fighting a false-positive flagging by multiple antivirus vendors

recently i woke up to this: “Hi, some of our employees are using your application. This morning they have received an upgrade notification (in a yellow banner) to get the latest version of your app. Our anti-virus/malware has triggered on your module called “somefile.exe”, detected at risk as being a “Trojan.Gen.MBT”.” below are a few resources that i’ve found useful in going from https://virustotal.com reporting 25 different vendors flagging our application as a virus to just 1.

first interesting tidbit: somefile.exe is a small win32 binary compiled from c++ code using visual studio. to be on the safe side we re-compiled it on a clean machine; it was still recognized as a threat, so we were sure it’s not an elaborate attack on our build infrastructure. we went one step further and stripped all of the code, leaving just this:

#include "framework.h"
#include "Project2.h"

// Intentionally empty entry point: no imports beyond the CRT, no resources,
// no code. Returning 0 avoids the undefined behaviour of falling off the end
// of a non-void function (MSVC warning C4716); it does not change the verdict.
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
                     _In_opt_ HINSTANCE hPrevInstance,
                     _In_ LPWSTR    lpCmdLine,
                     _In_ int       nCmdShow)
{
    return 0;
}

guess what: it’s detected by 15 anti-virus vendors as a threat. or maybe i should write “snake-oil salespeople”?

i started contacting different av vendors. most did not respond, but there was a reaction: within a few days about half of them stopped flagging that particular exe as a threat. since ‘forever’ we’ve been digitally signing the installer of our application and each msi / msp file. i found a reddit thread suggesting that it’s worth signing the individual binaries too. this helped, but it’s scary: the mere presence of a valid digital signature says little about whether a file is malicious.
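As an added example (not the post’s code), the two checks this paragraph and the VirusTotal comparison above call for, in Python: walk a PE’s headers to see whether each exe/dll in a build directory carries an Authenticode signature at all (the certificate-table data directory, index 4 of the optional header’s data directories), and summarize a VirusTotal v3 file report to list which engines still flag a hash and which stopped flagging it between two reports. The PE bytes and the two reports in the block are constructed for the demonstration; the vendor names and verdicts in them are made up and are not the post’s real results. Only `fetch_vt_report` touches the network, and it needs a VirusTotal API key.

```python
"""Added example (not the post's code): find unsigned PE files in a build
tree, and triage a VirusTotal v3 file report to see which engines still flag
a hash. Sample PE bytes and reports below are constructed for the demo."""
from __future__ import annotations

import hashlib
import json
import struct
import urllib.request
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory index of the certificate table


def has_authenticode_signature(pe: bytes) -> bool:
    """True if the PE certificate-table data directory is non-empty, i.e. a
    PKCS#7 blob is attached. This does NOT say the signature is valid or
    trusted; check that with `signtool verify /pa` or Get-AuthenticodeSignature."""
    try:
        if pe[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                 # skip PE\0\0 + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == 0x10B:                      # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                    # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return False
        (num_dirs,) = struct.unpack_from("<I", pe, count_off)
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return False
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_offset, cert_size = struct.unpack_from("<II", pe, entry)
        return cert_offset != 0 and cert_size != 0
    except struct.error:                        # truncated header
        return False


def unsigned_binaries(build_dir: str | Path) -> list[str]:
    """Every .exe/.dll under build_dir that has no signature blob attached."""
    return sorted(
        str(p) for p in Path(build_dir).rglob("*")
        if p.suffix.lower() in {".exe", ".dll"}
        and not has_authenticode_signature(p.read_bytes()))


def make_stub_pe(signed: bool) -> bytes:
    """Constructed header-only PE32+ image for the demo (not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader = 240
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # 16 directories
    dirs = [(0, 0)] * 16
    cert_offset = len(dos) + 4 + len(coff) + 240                  # blob goes right after headers
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_offset, 8)
    image = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
    return image + (b"\0" * 8 if signed else b"")


def flagged_engines(report: dict) -> list[str]:
    """Engines with a malicious/suspicious verdict in a VT v3 /files/{hash} object."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(name for name, r in results.items()
                  if r.get("category") in ("malicious", "suspicious"))


def vendors_cleared(before: dict, after: dict) -> list[str]:
    """Engines that flagged the file in `before` but not in `after`."""
    return sorted(set(flagged_engines(before)) - set(flagged_engines(after)))


def sha256_of(path: str | Path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def fetch_vt_report(sha256: str, api_key: str) -> dict:
    """Live lookup: GET /api/v3/files/{hash} with the x-apikey header (network)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed reports in the v3 response shape; engine names and verdicts are
# made up for the demo, not the post's real results.
REPORT_BEFORE = {"data": {"attributes": {"last_analysis_results": {
    "VendorA": {"category": "malicious", "result": "Trojan.Gen.MBT"},
    "VendorB": {"category": "undetected", "result": None},
    "VendorC": {"category": "suspicious", "result": "Heur.Generic"},
    "VendorD": {"category": "type-unsupported", "result": None},
}}}}
REPORT_AFTER = {"data": {"attributes": {"last_analysis_results": {
    "VendorA": {"category": "undetected", "result": None},
    "VendorB": {"category": "undetected", "result": None},
    "VendorC": {"category": "suspicious", "result": "Heur.Generic"},
    "VendorD": {"category": "type-unsupported", "result": None},
}}}}

if __name__ == "__main__":
    print("stub signed:", has_authenticode_signature(make_stub_pe(True)))
    print("still flagged:", flagged_engines(REPORT_AFTER))
    print("cleared since last build:", vendors_cleared(REPORT_BEFORE, REPORT_AFTER))
```

Run `unsigned_binaries("path/to/Release")` before building the msi to catch any exe or dll that the signing step missed; the header check only says a signature blob is attached, so follow it with `signtool verify /pa <file>` (or `Get-AuthenticodeSignature` in PowerShell) to confirm the chain actually validates. Pairing `sha256_of` with `fetch_vt_report` and `vendors_cleared` per build gives the “25 to 1” count as a diff of engine names rather than a number read off the web page.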

some of the AV vendors started to respond; notably TrendMicro suggested that we should notify them whenever we change our signing certificate, which means that they’ve added custom weights for, or white-listed, the particular cert that we currently use.

McAfee still flags new builds of our application but has a white-listing process for each release, which we’ll follow.

some resources that were helpful:
