June 30, 2014 at 09:08We make friends with antivirus software: how to avoid false positives
In this article I want to talk about how the problem of false positives for antiviruses on our product was solved.
If you do not have such problems, but you plan to protect your software with a tread, I recommend that you familiarize yourself with the material, since most likely you will have to go through the same thing.
The most effective way is to sign your executable files, if this is not done, antiviruses will scan them with special addiction.
In order to convince the importance of this step, Alexander (Rouse_) Bagel kindly shared a clear example . The test application does not use a protector, there is no Internet access, it performs only one function - it considers CRC32 files. Compare the reports of signed and unsigned files:
I think this is a sufficient argument in favor of the signature.
I will not describe the technical side of obtaining a certificate and signing a file. I got the certificate in startssl(bribed by price and Russian-speaking support) for an individual Class 1 for $ 100 for two years without any red tape. To obtain a certificate for LLC (Class 2) there were difficulties in finding a notary lawyer in Moscow who would send his opinion by e-mail signed with a digital signature of Class 2 ... The
approval of antiviruses is only a side benefit of the signed software, the main charms are this is an increase in customer confidence, saying "There is a CPU - that means not a collective farm!". Also, antiviruses, firewalls and UAC will not warn of an increased threat.
The file is signed or not, but if someone swears on the virusstal (hereinafter VT) - it's time to write letters. To find out where to send complaints about false positives, special lists help:
Be prepared that the virlabers' reaction to treatment takes a couple of weeks.
If hinged protections are not used, then everything is simple, put together a release, uploaded it to VT, wrote off complaints and that’s all. But in the case of using protectors, there is an option to reduce the number of false positives without sending abuses.
A bit of theory. When you recompile the same sources, the contents of the exe file does not change (except for timestamps in the headers). Therefore, rebuilding and re-sending to VT the situation with false positives will not solve: whoever cursed curses again.
It is a completely different matter when using a protector (in my case VMProtect), which forms a unique virtual machine (instructions, handlers) and the corresponding virtualized code during each file processing. This unique data can either contain the signatures of a virus or not, which makes it possible that after a second reboot, antiviruses will skip the file.
Reloading takes less time than waiting for an answer from the Virlabers, but you have to do a really hellish routine with your hands, because rebooting 20 times in anticipation of a miracle is a very working scenario. To automate this process, the VirusTotalScan utility was written, which will be discussed later.
You can download the link . The program is console, the result of work is returned by the exit code: there are no 0 viruses, 1 a virus was found, 2 something else happened. Call Syntax:
To use it, you need the access key to the VirusTotal API, which can be obtained on the virustotal.com website after completing the registration:
I will give the integration into the build server using my own example, the .bat script is used for assembly:
From the example, everything should be clear. Ironically, the program itself received one false positive, wrote off a complaint - now I'm waiting for a couple of weeks for a decision.
In conclusion, I want to thank Alexander , with whose filing the article began, and to warn you that it is not always possible to resolve the issue with the virlabists.
If you do not have such problems, but you plan to protect your software with a tread, I recommend that you familiarize yourself with the material, since most likely you will have to go through the same thing.
Step 1. Code signing
The most effective way is to sign your executable files, if this is not done, antiviruses will scan them with special addiction.
In order to convince the importance of this step, Alexander (Rouse_) Bagel kindly shared a clear example . The test application does not use a protector, there is no Internet access, it performs only one function - it considers CRC32 files. Compare the reports of signed and unsigned files:
I think this is a sufficient argument in favor of the signature.
I will not describe the technical side of obtaining a certificate and signing a file. I got the certificate in startssl(bribed by price and Russian-speaking support) for an individual Class 1 for $ 100 for two years without any red tape. To obtain a certificate for LLC (Class 2) there were difficulties in finding a notary lawyer in Moscow who would send his opinion by e-mail signed with a digital signature of Class 2 ... The
approval of antiviruses is only a side benefit of the signed software, the main charms are this is an increase in customer confidence, saying "There is a CPU - that means not a collective farm!". Also, antiviruses, firewalls and UAC will not warn of an increased threat.
Step 2. Angry letters
The file is signed or not, but if someone swears on the virusstal (hereinafter VT) - it's time to write letters. To find out where to send complaints about false positives, special lists help:
- www.geekstogo.com/forum/topic/273320-where-to-submit-false-positives-to-antivirus-and-security-vendors
- forum.sysinternals.com/malware-policy-please-read_topic11134.html
- www.segura.ca/files.html
- www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm
Be prepared that the virlabers' reaction to treatment takes a couple of weeks.
Step 3. Automatically check VirusTotal on the build server
If hinged protections are not used, then everything is simple, put together a release, uploaded it to VT, wrote off complaints and that’s all. But in the case of using protectors, there is an option to reduce the number of false positives without sending abuses.
A bit of theory. When you recompile the same sources, the contents of the exe file does not change (except for timestamps in the headers). Therefore, rebuilding and re-sending to VT the situation with false positives will not solve: whoever cursed curses again.
It is a completely different matter when using a protector (in my case VMProtect), which forms a unique virtual machine (instructions, handlers) and the corresponding virtualized code during each file processing. This unique data can either contain the signatures of a virus or not, which makes it possible that after a second reboot, antiviruses will skip the file.
Reloading takes less time than waiting for an answer from the Virlabers, but you have to do a really hellish routine with your hands, because rebooting 20 times in anticipation of a miracle is a very working scenario. To automate this process, the VirusTotalScan utility was written, which will be discussed later.
Using VirusTotalScan
You can download the link . The program is console, the result of work is returned by the exit code: there are no 0 viruses, 1 a virus was found, 2 something else happened. Call Syntax:
VirusTotalScan.exe api_key имя_файла [/ignore [имя_антивируса][ ...]]
api_key Ключ доступа VirusTotal API
имя_файла Путь до проверяемого файла
имя_антивируса Список антивирусов, мнение которых игнорируется
To use it, you need the access key to the VirusTotal API, which can be obtained on the virustotal.com website after completing the registration:
I will give the integration into the build server using my own example, the .bat script is used for assembly:
:VMPROTECT
IF EXIST "~program.exe" DEL "~program.exe"
rem Использование виртуальной машины
echo Compiling with WMProtect
VMProtect_Con.exe "program.exe" "~program.exe" -pf "program.exe.vmp"
IF ERRORLEVEL 1 GOTO ERROR
rem Установим цифровую подпись
signtool.exe ...
:VirusTotalScan
rem закачка подписанного файла на VirusTotal
rem пропустим антивирусы Qihoo-360 и CMC
VirusTotalScan.exe 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0 "~program.exe" /ignore "Qihoo-360" "CMC"
rem при ошибке отправим на повторное сканирование
IF ERRORLEVEL 2 GOTO VirusTotalScan
rem Нашелся вирус, перезащищаем
IF ERRORLEVEL 1 (
echo Vireses finded. RECOMPILE.
GOTO VMPROTECT
)
rem вирусов нет, работаем дальше
rem заменим итоговый файл
DEL "program.exe"
COPY "~program.exe" "program.exe"
DEL "~program.exe"
From the example, everything should be clear. Ironically, the program itself received one false positive, wrote off a complaint - now I'm waiting for a couple of weeks for a decision.
Conclusion
In conclusion, I want to thank Alexander , with whose filing the article began, and to warn you that it is not always possible to resolve the issue with the virlabists.