essentially, part of the code examines the hash keys, compares them to a blocked section of the Perl and matches up functions with hash keys. If it finds a match, it keeps it in a hash. If no match is found, it stores it in another hash to be commented and stored elsewhere in the code (in case I want to reuse the code), and if new keys without matching functions are found, it generates skeleton functions. Then it copies the rest of the Perl script and drops in the stored and updated functions in the appropriate location and in order. Voila! (Note this is the section surrounded by the Source Code Maintenance comment.) You'll note the code is incomplete. This is a work in progress and doesn't work in its current iteration.

Next I wanted to examine a particular string, pick out each character in the string and run through a collection of functions (marginally related to the described process above). The test string is stored in $toke and the characters are separated and acted on in the for loop with the substr.

As dumb luck would have it, I decided to save the work before leaving and McAfee balked at a virus! Then it proceeded to delete my entire script! All I could do was to print out the changes and rebuild the rest from the test file generated by the script.

To narrow down the cause I C&P'd the code below into its own script. McAfee balked at it. I tried what tricks I knew to keep McAfee from getting rid of my file, but I kind of need this particular set of code to accomplish my goals. What exactly is triggering McAfee and how do I work around this?

Please keep in mind this is a work in progress and I haven't worked out all the bugs. It's also incomplete, such as under the elsif statement, and the construction of the %subs hash probably could be better written. I spotted at least three spots that should be looked at for potential bugs. Point is, this is the exact code McAfee balked at.

use strict;
use warnings;

my %keys;   # record hash keys; built in the setup section omitted from this post

my $toke = 'abcdefghijklmnopqrstuvwxyz';
# pick out each character of the test string in turn
for (my $i = 0; $i < length($toke); $i++) {
    print substr($toke, $i, 1);
}
&update;

#DBCODE START
#DBCODE END

#Source Code Maintenance START
#Update DB management source code
sub update {
    my $start = '#DBCODE START';
    my $end   = '#DBCODE END';
    my $trig  = 0;          # currently inside the marked block?
    my $se    = $start;     # marker currently being looked for
    my %subs;
    my %oldsubs = (misc => '');
    foreach (keys %keys) { $subs{$_} = '' }
    if (-f $0) {
        # read this script and write a new copy next to it (never over $0)
        open(FI, '<', $0)          or die 'Unable to open ' . $0;
        open(FO, '>', $0 . '.new') or die 'Unable to open ' . $0 . '.new';
        while (<FI>) {
            if (m/^$se/) {
                $trig = ($trig ? 0 : 1);
                $se   = $end;
                print FO;
            }
            elsif ($trig) {
                # incomplete: the stored and regenerated subs go here
            }
            else {
                print FO;
            }
        }
        close FI;
        close FO;
    }
}
#Source Code Maintenance END

On a side note. Altering McAfee's behavior is not possible. I have control over my laptop (from where I type this) but IT restricts what I can modify on the desktop. It took a lot of convincing to allow me to have Perl installed. Making any adjustments to McAfee's behavior is out of the question.

I can't really describe how much it irritates me McAfee thinks what I'm writing is a virus. I've already spent two days trying to play nice with McAfee. I'm so annoyed I'm tempted to burn a Live Disc and just work from that environment while I'm on the desktop. I'm not sure how I'm going to explain to my supervisor why my phone monitor isn't running though. :\

Re: McAfee False Positive
by Anonymous Monk on Apr 08, 2010 at 06:41 UTC
    What exactly is triggering McAfee and how do I work around this?

    Don't write self-modifying programs (in other words, don't act like a virus)

      The code doesn't actually modify itself yet. It generates a copy of itself during the process. In fact, because it's incomplete, it really just strips code out of itself.

      If I remove either the for loop or the maintenance block, McAfee lets it run. Combine the two and... well.

Re: McAfee False Positive
by Marshall (Canon) on Apr 08, 2010 at 07:14 UTC
    Not quite sure what you are trying to do, but in Perl, $0 normally means the name of the executing program,

    #!/usr/bin/perl
    use warnings;
    use strict;

    print "$0\n";
    __END__

    prints:
    C:\TEMP\
    If you try to open $0 for writing, this will cause some problems! Maybe you are trying to get the command line args to your program and there are ways to do that. Update: I recommend using "warnings" and "strict" as I have shown above.

      I want the name of the executing program. I'm trying to use the hash to generate skeleton functions for the hash itself. If you note I open two files. One is $0 to read itself and one is $ for the output.

      I removed an entire previous section that McAfee wasn't balking at. It contains program setup including hash construction and unrelated functions. Also included, but I completely forgot to include here are the strict and warnings. They're there, I just didn't include them here. Sorry about that.

Re: McAfee False Positive
by Jenda (Abbot) on Apr 08, 2010 at 09:58 UTC

    It would probably be enough to keep the generated code in a separate file and leave the main script alone. You can extract the whole section into which you intend to insert code into a file and then require() it in the main script. That way you do not have to modify the script itself and thus should not trigger the antivirus.

    Enoch was right!
    Enjoy the last years of Rome.

      That's kind of what I'm doing now, but I'll modify the code not to reference $0 and use some other name and see if that stops triggering McAfee. It's worth a looksee

        You can "read yourself" and write a new file with perhaps modified contents of yourself, but you cannot write over yourself. I am running McAfee and the below works.

        #!/usr/bin/perl -w
        use strict;

        my $path = $0;
        print "reading: $path\n";
        open (my $in,  '<', $path)       or die "cannot open $path";
        # the output file name was lost in extraction; a '.new' copy beside $0 is assumed here
        open (my $out, '>', "$path.new") or die "cannot open \"$path.new\"";
        while (<$in>) {
            print;           # echo each line to STDOUT
            print $out $_;   # and copy it into the new file
        }
        __END__

        from STDOUT:
        reading: C:\TEMP\
        (followed by a copy of the script above)

        from cat, i.e. type in Win lingo:
        C:\TEMP>cat
        (a copy of the script above)
Re: McAfee False Positive
by runrig (Abbot) on Apr 08, 2010 at 15:33 UTC
    What happens if you put an __END__ at the end of your program, do a seek(DATA, 0, 0) and read from the DATA filehandle instead of opening $0? E.g.:
    #!/usr/bin/perl
    use strict;
    use warnings;

    # DATA is positioned after __END__; rewinding it reads the whole script
    seek(DATA, 0, 0);
    while (<DATA>) {
        print;
    }
    __END__
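Putting Jenda's and runrig's suggestions together with the update procedure the original post describes, here is an added example (it is not the OP's script and not code from either reply). It reads its own source through the DATA handle instead of opening $0, finds the subs already defined between the OP's #DBCODE markers, and writes skeleton subs for any record key that has none into a separate file which it then require()s. The %record sample, the generated file name "$0.generated.pl" and the accessor-style skeleton body are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not the OP's script: generate skeleton subs for record keys
# that have no sub yet, write them to a SEPARATE file (Jenda's suggestion)
# and require() it, reading this script's own source through DATA
# (runrig's suggestion) so $0 is never opened, let alone written to.
use strict;
use warnings;
use File::Spec;

# Constructed sample record: one sub per key is expected, as in the OP's design.
my %record = (title => 'Perl Monks', author => 'SavannahLion', created => '2010-04-08');

# Collect the subs already defined between the #DBCODE markers of this file.
my %have;
seek(DATA, 0, 0) or die "cannot seek DATA: $!";
my $in_block = 0;
while (my $line = <DATA>) {
    if    ($line =~ /^#DBCODE START/) { $in_block = 1 }
    elsif ($line =~ /^#DBCODE END/)   { $in_block = 0 }
    elsif ($in_block && $line =~ /^\s*sub\s+(\w+)\b/) { $have{$1} = 1 }
}

# Subs in the block that no longer match a key (the OP's %oldsubs) are only reported here.
my @stale = sort grep { !exists $record{$_} } keys %have;
warn "unused subs in DBCODE block: @stale\n" if @stale;

# Skeletons for keys without a sub go into a generated file next to $0
# (assumed name "$0.generated.pl"), never back into the running script.
my $gen     = File::Spec->rel2abs("$0.generated.pl");
my @missing = sort grep { !$have{$_} } keys %record;
if (@missing) {
    open my $out, '>', $gen or die "cannot open $gen: $!";
    print {$out} "# generated by $0 - do not edit\nuse strict;\nuse warnings;\n";
    for my $key (@missing) {
        # key names become code: refuse anything that is not a plain identifier
        die "key '$key' is not a valid sub name\n" unless $key =~ /^[A-Za-z_]\w*\z/;
        print {$out} "sub $key { my (\$rec) = \@_; return \$rec->{$key} }\n";
    }
    print {$out} "1;\n";
    close $out or die "cannot close $gen: $!";
    require $gen;    # absolute path, so @INC is not consulted
}

# Every key now has a sub; look each one up by name and call it.
for my $key (sort keys %record) {
    my $code = main->can($key) or die "no sub for $key";
    print "$key => ", $code->(\%record), "\n";
}

#DBCODE START
sub title { my ($rec) = @_; return $rec->{title} }
#DBCODE END
__END__
```

Run it as a normal script; the first run creates the generated file with subs for author and created, and every run prints all three key/value pairs. Because the script only ever reads itself and writes a differently named file, it does the same job as the OP's update mode without the read-then-rewrite-$0 pattern that the replies above point to as the likely trigger. The identifier check before the print matters because hash keys are data that is being turned into source code.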
Re: McAfee False Positive
by Burak (Chaplain) on Apr 08, 2010 at 21:31 UTC
    For the record; I've not extended my McAfee subscription because I'm annoyed with their so-called "Artemis" technology(!) generating too many false positives, and the damned thing was slowing down my laptop. I'm now using Avast Home instead. So far, so good.