A data file used by one of my applications was recently quarantined by Symantec Antivirus (signature triggered was 'Nightfall.5815'). The file is written and read dynamically, and the content is arbitrary data.

Is there any way for my application to avoid these files triggering AV scans?

I am aware of other questions on SO concerning false positives, but they mostly appear to be concerned with executable files and Delphi. Many of the answers to this type of question involve contacting the AV vendors to report the false positive. In my case this is an arbitrary data file that I need to protect from quarantine, so I'm not sure a single report and resolution would prevent me from triggering again in the future. I am interested in whether there are any general approaches to avoiding this from the application perspective (different file permissions, altering the file format), or whether there is a way to address this by excluding a directory from the scan.

Stephen Kennedy
Adam Holmberg
    Antivirus packages are the worst infection of all. The effects on system stability leave one wondering if the cure isn't worse than the disease. – Mark Ransom May 02 '11 at 18:33

2 Answers

If you can consistently get the Antivirus(es) to trigger on a file, try padding the beginning x-number-of-bytes of the file with all 0's (for example). I am wondering whether antiviruses pick up on particular sequences of bytes at particular positions or whether a certain sequence of bytes would always be considered bad.

Otherwise, excluding the directory from the virus scan would be the best option.

Will A
  • Thanks Will. Padding was one of the things I was considering, but I'm not sure what about the file triggered this false positive. I'm still not sure if that will protect me from latent triggers given that my data is arbitrary. I'm now pursuing exclusion, although I'm not sure my organization allows for that. – Adam Holmberg May 02 '11 at 23:55
According to Kaspersky's terminology (Virus.DOS.NightFall.5815), this virus seems to be an old-timer DOS file infector. AV companies often signed old viruses in order to improve their scores in AV certification processes, such as AV-Comparatives or ICSA.

They use pattern-matching techniques in order to detect a defined sequence of bytes. Unfortunately, sometimes the sequence is weak and creates too many false positives. I think you just had real bad luck with your dat file.

You can try to change the file encoding; then the sequence will change and won't be captured by the weak signature. In order to check whether your file is now doing OK, run it through an AV cross-scanner like Jotti.

Roubachof
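The two answers above make different assumptions about how the signature matches: Will A wonders whether the scanner keys on a byte sequence at a fixed position (which front-padding would move) or on the sequence anywhere in the file (which padding would not hide), and Roubachof proposes re-encoding the data so the byte sequence itself changes. The following added example (not code from either answer or from any AV product) models both matcher styles with a constructed toy signature and checks a constructed data file raw, front-padded, and wrapped in an assumed `MYAPPDATA1` base64 container. The toy pattern is not the real Nightfall.5815 signature, which the page does not give; the point is only to show which mitigation changes what, and to produce the SHA-256 a practitioner would quote when reporting the false positive to the vendor.

```python
import base64
import hashlib

# Constructed toy signature for this demonstration only. It is NOT the real
# Nightfall.5815 pattern; it just contains a non-ASCII byte so that the
# base64 re-encoding below provably cannot reproduce it.
TOY_SIGNATURE = b"\xeb\x1e\x90TOYSIG"


def scan_anywhere(data: bytes, signature: bytes = TOY_SIGNATURE) -> int:
    """Position-independent matcher: offset of the first hit, or -1 if clean."""
    return data.find(signature)


def scan_at_offset(data: bytes, offset: int, signature: bytes = TOY_SIGNATURE) -> bool:
    """Position-dependent matcher: True only if the pattern sits exactly at `offset`."""
    return data[offset:offset + len(signature)] == signature


def pad_front(data: bytes, n: int = 64) -> bytes:
    """Will A's suggestion: prepend n zero bytes so every existing offset shifts by n."""
    return b"\x00" * n + data


# Assumed container format for this example (not a real application format):
# a one-line header followed by the base64 text of the original bytes.
# Base64 output is printable ASCII, so a signature containing any byte >= 0x80
# cannot occur in the encoded file, while the original data round-trips exactly.
HEADER = b"MYAPPDATA1\n"


def encode_payload(data: bytes) -> bytes:
    """Roubachof's suggestion: store the same data under a different encoding."""
    return HEADER + base64.b64encode(data)


def decode_payload(blob: bytes) -> bytes:
    """Inverse of encode_payload; rejects files that lack the assumed header."""
    if not blob.startswith(HEADER):
        raise ValueError("not a MYAPPDATA1 container")
    return base64.b64decode(blob[len(HEADER):], validate=True)


def file_sha256(data: bytes) -> str:
    """Hash to quote alongside the detection name when reporting a false positive."""
    return hashlib.sha256(data).hexdigest()


def compare_mitigations(payload: bytes) -> dict:
    """Run both matcher styles over the raw, front-padded and re-encoded file."""
    padded = pad_front(payload)
    encoded = encode_payload(payload)
    hit = scan_anywhere(payload)
    return {
        # raw file: both matcher styles fire
        "raw_hit": hit,
        "raw_hit_at_offset": scan_at_offset(payload, hit) if hit >= 0 else False,
        # padded file: the fixed-offset matcher is fooled, the anywhere matcher is not
        "padded_hit": scan_anywhere(padded),
        "padded_hit_at_original_offset": scan_at_offset(padded, hit) if hit >= 0 else False,
        # re-encoded file: the byte sequence no longer exists, data still intact
        "encoded_hit": scan_anywhere(encoded),
        "roundtrip_ok": decode_payload(encoded) == payload,
    }


if __name__ == "__main__":
    # Constructed sample: application data that happens to contain the toy pattern.
    sample = b"record=1;" + TOY_SIGNATURE + b";record=2"
    for key, value in compare_mitigations(sample).items():
        print(f"{key}: {value}")
    print("sha256:", file_sha256(sample))
```

Run it and `padded_hit` comes back as a hit at a larger offset while `encoded_hit` is -1, which is the practical difference between the two answers: padding only helps against a matcher that cares about position, whereas changing the encoding removes the sequence from the on-disk bytes entirely, at the cost of a decode step on every read. Neither replaces reporting the sample hash to the vendor, since a data file that is arbitrary can in principle contain any weak pattern at any time.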