
Convincing antivirus I'm not a virus


Hello,

 

I have recently written a tool which reads in .json files and merges them together, then outputs the result. Unfortunately multiple antiviruses do not like the program writing to a file (Avast and Microsoft Security Essentials). If I disable the antivirus, my program is free to create the output file.

 

I thought/hoped that in release mode, my program would be free of these restraints, but even after installing the program, it is still being flagged.

 

Is there something I can do to allow my program to write to files?



Unfortunately I do not determine which antivirus the user has.



I don't think saying "Incompatible with shitty anti viruses." when the user downloads/buys the program is an option.

 

Ok, I wasn't sure in the original question whether you were referring to your PC, or PCs in general - in the former case, you can just whitelist your application in the antivirus (unless it's really so shitty it doesn't even have that option ;) ), but for ALL PCs, it's a little more complicated. If, as you said, multiple antiviruses all flagged your application, there has to be some common component triggering that behaviour, so you might be able to find that out and possibly alter it.

Aside from that, maybe contact the manufacturer's customer support, and see if they can do anything (like making adjustments to their detection routine, to produce fewer false flags like your application; though I can't say how likely that is to happen)?


 


Unfortunately I do not determine which antivirus the user has.



I don't think saying "Incompatible with shitty anti viruses." when the user downloads/buys the program is an option.

 

Ok, I wasn't sure in the original question whether you were referring to your PC, or PCs in general - in the former case, you can just whitelist your application in the antivirus (unless it's really so shitty it doesn't even have that option ;) ), but for ALL PCs, it's a little more complicated. If, as you said, multiple antiviruses all flagged your application, there has to be some common component triggering that behaviour, so you might be able to find that out and possibly alter it.

Aside from that, maybe contact the manufacturer's customer support, and see if they can do anything (like making adjustments to their detection routine, to produce fewer false flags like your application; though I can't say how likely that is to happen)?

 

It was the latter. (sorry)

 

I have already debugged; the only part of the program which does not run as expected is the writing to a file.

	#include <cstring>
	#include <fstream>
	#include <string>
	// json is the merged document held in a std::string
	std::ofstream outfile("Output//Merged.json", std::ofstream::binary);
	std::size_t len = json.length();
	char * buff = new char[len];
	memcpy(buff, json.c_str(), sizeof(char) * len);
	outfile.write(buff, len);
	outfile.close();
	delete[] buff; // free the temporary copy of the string

(I have tried multiple extensions and methods of writing)

:/

 

The only library I am using is RapidJson.

 

I am running under admin permissions.

Edited by dsm1891



It was the latter. (sorry)

 

I found this Stack Overflow article from someone who had the same problem as you:

 

http://stackoverflow.com/questions/14375340/my-programs-are-blocked-by-avast-anti-virus

 

So apparently you can either digitally sign your code (costs), or really just contact the anti-virus manufacturers and have them whitelist your file (probably only makes sense after a release).


I am running under admin permissions.


I'm just speculating, but perhaps anti-virus programs act more aggressively against things that are running as administrator vs. those that don't? Does your program require admin permissions? Would it be possible to try without?

I wish I knew why my hexeditor/debugger doesn't trip all kinds of antivirus warnings so I could suggest doing what it does. I use it on a grand total of two computers - my home and work computers, and have never distributed it, so it can't be part of any community whitelists. I've never had to manually whitelist it before use. Neither MSE (at home) nor Kaspersky (at work) has blocked it. It uses a lot of the more "dubious" Win32 APIs - DebugActiveProcess, VirtualProtectEx, Read/WriteProcessMemory. It doesn't use admin elevation to do its work, and I have UAC set to its default setting. The program is written in C# for the UI and C++/CLI for the debugging engine (which are separate executables to handle both 32 and 64-bit processes, communicating with the C# app using named pipes).

Surely a virus scanner would take one look at my app and go "WHOA, what is this madness?!"


Does having Visual Studio installed on a computer disable some parts of antivirus apps or something, because they detect you're a developer?

Speaking of which, which compiler are you using to build your app? Maybe that could matter somehow?

Edited by Nypyren


 

I am running under admin permissions.


I'm just speculating, but perhaps anti-virus programs act more aggressively against things that are running as administrator vs. those that don't? Does your program require admin permissions? Would it be possible to try without?

 

I tried both :(

 

Interestingly, scanning the file found no threat.

 

--

I am using Visual Studio 2013.

Edited by dsm1891


I have already debugged; the only part of the program which does not run as expected is the writing to a file.

	#include <cstring>
	#include <fstream>
	#include <string>
	// json is the merged document held in a std::string
	std::ofstream outfile("Output//Merged.json", std::ofstream::binary);
	std::size_t len = json.length();
	char * buff = new char[len];
	memcpy(buff, json.c_str(), sizeof(char) * len);
	outfile.write(buff, len);
	outfile.close();
	delete[] buff; // free the temporary copy of the string

(I have tried multiple extensions and methods of writing)

:/

The only library I am using is RapidJson.

I am running under admin permissions.


That looks like you're writing to your current working directory, which could be in Program Files or another protected location. Doing that may trigger AV alerts, especially if your code is unsigned.

Have you tried writing to a different location that allows you to write without admin privileges? Like the user's documents or temp folder?

I wish I knew why my hexeditor/debugger doesn't trip all kinds of antivirus warnings so I could suggest doing what it does. I use it on a grand total of two computers - my home and work computers, and have never distributed it, so it can't be part of any community whitelists. I've never had to manually whitelist it before use. Neither MSE (at home) nor Kaspersky (at work) has blocked it. It uses a lot of the more "dubious" Win32 APIs - DebugActiveProcess, VirtualProtectEx, Read/WriteProcessMemory. It doesn't use admin elevation to do its work, and I have UAC set to its default setting. The program is written in C# for the UI and C++/CLI for the debugging engine (which are separate executables to handle both 32 and 64-bit processes, communicating with the C# app using named pipes).

Surely a virus scanner would take one look at my app and go "WHOA, what is this madness?!"


Does having Visual Studio installed on a computer disable some parts of antivirus apps or something, because they detect you're a developer?

Speaking of which, which compiler are you using to build your app? Maybe that could matter somehow?


Visual Studio is signed with a known certificate from a known developer that your AV is probably trained to allow. Otherwise your AV would trigger on all sorts of OS components :)

Edited by SmkViper


First, test your binary on the VirusTotal site:

http://www.virustotal.com/

 

It will analyze with more or less all known anti-virus engines. This will tell you if there might actually be a virus in it, but mostly it helps to reassure the user that there's no virus and the file is safe.

 

Then go to the anti-virus program's website and post it as a false positive. They usually have some way of doing that. It will help prevent future detections.

 

Finally, consider code signing your binaries, as has been suggested here. I'm not sure of any "cheap" solutions for this, but it will probably be more important with every year that goes by.


Visual Studio is signed with a known certificate from a known developer that your AV is probably trained to allow. Otherwise your AV would trigger on all sorts of OS components :)


Visual Studio is, but my own app (which is a debugger) isn't. I don't have any signing (or even strong naming). Now that I look at the standalone debugging exes, those are C# with C++/CLI DLLs. Maybe virus scanners are less suspicious of .NET bytecode?


Writing to the desktop / c:/tmp does not work.

 

I wonder if it has to do with my having used VS's wizard to make my project, i.e. making a console application?

 

--

Just tried

 

as per: http://www.gamedev.net/topic/671184-outputting-to-a-file/

 

Even a plain int main() with the code above fails to write.

Edited by dsm1891


It sounds like the virus scanner possibly doesn't like the name or content of the file you're writing out.

 

Try writing it out with a different file name, and then renaming / copying it to the one you really want.

 

You could also try submitting that output file to VirusTotal, just in case.

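The two suggestions above (write to a location the user can write to without elevation, and write under a neutral temporary name before renaming) are easy to combine with something the thread's own snippet lacks: checking whether each step actually succeeded. The following is an added example written for this thread, not code from the original poster or from any of the replies. It assumes a C++17 compiler (for std::filesystem) and writes to the system temp directory; the sample JSON string and the "merge_demo" directory name are constructed for the demo. It reports which step failed and why, so a blocked open is distinguishable from a missing parent directory (std::ofstream does not create one) or a permissions problem.

```cpp
// Added example for this thread (not the poster's code): write a JSON string to
// a user-writable location with error reporting at every step, creating the
// parent directory first and writing to a temporary name before renaming.
#include <cerrno>
#include <cstring>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Write `json` to `final_path`. Returns an empty string on success, otherwise a
// description of the step that failed and the OS error text.
std::string write_json_atomically(const fs::path& final_path, const std::string& json) {
    std::error_code ec;
    // std::ofstream does not create missing directories: a path such as
    // "Output//Merged.json" simply fails to open if "Output" is absent.
    fs::create_directories(final_path.parent_path(), ec);
    if (ec) return "create_directories failed: " + ec.message();

    // Write under a neutral temporary name first, then rename into place.
    fs::path tmp_path = final_path;
    tmp_path += ".part";
    {
        std::ofstream out(tmp_path, std::ios::binary | std::ios::trunc);
        if (!out.is_open()) return "open failed: " + std::string(std::strerror(errno));
        // Write straight from the string; no intermediate buffer to leak.
        out.write(json.data(), static_cast<std::streamsize>(json.size()));
        if (!out) return "write failed: " + std::string(std::strerror(errno));
        out.flush();
        if (!out) return "flush failed: " + std::string(std::strerror(errno));
    }
    fs::rename(tmp_path, final_path, ec);
    if (ec) return "rename failed: " + ec.message();
    return "";
}

// Read a file back so the caller can confirm the bytes actually reached disk.
std::string read_file(const fs::path& p) {
    std::ifstream in(p, std::ios::binary);
    std::ostringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

// Demo target: <temp dir>/merge_demo/Output/Merged.json (constructed for the example).
fs::path demo_target() {
    return fs::temp_directory_path() / "merge_demo" / "Output" / "Merged.json";
}

// Write `json` to the demo target, read it back, and confirm the temporary
// name was cleaned up by the rename.
bool roundtrip_ok(const std::string& json) {
    fs::path target = demo_target();
    if (!write_json_atomically(target, json).empty()) return false;
    fs::path part = target;
    part += ".part";
    return read_file(target) == json && !fs::exists(part);
}

// Show the diagnostic path: a target whose "parent directory" is an existing
// regular file cannot be created, and the function says so instead of failing silently.
bool reports_error_when_parent_is_file() {
    if (!roundtrip_ok("{}")) return false;           // ensure Merged.json exists as a file
    fs::path bad = demo_target() / "child.json";     // parent is now a file, not a directory
    return !write_json_atomically(bad, "{}").empty();
}

int main() {
    // Constructed sample standing in for the merged JSON document.
    const std::string merged = "{\"a\":1,\"b\":[2,3]}";
    std::string err = write_json_atomically(demo_target(), merged);
    if (!err.empty()) { std::cerr << err << '\n'; return 1; }
    std::cout << "wrote " << read_file(demo_target()).size() << " bytes to " << demo_target() << '\n';
    return 0;
}
```

Running this under the scanner that blocks the original program gives a concrete error string to take to the vendor's false-positive form, rather than a bare "it fails to write". If the open or write step succeeds here and only the final rename is refused, that points at the file name or extension being the trigger, which is exactly what the rename suggestion above is probing.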

 

"Output//Merged.json"

Where is this file being written?

I don't recall how windows defines the working directory, but isn't this trying to write to the C:\Program Files\<AppName>\Output directory?

 

 

It is on installation, but even in debug it writes to My Documents. As per previous posts, I have tried writing to the user's documents, tmp directory and desktop. All yield no results.

 

I think it is ridiculous to expect a small developer who wishes to release some software to pay to sign the code if it outputs something.


Keep digging, it's got to be something about your setup:

 

OS

compiler

a library, framework, or engine you're using

file permissions

weird antivirus settings

directory structure

 

something...

 

Try even simpler tests. Just open a text file and write an int and close it. Then, one step at a time, work your way back up to turning the json code back on. When you find that point where adding the next step blows up, it may give you a clue as to the cause of the overall problem.


There is a point where it gets futile to try to appease an antivirus with broken heuristics.

Finding a competing antivirus, which does not needlessly cry wolf when doing harmless things, will most likely save you time in the long run.
