Prevent self-developed software from being diagnosed as a virus - antivirus

Let me describe my situation. I develop some accounting software (a VB WinForms application) for use; normally my software will modify the registry to set the Office trusted location and to check whether the user who reads the registry has admin authority. However, I found that VirusTotal has no problem with my exe when I scan it on the first day after I developed the software. But after a few days, VirusTotal will say that my exe is a virus, and this makes the antivirus on another computer detect my exe as a virus, even though I ran a scan on VirusTotal on the first day.
Why is it not a virus on the first day, but later diagnosed as a virus?
Is reading registry or modifying registry the cause of the diagnosed virus?
Any documentation or any behavior that is not allowed?
What can be done to avoid this problem other than filing a false-positive report after it is detected as a virus?

Antivirus software works based on heuristics and signatures. In your case an actual virus may have similar behavior, e.g. because it modifies the same registry entries, which leads to the false positive. There is no "documentation on what is allowed"; otherwise somebody writing an actual virus would use that as a rule book to evade detection. The delay in detection is likely because the antivirus software performs a periodic scan, which only then checks your executable.
Most antivirus software allows you to mark files or directories as trusted and exclude them from scanning. This may be a suitable solution for you.

Trigger reboot and script execution, securely

I am using PowerShell to manage Autodesk installs, many of which depend on .NET, and some of which install services, which they then try to start, and if the required .NET isn't available that install stalls with a dialog that requires user action, despite the fact that the install was run silently. Because Autodesk are morons.
That said, I CAN install .NET 4.8 with PowerShell, but because PowerShell is dependent on .NET, that will complete with exit code 3010, Reboot Required.
So that leaves me with the option of either managing .NET separately, or triggering that reboot and continuing the Autodesk installs in a state that will actually succeed.
The former has always been a viable option in office environments, where I can use Group Policy or SCCM or the like, then use my tool for the Autodesk stuff that is not well handled by other approaches. But that falls apart when you need to support the Work From Home scenario, which is becoming a major part of AEC practice. Not to mention the fact that many/most even large AEC firms don't have internal GP or SCCM expertise, and more and more firm management is choosing to outsource IT support, all too often to low-cost glorified help desk outfits with even less GP/SCCM knowledge. So, I am looking for a solution that fits these criteria.
1: Needs to be secure.
2: Needs to support access to network resources where the install assets are located, which have limited permissions and thus require credentials to access.
3: Needs to support remote initiation of some sort, PowerShell remote jobs, PowerShell remoting to create a scheduled task, etc.
I know you can trigger a script to run at boot in System context, but my understanding is that because system context isn't an actual user you don't have access to network resources in that case. And that would only really be viable if I could easily change the logon screen to make VERY clear to users that installs are underway and to not logon until they are complete and the logon screen is back to normal. Which I think is really not easily doable because Microsoft makes it near impossible to make temporary changes/messaging on the logon screen.
I also know I can do a one time request for credentials on the machine, and save those credentials as a secure file. From then on I can access those credentials so long as I am logged in as the same user. But that then suggests rebooting with automatic logon as a specific user. And so far as I can tell, doing that requires a clear text password in the registry. Once I have credentials as a secure file, is there any way to trigger a reboot and one time automatic logon using those secure credentials? Or is any automatic reboot and logon always a less than secure option?
EDIT: I did just find this that seems to suggest a way to use HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon without using a plain text DefaultPassword. The challenge is figuring out how to do this in PowerShell when you don't know C#. Hopefully someone can verify this is a viable approach before I invest too much time in trying to implement it for testing. :)
And, on a related note, everything I have read about remote PowerShell jobs and the Second Hop Problem suggests the only "real" solution is to use CredSSP, which is itself innately insecure. But it is also a lot of old information, predating Windows 10 for the most part, and I wonder if that is STILL true? Or perhaps was never true, since none of the authors claiming CredSSP to be insecure explained in detail WHY it was insecure, which is to me a red flag that maybe someone is just complaining to get views.
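As an added example (not from the question or any answer), here is the route the question lists as criterion 3, written out in PowerShell: prompt once for the deployment account, keep the credential as a DPAPI-protected file, register a one-time startup task that runs as that account with "run whether user is logged on or not", and reboot. The task name, share path, script path and account are placeholder assumptions.

```powershell
# Added example, not the questioner's code. A credential-bearing startup task
# instead of Winlogon auto-logon with DefaultPassword. All names below are assumed.
$taskName  = 'AutodeskInstall-Continue'                      # assumed
$installer = 'C:\ProgramData\Deploy\Continue-Install.ps1'     # assumed path
$share     = '\\fileserver\installs'                          # assumed share

# 1. Prompt once. Export-Clixml stores the SecureString DPAPI-protected, readable
#    only by this user on this machine, which is the "secure file" the question mentions.
$credFile = 'C:\ProgramData\Deploy\deploy.cred.xml'
$cred = Get-Credential -Message 'Deployment account with rights to the install share'
$cred | Export-Clixml -Path $credFile

# 2. Register a startup task that runs as that account with a stored password.
#    Task Scheduler keeps the secret in LSA, not in a registry value any local user
#    can read, and the task gets a network-capable logon, so the share is reachable
#    and nobody has to sign in at the console while installs are running.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$installer`" -Share `"$share`""
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'      # ISO 8601 duration: wait a minute for networking to come up
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# The plaintext exists only here, in memory, at registration time.
$plain = $cred.GetNetworkCredential().Password
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName -Password $plain -RunLevel Highest | Out-Null
Remove-Variable plain

# 3. Reboot to finish the .NET install (exit code 3010); the task resumes the work.
#    The last thing Continue-Install.ps1 should do is remove the task and the
#    credential file so the stored secret does not outlive the job:
#      Unregister-ScheduledTask -TaskName 'AutodeskInstall-Continue' -Confirm:$false
#      Remove-Item 'C:\ProgramData\Deploy\deploy.cred.xml'
Restart-Computer -Force
```

The trade-off to be clear about: a task credential is still recoverable by anyone who is already a local administrator on that machine, so it is not a secret from an admin, only from ordinary users and from anyone reading the Winlogon key. Give the deployment account only read rights on the install share, and delete the task as soon as the installs complete.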

Dealing with antivirus false positives

I'm in the process of releasing my first game on steam. As part of a review process the executable is sent to about 70 virus detection services through https://www.virustotal.com/
One of these, called VBA32, reported my executable as malicious (BScope.TrojanSpy.Keylogger), which must be a false positive. I've tried contacting the antivirus company but haven't heard back yet.
How would you go about dealing with this?
Is this likely to affect customers trying to install the game?
Are there any best practices for not getting flagged by antivirus?
The game is written in a custom c++ engine using only the win32 libraries.

Can't set the priority of a service

I noticed that my fan goes up a lot on occasion for no apparent reason. Investigation shows that it's the process Antimalware Service Executable, the service Windows Defender Antivirus Service and the file executed is MsMpEng.exe.
I want it to be able to run still but not go bananas, so I tried to set its priority to low. However, Windows barked at me that the operation could not be completed and that access was denied.
How can I force the service to run at a limited performance?
You can't, by design. That "by design" means that if you find a hack, a future security update of Windows will likely render your hack inoperable.
The key word here is "security". The whole point of anti-malware is that it detects malware even when the malware tries to avoid detection. To make that work, Windows treats anti-malware software as a special case and offers it additional protection. If there were an answer to your question, it would be treated by Microsoft as a bug.

How to stop antivirus false positives every time we re-release software?

Windows Defender and AVG/Avast pick up our software application as a virus (a false positive) every time we release. We have a code signing certificate and add a taggant as well.
Every time we release the software we have to go through the process of doing a false positive form on multiple AV vendors sites.
How can we get our company code signing cert marked as safe or avoid this time consuming false positive report process on each release?
Edit: Is there any premiere support we can pay for to have this done automatically?
Edit2: we actually had our certificate revoked due to "malware distribution" as a result of these false positives. It seems there is no recourse other than to buy another one.
A signing cert doesn't help most of the time; it's probably a coding pattern similar to a virus listed in their databases. The best you can do is contact the AV vendor to whitelist you so you get past it.
My recommendation is to contact the AV vendors and tell them your problem. Probably your software has some strings or patterns defined that trigger the heuristics of the AV. You can try to find those strings easily in your code base and base64/XOR/encrypt them and see what happens with the AV; that may help to solve your problem.
While it is certainly possible that your software shares some characteristics with known malware, I would guess that it is a "cloud" detection.
Cutting through the marketing speak, it basically means that (among other possible causes) your file is flagged as suspicious if it has not been seen on many other PCs.
Try removing anything that could activate antivirus flags, like self-extracting archives, UPX, file encryption, suspicious website requests, or suspicious behaviour.
Why remove these?
Self-extracting is triggered because it's suspicious behaviour (not really normal to do).
UPX is detected because some malware tries to hide by being compressed with UPX, and antiviruses need to decompress it.
File encryption may easily be detected as Riskware / EncoderTool / Ransomware.
Suspicious websites: avoid downloading files from strange URLs.
I had this problem with a program auto-update; an antivirus detected it as a TrojanDownloader.
If your program doesn't do any of these things, I can't help you more, as that is a problem that the programmer community has.
I hope that helps.
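As an added check (not code from any poster in this thread or the first one about VirusTotal verdicts), here is a pre-release script that inspects a Windows binary for the things the answers above say trigger heuristic or reputation detections: whether the Authenticode signature is valid and timestamped, whether the file looks UPX-packed, and the hashes the vendors' false-positive forms ask for. The path is a placeholder assumption.

```powershell
# Added example, not code from any of the posters. Release hygiene check for a
# Windows executable before it is shipped or submitted to AV vendors.
param([string]$Path = '.\release\MyApp.exe')   # assumed path

function Test-ReleaseBinary {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = (Resolve-Path $Path).Path }

    # 1. Authenticode: status must be Valid, and the signature should carry a
    #    timestamp, otherwise it stops verifying once the certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $result.Timestamped     = [bool]$sig.TimeStamperCertificate

    # 2. Packer check: stock UPX names its sections UPX0/UPX1, which is exactly the
    #    kind of cheap heuristic the answer above says engines react to. Only the
    #    first 4 KB (PE headers and section table) is inspected.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $headLen = [Math]::Min(4096, $bytes.Length)
    $headText = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $headLen)
    $result.LooksUpxPacked = $headText -match 'UPX[01]'

    # 3. Hashes: the false-positive forms ask for these, and they let you confirm
    #    that the file a customer's AV flagged is the one you actually shipped.
    $result.Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.Md5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash

    [pscustomobject]$result
}

$r = Test-ReleaseBinary -Path $Path
$r | Format-List

if ($r.SignatureStatus -ne 'Valid') { Write-Warning 'Not validly signed; sign (and timestamp) before shipping.' }
if (-not $r.Timestamped)           { Write-Warning 'Signature has no timestamp; it will stop verifying when the cert expires.' }
if ($r.LooksUpxPacked)             { Write-Warning 'Binary appears UPX-packed; ship it unpacked or expect heuristic hits.' }
```

Run it as the last step of the build, and keep the printed SHA-256 with the release notes: every vendor whitelist or false-positive form in these threads wants that hash, and a signed, timestamped, unpacked binary is the cheapest way to shorten the review on their side.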

Norton File Insight marking installer as a threat

Norton Antivirus is marking an installer of mine, foobar_revision_1922.exe, improperly as a threat because it has Very Few Users (fewer than 5 in the Norton Community, WS.Reputation.1) and places the file in quarantine. Has anyone encountered this situation?
What is the best way to prevent Norton from flipping out?
This seems tedious and a Catch-22.
For future releases, such as foobar_revision_2116.exe, I would need to have five trusted users of the new version to pass quarantine.
If I rename all releases to a common filename, foobar_installer.exe, then this removes the useful version information, and I imagine that the file size is stored by Norton and this would fail anyway.
Suggestions?
Thanks.
Edit:
I have found the answer after a little more searching: https://submit.symantec.com/whitelist/. Symantec has a whitelist program.
Edit 2
Norton offers Apple-like response times:
We have received your recent request to Symantec's Software White-list Request program. Complete requests with all necessary information will be processed immediately. Once a determination has been made regarding your request you will be notified via e-mail as to the decision made and the next steps, if any. For a Software White-list request, Symantec will target a response of advising you of our final determination within 3 weeks. This timeframe is subject to Symantec being supplied with all the necessary information to allow for a proper determination. Requests of incomplete information may result in a delay of the final determination. Any request for additional information regarding your submission will be sent to the contact email address you provided at the time of submission.
I had a similar problem: Norton File Insight flagging my posted MSI as a possible threat. I did the white-list application and it was approved fairly quickly (I believe within a day or two). It was probably approved quickly because it was digitally signed allowing the Norton team to confirm the file quickly.
But Norton File Insight, like IE9's new SmartScreen Filter, is not very friendly to small software developers. Norton File Insight just does not recognize that my MSI is digitally signed with a certificate from a trusted certificate authority. AND, I lost my white-listed status as soon as I posted an update to the MSI. I post updates probably 20 times a week so I think Norton File Insight will keep giving my customers grief.
And of course it is perpetually stuck on Very Few Users have downloaded this.
So the solution is to keep petitioning Symantec to get its act together and to keep filing White-List requests. Hardly ideal.