A new approach to resolve antivirus False Positives

firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

A new approach to resolve antivirus False Positives

Post by firace »

Like many of us, I am sick and tired of all those false positive antivirus detections. They have been impacting us for years, without much that we can do.
If you use PB in a professional context, this issue can even hurt your reputation and software sales (customers can easily get scared of installing something that their AV claims is malware.)

In addition to featuring really stupid scanning engines, some of those antivirus vendors are absolutely terrible at responding to false positive reports. Some of them do not even offer the slightest acknowledgment or response to submissions (and believe me, I've contacted some of them repeatedly).

I've been so upset with this situation that a few months ago, I decided to take a new approach: I have started working on a tool that aims to modify a Windows program such that no false positive detections get triggered, while leaving the program logic absolutely 100% intact. I also want to achieve this even without having access to the source code of the impacted programs.

Now this is quite a complex (and at times frustrating) undertaking, and I've already spent many, many hours working on this (much more time than I can afford to spend, actually!). BUT, the good news is that I've been getting pretty satisfying results in my testing so far (from 12/57 to 0/57 false detections on VirusTotal in some cases).

However, my application is nowhere near polished enough to be released at this stage, but while I'm developing and testing it, if some of you would like me to try it on a test PB executable of yours (not larger than 1 MB, please), I'd be pleased to do so.

Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
Last edited by firace on Mon Mar 16, 2015 10:47 pm, edited 1 time in total.
marc_256
Enthusiast
Posts: 742
Joined: Thu May 06, 2010 10:16 am
Location: Belgium

Re: A new approach to resolve antivirus False Positives

Post by marc_256 »

firace wrote: OK, like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
If you use PB in a professional context, this issue can even hurt your reputation and software sales (customers can easily get scared of installing something that their AV claims is malware.)
Yes, you are 100% right, I have the same problem using PB.
It is nice hearing about your solution ...
very nice

I even will pay you for a working solution.

Marc,
- every professional was once an amateur - greetings from Pajottenland - Belgium -
PS: sorry for my English, I speak Flemish ...
Thorium
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: A new approach to resolve antivirus False Positives

Post by Thorium »

Interesting idea.
I guess it's some kind of executable packer/encrypter.
Also it's not a PB-specific problem. It would be useful for every home-made executable, no matter the compiler. I even often get false positives with VB.Net.

Would like to give it a try.
Unfortunately it will be added to the detections as soon as someone uses it for real malware.
jassing
Addict
Posts: 1745
Joined: Wed Feb 17, 2010 12:00 am

Re: A new approach to resolve antivirus False Positives

Post by jassing »

I remember when UPX packed binaries weren't flagged as a virus... But then people started writing scrupulous code, hiding it by upx'ing it..
The minute someone "hides" the actual code by encrypt/pack, someone will abuse it, and then all files will get flagged as "possibly a virus" .. it's a cycle.
But, FWIW, it's not just PB - I've seen at least a dozen other compilers get flagged; including one VC compiled program...
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

Interesting replies!

Unfortunately I don't have much time to post these days, but just to show a little practical example of my progress:

Simply compiling the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic

Produces this sad result:
[image]


After processing it, things now look much better fortunately:
[image]


I'm REALLY tired now, so am off now and will come back later this week. I will also certainly consider all the interesting feedback in this thread.
bbanelli
Enthusiast
Posts: 543
Joined: Tue May 28, 2013 10:51 pm
Location: Europe

Re: A new approach to resolve antivirus False Positives

Post by bbanelli »

firace wrote: Simply compiling the the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic
Quite interesting; except for CMC and TotalDefense, which are usually the ones returning clear results on hardcore viruses detected by the other 50 AV programs in VirusTotal :D but always report false positives from PB code, by compiling this particular code in 5.31 x86 I didn't get any of the other results you've got.
"If you lie to the compiler, it will get its revenge."
Henry Spencer
https://www.pci-z.com/
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

bbanelli wrote:
firace wrote: Simply compiling the the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic
Quite interesting; except for CMC and TotalDefense, which are usually the ones returning clear results on hardcore viruses detected by the other 50 AV programs in VirusTotal :D but always report false positives from PB code, by compiling this particular code in 5.31 x86 I didn't get any of the other results you've got.
I've been using 5.30 x86 Demo. This might explain the difference, or perhaps you are using different compilation settings? Any chance you could upload the exe somewhere so I can have a look?
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

OK, unfortunately at this stage I don't have the time nor the financial resources to afford developing a proper, robust tool as I originally planned, although I would still like to pursue this at some point in the future.

However, for those users using PB professionally and who do need help resolving those False Positives as soon as possible, I am thinking about offering some type of service to help you get there. On average, it takes me about one hour per executable to get a clean VirusTotal record, and I don't need access to the source code for that. I might need the uncommented compiler-generated ASM in some cases, though.
Tenaja
Addict
Posts: 1948
Joined: Tue Nov 09, 2010 10:15 pm

Re: A new approach to resolve antivirus False Positives

Post by Tenaja »

Why not simply submit a false-positive report to all of the major AV companies? The reputable ones have simple submission forms.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: A new approach to resolve antivirus False Positives

Post by IdeasVacuum »

Longevity. A few AV releases down the line, and the AV has different false positives on the same app. What is really needed are some formal controls over AV software companies - they should have their software tested by an independent authority before they are allowed to release it, every release. That authority should be funded jointly by the AV software companies and a consortium of the big fish, say MS, Google and Apple.

In case you haven't noticed, some AVs use identical 'engines' (and possibly identical databases?). My view is that it's not beyond the realms of possibility that some of the AV companies are self-perpetuating...
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

A new approach to resolve antivirus False Positives

Post by Didelphodon »

@firace ...
What I learned from your postings so far is that your concept seems to use similar tactics to malware authors - changing stuff in the ready-built executable to underrun/pass the signature checks and heuristics of the AVs. In fact this will work, but it might also raise the AV companies' attention to such executables when they somewhen pop out of the cycle by accident (when you throw it into VirusTotal the AVs have it and will take a closer look at it, even if only automated) or at least when someone - as already mentioned - uses it for real malware.

I have to admit that my executables often do have problems with false positives because of the way they act. I like to build portable executables (I mean executables that are portable, so not to be confused with PE) without the need of an installation. Therefore my exes often have some DLLs or even other EXEs (i.e. whois, wget, etc.) on board which they drop into the temp folder and use from there. Actually my exes have the best intentions, but from the perspective of the exe's behaviour the alarm clocks of an AV might already be rung at this stage, and I don't think that someone there will take a closer look to get a glance of the real intention of an exe.

So, imho (at least for the scenario I talked about) a solution might be to cancel the portable approach and have real installers, which I wouldn't like much as I decided to have it the portable way on purpose.

Still there might be another way - although some malware uses this trick too: start to sign your exes, signed exes often are waved through the checks or might at least get a better initial flavor ;-) at AVs.

Update: One more thing about the service (give me your executable and I make it right) you are thinking of - please don't take it personally, but this is somewhat of an invitation, or at least has the potential, to have a man in the middle on board of the exe afterwards, in terms of a modified exe!? Simply put, I would have a bad gut feeling about that all the time.

Cheers,
Didel
Go, tell it on the mountains.
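Since signing comes up above as the thing that gives an exe "a better initial flavor" with AVs, here is an added example (not code from this thread, from firace's tool or from PureBasic) that shows where an Authenticode signature actually lives in a Windows PE file: it walks the DOS and PE headers with nothing but the standard library, reads the Security data directory (index 4) and the WIN_CERTIFICATE header it points at. The `build_stub_pe` helper is constructed test input, a bare header layout rather than a runnable executable, and its "certificate" payload is a placeholder, not real PKCS#7 data. Finding the blob only tells you the file is signed; whether the signature verifies and chains to a trusted publisher is a separate check (`signtool verify`, `Get-AuthenticodeSignature`), which this script does not do.

```python
"""Report whether a Windows PE image carries an Authenticode signature blob."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, what Authenticode uses
WIN_CERT_REVISION_2_0 = 0x0200


def inspect_signature(pe: bytes) -> dict:
    """Walk the PE headers and describe the Security directory (certificate table).

    Returns {"signed": False} for an unsigned image, otherwise the blob's file
    offset and size plus the WIN_CERTIFICATE revision and type fields.
    Raises ValueError for anything that is not a PE32/PE32+ image.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")

    coff = e_lfanew + 4                  # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                   # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+ (64-bit)
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False}

    # Unlike every other directory, the Security entry holds a raw file
    # offset (the signature lives outside any section), not an RVA.
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_offset, cert_size = struct.unpack_from("<II", pe, entry)
    if cert_offset == 0 or cert_size == 0:
        return {"signed": False}
    if cert_size < 8 or cert_offset + cert_size > len(pe):
        raise ValueError("certificate table points outside the image")

    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, bCertificate[]
    length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_offset)
    return {
        "signed": True,
        "offset": cert_offset,
        "size": cert_size,
        "revision": revision,
        "cert_type": cert_type,
        "authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "length_consistent": length <= cert_size,
    }


def build_stub_pe(signed: bool) -> bytes:
    """Constructed test input: a bare PE32 header layout, NOT a runnable executable.

    With signed=True a 24-byte placeholder WIN_CERTIFICATE is appended and the
    Security directory is pointed at it; the payload is not real PKCS#7 data.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew -> right after DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x014C)       # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 16, 224)         # SizeOfOptionalHeader (PE32, 16 dirs)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    head = bytes(dos) + b"PE\0\0" + bytes(coff)
    cert = b""
    if signed:
        payload = b"\x30\x82" + b"\x00" * 14      # placeholder, stands in for PKCS#7
        cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(head) + len(opt), len(cert))
    return head + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python pe_sig_check.py <file.exe>; with no argument, run on the stubs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_signature(fh.read()))
    else:
        for flag in (False, True):
            print("stub signed=%s ->" % flag, inspect_signature(build_stub_pe(flag)))
```

Run it against a real signed exe and the reported offset will sit past the last section, which is why the Security directory stores a file offset rather than an RVA and why appending or stripping a signature does not disturb the mapped image. A vendor responding to a false positive report will typically check exactly this table, so knowing whether your release build carries one is worth a glance before submitting.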
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: A new approach to resolve antivirus False Positives

Post by firace »

@Didel: These are good points and I'm actually very aware of them already, being involved in infosec myself (as a whitehat researcher). I will be sure to take those points into account when offering the service.
Teddy Rogers
User
Posts: 92
Joined: Sun Feb 23, 2014 2:05 am
Location: Australia

Re: A new approach to resolve antivirus False Positives

Post by Teddy Rogers »

Didelphodon wrote: Therefore my exes often have some DLLs or even other EXEs (ie whois, wget, etc) on board which they drop into the temp folder and use it from there.
Try Enigma Virtual Box, it will virtualise everything into one binary for portability and it is freeware too...

http://enigmaprotector.com/en/aboutvb.html

Ted.
Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: A new approach to resolve antivirus False Positives

Post by Didelphodon »

thx for the pointer
Go, tell it on the mountains.
heartbone
Addict
Posts: 1058
Joined: Fri Apr 12, 2013 1:55 pm
Location: just outside of Ferguson

Re: A new approach to resolve antivirus False Positives

Post by heartbone »

IdeasVacuum wrote: What is really needed are some formal controls over AV software companies - they should have their software tested by an independent authority before they are allowed to release it, every release. That authority should be funded jointly by the AV software companies and a consortium of the big fish, say MS, Google and Apple.
Man, that contains several, rather dangerous ideas. If there are going to be controls over AV software companies, then there will need to be some controllers. That authority will originate with the funding. Do you think that the masters would stop with controlling only the AV companies? :?:
firace wrote: Like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
Consider the strategy of complaining to the many magazine technical columnists and online tech bloggers making sure a bcc: is sent to the financial officers of the offending AV company.
firace wrote: Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
Because you titled this thread as you did, it encouraged my thinking which generated the following question.
Are you massaging the executable (by inserting NOPs and the like) to get past the AV detectors?
Keep it BASIC.