A new approach to resolve antivirus False Positives

Henry00
User
Posts: 88
Joined: Thu Jul 12, 2012 7:00 pm
Location: Germany

Re: A new approach to resolve antivirus False Positives

Post by Henry00 »

I just wanted to throw this in here but for me just putting:

ShowConsole()
HideConsole()

Somewhere in the source code (far apart) fixes everything for Avast (even when never called). Also filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged. It's just the completely console-less / window-less and information-less application that virus scanners seem to hate a lot which is exactly what our temporary PureBasic executables are.

It's still annoying that just about every F5 gets flagged, though; however, this may help some.
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: A new approach to resolve antivirus False Positives

Post by Dude »

Henry00 wrote: filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged
My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe, won't work for another.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: A new approach to resolve antivirus False Positives

Post by IdeasVacuum »

Embedding a digital signature in the app and in the installer does help with some AV. Still ridiculous that all the effort and expense is on our side because of poor quality on the AV developer's side.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

Dude wrote:
Henry00 wrote: filling out every single information field in my executable (author, version, original filename etc.) stopped PBHGEN (windowless) from being flagged
My experience is the exact opposite of this. VirusTotal flagged my exe with 9 false positives, but removing ALL the information fields resulted in just 1 false positive. So, clearly what works for one exe, won't work for another.
Exactly. That's why it's so hard to automate it all.
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

heartbone wrote:
firace wrote: Like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
Consider the strategy of complaining to the many magazine technical columnists and online tech bloggers making sure a bcc: is sent to the financial officers of the offending AV company.
Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
Because you titled this thread as you did, it encouraged my thinking which generated the following question.
Are you massaging the executable (by inserting NOPs and the like) to get past the AV detectors?
No, I'm not inserting any extra instructions, nor encrypting, packing, or otherwise obfuscating the existing code.

I'm achieving results mainly by working on the data sections (as surprising as that may be) and file and memory alignments. Finding an effective set of tricks was largely the result of a huge amount of trial and error, facilitated by a little fuzzer-like(*) tool that I wrote for this purpose. Each executable is a different case, which is why it is so hard to automate the whole process.

My goal is obviously not to help malware go undetected by AVs, but to help legit PB apps to avoid being flagged as malicious for no good reason (I'm thinking MemPad, ProcDOT, Chompston, and countless others.)

To address Didel's valid concerns, for each request, I could either deliver the ready-to-use clean executable, or a clear set of custom instructions so the modified executable can be directly built by you, thus removing issues of trust.

(*) https://www.owasp.org/index.php/Fuzzing
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: A new approach to resolve antivirus False Positives

Post by Dude »

firace wrote: or a clear set of custom instructions so the modified executable can be directly built by you
Don't make us wait too long. :)
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

Dude wrote:
firace wrote: or a clear set of custom instructions so the modified executable can be directly built by you
Don't make us wait too long. :)
I am ready to start!

I will give higher precedence to older user accounts, and freeware projects that already have public releases.
For such projects I will do it for free.

For commercial projects, I will charge a fee (probably close to my hourly rate, but to be discussed), only if you're happy with the result.

So far I've had a 95% success rate - meaning, eliminating all False Positives on VirusTotal.
(Remember, each executable is a different story and there is no single magic formula.)

I have enough time to help 1 or 2 users this week.
Whoever is interested, please post a description of your application, and a download link.
I will then contact you by PM.
Manuel
User
Posts: 14
Joined: Thu Mar 02, 2017 11:15 pm
Location: Barcelona

Re: A new approach to resolve antivirus False Positives

Post by Manuel »

Any news on this so we can do it ourselves?
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

Manuel wrote: Any news on this so we can do it ourselves?
Unfortunately I abandoned this project as I lost motivation.
Manuel
User
Posts: 14
Joined: Thu Mar 02, 2017 11:15 pm
Location: Barcelona

Re: A new approach to resolve antivirus False Positives

Post by Manuel »

firace wrote: Unfortunately I abandoned this project as I lost motivation.
That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

Manuel wrote:
firace wrote: Unfortunately I abandoned this project as I lost motivation.
That's not good to hear. Want to tell us what you did, so we can learn and do it ourselves? "Teach a man a fish".
I'll check if I still have my notes related to this, but don't hold your breath - it was a work in progress, way too messy, and most of it probably obsolete now: AV engines have evolved quite a bit in the meantime, and VirusTotal also added new AVs that really don't like PB executables :(
aaaaaaaargh
User
Posts: 55
Joined: Thu Jul 27, 2006 1:24 pm

Re: A new approach to resolve antivirus False Positives

Post by aaaaaaaargh »

Hello there,
I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However, I have found that most AVs will stop nagging when you use code signing for your executable.
I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
Those code signing certificates aren't cheap, though. :-(
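A release-side check for the two things this thread keeps coming back to, the version-information fields Henry00 fills in and the code signature aaaaaaaargh describes. This is an added example, not code from any poster or from PureBasic. It reads a PE's headers with the Python standard library only: a non-empty security data directory means an Authenticode certificate table is attached, and an RT_VERSION entry at the root of the resource tree means a VERSIONINFO block is present. The function names (`inspect_pe`, `release_warnings`, `build_sample_pe`) and the minimal constructed PE32+ image are assumptions of this example; it reports presence, not validity, so it does not verify the signature chain.

```python
import struct

RT_VERSION = 16   # resource type id of VS_VERSIONINFO (author, version, original filename ...)
DIR_RESOURCE = 2  # IMAGE_DIRECTORY_ENTRY_RESOURCE
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def inspect_pe(data):
    """Return release-relevant facts about a PE image: signature, version info, subsystem, alignments."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+ (64-bit): data directories begin at offset 112
        dd_off = opt + 112
    elif magic == 0x10B:    # PE32 (32-bit): data directories begin at offset 96
        dd_off = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    def directory(index):   # (RVA or raw offset, size) of one data directory entry
        return struct.unpack_from("<II", data, dd_off + 8 * index)

    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # Authenticode: a non-empty security directory means a WIN_CERTIFICATE table is attached.
    _, cert_size = directory(DIR_SECURITY)

    # Version info: an RT_VERSION id entry at the root of the resource tree.
    has_version = False
    res_rva, res_size = directory(DIR_RESOURCE)
    if res_size:
        root = _rva_to_offset(res_rva, sections)
        named, ids = struct.unpack_from("<HH", data, root + 12)
        for i in range(named + ids):
            name_or_id, _ = struct.unpack_from("<II", data, root + 16 + 8 * i)
            if not name_or_id & 0x80000000 and name_or_id == RT_VERSION:
                has_version = True

    return {
        "signed": cert_size > 0,
        "has_version_info": has_version,
        "subsystem": {2: "GUI", 3: "console"}.get(subsystem, str(subsystem)),
        "section_alignment": section_align,
        "file_alignment": file_align,
    }


def release_warnings(info):
    """List what a release build is still missing, in the terms used in the thread."""
    warnings = []
    if not info["signed"]:
        warnings.append("no Authenticode signature: sign the executable (and the installer) before release")
    if not info["has_version_info"]:
        warnings.append("no VERSIONINFO resource: author, version and original filename fields are empty")
    return warnings


def build_sample_pe(signed=True, version_info=True):
    """Construct a minimal PE32+ image for the demo (constructed data, not a real or runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: "PE\0\0" follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, one section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 2)                             # Subsystem: Windows GUI (no console)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    if version_info:
        struct.pack_into("<II", opt, 112 + 8 * DIR_RESOURCE, 0x1000, 0x200)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x400, 0x100)
    rsrc_hdr = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + rsrc_hdr)
    image += bytes(0x200 - len(image))                             # pad headers up to the .rsrc raw data
    rsrc = bytearray(0x200)
    if version_info:
        struct.pack_into("<HH", rsrc, 12, 0, 1)                    # 0 named entries, 1 id entry
        struct.pack_into("<II", rsrc, 16, RT_VERSION, 0x80000018)  # RT_VERSION -> subdirectory
    image += rsrc
    if signed:
        image += bytes(0x100)                                      # stand-in for the certificate blob
    return bytes(image)
```

Run it on a real build with `inspect_pe(open(path, "rb").read())` as a pre-release gate; for validating the signature chain itself, use `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` on Windows, which this presence check does not replace.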
Bisonte
Addict
Posts: 1226
Joined: Tue Oct 09, 2007 2:15 am

Re: A new approach to resolve antivirus False Positives

Post by Bisonte »

aaaaaaaargh wrote: Hello there,
I've had a lot of problems with false positives in the past, especially when using executable compressors and license systems. However, I have found that most AVs will stop nagging when you use code signing for your executable.
I got programs from 16 / 61 to just 2 / 61 hits on virustotal.com by using code signing while still enjoying the benefits of a software protection / licensing system.
Those code signing certificates aren't cheap, though. :-(
This system is the money-producing machinery of the AV companies. ;) They hold parts of these companies, selling the certificates.
PureBasic 6.04 LTS (Windows x86/x64) | Windows10 Pro x64 | Asus TUF X570 Gaming Plus | R9 5900X | 64GB RAM | GeForce RTX 3080 TI iChill X4 | HAF XF Evo | built by vannicom
English is not my native language... (I often use DeepL to translate my texts.)