
Quote from leopold on October 8, 2022, 8:44 pm
Colleagues, through the analyzer virustotal.com I was able to establish that any application compiled in VisualNeoWin is seen in a network connection to one or more of these addresses:
13.107.*.*:80 (TCP) United States Microsoft Corporation
20.99.*.*:443 (TCP) United States Microsoft Corporation
23.216.147.*:443 (TCP) United States Akamai Technologies, Inc.
In other words, there is always a "drummer" inside your program.


Quote from fkapnist on October 8, 2022, 9:43 pm
Windows detects program crashes and sends error reports to Microsoft.
Akamai is probably the parent CloudNEO Hosting Website.
....
neoEdge.exe once displayed some strange rectangles on my PC.
It has been updated since then and the rectangles are gone,
but I wonder if some antivirus software may interpret it as monitoring users' online activities without their knowledge?

Quote from Darbdenral on October 8, 2022, 10:52 pm
I believe that the IP address belongs to Akamai, which is a company Microsoft uses to manage traffic to their servers. Maybe something crashed on their server during all their tests, so error reporting maybe catches it and their Windows server sends a report to Microsoft? Just a guess...

Quote from Vadim on October 9, 2022, 9:25 am
@leopold
Hi! Apparently this happens not only with VisualNEO Win projects, because I compile NeoCommands in NeoBook (due to the fact that the new version of VisualNEO Win displays tips for hotkeys in the main application menu in German, and I need it in English).

Quote from luishp on October 11, 2022, 4:39 pm
I can confirm VisualNEO compiled programs are not doing any kind of connections to any remote host.
I think it's probably Windows itself checking whatever...

Quote from leopold on October 11, 2022, 6:23 pm
@luishp
I think it's not Windows, but one of the modules on which VisualNEO is based.
I checked it with other known programs and no network activity is registered in them.
This is easy to check with the service https://www.virustotal.com/gui/home/upload

Quote from fkapnist on October 11, 2022, 8:13 pm
VirusTotal is interesting but it seems that almost everything gets flagged!
I tested the "Cool Calculator" exe sample of VisualNEO Web and it found (4)
Freebasic (0)
Lazarus (0)
pdScript (1)
Purebasic (5)
thinBasic (8)
AutoIt (6)
Only the executables compiled in Freebasic and Lazarus were "clean."


Quote from leopold on October 12, 2022, 7:27 am
@fkapnist
You are talking about virus detection,
but the original topic was about the network behavior of programs.
Or did I misunderstand you?

Quote from fkapnist on October 12, 2022, 7:34 am
    Quote from leopold on October 12, 2022, 7:27 am
    @fkapnist
    You are talking about virus detection,
    and the original topic was about the network behavior of programs.
    Or did I misunderstand you?
Neither Neobook nor VisualNEO Win showed any network activity in my scans.

Quote from fkapnist on October 12, 2022, 4:19 pm
I compiled a simple executable (an alertbox) both with Neobook5 and with VisualNeo Win.
Here are the results from VirusTotal:
---
exe compiled with Neobook.exe (found 2 virus alerts)
1. Jiangmin -- Trojan.Qhost.fd
2. MaxSecure -- Trojan.Malware.300983.susgen
No Network Communication
---
exe compiled with VisualNEOWin.exe (found 3 viruses)
1. MaxSecure -- Trojan.Malware.300983.susgen
2. SecureAge -- Malicious
3. Zillya -- Adware.Generic.Win32.173390
Network Communication
IP Traffic
Contacted IP Addresses (1)
IP Detections Autonomous System Country
20.99.184.37 0/ 95 8075 US
---
When I added a WebBrowser Object to VisualNEO Win, the IP traffic apparently increased:
Network Communication
IP Traffic
192.168.0.1:137 (UDP)
20.99.184.37:443 (TCP)
23.216.147.76:443 (TCP)
---
@leopold
So, it seems that VisualNeoWin does contact an IP address, but Neobook5 did not.
Thanks for the info.

Quote from luishp on October 14, 2022, 2:12 pm
This is quite strange. I'm sure there is not any connection to any host from VisualNEO Win source code.
In fact VisualNEO Win and NeoBook source code are almost the same.
The given IPs seem to be owned by Microsoft.

Quote from fkapnist on October 14, 2022, 4:22 pm
    Quote from luishp on October 14, 2022, 2:12 pm
    This is quite strange. I'm sure there is not any connection to any host from VisualNEO Win source code.
    In fact VisualNEO Win and NeoBook source code are almost the same.
    The given IPs seem to be owned by Microsoft.
Neobook and VisualNEO Win have different registration methods.
Neobook has only one Key.
VisualNEO Win has a different Key for each installation. Maybe it uses a script to validate registration online?

Quote from Nickj_UK on February 12, 2025, 12:43 am
I know this is an old thread, but typically any application that is obfuscated and packed is likely to flag a false positive. If there is too much entropy (the code is complex and 'disordered'), it looks like encryption and is likely to flag a false positive; if the code signing step is slightly wrong, it will flag a false positive.
Essentially, the heuristics used don't look for 'cars', they look for parts of cars, so if it sees a hub cap it assumes the car is hidden in the obfuscation or packing. If the hub cap resembles in any way the type used on a known model of car, it will flag that the specific model of car is there.
Some AV engines just scan the first 4kb, some scan all of the file, so any file that has a section of code used in any previously encountered virus, or a section that is similar, can trigger a false positive.
Using a web browser will often have a call to 192.168.0.1:137; its common use is the gateway for your router.
The other two are most likely related to the use of TNetHTTPClient, so it uses the host system-provided HTTP APIs like WinInet or WinHTTP on Windows.
So the addresses given are normal behaviour when you use MS Edge.
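
The entropy point from the last post, worked through as an added example (not part of the thread, and not any AV engine's actual logic): the script scores a constructed file in 4 KB windows, so a scan of only the first window sees an ordinary stub while a full-file scan flags the compressed body. The 7.0 bits/byte threshold, the sample contents and all function names are assumptions for illustration.

```python
import math
import random
import zlib
from collections import Counter

WINDOW = 4096      # 4 KB windows, the size of the "first 4kb" scan mentioned above
THRESHOLD = 7.0    # bits per byte; assumed cut-off, real engines tune their own

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def window_entropies(blob: bytes, window: int = WINDOW):
    """(offset, entropy) for each consecutive window of the file."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]

def suspicious_windows(blob: bytes, threshold: float = THRESHOLD):
    """Offsets of windows whose entropy is at or above the threshold."""
    return [off for off, h in window_entropies(blob) if h >= threshold]

def build_sample() -> bytes:
    """Constructed stand-in for a packed program: plain stub + compressed body."""
    line = b"push ebp; mov ebp, esp; call init; ret\n"
    stub = (b"MZ" + b"\x00" * 62 + line * 200)[:WINDOW]
    rng = random.Random(2022)  # fixed seed so the sample is reproducible
    words = ["alert", "button", "window", "script",
             "string", "object", "value", "caption"]
    text = " ".join(rng.choice(words) for _ in range(60000)).encode()
    packed = zlib.compress(text, 9)[:2 * WINDOW]  # keep two full windows
    return stub + packed

if __name__ == "__main__":
    sample = build_sample()
    for off, h in window_entropies(sample):
        flag = "HIGH" if h >= THRESHOLD else "ok"
        print(f"offset {off:>6}: {h:.2f} bits/byte  {flag}")
    print("first-4KB-only scan flags:", suspicious_windows(sample[:WINDOW]))
    print("full-file scan flags:     ", suspicious_windows(sample))
```

The compressed body is harmless text, yet it scores as high as ciphertext would, which is why this heuristic alone produces false positives on packed installers and runtimes.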