{"id":3053,"date":"2020-03-22T09:32:27","date_gmt":"2020-03-22T08:32:27","guid":{"rendered":"https:\/\/kudzia.eu\/b\/?p=3053"},"modified":"2020-03-22T09:41:45","modified_gmt":"2020-03-22T08:41:45","slug":"fighting-a-false-positive-flagging-by-multiple-antivirus-vendors","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2020\/03\/fighting-a-false-positive-flagging-by-multiple-antivirus-vendors\/","title":{"rendered":"fighting a false-positive flagging by multiple antivirus vendors"},"content":{"rendered":"

recently i woke up to this: “Hi, some of our employees are using your application. This morning they have received an upgrade notification (in yellow banner) to get the latest version of your app. Our anti-virus\/malware has triggered on your module called “somefile.exe” detected at risk being a “Trojan.Gen.MBT “. below few resources that i’ve found useful in going from https:\/\/virustotal.com reporting 25 different vendors flagging our application as a virus to just 1.<\/p>\n

<\/p>\n

first interesting tidbit: somefile.exe is small win32 binary compiled from c++ code using visual studio. to be on the safe side we’ve re-compiled it on a clean machine, it was still recognized as a threat – so we ware sure it’s not an elaborate attack on our build infrastructure. we want one step further and stripped all of the code leaving just this:<\/p>\n

\r\n#include "framework.h"\r\n#include "Project2.h"\r\n\r\nint APIENTRY wWinMain(_In_ HINSTANCE hInstance,\r\n                     _In_opt_ HINSTANCE hPrevInstance,\r\n                     _In_ LPWSTR    lpCmdLine,\r\n                     _In_ int       nCmdShow)\r\n{\r\n}\r\n<\/pre>\n
guess what – it’s detected by 15 anti-virus vendors as a threat<\/a>. or maybe i should write snake-oil sales people?<\/p>\n
i’ve started contacting different av vendors. most did not respond but there was a reaction – within few days ~ half of them stopped flagging that particular exe as a threat. since ‘forever’ we’ve been digitally signing installer of our application and each msi \/ msp file. i’ve found a reddit thread<\/a> suggesting that it’s worth signing individual binaries too. this helped, but it’s scary: mere presence of valid digital signature does not tell much about lack of maliciousness of a file.<\/p>\n
some of the AV vendors started to respond – notably TrendMicro suggested that we should notify them whenever we change a signing certificate – which means that they’ve added custom weights or white-listed the particular cert that we use currently.<\/p>\n
McAfee still recognizes new builds of our application but has a white-listing process for each release that we’ll follow.<\/p>\n
some resources that ware helpful:<\/p>\n