A new approach to resolve antivirus False Positives
Re: A new approach to resolve antivirus False Positives
I just wanted to throw this in here but for me just putting:
ShowConsole()
HideConsole()
Somewhere in the source code (far apart) fixes everything for Avast (even when never called). Also filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged. It's just the completely console-less / window-less and information-less application that virus scanners seem to hate a lot which is exactly what our temporary PureBasic executables are.
It's still annoying that just about every F5 gets flagged, though. However, this may help some.
Re: A new approach to resolve antivirus False Positives
Henry00 wrote:
> filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged

My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe won't work for another.
Re: A new approach to resolve antivirus False Positives
Embedding a digital signature in the app and in the installer does help with some AV. Still ridiculous that all the effort and expense is on our side because of poor quality on the AV developer's side.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Re: A new approach to resolve antivirus False Positives
Dude wrote:
> Henry00 wrote:
> > filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged
> My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe won't work for another.

Exactly. That's why it's so hard to automate it all.
Re: A new approach to resolve antivirus False Positives
heartbone wrote:
> Consider the strategy of complaining to the many magazine technical columnists and online tech bloggers, making sure a bcc: is sent to the financial officers of the offending AV company.
> firace wrote:
> > Like many of us, I am sick and tired of all those false positive antivirus detections. They have been impacting us for years, without much that we can do.
> Because you titled this thread as you did, it encouraged my thinking, which generated the following question.
> firace wrote:
> > Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
> Are you massaging the executable (by inserting NOPs and the like) to get past the AV detectors?

No, I'm not inserting any extra instructions, nor encrypting, packing, or otherwise obfuscating the existing code.
I'm achieving results mainly by working on the data sections (as surprising as that may be) and file and memory alignments. Finding an effective set of tricks was largely the result of a huge amount of trial and error, facilitated by a little fuzzer-like(*) tool that I wrote for this purpose. Each executable is a different case, which is why it is so hard to automate the whole process.
My goal is obviously not to help malware go undetected by AVs, but to help legit PB apps to avoid being flagged as malicious for no good reason (I'm thinking MemPad, ProcDOT, Chompston, and countless others.)
To address Didel's valid concerns, for each request, I could either deliver the ready-to-use clean executable, or a clear set of custom instructions so the modified executable can be directly built by you, thus removing issues of trust.
(*) https://www.owasp.org/index.php/Fuzzing
Re: A new approach to resolve antivirus False Positives
firace wrote:
> or a clear set of custom instructions so the modified executable can be directly built by you

Don't make us wait too long.
Re: A new approach to resolve antivirus False Positives
Dude wrote:
> firace wrote:
> > or a clear set of custom instructions so the modified executable can be directly built by you
> Don't make us wait too long.

I am ready to start!
I will give higher precedence to older user accounts, and freeware projects that already have public releases.
For such projects I will do it for free.
For commercial projects, I will charge a fee (probably close to my hourly rate, but to be discussed), only if you're happy with the result.
So far I've had a 95% success rate - meaning, eliminating all False Positives on VirusTotal.
(Remember, each executable is a different story and there is no single magic formula.)
I have enough time to help 1 or 2 users this week.
Whoever is interested, please post a description of your application, and a download link.
I will then contact you by PM.
Re: A new approach to resolve antivirus False Positives
Any news on this so we can do it ourselves?
Re: A new approach to resolve antivirus False Positives
Manuel wrote:
> Any news on this so we can do it ourselves?

Unfortunately I abandoned this project as I lost motivation.
Re: A new approach to resolve antivirus False Positives
firace wrote:
> Unfortunately I abandoned this project as I lost motivation.

That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".
Re: A new approach to resolve antivirus False Positives
Manuel wrote:
> firace wrote:
> > Unfortunately I abandoned this project as I lost motivation.
> That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".

I'll check if I still have my notes related to this, but don't hold your breath - it was a work in progress, way too messy, and most of it is probably obsolete now: AV engines have evolved quite a bit in the meantime, and VirusTotal also added new AVs that really don't like PB executables.
Re: A new approach to resolve antivirus False Positives
Hello there,
I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However I have found that most AVs will stop nagging when you use code signing for your executable.
I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
Those code signing certificates aren't cheap, though.
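The three build traits this thread keeps coming back to (a windowless GUI subsystem, an executable with no version-info resources, and no Authenticode signature) can all be read straight out of the PE header before a binary is ever uploaded anywhere. The following is an added example, not code from any poster or from PureBasic: a standard-library parser that reports those traits, plus a `build_stub_pe` helper that constructs header-only test images (constructed data, not real programs). Checking the resource data directory is a coarse proxy, since version info lives inside the resource tree rather than in its own directory.

```python
# Added example, not code from the thread: read the three PE header traits the posts
# tie to false positives (GUI-only subsystem, no resources, no signature), stdlib only.
import struct

SUBSYSTEM_GUI = 2                    # IMAGE_SUBSYSTEM_WINDOWS_GUI; 3 is a console app
DIR_RESOURCE, DIR_SECURITY = 2, 4    # data-directory indices from the PE spec


def inspect_pe(data: bytes) -> dict:
    """Header traits of a PE image; raises ValueError if it is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs_off = 108 if magic == 0x20B else 92   # PE32+ widens ImageBase and stack fields
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def dir_size(index):             # Size field of one data directory, 0 if absent
        if index >= ndirs:
            return 0
        return struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * index)[1]

    traits = {"gui_subsystem": subsystem == SUBSYSTEM_GUI,
              "has_resources": dir_size(DIR_RESOURCE) > 0,  # version info lives in the resource tree
              "signed": dir_size(DIR_SECURITY) > 0}         # Authenticode certificate table attached
    traits["notes"] = [msg for bad, msg in (
        (traits["gui_subsystem"], "GUI subsystem, no console window"),
        (not traits["has_resources"], "no resource directory, so no version-info block"),
        (not traits["signed"], "no Authenticode certificate table")) if bad]
    return traits


def build_stub_pe(subsystem=SUBSYSTEM_GUI, resources=False, signed=False, pe32plus=False):
    """Constructed test input: a header-only PE image, not a runnable program."""
    magic, ndirs_off = (0x20B, 108) if pe32plus else (0x10B, 92)
    opt = bytearray(ndirs_off + 4 + 8 * 16)                  # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, ndirs_off, 16)                # NumberOfRvaAndSizes
    if resources:
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_RESOURCE, 0x3000, 0x200)
    if signed:
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_SECURITY, 0x4000, 0x800)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real file, `inspect_pe(open(path, "rb").read())["notes"]` lists which of the three traits a build still exhibits; an empty list means a console-capable, resource-carrying, signed image.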
Re: A new approach to resolve antivirus False Positives
aaaaaaaargh wrote:
> Hello there,
> I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However I have found that most AVs will stop nagging when you use code signing for your executable.
> I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
> Those code signing certificates aren't cheap, though.

This system is the money-producing machinery of the AV companies. They hold parts of the companies selling the certificates.