11

Windows Defender and AVG/Avast pick up our software application as a virus/false positive every time we release. We have a code signing certificate and add a taggant as well.

Every time we release the software, we have to go through the process of filing a false positive form on multiple AV vendors' sites.

How can we get our company code signing cert marked as safe or avoid this time consuming false positive report process on each release?

Edit: Is there any premier support we can pay for to have this done automatically?

Edit2: we actually had our certificate revoked due to "malware distribution" as a result of these false positives. It seems there is no recourse other than to buy another one.

rollsch
  • 2,518
  • 4
  • 39
  • 65
  • 1
    Not what you're looking for, but: upload your executable to virustotal.com, check which products you are getting flagged by and what (if any) heuristics match. Next, try removing parts of your code and re-uploading. Divide and conquer your way to the bits triggering the AV. That's the malware authors' workflow and it works pretty damn well for them ;) – vzwick Dec 04 '18 at 01:18
  • That is what we do, but with every single new release all of them get reflagged again. So we have to submit a false positive every time we do an update. Our application is obfuscated and packed, so that is what triggers the false positive: we have too much entropy, so it looks like encryption. We added a heuristic stub (basically a very simple notepad.exe-like program at the header), which dropped off 50% of the false positives (as they only scan the first 4 KB or so of files); however, quite a few still scan the whole file and flag it. – rollsch Dec 05 '18 at 02:43
  • 1
    I see. In that case I'm afraid you'll either have to live with the situation, automate the false positive submission process or ditch the obfuscation/packing. Just out of curiosity: is there such non-trivial IP in your product that obfuscation makes sense from a business perspective? Could you possibly switch to a DRM scheme? – vzwick Dec 05 '18 at 03:17
  • We have phone-home code that tells us when people try to hack our software. It happens weekly. I wonder how game manufacturers handle this; they use obfuscation and packers. – rollsch Dec 06 '18 at 09:15

4 Answers

0

A signing cert doesn't help most of the time; it's probably a coding pattern similar to a virus listed in their database. The best you can do is contact the AV vendor and ask them to whitelist you to get past that.

Ashton
  • 174
  • 11
  • 1
    The issue is the whitelist is per hash. So every release we have to go through the process again. What do big companies do in this scenario? – rollsch Sep 17 '18 at 05:43
0

My recommendation is to contact the AV vendors and tell them your problem. Probably your software has some strings or patterns defined that potentially trigger the heuristics of the AV. You can try to find those strings easily in your code base and base64/xor/encrypt them and see what happens with the AV; that may help to solve your problem.

camp0
  • 372
  • 1
  • 5
0

While it is certainly possible that your software shares some characteristics with known malware, I would guess that it is a "cloud" detection.

Cutting through the marketing speak, it basically means that (among other possible causes) your file is flagged as suspicious if it has not been seen on many other PCs.

user45891
  • 780
  • 6
  • 17
0

Try removing anything that could trigger antivirus flags, like self-extracting archives, UPX, file encryption, suspicious website requests, or suspicious behaviour.

Why remove these?

  1. Self-extracting is flagged because it's suspicious behaviour (not really normal to do).
  2. UPX is detected because some malware tries to hide by being compressed with UPX, so antiviruses need to decompress it.
  3. File encryption may easily be detected as Riskware / EncoderTool / Ransomware.
  4. Suspicious websites: avoid downloading files from strange URLs.

I had this problem with a program auto-updater; an antivirus detected it as a TrojanDownloader.

If your program doesn't do any of these things, I can't help you more, as that is a problem that the programmer community has.

I hope this helps.

Anic17
  • 712
  • 5
  • 18
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/26322015) – Abhijith Sasikumar Jun 05 '20 at 00:02
  • I have edited the answer to clarify, sorry, I'm new at Stack Overflow. Now I explain why antiviruses detect them. – Anic17 Jun 05 '20 at 07:32
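The thread keeps returning to the same three indicators: the entropy of a packed or obfuscated build and the "first 4 KB" stub trick from the question's comments, the suspicious strings in camp0's answer, and the UPX/packer sections in Anic17's answer. Below is an added pre-release triage script that measures all three on a build before it is shipped, so the team can see what a heuristic engine will see and compare releases against each other. It is an editor's example, not code from the question or any of the answers. It uses only the Python standard library and walks the PE section table itself instead of depending on the `pefile` package. The 7.0 bits/byte threshold, the `PACKER_SECTION_NAMES` set and the `SUSPICIOUS_STRINGS` list are assumptions chosen for illustration (no vendor publishes its rule set), and `build_sample_pe` constructs a minimal PE-shaped blob for the demonstration rather than using a real binary.

```python
"""Pre-release triage for the packing/entropy/string heuristics discussed in the thread.
Added example, not code from the original post. Standard library only."""
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off, bits per byte; compressed or encrypted data sits near 8.0
HEAD_WINDOW = 4096       # the "first 4 KB" window some engines look at, per the question's comments
# Section names left behind by common packers/protectors (assumed list; UPX's are the classic case).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}
# Illustrative strings heuristic engines tend to weight; an assumed list, not any vendor's rules.
SUSPICIOUS_STRINGS = [b"http://", b"IsDebuggerPresent", b"CreateRemoteThread", b"cmd.exe"]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, raw_offset, raw_size) for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_header_size
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size))
    return out


def triage(data: bytes) -> dict:
    """Per-section entropy plus the packer-name and string indicators a heuristic engine would notice."""
    report = {"sections": [], "findings": []}
    for name, off, size in pe_sections(data):
        ent = shannon_entropy(data[off:off + size])
        report["sections"].append({"name": name, "size": size, "entropy": round(ent, 2)})
        if ent > ENTROPY_THRESHOLD:
            report["findings"].append(f"section {name}: entropy {ent:.2f} looks packed or encrypted")
        if name in PACKER_SECTION_NAMES:
            report["findings"].append(f"section {name}: known packer section name")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            report["findings"].append(f"string {s.decode()} present")
    report["head_entropy"] = round(shannon_entropy(data[:HEAD_WINDOW]), 2)  # what a 4 KB-only scanner sees
    report["file_entropy"] = round(shannon_entropy(data), 2)
    return report


def build_sample_pe(packed: bool) -> bytes:
    """Constructed, minimal PE-shaped blob for the demo (headers plus raw sections, not runnable code):
    a low-entropy .text section and, when packed=True, a UPX1 section of pseudo-random bytes plus a
    phone-home URL, mimicking the packed build described in the question."""
    text = b"\x55\x8b\xec\x5d\xc3" * 800  # push ebp / mov ebp,esp / pop ebp / ret, repeated
    sections = [(b".text", text)]
    if packed:
        rng = random.Random(1234)
        sections[0] = (b".text", text + b"http://example.invalid/ping\0")
        sections.append((b"UPX1", bytes(rng.getrandbits(8) for _ in range(8192))))
    headers_len = 64 + 4 + 20 + 40 * len(sections)     # DOS + signature + COFF + table (no optional header)
    raw_base = (headers_len + 0x1FF) // 0x200 * 0x200  # 512-byte file alignment for section data
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, off = b"", b"", raw_base
    for name, blob in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000, len(blob), off, 0, 0, 0, 0, 0x60000020)
        body += blob
        off += len(blob)
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(raw_base, b"\0") + body


if __name__ == "__main__":
    for packed in (False, True):
        print("packed build" if packed else "plain build", triage(build_sample_pe(packed)))
```

Run `triage(open("release.exe", "rb").read())` against the real build as a release gate and diff the report between versions: a section that crosses the entropy threshold, a packer section name, or a new string hit is exactly what makes the next release get reflagged after the previous hash was whitelisted. The sample also shows why the stub trick only half-works: `head_entropy` stays low for both builds because the 4 KB window covers only headers and plain code, while `file_entropy` and the `UPX1` section still give the packed build away to an engine that scans the whole file. Note that base64/XOR-ing strings, as camp0 suggests, removes the string hit but pushes that region's entropy up, which is itself a packing signal.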