
Making your software friends with antiviruses: how to avoid false positives

In this post I want to talk about how we solved the problem of antivirus false positives on our product.



If you do not have such problems yet but are planning to protect your software with a protector, I recommend reading this material, since most likely you will have to go through the same thing.

Step 1. Code signing



The most effective measure is to sign your executable files; if this is not done, antiviruses scan them with particular suspicion.

To show the importance of this step, Alexander (Rouse_) Bagel kindly shared a good example. The application under test uses no protector, has no Internet access and performs only one function: it computes the CRC32 of files. Let's compare the reports for the signed and unsigned files:



I think this is a sufficient argument in favor of signing.

I will not describe the technical side of obtaining a certificate and signing the file. I obtained a certificate from StartSSL (won over by the price and the Russian-language support): a Class 1 personal certificate for $100 for two years, without any red tape. To obtain a certificate for an LLC (Class 2), it turned out to be difficult to find a notary in Moscow who would send his opinion by digitally signed Class 2 e-mail ...

Approval by antiviruses is only a side benefit of signed software; the main gain is increased customer confidence, as in "they have a digital signature, so this is not some collective-farm outfit!". Antiviruses, firewalls and UAC also stop warning about an elevated threat.

Step 2. Angry letters




Whether the file is signed or not, if some engine on VirusTotal (hereinafter VT) flags it, it is time to write letters. Special lists help you find out where to send false-positive complaints:



Be prepared for the virus-lab people to take a couple of weeks to respond to a request.

Step 3. Automatic check of VirusTotal on the build server


If you do not use protectors, everything is simple: build the release, upload it to VT, send off the complaints, and that's it. But if you do use a protector, there is a way to reduce the number of false positives without sending any complaints at all.

A bit of theory. When the same source code is recompiled, the contents of the exe file do not change (except for the time stamps in the headers). Therefore rebuilding and resubmitting to VT will not fix a false positive: whoever flagged it will flag it again.

It is quite another matter with a protector (in my case VMProtect), which on every run forms a unique virtual machine (instructions, handlers) and the corresponding virtualized code. This unique data may or may not happen to match a virus signature, so there is a real chance that the antivirus will pass the file after it is re-protected.

Re-protecting takes less time than waiting for an answer from the virus labs, but doing it by hand is truly hellish routine, because re-protecting 20 times in hope of a miracle is a perfectly realistic scenario. To automate this process I wrote the VirusTotalScan utility, which is discussed next.

Using VirusTotalScan

You can download it from the link. It is a console program, and the result is returned via the exit code: 0 means no viruses were found, 1 means a virus was found, 2 means something else happened. Call syntax:

```
VirusTotalScan.exe api_key file_name [/ignore av_name [av_name ...]]
```

Here api_key is your VirusTotal API key, file_name is the file to check, and av_name lists the antiviruses whose verdicts should be ignored (the parameter names are reconstructed from the build script below; the original placeholders were lost).


To use it you need an access key for the VirusTotal API, which you can obtain on virustotal.com after registering:



Here is the integration into the build server using my own setup as an example; the build uses a .bat script:

```bat
:VMPROTECT
IF EXIST "~program.exe" DEL "~program.exe"
rem protect the build with VMProtect (a fresh virtual machine on every run)
echo Compiling with VMProtect
VMProtect_Con.exe "program.exe" "~program.exe" -pf "program.exe.vmp"
IF ERRORLEVEL 1 GOTO ERROR
rem sign the protected file (step 1)
signtool.exe ...

:VirusTotalScan
rem check the protected file on VirusTotal;
rem verdicts from Qihoo-360 and CMC are ignored
VirusTotalScan.exe 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0 "~program.exe" /ignore "Qihoo-360" "CMC"
rem exit code 2: something else went wrong, repeat the check
IF ERRORLEVEL 2 GOTO VirusTotalScan
rem exit code 1: a virus was reported, re-protect and try again
IF ERRORLEVEL 1 (
    echo Viruses found. RECOMPILE.
    GOTO VMPROTECT
)
rem exit code 0: clean,
rem replace the original with the protected and signed file
DEL "program.exe"
COPY "~program.exe" "program.exe"
DEL "~program.exe"
```


The example should be self-explanatory. Note that the script embeds the VirusTotal API key in plain text; treat it as a secret and keep it out of version control. Ironically, the utility itself received one false positive; I sent off a complaint and am now waiting a couple of weeks for a decision.
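To make the exit-code contract concrete, here is an added Python sketch (not the VirusTotalScan utility's own code) of the decision it makes over a VirusTotal API v2 file report, including the /ignore handling and the "something else happened" case that the build script retries; the report below is constructed, and the hash-lookup helper is this example's assumption.

```python
import json
import sys
from urllib.parse import urlencode
from urllib.request import urlopen

# VirusTotal API v2 file-report endpoint (the API generation current when the
# article was written). Looking a file up by hash is this example's assumption.
REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"

def flagged_engines(report, ignore=()):
    """Names of engines that detected the file, minus the ignore list
    (case-insensitive, mirroring /ignore "Qihoo-360" "CMC" in the .bat)."""
    ignored = {name.lower() for name in ignore}
    return sorted(name for name, res in report.get("scans", {}).items()
                  if res.get("detected") and name.lower() not in ignored)

def verdict(report, ignore=()):
    """Exit code in the VirusTotalScan convention:
    0 = clean, 1 = at least one non-ignored engine flagged the file,
    2 = no usable report (response_code != 1: still queued, unknown hash,
    or a malformed answer), which the build script simply retries."""
    if not isinstance(report, dict) or report.get("response_code") != 1:
        return 2
    return 1 if flagged_engines(report, ignore) else 0

def fetch_report(api_key, sha256):
    """GET the v2 report for a hash; needs network, so the demo does not call it."""
    query = urlencode({"apikey": api_key, "resource": sha256})
    with urlopen(f"{REPORT_URL}?{query}", timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))

# Constructed sample report (not a real VT answer): two engines flag the build.
SAMPLE_REPORT = {
    "response_code": 1,
    "positives": 2,
    "total": 3,
    "scans": {
        "Qihoo-360": {"detected": True, "result": "Constructed.Heur.Sample"},
        "CMC": {"detected": True, "result": "Constructed.Heur.Sample"},
        "ExampleAV": {"detected": False, "result": None},
    },
}

if __name__ == "__main__":
    code = verdict(SAMPLE_REPORT, ignore=["Qihoo-360", "CMC"])
    print("flagged:", flagged_engines(SAMPLE_REPORT), "exit code:", code)
    sys.exit(code)
```

Run inside the build step exactly where the .bat calls VirusTotalScan.exe; the exit code drives the same GOTO logic.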

Conclusion


In conclusion, I want to thank Alexander, at whose prompting this article began, and to warn you: it is not always possible to settle the matter with the virus labs.

Source: https://habr.com/ru/post/228059/