Topic: foo_midi

Re: foo_midi

Reply #200
Having an issue configuring loop settings. In previous versions of foo_midi, I configured the component to play indefinitely but only when loop info is detected in the MIDI file. However, with newer foo_midi versions, I can't seem to replicate this, and the play indefinitely option seems to play all MIDI files forever rather than just files with loop info.


Re: foo_midi

Reply #202
Absolutely bullshit. Half of those files haven't even changed since the last time I updated, and they're still setting it off now.

I'm dying to see these files from before January 28th that somehow magically don't set off any scanners. Files containing modules that currently set off the scanner. Files that haven't changed in six or more months, and have verifiable PGP signatures.

Spent hours doing a rebuild, now it only sets off one major scanner. This scanner only accepts reports of false positive or negative from their customers, damn. Anyone want to help out?

Re: foo_midi

Reply #203
Sorry for the problems. :(

I would never fathom that you would do something malicious, but sites can get hijacked and links get swapped out for fake ones, etc.

But thanks for looking into it and fixing it up/clarifying, I can sleep a little easier now. (Not that you really fixed anything, AVs are still random BS special snowflakes, lol, they probably all just copy each other's "homework", change it a little and go, yup looks good, so if one says BAD!, a ton will too...)

Sorta off-topic now, but for whatever reason foobar2000.org is still not HTTPS in 2020, has Peter given any reason why it is the way it is? Can he not change it to HTTPS?


Re: foo_midi

Reply #204
I don't control foobar2000.org completely. It's HTTPS, but the HTTP doesn't force redirect to HTTPS, except on certain admin paths. I should bug Peter to change that, since he's really the one in charge of that server.

Re: foo_midi

Reply #205
New Secret Sauce hashes. It appears that the trial version on Roland's website is now at version 1.06.
1.06 32-bit: 6588E6AA17A57BA874E8B675114214F0.
1.06 64-bit: 6ABFBF61869FC436D76C93D1BC7E2735.

Re: foo_midi

Reply #206
Got your email. Your files will need meta indicators on the duplicate channel tracks.

It will need either:

Meta 4 or 9 on all tracks, with different device/port strings for each port track that is on the same channel. It doesn't really matter what the strings are, as it will simply detect two overlapping channels with different strings between the two (or three).

Or.

Meta 0x21, with the number of a port, on each channel track. The number needs to be different between different tracks that are on the same channel and need to go to different ports.

Currently, my code just detects unique instances of a name or number on a given channel. It "makes sense" to make them just port 0 for port 0, 1 for port 1, in that order. But I've seen files that have unique identifiers across the entire file, so I had to just dedup instead.

Oh, and I don't properly handle SysEx message splitting, so you'll need to do that yourself. Port 0 sysex will be sent to all three virtual ports, while port 1 and 2 will be sent to only their virtual ports.
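
The per-channel dedup described in Reply #206, as an added sketch that is not kode54's code: the n-th distinct port indicator seen on a channel becomes virtual port n, so the raw numbers or strings can be anything. The track dictionaries, the function names, and the handling of untagged tracks are assumptions of this example.

```python
from collections import defaultdict

# Standard MIDI File meta event types named in the post.
META_INSTRUMENT_NAME = 0x04
META_DEVICE_NAME = 0x09
META_MIDI_PORT = 0x21


def track_identifier(meta_events):
    """Return the first port indicator found on a track, or None."""
    for kind, data in meta_events:
        if kind == META_MIDI_PORT and data:
            return ("port", data[0])
        if kind in (META_INSTRUMENT_NAME, META_DEVICE_NAME):
            return ("name", bytes(data))
    return None


def assign_ports(tracks):
    """Give each track a virtual port index by deduplicating per channel.

    The n-th distinct identifier seen on a channel maps to port n, so the
    raw values do not need to be 0, 1, 2 or unique per file. Untagged
    tracks (None) count as one identifier; that choice is this sketch's.
    """
    seen = defaultdict(list)  # channel -> identifiers in first-seen order
    ports = []
    for track in tracks:
        ident = track_identifier(track["meta"])
        port = 0
        for channel in sorted(track["channels"]):
            if ident not in seen[channel]:
                seen[channel].append(ident)
            port = max(port, seen[channel].index(ident))
        ports.append(port)
    return ports


# Constructed sample: three tracks share channel 9 and carry arbitrary port
# numbers; a fourth track on channel 0 reuses one of those numbers.
SAMPLE_TRACKS = [
    {"channels": {9}, "meta": [(META_MIDI_PORT, b"\x05")]},
    {"channels": {9}, "meta": [(META_MIDI_PORT, b"\x11")]},
    {"channels": {9}, "meta": [(META_MIDI_PORT, b"\x2a")]},
    {"channels": {0}, "meta": [(META_MIDI_PORT, b"\x2a")]},
]

if __name__ == "__main__":
    print(assign_ports(SAMPLE_TRACKS))
```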

Re: foo_midi

Reply #207
Any comment on this alarming number of "malware" detections from the recent midi plugin uploads? Like I get false positives, but with this many different sources, you never know if something might be afoot...

https://www.reddit.com/r/foobar2000/comments/f3qzq8/foobar2000_midi_component_2214_20200202_malware/


I got the same virus/trojan warning when I updated foo_midi today. Avast flagged vsthost32.exe. Virustotal says that 18 different scanners identify it as carrying a trojan. Attached is a screen grab.

This is vsthost32.exe version 1.0.0.12, dated 2/16/2020.

Where can I get the previous version of foo_midi until this is resolved?

Re: foo_midi

Reply #208
Virustotal also finds funny business in file scpipe32.dll (screengrab attached.) I submitted all other exe and dll files, but these are the only two that were flagged.

Re: foo_midi

Reply #209
false positives... I updated and haven't had any issues.... of course I do not bother with the insanity that is anti-virus... I just keep my PC locked down hard.. with top of the line firewall etc...

 

Re: foo_midi

Reply #210
False positives. Please report them to your antivirus vendors as such. Previous versions are not retained anywhere, and it wouldn't matter anyway, because they're not specially whitelisted, either. You'll find versions from a year ago are now setting off "all new" detections for viruses that have just been invented.

Anyone want to pay me $500 for one year worth of automatic whitelist, the technology known as code signing?

Re: foo_midi

Reply #211
false positives... I updated and haven't had any issues.... of course I do not bother with the insanity that is anti-virus... I just keep my PC locked down hard.. with top of the line firewall etc...

That strikes me as false bravado. The fact that you have allowed a program to update itself means that your computer is not really "locked down" - you have permitted outside files onto the local computer, and you have no practical way of knowing what those files are doing. Anti-virus is flawed, but unless you can view and fully understand the source code, you have little else to rely on. A positive alarm may not be a definitive last word, but it seems to me to be a valid reason to find out why the alarm was sounded.

Re: foo_midi

Reply #212
False positives. Please report them to your antivirus vendors as such. Previous versions are not retained anywhere, and it wouldn't matter anyway, because they're not specially whitelisted, either. You'll find versions from a year ago are now setting off "all new" detections for viruses that have just been invented.

My previous version didn't set off any alarms, and I do full scans every once in a while. So, why did this one set it off? And 18 scanners suddenly going off seems like more than mere coincidence.

For example, I have a backup of the complete foo_midi component dated 11/27/17 (ver 1.0.0.11), and it scans clean with Avast (local) and Virustotal online. I also found another version of 1.0.0.11 from a 1/3/2018 update, and it doesn't ring any Avast or Virustotal alarms, either. It's only the 1.0.0.12 version.

Re: foo_midi

Reply #213
Upload your file here, then. I'll make it my official version for now until forever, since I obviously can't use a clean virtual machine to develop any more, without "introducing" "viruses" into the mix.

The last two people who made this claim never bothered to upload their file to me. Maybe you'll be different?

E: Also, make your own VirusTotal upload and link to it here. That way, nobody can claim I "infected" "your" file in the process of uploading it.

Re: foo_midi

Reply #214
Upload your file here, then. I'll make it my official version for now until forever, since I obviously can't use a clean virtual machine to develop any more, without "introducing" "viruses" into the mix.

The last two people who made this claim never bothered to upload their file to me. Maybe you'll be different?

E: Also, make your own VirusTotal upload and link to it here. That way, nobody can claim I "infected" "your" file in the process of uploading it.

OK. But it's not my claim, it's Ad-Aware, ALYac, Arcabit, Avast, AVG, BitDefender, Cyren, eScan, F-Prot, FireEye, GData, MAX, Sangfor Engine Zero, and TrendMicro-HouseCall's claim. And since two people here have noticed the issue, there are sure to be plenty more people out there who just haven't reported it.

Attached is foo_midi-files.zip, which has these files in it. They are renamed so as to not be easily executable. The first one is reported to be clean. The other two may not be. The newest files are from a freshly downloaded copy of foo_midi.fb2k-component.

vsthost32.exe (ver 1.0.0.1)

https://www.virustotal.com/gui/file/bddb907d7b44ffa942b34cf4311160e0f70f2f45c12bc71c4c662e303f061911/detection

scpipe32.exe (ver 1.0.0.1)

https://www.virustotal.com/gui/file/b39c95d47a270b3f3c629188e48fa878474d369b2f6ab79bc9e87be22a8771d0/detection

vsthost32.exe (ver 1.0.0.2)

https://www.virustotal.com/gui/file/aee2b9707836a4696fe0c0d6c32f2a398b29ec70b257c1df604959eb24410f3a/detection

I've downgraded foo_midi to the 2017 version until this is resolved.

edit: Attachment removed per request of poster.
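
An added example, not code from any poster in this thread: because the attached files were renamed, the reliable way to tie a local file to one of the VirusTotal reports linked above is its content hash, since the report URL carries the file's SHA-256. The URLs and labels are the ones posted in Reply #214; the function names and the directory argument are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Report URLs as posted in the thread, keyed by the poster's labels.
REPORTS = {
    "vsthost32.exe (ver 1.0.0.1)": "https://www.virustotal.com/gui/file/"
    "bddb907d7b44ffa942b34cf4311160e0f70f2f45c12bc71c4c662e303f061911/detection",
    "scpipe32.exe (ver 1.0.0.1)": "https://www.virustotal.com/gui/file/"
    "b39c95d47a270b3f3c629188e48fa878474d369b2f6ab79bc9e87be22a8771d0/detection",
    "vsthost32.exe (ver 1.0.0.2)": "https://www.virustotal.com/gui/file/"
    "aee2b9707836a4696fe0c0d6c32f2a398b29ec70b257c1df604959eb24410f3a/detection",
}
VT_RE = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})(?:/|$)")


def report_sha256(url):
    """Extract the SHA-256 that a VirusTotal file-report URL refers to."""
    match = VT_RE.search(url)
    if not match:
        raise ValueError(f"no SHA-256 found in {url!r}")
    return match.group(1).lower()


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_reports(directory, reports=REPORTS):
    """Map each file name in `directory` to the report label whose hash it
    matches, or None. File names are ignored; only content decides."""
    by_hash = {report_sha256(url): label for label, url in reports.items()}
    return {
        path.name: by_hash.get(file_sha256(path))
        for path in sorted(Path(directory).iterdir())
        if path.is_file()
    }
```

A file that maps to None is not the binary any of the linked reports describes, so those detection results say nothing about it.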

Re: foo_midi

Reply #215
Fine. I'm pulling all binaries for my components. You fuckers can compile your own goddamn shit.

E: Here, have a VirusTotal entry on what would have been an update to foo_midi. See, one engine, based on a stupid AI, finds it "Malicious". Chances are, because of that, it's been submitted to all the other vendors for flagging as malicious as well, and it will have 17+ engines detecting it in short order. I'm done with this shit.

Re: foo_midi

Reply #216
Upload your file here, then. I'll make it my official version for now until forever, since I obviously can't use a clean virtual machine to develop any more, without "introducing" "viruses" into the mix.

The last two people who made this claim never bothered to upload their file to me. Maybe you'll be different?

E: Also, make your own VirusTotal upload and link to it here. That way, nobody can claim I "infected" "your" file in the process of uploading it.

OK. But it's not my claim, it's Ad-Aware, ALYac, Arcabit, Avast, AVG, BitDefender, Cyren, eScan, F-Prot, FireEye, GData, MAX, Sangfor Engine Zero, and TrendMicro-HouseCall's claim. And since two people here have noticed the issue, there are sure to be plenty more people out there who just haven't reported it.

Attached is foo_midi-files.zip, which has these files in it. They are renamed so as to not be easily executable. The first one is reported to be clean. The other two may not be. The newest files are from a freshly downloaded copy of foo_midi.fb2k-component.

vsthost32.exe (ver 1.0.0.1)

https://www.virustotal.com/gui/file/bddb907d7b44ffa942b34cf4311160e0f70f2f45c12bc71c4c662e303f061911/detection

scpipe32.exe (ver 1.0.0.1)

https://www.virustotal.com/gui/file/b39c95d47a270b3f3c629188e48fa878474d369b2f6ab79bc9e87be22a8771d0/detection

vsthost32.exe (ver 1.0.0.2)

https://www.virustotal.com/gui/file/aee2b9707836a4696fe0c0d6c32f2a398b29ec70b257c1df604959eb24410f3a/detection

I've downgraded foo_midi to the 2017 version until this is resolved.

You ought to be banned.
¡Se habla español! Also available in purple and orange.

Re: foo_midi

Reply #217
Fine. I'm pulling all binaries for my components. You fuckers can compile your own goddamn shit.

E: Here, have a VirusTotal entry on what would have been an update to foo_midi. See, one engine, based on a stupid AI, finds it "Malicious". Chances are, because of that, it's been submitted to all the other vendors for flagging as malicious as well, and it will have 17+ engines detecting it in short order. I'm done with this shit.

I warned you many times that the AV business is a protection cartel.


Re: foo_midi

Reply #219
Wow @rednoise all the way back to 2017 for a component that frequently sees several updates in a single month? Really? You're a total asshole, no developer at all likes that shit.

Re: foo_midi

Reply #220
You ought to be banned.

If you mean because I uploaded a potentially infected file, you're right. That was a very bad idea. I was just trying to cooperate with the developer. I don't see how to edit or delete my post, so I'll report it myself.

kode54, if you still want the files, I'm happy to send them to you. Please don't take this personally. Nobody is claiming you intentionally infected any files. Nobody is even claiming the files are definitely infected. The only claim is that something about them is setting off alarms in multiple virus scanning engines from different companies. Seems to me it would be a good thing to know exactly why. You're liable to get more people questioning it as time goes by.

Re: foo_midi

Reply #221
Wow @rednoise all the way back to 2017 for a component that frequently sees several updates in a single month? Really? You're a total asshole, no developer at all likes that shit.

It's the most recent one I have besides the latest, and the developer says no others are available.

Re: foo_midi

Reply #222
You are implying that someone, who is well acknowledged in the HA community as a developer, would willingly infect their own files.

Why would they do that?

AVs are a complete black box, and if you read the source code, you will see it's entirely illogical to infect their own files.


EDIT: I'll use one of my own examples. I wrote an executable compressor. Apparently, anything other than UPX is "bad".

https://www.virustotal.com/gui/file/7aa8c756af59955d12d77788b3b5963add9416d2c220649c8813cb9facc95377/detection

That shows how broken the AV system is. AVs rely on signatures "only". There is no deeper analysis involved. At all.

Re: foo_midi

Reply #223
I said I don't have old binaries. I have the old source code, it's a versioned repository going back at least a decade. Going back to old source and building it again with a new compiler will just result in more false positives. Hell, I'd be willing to bet that rebuilding it with a 2017 compiler will have the same problem, just from having a file build timestamp from this year.

Did I forget to mention that all of the source code is entirely public?

Re: foo_midi

Reply #224
You are implying that someone, who is well acknowledged in the HA community as a developer, would willingly infect their own files.

No, I am not. Please read my post more closely.