#ifdef 12 Posted 16 hours ago

Do you remember that show last summer? 😶 Well. These same guys recently launched their own "VirusTotal" analog and, obviously, their new service is very stupid and dangerous too:

But I suppose it's gaining popularity and/or is being actively promoted, because recently some clients (suffering from a special form of paranoia) started complaining: "VirusTotal" and "Hybrid Analysis" have started marking my signed (say "Hi" to CrowdStrike!) app as malicious:

As you can see, the problem is specifically with the "wine_get_version" string, which Delphi for some reason includes even in a completely empty EXE (to verify, you can create a new empty "VCL, 32-bit, Release" project without a single line of code):

Of course I reported this to CrowdStrike, but these guys definitely know how to make a problem out of nothing:

So... Any ideas why Delphi does this, and how to avoid it? I don't need the "IsWine" check from SysInit.pas, but I can't figure out how to disable it:

Yes, I know this string can be fixed in HEX, but I need a more reliable solution; I don't want to patch each of my files every release 🥲
DelphiUdIT 200 Posted 14 hours ago

This is a method to detect if it's running under Wine emulation. Look at this: https://stackoverflow.com/questions/27413641/how-to-detect-if-delphi-program-runs-in-playonmac
Remy Lebeau 1459 Posted 12 hours ago (edited)

The RTL looks for Wine as part of its check to know whether it can use the Win32 API to access TLS (thread local storage) data, instead of using direct access to the GS register.

Edited 12 hours ago by Remy Lebeau
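As an added example (not from the thread, and not Delphi's RTL code), a small Python checker that locates the "wine_get_version" marker in a built EXE and reports which PE section carries it, so a developer can confirm whether a given release still contains the string before handing it to a scanner. The tiny PE layout it builds for a self-test is constructed input, not a real executable.

```python
"""Locate the "wine_get_version" marker in a PE file and report its section."""
import struct

MARKER = b"wine_get_version"


def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for each section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, raw_ptr, raw_size


def find_marker(data: bytes):
    """Return [(file_offset, section_name)] for every occurrence of MARKER."""
    sections = list(pe_sections(data))
    hits, start = [], 0
    while (off := data.find(MARKER, start)) >= 0:
        owner = next((n for n, p, s in sections if p <= off < p + s), "<outside sections>")
        hits.append((off, owner))
        start = off + 1
    return hits


def build_sample() -> bytes:
    """Constructed, non-runnable PE skeleton with the marker inside .rdata (test input only)."""
    body = b"\0" * 16 + MARKER + b"\0" * 16
    raw_ptr = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, 1 section, no optional header
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(body), 0x2000, len(body), raw_ptr)
    return (dos + b"PE\0\0" + coff + sect).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, sec in find_marker(blob):
        print(f"{MARKER.decode()} at 0x{off:X} in {sec}")
```

Run it against a release EXE (`python check.py MyApp.exe`) to see whether the string survived the build; with no argument it checks its own constructed sample.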
#ifdef 12 Posted 5 hours ago (edited)

Ok, thank you. And how can I permanently remove the "wine_get_version" string from my EXE? Because with this string CrowdStrike considers my EXE "malicious":

... but without this string (when I remove it in a HEX editor) it's just "suspicious".

I suspect that CrowdStrike has been reading others' blogs and set up a simple trigger for this string, thus shifting this burden from their head to mine, because Delphi adds this string to all EXEs by default 😞

Right now I'm patching each file, but what if I want to get rid of the string and also not have to patch the file each time?

Edited 5 hours ago by #ifdef
David Heffernan 2357 Posted 2 hours ago

I personally want my program to run on Wine. Seems like CrowdStrike is the problem. Do you sign your executables?
Remy Lebeau 1459 Posted 2 hours ago

3 hours ago, #ifdef said: And how can I permanently remove the "wine_get_version" string from my EXE?

You can't, without patching the EXE or recompiling the RTL. Nor should you be doing so. You should be complaining to CrowdStrike instead. And code-signing your EXE.
#ifdef 12 Posted 1 hour ago (edited)

Of course, my code is signed:

And it has always been signed:

And yes, I contacted CrowdStrike. Everything is useless, that's why I'm here. For the guys at CrowdStrike it doesn't matter how exactly the "wine_get_version" string is used — they hate the very fact of its presence, so by default they consider any executable file containing it to be "malicious". This is the root of the problem, but they don't see any problem with this approach and therefore have no intention of fixing it; they're completely fine with it 😑

Edited 1 hour ago by #ifdef
David Heffernan 2357 Posted 1 hour ago

What actual problem does this cause? How does this affect what you do?
#ifdef 12 Posted 41 minutes ago

Clients have a system for selecting the software they use: according to the rules and regulations, at the selection stage they are forced to give priority to software that is impeccable in terms of security. When selecting, they do not figure out whether the software is actually dangerous or not; the verdict of competent and proven online services is enough for them. If the online services unanimously recognize the file as safe, the software goes to the next stage, and so on. It's like face control 🙂

These are their rules; I cannot change them. All that is required of me is simply to comply with them and provide code that 100% passes any security checks.

As is:

Should be:
#ifdef 12 Posted 34 minutes ago (edited)

In fact, the problem is idiotic, and it should not exist at all: CrowdStrike cannot even prove their false accusations (I asked what kind of danger this "wine_get_version" string carries and how exactly my application exploits it, but they, of course, ignored all my questions), but customers do not need any evidence from me — software from other providers successfully passes all checks, and my software is considered dangerous, and this is enough for any bureaucratic machine.

I would never trust a heuristic that considers a file version to be an IPv4 address, and moreover — considers "0.0.0.0" to be a valid IPv4 address:

But "the customer is always right" 🥲

Edited 27 minutes ago by #ifdef