6

Let's say I created a file compression library, and this library was used in 1000 (non malicious) programs. But now a malware developer has decided to create a malware and use my library to compress some files.

Based on my little knowledge on how an Antivirus works, it selects a group of strings of bytes from the malware and store it in its database. Now when the Antivirus scans a program that has these strings of bytes, it alerts the user that this is a malware.

But what if the Antivirus selected a string of bytes that corresponds to a portion of my library's code, wouldn't this mean that my library is now detected as a malware (and hence the 1000 non malicious programs are now detected as a malware)?

user6088487
  • 189
  • 6

3 Answers3

4

There are two kinds of techniques to detect malwares, The first is by the file signature, for example Kaspersky receive every day a huge ammount of malicious code that will be analysed by its experts and then generate a signature for each one of them. So, when a file is analysed by an antivirus, it compare signature with all the signatures in its database. and then return the result to the user. The second way to determin is a software is malicious, is by using data mining techniques. which is take as an input the static & dynamic analysis results of the software, and then return a result. In this case, it can return a false positive result, depending on the antivirus.

Mohamed Kamel Bouzekria
  • 804
  • 8
  • 27
2

If an antivirus program flagged a widely-used piece of code as malicious, then yes, it would (incorrectly) detect lots of programs as being malware. But malware signatures aren't chosen at random; they're developed by human analysts who study the malware to learn what it does and how it works. Those analysts are careful to build the signature based on something that's actually specific to the malware, not a piece of non-malicious library code that happens to be included within it.

Wyzard
  • 33,849
  • 3
  • 67
  • 87
1

If you are the author of the legit lib, and some malware guys use your lib, then AVs start to detect the clean programs using your lib, the only way to deal with it is to contact AV companies and tell them to remove detection from your lib. They can make detection over the malicious code rather the libraries code. Check every AV company website for complaining forms or contact their support department.

haya
  • 11
  • 3