
I'm creating a piece of software that will run on Windows and act as a launcher for the game, serving as an auto-updater and file verifier on the client-side PC.

One thing I don't understand: why does my antivirus software (Avast) consider my exe file dangerous and refuse to start it without asking to put it into a sandbox, for safe use?

Are there any rules that my software should obey to be treated as good, or should I pay hundreds of dollars for some sort of digital signing and other stuff?

I'm using C# with MS Visual Studio 2010.

VirusTotal report. No DLL injections; it works as a remote file downloader, using the WebClient() class.

It is not like it warns about a virus, but it "suggests" to sandbox it. Look at the screenshot: [image not available]

gnat
Deele
    I suggest you first upload your program to http://www.virustotal.com to get an impression of the number of vendors that consider your app suspicious. If all AV programs flag your app you'll have to find out what your code is doing that an AV program might consider suspect. It is practically impossible to determine what heuristics AV vendors use - I doubt they'll tell you. If it's only one or two, you can report false positives to them (check their website, or google "vendorname report false positive"). The downside of this is that you'll have to do this with every release of your software. – Jan Doggen Mar 18 '13 at 11:33
  • It's not doing any DLL-injection-related activity, is it? – TtT23 Mar 18 '13 at 11:33
  • Make sure your computer is not infected with a virus. I've never seen that behaviour before unless there is an infection. – Sam Mar 18 '13 at 11:34
  • Tell us in more detail what your code does. Things like running as admin (elevation), hooking Winsock, DLL injection, etc. (Missing) digital signing usually is not the reason to be flagged by AV. – Jan Doggen Mar 18 '13 at 11:35
  • @JanDoggen Submitted and it found none. Look, I updated question with link. – Deele Mar 18 '13 at 11:40
  • You could start removing functionality from your code, until AV is satisfied, or no code is left (whichever comes first). The part whose removal made AV happy should be checked. – ugoren Mar 18 '13 at 11:46
  • The Virustotal version of Avast with update 18 Mar does not flag your file. Are your local Avast signatures up-to-date (may have been a fluke)? – Jan Doggen Mar 18 '13 at 11:59
  • I have found that the best solution for this issue is to uninstall all anti-virus programs from your computer. After 20 years of using internet-attached computers, without any anti-virus installed, I have yet to encounter a harmful computer virus. Even though I do sporadic scans with online anti-virus programs, they find nothing. Anti-virus programs however, cause a lot of computer damage. –  Mar 18 '13 at 12:03
  • @Lundin: that's not really a solution if he's planning to distribute the files. It's nice that he won't see the problem, but his customers will. – Joachim Sauer Mar 18 '13 at 12:04
  • @Lundin Yeah, tell that to potential customers, not me :) – Deele Mar 18 '13 at 12:05
  • Does the problem occur during development only? I've had that problem at work plenty of times myself, when the compiler generates the executables. If so, the solution is indeed to uninstall the anti-program software. –  Mar 18 '13 at 12:07
  • @Lundin What do you mean "during development"? I compiled it and sent it to another PC, and that PC shows the "suggestion to sandbox". – Deele Mar 18 '13 at 12:16
  • @Deele Whether the problem exists only on your dev computer or on the distribution to random, generic clients. That is not clear in the question as it stands. –  Mar 18 '13 at 12:29
  • "File prevalence/reputation is low". That message should've been in your question from the start. – Jan Doggen Mar 18 '13 at 12:30
  • @JanDoggen ok, I will know next time. – Deele Mar 18 '13 at 13:34

2 Answers


"File prevalence/reputation is low" means Avast uses a reputation system based on the usage of the program. Only if your program has been installed and 'marked as benevolent' by enough users will it develop a good reputation and will this suggestion go away. Avast calls this the FileRep cloud feature and says "All new unknown files are potentially dangerous. Whenever they have become widespread, there will not be a reason to AutoSandbox them anymore". This is a PITA for small software companies (and Avast is not the only one doing this, note e.g. Symantec's Suspicious Insight"). One thing Avast suggests is "you can accelerate the process if you digitally sign the files."

Locally (on your computer) you can go to the autosandbox expert settings and disable autosandboxing of files with a low reputation, or maybe use a self-signed certificate, but that won't help you with your end users. For those I suggest you do use a real certificate (costs money, but Windows likes it too), and update your documentation with this info.
Maybe there are more suggestions at the Avast forums as well.

Jan Doggen
    I am using an EV Code Signing certificate to sign my exe, and Avast is still detecting it as a threat under the category *IDP Generic virus*. What else can I improve? – Aniket Bhansali Jun 26 '20 at 08:14
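Signing in practice, as an added example that is not part of Jan Doggen's answer: PowerShell's own Set-AuthenticodeSignature and Get-AuthenticodeSignature do the same job as signtool.exe, and the second cmdlet tells you whether the signature chains to a root that Windows trusts, which is the property reputation systems can use. The file name, the way the certificate is picked from the store and the timestamp URL are assumptions for the example, not taken from the question.

```powershell
# Added example (not from the original answer): sign the launcher with a
# code-signing certificate and verify the result the way Windows will.
# Assumptions: the build output is .\Launcher.exe, a usable certificate is in
# the current user's store (an EV certificate on a token also shows up there),
# and the timestamp URL is a placeholder for your CA's RFC 3161 server.
$Exe       = '.\Launcher.exe'
$Timestamp = 'http://timestamp.example.invalid'   # placeholder: use your CA's RFC 3161 URL

# Pick a certificate that is valid for code signing, unexpired, and has a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# SHA-256 file digest; the timestamp keeps the signature valid after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $Exe -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $Timestamp
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Re-check from a fresh read of the file. 'Valid' means the chain builds to a
# trusted root on this machine; a self-signed certificate gives 'UnknownError'
# with an "untrusted root" message, which is why it does not help end users.
$sig = Get-AuthenticodeSignature -FilePath $Exe
$sig | Format-List Status, StatusMessage,
                   @{ Name = 'Signer';    Expression = { $_.SignerCertificate.Subject } },
                   @{ Name = 'Timestamp'; Expression = { $_.TimeStamperCertificate.Subject } }
if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.StatusMessage)" }
```

Run the last two lines on a clean test machine as well as the build box: a certificate that chains only because the issuer is in your own store will pass locally and fail for users.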

To add to what Jan Doggen said, other anti-virus software also does heuristic scans.

Anti-virus scanning is not just looking at whether a specific executable is an exact copy of a known virus. That can be, and has been, easily circumvented. Now AV tools check for specific behaviour, like: does the tool use net libraries, does it do file access/modification, does it encrypt/decrypt itself at runtime, and so on, and depending on the internal algorithm (the heuristic), it spits out "danger".

One way to combat various AVs' false detections is what is known as signature obfuscation. Basically, one other technique is that an AV tool will look at whether a specific stream of bytes (signature) is included in an executable. If it finds it, it knows it's a virus. You may end up producing (executable) code that includes one of the many billions of signatures an AV software utilizes. To remove that specific part, you need to do a binary search on your executable by dividing it into two parts, first half and other half, rescanning those again and repeating the process until you locate the part that contains the signature. Once found, you flip some bits and see if it is still detected. A safer way would be to just change the source code and see if it spits out another byte stream at that location.

You will run into this problem 100% with the type of software you are developing.
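The splitting procedure above, as an added example that is not part of the original answer. Cutting the file into halves misses a signature that straddles the cut, so this version binary-searches on a prefix length to find where the flagged bytes end, then on a start offset to find where they begin; for one contiguous byte signature that pins it down in about 2·log2(file size) scans. The scanner is a stand-in scriptblock that matches two constructed byte patterns; with a real product you would write each chunk to disk and run the vendor's command-line scanner on it. The function names, the patterns and the sample "executable" are all made up for the example. Note that this only helps against plain byte-signature hits, not against the reputation-based prompt shown in the question's screenshot.

```powershell
# Added example (not from the original answer): locate the byte range that a
# signature scanner trips on by rescanning shrinking slices of the file.
# Stand-in scanner: flags a chunk if it contains one of these constructed patterns.
# A real scanner would be invoked on the chunk written to a temp file instead.
$KnownSignatures = @(
    [System.Text.Encoding]::ASCII.GetBytes('MALWARE-SIG-01'),
    [System.Text.Encoding]::ASCII.GetBytes('BAD-BYTES-XYZ')
)

function Test-ContainsPattern {
    param([byte[]]$Haystack, [byte[]]$Needle)
    if ($Needle.Length -eq 0 -or $Haystack.Length -lt $Needle.Length) { return $false }
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

$StandInScanner = {
    param([byte[]]$Chunk)
    foreach ($sig in $KnownSignatures) {
        if (Test-ContainsPattern -Haystack $Chunk -Needle $sig) { return $true }
    }
    return $false
}

function Get-Slice {
    param([byte[]]$Data, [int]$Start, [int]$Length)
    $out = New-Object byte[] $Length
    if ($Length -gt 0) { [Array]::Copy($Data, $Start, $out, 0, $Length) }
    return ,$out          # leading comma stops PowerShell from unrolling the array
}

function Find-FlaggedRange {
    param([byte[]]$Data, [scriptblock]$IsFlagged)
    $n = $Data.Length
    if ($n -eq 0 -or -not (& $IsFlagged $Data)) { return $null }   # whole file is clean

    # 1) Smallest prefix that is still flagged: its last byte ends the signature.
    #    Invariant: prefix [0,lo) is clean, prefix [0,hi) is flagged.
    $lo = 0; $hi = $n
    while ($hi - $lo -gt 1) {
        $mid = [int][math]::Floor(($lo + $hi) / 2)
        if (& $IsFlagged (Get-Slice $Data 0 $mid)) { $hi = $mid } else { $lo = $mid }
    }
    $end = $hi

    # 2) Largest start such that [start,end) is still flagged: the signature begins there.
    #    Invariant: [lo,end) is flagged, [hi,end) is clean.
    $lo = 0; $hi = $end
    while ($hi - $lo -gt 1) {
        $mid = [int][math]::Floor(($lo + $hi) / 2)
        if (& $IsFlagged (Get-Slice $Data $mid ($end - $mid))) { $lo = $mid } else { $hi = $mid }
    }
    return [pscustomobject]@{ Offset = [int]$lo; Length = [int]($end - $lo) }
}

# The "flip some bits" check from the answer: mutate one byte inside the range and rescan.
function Test-MutationClean {
    param([byte[]]$Data, [int]$Offset, [scriptblock]$IsFlagged)
    $copy = [byte[]]$Data.Clone()
    $copy[$Offset] = [byte]($copy[$Offset] -bxor 0xFF)
    return (-not (& $IsFlagged $copy))
}

# Constructed sample "executable": 300 zero bytes with one pattern planted at offset 120.
$Sample  = New-Object byte[] 300
$Planted = [System.Text.Encoding]::ASCII.GetBytes('MALWARE-SIG-01')
[Array]::Copy($Planted, 0, $Sample, 120, $Planted.Length)

$range = Find-FlaggedRange -Data $Sample -IsFlagged $StandInScanner
"Flagged range: offset $($range.Offset), length $($range.Length)"
"Clean after flipping one byte in that range: $(Test-MutationClean $Sample $range.Offset $StandInScanner)"
"Hex of the flagged bytes: " + (($Sample[$range.Offset..($range.Offset + $range.Length - 1)] |
    ForEach-Object { '{0:x2}' -f $_ }) -join ' ')
```

Once you have the offset, map it back to the source (for a .NET build, the IL method at that file offset) and change the source, as the answer recommends, rather than patching bits in the binary; a patched binary will not survive the next compile. If the file contains more than one matching signature, this finds the one that ends first; fix it and rerun.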