# Convincing AntiVirus, I'm not a virus

This topic is 823 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

Hello,

I have recently written a tool which reads in .json files and merges them together, then outputs the result. Unfortunately multiple antiviruses do not like the program writing to a file (Avast and Microsoft Security Essentials). If I disable the antivirus, my program is free to create the output file.

I thought/hoped that in release mode, my program would be free of these restraints, but even after installing the program, it is still being flagged.

Is there something I can do to allow my program to write to files?

##### Share on other sites

Edited by Blazart

##### Share on other sites
I had the same problem with Avast. I had to turn off part of the program to make it stop flagging my programs.

##### Share on other sites

> Unfortunately I do not determine which Antivirus the user has.
>
> I don't think saying "Incompatible with shitty anti viruses." when the user downloads/buys the program is an option.

Ok, I wasn't sure in the original question whether you were referring to your PC, or PCs in general - in the former case, you can just whitelist your application in the antivirus (unless it's really so shitty it doesn't even have that option ;) ), but for ALL PCs, it's a little more complicated. If, as you said, multiple antiviruses all flagged your application, there has to be some common component triggering that behaviour, so you might be able to find that out and possibly alter it.

Aside from that, maybe contact the manufacturer's customer support, and see if they can do anything (like making adjustments to their detection routine, to produce fewer false flags like your application; though I can't say how likely that is to happen)?

##### Share on other sites

> > Unfortunately I do not determine which Antivirus the user has.
> >
> > I don't think saying "Incompatible with shitty anti viruses." when the user downloads/buys the program is an option.
>
> Ok, I wasn't sure in the original question whether you were referring to your PC, or PCs in general - in the former case, you can just whitelist your application in the antivirus (unless it's really so shitty it doesn't even have that option ;) ), but for ALL PCs, it's a little more complicated. If, as you said, multiple antiviruses all flagged your application, there has to be some common component triggering that behaviour, so you might be able to find that out and possibly alter it.
>
> Aside from that, maybe contact the manufacturer's customer support, and see if they can do anything (like making adjustments to their detection routine, to produce fewer false flags like your application; though I can't say how likely that is to happen)?

It was the latter. (sorry)

I have already debugged. The only part of the program which does not run as expected is the writing to a file.

```cpp
#include <cstring>   // memcpy
#include <fstream>   // std::ofstream

// json: std::string holding the merged document
std::ofstream outfile("Output//Merged.json", std::ofstream::binary);
int len = json.length();
char * buff = new char[len];
memcpy(buff, json.c_str(), sizeof(char) * len);
outfile.write(buff, len);
outfile.close();
delete[] buff;       // release the temporary copy
```

(I have tried multiple extensions and methods of writing)

:/

The only library I am using is RapidJson

I am running under admin permissions

Edited by dsm1891

##### Share on other sites
You're using two forward slashes - try using one forward slash OR two backslashes, but not two forward slashes.

Edited by Nypyren

##### Share on other sites

> It was the latter. (sorry)

I found this Stack Overflow article from someone who had the same problem as you:

http://stackoverflow.com/questions/14375340/my-programs-are-blocked-by-avast-anti-virus

So apparently you can either digitally sign your code (costs), or really just contact the anti-virus manufacturers and have them whitelist your file (probably only makes sense after a release).

##### Share on other sites

> You're using two forward slashes - try using one forward slash OR two backslashes, but not two forward slashes.

sorry, that was a typo in the code

##### Share on other sites

> I am running under admin permissions

I'm just speculating, but perhaps anti-virus programs act more aggressively against things that are running as administrator vs. those that don't? Does your program require admin permissions? Would it be possible to try without?

##### Share on other sites
I wish I knew why my hexeditor/debugger doesn't trip all kinds of antivirus warnings so I could suggest doing what it does. I use it on a grand total of two computers - my home and work computers, and have never distributed it, so it can't be part of any community whitelists. I've never had to manually whitelist it before use. Neither MSE (at home) nor Kaspersky (at work) has blocked it. It uses a lot of the more "dubious" Win32 APIs - DebugActiveProcess, VirtualProtectEx, Read/WriteProcessMemory. It doesn't use admin elevation to do its work, and I have UAC set to its default setting. The program is written in C# for the UI and C++/CLI for the debugging engine (which are separate executables to handle both 32 and 64-bit processes, communicating with the C# app using named pipes).

Surely a virus scanner would take one look at my app and go "WHOA, what is this madness?!"

Does having Visual Studio installed on a computer disable some parts of antivirus apps or something, because they detect you're a developer?

Speaking of which, which compiler are you using to build your app? Maybe that could matter somehow?

Edited by Nypyren

##### Share on other sites

> > I am running under admin permissions
>
> I'm just speculating, but perhaps anti-virus programs act more aggressively against things that are running as administrator vs. those that don't? Does your program require admin permissions? Would it be possible to try without?

I tried both

Interestingly, scanning the file found no threat.

--

I am using Visual Studio 2013

Edited by dsm1891

##### Share on other sites

> I have already debugged. The only part of the program which does not run as expected is the writing to a file.
>
> ```cpp
> #include <cstring>   // memcpy
> #include <fstream>   // std::ofstream
>
> // json: std::string holding the merged document
> std::ofstream outfile("Output//Merged.json", std::ofstream::binary);
> int len = json.length();
> char * buff = new char[len];
> memcpy(buff, json.c_str(), sizeof(char) * len);
> outfile.write(buff, len);
> outfile.close();
> delete[] buff;       // release the temporary copy
> ```
>
> (I have tried multiple extensions and methods of writing)
> :/
>
> The only library I am using is RapidJson
>
> I am running under admin permissions

That looks like you're writing to your current working directory, which could be in program files or another protected location. Doing that may trigger AV alerts, especially if your code is unsigned.

Have you tried writing to a different location that allows you to write without admin privileges? Like the user's documents or temp folder?

> I wish I knew why my hexeditor/debugger doesn't trip all kinds of antivirus warnings so I could suggest doing what it does. I use it on a grand total of two computers - my home and work computers, and have never distributed it, so it can't be part of any community whitelists. I've never had to manually whitelist it before use. Neither MSE (at home) nor Kaspersky (at work) has blocked it. It uses a lot of the more "dubious" Win32 APIs - DebugActiveProcess, VirtualProtectEx, Read/WriteProcessMemory. It doesn't use admin elevation to do its work, and I have UAC set to its default setting. The program is written in C# for the UI and C++/CLI for the debugging engine (which are separate executables to handle both 32 and 64-bit processes, communicating with the C# app using named pipes).
>
> Surely a virus scanner would take one look at my app and go "WHOA, what is this madness?!"
>
> Does having Visual Studio installed on a computer disable some parts of antivirus apps or something, because they detect you're a developer?
>
> Speaking of which, which compiler are you using to build your app? Maybe that could matter somehow?

Visual Studio is signed with a known certificate from a known developer that your AV is probably trained to allow. Otherwise your AV would trigger on all sorts of OS components.

Edited by SmkViper

##### Share on other sites

First, test your binary on the VirusTotal site:

http://www.virustotal.com/

It will analyze with more or less all known anti-virus engines. This will tell you if there might actually be a virus in it, but mostly it helps to reassure the user that there's no virus and the file is safe.

Then go to the anti-virus program's website and post it as a false positive. They usually have some way of doing that. It will help prevent future detections.

Finally, consider code signing your binaries, as has been suggested here. I'm not sure of any "cheap" solutions for this, but it will probably be more important with every year that goes by.

##### Share on other sites

> Visual Studio is signed with a known certificate from a known developer that your AV is probably trained to allow. Otherwise your AV would trigger on all sorts of OS components.

Visual Studio is, but my own app (which is a debugger) isn't. I don't have any signing (or even strong naming). Now that I look at the standalone debugging exes, those are C# with C++/CLI dlls. Maybe virus scanners are less suspicious of .Net bytecode?

##### Share on other sites

Writing to desktop / c:/tmp does not work.

I wonder if it has to do with the fact that I used VS's wizard to make my project, i.e. made a console application?

--

just tried

even top a int main() with code above fails to write.

Edited by dsm1891

##### Share on other sites

It sounds like the virus scanner possibly doesn't like the name or content of the file you're writing out.

Try writing it out with a different file name, and then renaming / copying it to the one you really want.

You could also try submitting that output file to VirusTotal, just in case.

##### Share on other sites

If you search the articles in this site you'll find how to do this cheaply and easily.

I've yet to find any AV that flags up signed code as malicious ...for obvious reasons.

##### Share on other sites

> "Output//Merged.json"

Where is this file being written?

I don't recall how Windows defines the working directory, but isn't this trying to write to the C:\Program Files\<AppName>\Output directory?

##### Share on other sites

> > "Output//Merged.json"
>
> Where is this file being written?
>
> I don't recall how Windows defines the working directory, but isn't this trying to write to the C:\Program Files\<AppName>\Output directory?

It is on installation, but even in debug it writes to my documents. As per previous posts, I have tried writing to the user's documents, tmp directory and desktop. All yield no results.

I think it is ridiculous to expect a small developer who wishes to release some software to pay to sign the code if it outputs something.

##### Share on other sites

Sooo, if I use Visual Studio 2008, I can write to files, but if I use Visual Studio 2013 (CE) I have to disable the antivirus??

##### Share on other sites

- OS
- compiler
- a library, framework, or engine you're using
- file permissions
- weird antivirus settings
- directory structure
- something...

Try even simpler tests. Just open a text file and write an int and close it. Then, one step at a time, work your way back up to turning the json code back on. When you find that point where adding the next step blows up, it may give you a clue as to the cause of the overall problem.

##### Share on other sites
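
The step-by-step test suggested above, as an added example that is not part of the original posts: each write is checked at open, at write and by reading the file back, so a blocked or removed file shows up as a named stage with the OS error text instead of a silent failure. The file names and the functions `write_checked` and `first_failing_step` are hypothetical, the JSON payload is constructed, and `errno` being set after a failed stream operation is an assumption that holds for common C runtimes but is not guaranteed by the C++ standard.

```cpp
#include <cerrno>
#include <cstring>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <utility>
#include <vector>

// Result of one write attempt: which stage failed and the OS error text.
struct WriteResult {
    bool ok;
    std::string stage;   // "open", "write", "verify" or "done"
    std::string error;   // strerror(errno); set by common runtimes, not guaranteed
};

// Write data to path, checking every stage instead of assuming success.
WriteResult write_checked(const std::string& path, const std::string& data) {
    errno = 0;
    std::ofstream out(path, std::ofstream::binary | std::ofstream::trunc);
    if (!out) return {false, "open", std::strerror(errno)};
    out.write(data.data(), static_cast<std::streamsize>(data.size()));
    out.close();                       // close() flushes; failbit is set on error
    if (!out) return {false, "write", std::strerror(errno)};
    // Read the file back: a scanner may remove or truncate it after the write.
    std::ifstream in(path, std::ifstream::binary);
    std::string back((std::istreambuf_iterator<char>(in)),
                     std::istreambuf_iterator<char>());
    if (!in.is_open() || back != data) return {false, "verify", "content missing or changed"};
    return {true, "done", ""};
}

// Step-by-step ladder: start with the smallest write and work up to the real one.
// Returns the index of the first failing step, or -1 if every step passed.
int first_failing_step(const std::vector<std::pair<std::string, std::string>>& steps) {
    for (std::size_t i = 0; i < steps.size(); ++i) {
        WriteResult r = write_checked(steps[i].first, steps[i].second);
        std::cout << steps[i].first << ": " << r.stage
                  << (r.ok ? "" : " failed (" + r.error + ")") << "\n";
        if (!r.ok) return static_cast<int>(i);
    }
    return -1;
}

int main() {
    const std::string json = "{\"merged\":true}";   // constructed sample payload
    return first_failing_step({{"step1_int.txt", "42"},
                               {"step2_payload.tmp", json},
                               {"Merged.json", json}}) == -1 ? 0 : 1;
}
```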

There is the point where it gets futile to try to appease the antivirus with broken heuristics.

Finding a competing antivirus, which does not needlessly cry wolf when doing harmless things, will most likely save you time in the long run.

##### Share on other sites
