Thread: How to detect why Avira finds an inexistent trojan in my code?

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    May 2009
    Posts
    459

    How to detect why Avira finds an inexistent trojan in my code?

    A little utility that:

    1. Doesn't write to the HKLM registry
    2. Doesn't write to Windows\System or C:\....

    Once compiled, Avira finds a HEUR/APC trojan. Scanned with VirusTotal, only Baidu and Cylance find a trojan.

    Obviously there is NOT a trojan. I READ something in HKLM and I WRITE some encrypted strings in HKCU and some text in User\Local\Temp, but if I comment out the code Avira still finds a trojan.

    There is a VB.net .dll added to the project (as an embedded resource), but if I remove it Avira still finds the trojan.

    All the code is in Try Catch blocks and I get NO exceptions. If I run the code by F5 from the IDE there are NO problems. If I run the compiled .exe Avira stops the program.
    Last edited by phil2000; Mar 7th, 2018 at 07:06 AM.

  2. #2
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,522

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Then you need to talk to them to find out what's going on. But the short of it is that you're doing something that's producing a bytecode signature that just happens to match that of a known virus, causing a false positive situation and tripping the anti-virus. OR, the anti-virus is stupid/lazy, and only looking at bytecode signatures and not doing any further validation and checking to see what it's really looking at.

    -tg

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    May 2009
    Posts
    459

    Re: How to detect why Avira finds an inexistent trojan in my code?

    I can understand that Avira probably detects bytecode that looks like a trojan.

    So my question is: is there a way to detect WHY AND WHERE VB.net generates bytecode that looks like a trojan?

    I can't find online any .NET list of the type:

    If you write this .net code or combination of codes:
    - ...
    - ...
    - ...
    This code could be detected as a trojan.

    Avira (free) is maybe the most used antivirus in the world... I doubt that it is so stupid/lazy.
    Last edited by phil2000; Mar 7th, 2018 at 07:34 AM.

  4. #4
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: How to detect why Avira finds an inexistent trojan in my code?

    AV programs work on pattern recognition, like cruddy online swear filters. Cruddy AV no one's ever heard of can false positive a lot. Cruddy AV people shouldn't pay for, like McAfee, make a business out of false positives (they take a fee to "fix" the problem).

    Imagine if you wanted to moderate speech about guns on a forum. You could hire fluent English moderators, but they want $10/hour and complain about "needing a living wage". Your buddy is a Republican senator, so he hooks you up with a handful of illiterate foreign children who will work for free as long as you provide a 4x4 cardboard box for them to sleep on. So you give them a list of words that look like "gun" and show them how to delete posts that contain gun words. You wake up the next morning to angry forum users. Topics about "gun" are gone, but so are topics about "Laguna Beach" and the band "The Sex Pistols". Congratulations, you're Google.

    This is how antivirus with heuristics works. Normally, antivirus has a big list of "these are the viruses we know". But that means viruses not in the database can slip through. So it has a list of code patterns that "look sort of suspicious" and if you trigger enough of them your program is considered a virus. Since "revealing the suspicious behaviors would help virus authors get around it" they won't tell you what you did.

    Some AV companies (like McAfee) will respond to a report and remove the false positive if you pay them. Others won't listen at all. You have to contact them to find out. It's going to take time, because they make their money fleecing people, not through customer service. If they don't respond well, take the opportunity to educate your users. Windows comes with Windows Defender, which is more than adequate for protecting you unless you visit shady sites on purpose. I've used it since Windows 8 and the only machines I've caught a virus on in those timeframes had turned off Windows Defender to use corporate McAfee. They make their money off "happy Windows users" and I don't hear false-positive horror stories from that product.
    This answer is wrong. You should be using TableAdapter and Dictionaries instead.

  5. #5

    Thread Starter
    Hyperactive Member
    Join Date
    May 2009
    Posts
    459

    Re: How to detect why Avira finds an inexistent trojan in my code?

    I agree with you. But the question remains: how is it possible that a VB.net program that uses only .net and framework code, once compiled, could generate a byte sequence that sounds like a trojan?

    Lol. I will comment out the full code of the zillion of Subs and Functions of the program, until the offending code jumps out. It has become a matter of principle.

  6. #6
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Quote Originally Posted by phil2000 View Post
    I agree with you. But the question remains: how is it possible that a VB.net program that uses only .net and framework code, once compiled, could generate a byte sequence that sounds like a trojan?
    Welcome to "heuristics". They aren't smart. Here's how it works.

    The people who write the virus scanner know people look at lists on VirusTotal to figure out which virus scanner is "best". Heuristics are supposed to find viruses the scanner doesn't already know about. So VirusTotal has a super-secret suite of "suspicious" and "not suspicious" custom-built programs that it runs to judge. These programs aren't actual viruses, they just "look like" viruses according to VirusTotal. So AV writers spend a lot of time trying to figure out what the super-secret VirusTotal heuristic programs are to ensure they can detect 100% of the super-secret heuristic programs. If they get a high score, people buy their AV preferentially. Eventually they make their heuristics good at detecting the fake viruses at VirusTotal, and they win.

    Note this has little to do with actually detecting real viruses in the wild. That's a hard problem that's even harder to judge. It's a lot easier to get a good rating from VirusTotal. Microsoft complained loudly about this when Windows Defender got a bad rating. Part of the rating was "it doesn't detect viruses from Windows 95 that don't even work on modern Windows". They pointed out that their program uses multiple-daily updates instead of heuristics, and that heuristics are stupid. The rest of the AV community disagreed, because they spent a lot of money figuring out how to win VirusTotal and don't want to have to use a different, harder metric.

    So, your program does something VirusTotal decided "looks suspicious". Shoving encrypted strings in random registry keys is definitely something many viruses do: the aim is to hide data and payloads in many places a user isn't going to be able to find. MS asked us to stop using the registry at least 18 years ago for a myriad of reasons including security and obscurity. That's the most likely problem. VirusTotal has some random program that reads some registry keys then writes encrypted data to HKCU. Avira wants a high score so they treat that as a trojan. Now it's your job to pay them money or spend a lot of time in negotiations so your program can get by without hurting their score.

  7. #7
    Bad man! ident's Avatar
    Join Date
    Mar 2009
    Location
    Cambridge
    Posts
    5,398

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Let's see the code then.

  8. #8
    Sinecure devotee
    Join Date
    Aug 2013
    Location
    Southern Tier NY
    Posts
    6,582

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Quote Originally Posted by ident View Post
    Let's see the code then.
    Quote Originally Posted by phil2000 View Post
    ...Lol. I will comment out the full code of the zillion of Subs and Functions of the program, until the offending code jumps out. It has become a matter of principle.
    He has a "zillion of Subs and Functions", so probably too much code to post.
    Once he has commented out enough code to find a one in a zillion example, perhaps he can post that.

  9. #9

    Thread Starter
    Hyperactive Member
    Join Date
    May 2009
    Posts
    459

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Well... I'll post the result of the test.

    I first commented out ALL the code contained in the several Subs / Functions, and then uncommented the code Sub by Sub, Function by Function.

    After each uncomment I compiled the code and ran the .exe, looking for the Sub containing the offending code.

    THE RESULT: uncomment by uncomment I have uncommented the whole code.... no Trojans found. Now the "full" exe runs without problems.

    Mysteries of Windows and Visual Studio.. and maybe of Avira.
    Last edited by phil2000; Mar 8th, 2018 at 07:38 AM.

  10. #10
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,943

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Now THAT's an interesting result. Kind of fits with some of what Sitten was saying, too. However, I have seen enough cases where something can trigger VS to emit different byte code, so I wouldn't care to say whether this was more likely a case of VS now emitting something different from what it was compiling to before, or whether it was Avira.
    My usual boring signature: Nothing

  11. #11
    Bad man! ident's Avatar
    Join Date
    Mar 2009
    Location
    Cambridge
    Posts
    5,398

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Quote Originally Posted by phil2000 View Post
    Well... I'll post the result of the test.

    I first commented out ALL the code contained in the several Subs / Functions, and then uncommented the code Sub by Sub, Function by Function.

    After each uncomment I compiled the code and ran the .exe, looking for the Sub containing the offending code.

    THE RESULT: uncomment by uncomment I have uncommented the whole code.... no Trojans found. Now the "full" exe runs without problems.

    Mysteries of Windows and Visual Studio.. and maybe of Avira.

    Just find it a little suspect you won't post any code.

  12. #12
    Lively Member Grant Swinger's Avatar
    Join Date
    Jul 2015
    Posts
    71

    Re: How to detect why Avira finds an inexistent trojan in my code?

    I'll bet Avira waits awhile and then changes its mind again. I've seen that happen with Symantec Endpoint which is the program my clients use. The only fix I've found is to sign everything. Otherwise even a "Hello World!" program gets flagged as a Trojan sooner or later. If you don't have a code signing certificate I would get one. It's getting to be a necessity these days.

    I went with these guys: http://codesigning.ksoftware.net/
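    Following the "sign everything" advice above, here is an added example (not code from the thread or from any poster) that signs a build's executables and DLLs with a code-signing certificate from the current user's store and then verifies the Authenticode status of every file. The build directory, certificate subject and timestamp server are assumptions.

```powershell
# Added example: sign build output and verify the result.
# Assumptions (not from the thread): $BuildDir is the compiled output,
# $SubjectMatch identifies your own certificate, $TimestampUrl is a public
# RFC 3161 timestamp server so signatures stay valid after the cert expires.
param(
    [string]$BuildDir     = ".\bin\Release",
    [string]$SubjectMatch = "CN=Example Publisher",   # placeholder subject
    [string]$TimestampUrl = "http://timestamp.digicert.com"
)

# Pick the newest, still-valid code-signing cert whose subject matches.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid code-signing certificate matching '$SubjectMatch' found." }

# Sign every .exe/.dll that is not already validly signed, then re-check each file.
$files  = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll
$report = foreach ($f in $files) {
    $before = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($before.Status -ne 'Valid') {
        Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampUrl | Out-Null
    }
    $after = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File       = $f.Name
        Before     = $before.Status      # NotSigned, HashMismatch, Valid, ...
        After      = $after.Status
        Signer     = $after.SignerCertificate.Subject
        Thumbprint = $after.SignerCertificate.Thumbprint
    }
}
$report | Format-Table -AutoSize

# Fail the build if any file is still unsigned or its signature does not
# match its contents (HashMismatch means the binary changed after signing).
$bad = $report | Where-Object { $_.After -ne 'Valid' }
if ($bad) { Write-Error "Unsigned or invalid files remain: $($bad.File -join ', ')"; exit 1 }
```

    Run it as the last build step; re-running after any rebuild catches a binary that was recompiled but not re-signed, which would otherwise ship with a HashMismatch status.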

  13. #13
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,943

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Quote Originally Posted by ident View Post
    Just find it a little suspect you won't post any code.
    I can't say that I find it suspect. I think the project is too big, and since the divide and conquer strategy used to figure out which part of the code was causing the problem caused the problem to go away....we really don't even want to see the code. At least I sure don't.

  14. #14
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,943

    Re: How to detect why Avira finds an inexistent trojan in my code?

    I hate code signing. I agree that it is becoming necessary, but why did MS have to make it such a pain?

  15. #15
    Bad man! ident's Avatar
    Join Date
    Mar 2009
    Location
    Cambridge
    Posts
    5,398

    Re: How to detect why Avira finds an inexistent trojan in my code?

    Quote Originally Posted by Shaggy Hiker View Post
    I hate code signing. I agree that it is becoming necessary, but why did MS have to make it such a pain?

    To have my app kill at kernel it costs me £300. To be signed unless in debug mode.
