Making friends with antivirus software: how to avoid false positives

    In this article I want to talk about how we solved the problem of antivirus false positives on our product.

    If you do not have such problems yet but plan to protect your software with a protector, I recommend reading this material, since you will most likely have to go through the same thing.

    Step 1. Code signing

    The most effective measure is to sign your executable files; if you do not, antiviruses will scan them with particular suspicion.

    To make the importance of this step convincing, Alexander (Rouse_) Bagel kindly shared a clear example. The test application uses no protector, has no Internet access and does only one thing: it computes the CRC32 of files. Compare the reports for the signed and unsigned files:

    I think this is a sufficient argument in favor of the signature.

    I will not describe the technical side of obtaining a certificate and signing a file. I got my certificate from StartSSL (won over by the price and the Russian-speaking support): an individual Class 1 certificate for $100 for two years, without any red tape. Obtaining a certificate for an LLC (Class 2) ran into the difficulty of finding a notary in Moscow who would send his opinion by e-mail signed with a Class 2 digital signature ...

    Approval by antiviruses is only a side benefit of signed software; the main attraction is increased customer confidence ("There's a digital signature, so it's not some amateur outfit!"). In addition, antiviruses, firewalls and UAC will not warn about an increased threat.

    Step 2. Angry letters

    Whether the file is signed or not, if some engine flags it on VirusTotal (hereinafter VT), it is time to write letters. The following lists help you find out where to send false-positive complaints:

    Be prepared for the virus labs to take a couple of weeks to respond to a request.

    Step 3. Automatically check VirusTotal on the build server

    If no add-on protectors are used, everything is simple: build the release, upload it to VT, send off complaints, and that's it. But when protectors are used, there is a way to reduce the number of false positives without sending abuse reports.

    A bit of theory. When you recompile the same sources, the contents of the exe file do not change (except for the timestamps in the headers). Therefore rebuilding and resubmitting to VT will not fix a false positive: whoever flagged it will flag it again.

    It is a completely different matter with a protector (in my case VMProtect), which generates a unique virtual machine (instructions, handlers) and the corresponding virtualized code each time it processes a file. This unique data may or may not happen to contain a virus signature, so after re-protecting the file the antiviruses may let it through.

    Re-protecting takes less time than waiting for an answer from the virus labs, but doing it by hand is a truly hellish routine, since re-protecting 20 times in hope of a miracle is a realistic scenario. To automate this process the VirusTotalScan utility was written, which is discussed below.

    Using VirusTotalScan

    You can download it from the link. The program is a console one; the result is returned via the exit code: 0 no viruses, 1 a virus was found, 2 something else happened. Call syntax:

      VirusTotalScan.exe api_key file_name [/ignore [antivirus_name][ ...]]
        api_key          VirusTotal API access key
        file_name        Path to the file being checked
        antivirus_name   List of antiviruses whose opinion is ignored

    To use it you need a VirusTotal API access key, which can be obtained on the virustotal.com website after registering:

    Here is the integration into the build server using my own setup as an example; a .bat script is used for the build:

      :Protect
      IF EXIST "~program.exe" DEL "~program.exe"
      rem Apply the virtual machine (VMProtect)
      echo Compiling with VMProtect
      VMProtect_Con.exe "program.exe" "~program.exe" -pf "program.exe.vmp"
      rem Apply the digital signature
      signtool.exe ...
      :VirusTotalScan
      rem Upload the signed file to VirusTotal
      rem Ignore the verdicts of the Qihoo-360 and CMC antiviruses
      VirusTotalScan.exe 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0 "~program.exe" /ignore "Qihoo-360" "CMC"
      rem IF ERRORLEVEL n is true for any exit code >= n, so test 2 before 1
      rem Exit code 2 (something else happened): resubmit for scanning
      IF ERRORLEVEL 2 GOTO VirusTotalScan
      rem Exit code 1 (a virus was found): re-protect, which yields a new VM and new bytes
      IF ERRORLEVEL 1 (
        echo Viruses found. RECOMPILE.
        GOTO Protect
      )
      rem No viruses, carry on
      rem Replace the final file
      DEL "program.exe"
      COPY "~program.exe" "program.exe"
      DEL "~program.exe"

    From the example everything should be clear. Ironically, the program itself received one false positive; I sent off a complaint and am now waiting a couple of weeks for a decision.
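    As an added example (not the author's VirusTotalScan utility, whose source is not on the page), here is the same build-server step in Python: upload the file, poll until the analysis completes, and map the engines' verdicts to the article's exit codes 0/1/2, skipping the engines given after /ignore. It assumes the current VirusTotal API v3 (x-apikey header, /files and /analyses endpoints); the sample analysis results are constructed.

```python
import json, pathlib, sys, time, urllib.request
VT_API = "https://www.virustotal.com/api/v3"    # assumption: current VT API
EXIT_CLEAN, EXIT_DETECTED, EXIT_ERROR = 0, 1, 2  # exit codes as in the article
# Constructed sample of attributes.results from a completed VT analysis.
SAMPLE_RESULTS = {"Qihoo-360": {"category": "malicious", "result": "HEUR/Malware.Gen"},
                  "CMC": {"category": "suspicious", "result": "Suspicious.Packer"},
                  "Kaspersky": {"category": "undetected", "result": None}}
def verdict(results, ignore=()):
    """(exit_code, flagging engines); engines named in `ignore` (the /ignore list) are skipped."""
    ignored = {name.lower() for name in ignore}
    flagged = sorted(e for e, r in results.items()
                     if r.get("category") in ("malicious", "suspicious")
                     and e.lower() not in ignored)
    return (EXIT_DETECTED if flagged else EXIT_CLEAN), flagged

def vt_request(api_key, url, body=None, content_type=None):
    """One authenticated VT call (POST when a body is given); returns the JSON 'data'."""
    headers = {"x-apikey": api_key, **({"Content-Type": content_type} if body else {})}
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers),
                                timeout=60) as resp:
        return json.load(resp)["data"]

def upload(api_key, path):
    """POST the file as multipart/form-data and return the analysis id."""
    boundary = "----VirusTotalScanBoundary"
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{pathlib.Path(path).name}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + pathlib.Path(path).read_bytes() + f"\r\n--{boundary}--\r\n".encode()
    return vt_request(api_key, f"{VT_API}/files", body,
                      f"multipart/form-data; boundary={boundary}")["id"]

def wait_results(api_key, analysis_id, attempts=45, poll=20):
    """Poll until every engine has answered (at most attempts*poll seconds)."""
    for _ in range(attempts):
        attrs = vt_request(api_key, f"{VT_API}/analyses/{analysis_id}")["attributes"]
        if attrs["status"] == "completed":
            return attrs["results"]
        time.sleep(poll)
    raise TimeoutError("VirusTotal analysis did not complete in time")

def scan(api_key, path, ignore=()):
    """The whole build-server step; any API or network failure is the 'something else' code."""
    try:
        return verdict(wait_results(api_key, upload(api_key, path)), ignore)
    except Exception as exc:
        print(f"scan failed: {exc}", file=sys.stderr)
        return EXIT_ERROR, []
if __name__ == "__main__":  # vtscan.py api_key file_name [/ignore [antivirus_name] ...]
    names = sys.argv[4:] if len(sys.argv) > 3 and sys.argv[3] == "/ignore" else ()
    sys.exit(scan(sys.argv[1], sys.argv[2], names)[0])
```

    Dropped into the .bat script in place of VirusTotalScan.exe, the same IF ERRORLEVEL checks apply unchanged.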


    In conclusion, I want to thank Alexander, at whose suggestion this article began, and to warn you that it is not always possible to resolve the issue with the virus labs.
