
I wasn't terribly sure what website to ask this question on, but since it primarily deals with the development/distribution process I chose to ask it here.

I'm in the process of creating a company that deals with RMM/MMS for clients. I have a service set up that allows remote connections to client PCs so that we may perform any number of tasks to manage said PCs. Everything was going swimmingly during setup and tests for distributing endpoint software to remote PCs until I started labbing distribution on Windows machines. This is where the problem lies and where I'm not sure how to approach this.

Windows Defender flags the installers as malware. Now before you start explaining that it's AI detection and the intricacies of how that works, I've already read many Stack Overflow and MSDN articles detailing that part of the problem. What I'm asking is: is there a build process or general practice that will make installation binaries more appealing to Windows Defender? Keep in mind, these installers are generated dynamically when a client signs up for the service, and get emailed to the client for execution on the remote machines. Do I need to apply for some kind of certificate to embed in the installers to validate that, though yes it is a small C program compiled with MinGW, it is in fact NOT malware and is only installing endpoint management software?

I've only had this issue on Windows machines and have distributed these binaries on several Linux machines.

Azrael
    [Please skim this old answer](https://stackoverflow.com/a/72338445/129130). You should definitely get a proper certificate and sign your installer. With the right certificate (EV-level) you "buy trust outright" rather than via actual downloads and installs. However, one more thing: it would be better to have a single installer executable (that is signed) and just parameterize the installation with values passed to the executable via command line. This ensures your executable will be "well-known" to malware scanners and not a new encounter for every customer. – Stein Åsmul Sep 22 '22 at 09:44
  • I know that parameterizing the installer would be easier, but I don't exactly expect the end user to even know what the command line is. Some of the people this will go to barely know enough to open Outlook and click links. I know I could potentially use a batch script or even PowerShell, but that feels and looks pretty unprofessional. Most of the world is used to clicking download, then double-clicking the installer, then clicking yes on the UAC prompt. Anything other than that and they gloss over or lose their minds. – Azrael Sep 22 '22 at 18:30

1 Answer


It is challenging for software to avoid antivirus quarantine when it behaves like a virus. Signed installation packages that have been successfully installed many times (or have been submitted for whitelisting) build a reputation that antivirus software will eventually trust.

Dynamically generated installation packages will struggle because each one looks new. You certainly could submit one of your packages for whitelisting. The hope would be that the antivirus software recognizes a pattern, so it trusts the other dynamically generated replicas.

I understand why you are doing what you are doing. The problem is virus developers have the same goal as you.

Rob Mensching
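An added example, not part of the question or answer above: a PowerShell check that an installer carries the properties the answer and comments say build reputation, namely a valid, timestamped Authenticode signature from the expected vendor. The signtool command in the comment, the vendor subject and the paths are assumptions and placeholders, not values from this page.

```powershell
# Added example (not from the question or answer): verify an installer's
# Authenticode signature before running or distributing it.
#
# Signing step, run once per build of the single parameterized installer,
# shown for reference only. <VENDOR-CERT-SUBJECT> and <timestamp-server> are
# placeholders for your own CA-issued certificate and its timestamp service:
#   signtool sign /n "<VENDOR-CERT-SUBJECT>" /fd SHA256 /td SHA256 `
#       /tr https://<timestamp-server>/ .\endpoint-installer.exe

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectFragment
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the chain builds to a trusted root and the
    # file hash matches the signed hash; 'NotSigned', 'HashMismatch' and
    # 'NotTrusted' all fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Status: $($sig.Status)" }
    }

    # A valid chain from the wrong signer is still the wrong signer.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubjectFragment*") {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected signer: $($sig.SignerCertificate.Subject)" }
    }

    # Without a timestamp the signature stops validating once the signing
    # certificate expires, which throws away the reputation built so far.
    if (-not $sig.TimeStamperCertificate) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'Signature is not timestamped' }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "Signed by $($sig.SignerCertificate.Subject)" }
}

# Usage (assumed folder and vendor name): check every installer in a drop
# folder and flag the ones that should not be sent to customers.
Get-ChildItem -Path .\installers -Filter *.exe |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName -ExpectedSubjectFragment 'CN=Example Vendor' } |
    Format-Table Path, Ok, Reason -AutoSize
```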