A new approach to resolve antivirus False Positives
Like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
If you use PB in a professional context, this issue can even hurt your reputation and software sales (customers can easily get scared of installing something that their AV claims is malware.)
In addition to featuring really stupid scanning engines, some of those antivirus vendors are absolutely terrible at responding to false positive reports. Some of them do not even offer the slightest acknowledgment or response to submissions (and believe me, I've contacted some of them repeatedly).
I've been so upset with this situation that a few months ago, I decided to take a new approach: I have started working on a tool that aims to modify a Windows program such that no false positive detections get triggered, while leaving the program logic absolutely 100% intact. I also want to achieve this even without having access to the source code of the impacted programs.
Now this is quite a complex (and at times frustrating) undertaking, and I've already spent many, many hours working on this (much more time than I can afford to spend, actually!). BUT, the good news is that I've been getting pretty satisfying results in my testing so far (from 12/57 to 0/57 false detections on VirusTotal in some cases).
However, my application is nowhere near polished enough to be released at this stage, but while I'm developing and testing it, if some of you would like me to try it on a test PB executable of yours (not larger than 1 MB, please), I'd be pleased to do so.
Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!
Last edited by firace on Mon Mar 16, 2015 10:47 pm, edited 1 time in total.
Re: A new approach to resolve antivirus False Positives
firace wrote:
OK, like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.
If you use PB in a professional context, this issue can even hurt your reputation and software sales (customers can easily get scared of installing something that their AV claims is malware.)

Yes, you are 100% right, I have the same problem using PB.
It is nice hearing about your solution ...
very nice
I will even pay you for a working solution.
Marc,
- every professional was once an amateur - greetings from Pajottenland - Belgium -
PS: sorry for my English, I speak Flemish ...
Re: A new approach to resolve antivirus False Positives
Interesting idea.
I guess it's some kind of executable packer/encrypter.
Also it's not a PB-specific problem. It would be useful for every home-made executable, no matter the compiler. I even often get false positives with VB.Net.
Would like to give it a try.
Unfortunately it will be added to the detections as soon as someone uses it for real malware.
Re: A new approach to resolve antivirus False Positives
I remember when UPX packed binaries weren't flagged as a virus... But then people started writing scrupulous code, hiding it by upx'ing it..
The minute someone "hides" the actual code by encrypt/pack, someone will abuse it, and then all files will get flagged as "possibly a virus" .. it's a cycle.
But, FWIW, it's not just PB - I've seen at least a dozen other compilers get flagged; including one VC compiled program...
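The packer/heuristics cycle described in the posts above, as an added example that is not part of this thread and is not firace's tool: a stdlib-only Python script that parses the PE section table and reports the two cheap signals a packed or encrypted section gives away to a scanner, near-uniform byte entropy and a section that is both writable and executable. The sample image it builds, the section contents and the 7.0 entropy cut-off are constructed assumptions (real engines use their own undisclosed thresholds); to inspect a real binary, pass its bytes to scan_sections.

```python
import hashlib
import math
import struct

# Section Characteristics flags as defined in the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # assumed cut-off for "looks packed/encrypted"; not any vendor's value


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_table(image: bytes):
    """Yield (name, characteristics, raw_bytes) per section: DOS header -> PE signature -> COFF -> table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, size_opt = struct.unpack_from("<H12xH", image, coff + 2)
    off = coff + 20 + size_opt
    for _ in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _relocs, _lines, _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars, image[raw_ptr:raw_ptr + raw_size]
        off += 40


def scan_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Per-section entropy plus the W+X check; 'suspicious' is the OR of the two heuristics."""
    report = []
    for name, chars, data in pe_section_table(image):
        ent = shannon_entropy(data)
        wx = bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)
        report.append({
            "name": name,
            "entropy": round(ent, 3),
            "writable_and_executable": wx,
            "suspicious": ent >= threshold or wx,
        })
    return report


def deterministic_noise(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Encrypted-looking bytes from a SHA-256 chain, reproducible without os.urandom."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal header-only PE for parsing (constructed; not loadable, it has no
    optional header or entry point). sections: [(name_bytes, data_bytes, characteristics)]."""
    file_align, e_lfanew, size_opt = 0x200, 0x40, 0
    headers_end = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = -(-headers_end // file_align) * file_align
    first_raw, table, payload, va = raw_ptr, b"", b"", 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        payload += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-raw_size // 0x1000) * 0x1000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + payload


SAMPLE_SECTIONS = [  # constructed sample: one ordinary code section, one packed-looking section
    (b".text", (b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 205)[:2048],
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".packed", deterministic_noise(2048),
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    for row in scan_sections(build_sample_pe(SAMPLE_SECTIONS)):
        print(row)
```

The point of the check is the one the thread keeps circling: a tool that hides the real code behind packing or encryption removes the byte patterns a signature matched on, but replaces them with a statistical signature (a high-entropy, often writable-and-executable section) that every heuristic engine already keys on, which is why the gain is short-lived once the same trick shows up in real malware.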
Re: A new approach to resolve antivirus False Positives
Interesting replies!
Unfortunately I don't have much time to post these days, but just to show a little practical example of my progress:
Simply compiling the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic
Produces this sad result:
After processing it, things now look much better fortunately:
I'm REALLY tired now, so am off now and will come back later this week. I will also certainly consider all the interesting feedback in this thread.
Re: A new approach to resolve antivirus False Positives
firace wrote:
Simply compiling the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic

Quite interesting; except for CMC and TotalDefense, which are usually the ones returning clear results on hard core viruses detected by the other 50 AV programs in VirusTotal but always report false positives on PB code, by compiling this particular code in 5.31 x86 I didn't get any of the other results you've got.
Re: A new approach to resolve antivirus False Positives
bbanelli wrote:
firace wrote:
Simply compiling the example clock from: http://rosettacode.org/wiki/Draw_a_clock#PureBasic
Quite interesting; except for CMC and TotalDefense, which are usually the ones returning clear results on hard core viruses detected by the other 50 AV programs in VirusTotal but always report false positives on PB code, by compiling this particular code in 5.31 x86 I didn't get any of the other results you've got.

I've been using 5.30 x86 Demo. This might explain the difference, or perhaps you are using different compilation settings? Any chance you could upload the exe somewhere so I can have a look?
Re: A new approach to resolve antivirus False Positives
OK, unfortunately at this stage I have neither the time nor the financial resources to afford developing a proper, robust tool as I originally planned, although I would still like to pursue this at some point in the future.
However, for those users using PB professionally who do need help resolving those False Positives as soon as possible, I am thinking about offering some type of service to help you get there. On average, it takes me about one hour per executable to get a clean VirusTotal record, and I don't need access to the source code for that. I might need the uncommented compiler-generated ASM in some cases, though.
Re: A new approach to resolve antivirus False Positives
Why not simply submit a false-positive report to all of the major AV companies? The reputable ones have simple submission forms.
Re: A new approach to resolve antivirus False Positives
Longevity. A few AV releases down the line, and the AV has different false positives on the same app. What is really needed are some formal controls over AV software companies - they should have their software tested by an independent authority before they are allowed to release it, every release. That authority should be funded jointly by the AV software companies and a consortium of the big fish, say MS, Google and Apple.
In case you haven't noticed, some AVs use identical 'engines' (and possibly identical databases?). My view is that it's not beyond the realms of possibility that some of the AV companies are self-perpetuating.......
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Didelphodon
A new approach to resolve antivirus False Positives
@firace ...
What I learned from your postings so far is that your concept seems to use tactics similar to those of malware authors - changing stuff in the ready-built executable to slip under/pass the signature checks and heuristics of the AVs. In fact this will work, but it might also raise the AV companies' attention to such executables when they somehow pop out of the cycle by accident (when you throw it into VirusTotal the AVs have it and will take a closer look at it, even if only automated), or at least when someone - as already mentioned - uses it for real malware.
I have to admit that my executables often do have problems with false positives because of the way they act. I like to build portable executables (I mean executables that are portable, not to be confused with PE) without the need for an installation. Therefore my exes often have some DLLs or even other EXEs (i.e. whois, wget, etc.) on board which they drop into the temp folder and use from there. Actually my exes have the best intentions, but from the perspective of the exe's behavior the alarm clocks of an AV might already be ringing at this stage, and I do not think that someone there will take a closer look to get a glimpse of the real intention of an exe.
So, IMHO (at least for the scenario I talked about) a solution might be to cancel the portable approach and have real installers, which I wouldn't like much as I decided to have it the portable way on purpose.
Still there might be another way - although some malware uses this trick too: start to sign your exes; signed exes are often waved through the checks or might at least get a better initial flavor at AVs.
Update: One more thing about the service (give me your executable and I make it right) you are thinking of - please don't take it personally, but this is somewhat of an invitation, or at least has the potential, to have a man in the middle on board of the exe afterwards, in terms of a modified exe!? Simply put, I would have a bad gut feeling about that all the time.
Cheers,
Didel
Go, tell it on the mountains.
Re: A new approach to resolve antivirus False Positives
@Didel: These are good points and I'm actually very aware of them already, being involved in infosec myself (as a whitehat researcher). I will be sure to take those points into account when offering the service.
Teddy Rogers
Re: A new approach to resolve antivirus False Positives
Didelphodon wrote:
Therefore my exes often have some DLLs or even other EXEs (ie whois, wget, etc) on board which they drop into the temp folder and use it from there.

Try Enigma Virtual Box, it will virtualise everything into one binary for portability and it is freeware too...
http://enigmaprotector.com/en/aboutvb.html
Ted.
Didelphodon
Re: A new approach to resolve antivirus False Positives
Thanks for the pointer.
Go, tell it on the mountains.
Re: A new approach to resolve antivirus False Positives
IdeasVacuum wrote:
What is really needed are some formal controls over AV software companies - they should have their software tested by an independent authority before they are allowed to release it, every release. That authority should be funded jointly by the AV software companies and a consortium of the big fish, say MS, Google and Apple.

Man, that contains several rather dangerous ideas. If there are going to be controls over AV software companies, then there will need to be some controllers. That authority will originate with the funding. Do you think that the masters would stop with controlling only the AV companies?

firace wrote:
Like many of us, I am sick and tired of all those false positives antivirus detections. They have been impacting us for years, without much that we can do.

Consider the strategy of complaining to the many magazine technical columnists and online tech bloggers, making sure a bcc: is sent to the financial officers of the offending AV company.

firace wrote:
Sorry for the lack of technical detail for now, but I will add more information to this topic as my work progresses - and provided I manage to keep enough motivation to continue!

Because you titled this thread as you did, it encouraged my thinking, which generated the following question.
Are you massaging the executable (by inserting NOPs and the like) to get past the AV detectors?
Keep it BASIC.