3

The .exe I'm building is currently recognized by Avast as "File might be dangerous". It is not a false positive because the antivirus software finally doesn't find any virus in it, but just an alarm saying that this file has been "rarely downloaded".

I've contacted Avast but they don't seem to offer a solution except sending them the .exe for whitelisting.

Things I have tried, but that didn't solve the problem:

Things that won't work:

  • Add to local avast exclusion (I can't ask every customer to do this!)

  • Redo a "Submit file to Avast Lab for scan" for each new build of the .exe. It's not scalable to have to re-submit the .exe to Avast (and all other 50+ antivirus software!) for each new build.

  • Paying $200 per year for code-signing (it might work, but I don't find it fair to have to give a $xxx ransom per year just for being whitelisted)

Are there common solutions that can help to avoid "Rarely downloaded file / File might be suspicious" antivirus alarms?

Note: I've read How to prevent my .exe to be recognized as malware?, how can I make my software not to be discovered by antivirus?, but it did not really cover the topic here.

Note2: I've read these guidelines, etc. but it did not currently help.

Basj
  • 41,386
  • 99
  • 383
  • 673
  • 3
    I would like to mention that code-signing does not make your application automatically whitelisted, it only makes it less suspicious. – user7860670 Jul 29 '17 at 14:44
  • Can't you use [virus total](https://www.virustotal.com/en/documentation/desktop-applications/)? The program also has cli and you can easily integrate it in the build process. – Oleg Jul 29 '17 at 15:43
  • @Oleg will the fact of sending an .exe to virus total automatically whitelist it in nearly all antivirus databases, provided it is clean ? – Basj Jul 29 '17 at 16:02
  • No, it will not, my bad. I found a very good [blog post](http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/) from freaking **2009** describing the problem in detail, nothing has changed since then. I'm surprised that a service that will help you whitelist in all antiviruses doesn't exist (startup idea?). Until things will change (if they ever will) all you can do is explain the problem in your download page and add a link to a virus total scan (an [example](http://www.easy2boot.com/download/)). – Oleg Jul 29 '17 at 18:19

1 Answers1

0

It depends of what this exe going to do. I've seen these av balloons two times.

First when I've add some compiled assembler code into (signed?) exe file and another one happens when I'd deploy system wide hook to catch all keystrokes in the system while app is inactive (exe were not enough for it and there were own dll).

help-info.de
  • 6,695
  • 16
  • 39
  • 41
  • Indeed my .exe asks for admin privilege, uses icon systray (and therefore has main window hidden by default with ShowWindow (hWnd, WS_HIDE)). I understand this can trigger antivirus general purpose tests. But I really need these features. – Basj Jul 29 '17 at 16:12
  • 2
    This doesn't address the question. The question is asking, how to avoid getting flagged as potential malware for a **specific reason** (low download rate). Your proposed answer outlines two unrelated scenarios, where an executable can get flagged as malware. This is your 5th contribution I needed to down-vote. Please stop dumping unrelated/low-quality/not-an-answer answers. It does cost *me* reputation, while down-votes are completely free for your account. – IInspectable Jul 29 '17 at 16:40