-
Mar 6th, 2018, 07:56 PM
#1
Thread Starter
-
Mar 6th, 2018, 10:43 PM
#2
Re: How to detect why Avira finds an inexistent trojan in my code?
Then you need to talk to them to find out what's going on. But the short of it is that you're doing something that's producing a bytecode signature that just happens to match that of a known virus, causing a false positive situation and tripping the anti-virus. OR, the anti-virus is stupid/lazy, and only looking at bytecode signatures and not doing any further validation and checking to see what it's really looking at.
-tg
-
Mar 7th, 2018, 07:14 AM
#3
Thread Starter
Re: How to detect why Avira finds an inexistent trojan in my code?
I can understand that Avira probably detects bytecode that looks like a trojan.
So my question is: is there a way to detect WHY AND WHERE VB.net generates some bytecode that looks like a trojan?
I can't find online a .NET list of the type:
If you write this .NET code or combination of code:
- ...
- ...
- ...
This code could be detected as a trojan.
Avira (free) is maybe the most used antivirus in the world... I doubt that it is so stupid/lazy.
Last edited by phil2000; Mar 7th, 2018 at 07:34 AM.
-
Mar 7th, 2018, 08:19 AM
#4
Re: How to detect why Avira finds an inexistent trojan in my code?
AV programs work on pattern recognition, like cruddy online swear filters. Cruddy AV no one's ever heard of can false positive a lot. Cruddy AV people shouldn't pay for, like McAfee, make a business out of false positives (they take a fee to "fix" the problem).
Imagine if you wanted to moderate speech about guns on a forum. You could hire fluent English moderators, but they want $10/hour and complain about "needing a living wage". Your buddy is a Republican senator, so he hooks you up with a handful of illiterate foreign children who will work for free as long as you provide a 4x4 cardboard box for them to sleep on. So you give them a list of words that look like "gun" and show them how to delete posts that contain gun words. You wake up the next morning to angry forum users. Topics about "gun" are gone, but so are topics about "Laguna Beach" and the band "The Sex Pistols". Congratulations, you're Google.
This is how antivirus with heuristics works. Normally, antivirus has a big list of "these are the viruses we know". But that means viruses not in the database can slip through. So it has a list of code patterns that "look sort of suspicious" and if you trigger enough of them your program is considered a virus. Since "revealing the suspicious behaviors would help virus authors get around it" they won't tell you what you did.
Some AV companies (like McAfee) will respond to a report and remove the false positive if you pay them. Others won't listen at all. You have to contact them to find out. It's going to take time, because they make their money fleecing people, not through customer service. If they don't respond well, take the opportunity to educate your users. Windows comes with Windows Defender, which is more than adequate for protecting you unless you visit shady sites on purpose. I've used it since Windows 8 and the only machines I've caught a virus on in those timeframes had turned off Windows Defender to use corporate McAfee. They make their money off "happy Windows users" and I don't hear false-positive horror stories from that product.
This answer is wrong. You should be using TableAdapter and Dictionaries instead.
-
Mar 7th, 2018, 12:56 PM
#5
Thread Starter
Re: How to detect why Avira finds an inexistent trojan in my code?
I agree with you. But the question remains: how is it possible that a VB.net program that uses only .NET and framework code, once compiled, could generate a byte sequence that looks like a trojan?
Lol. I will comment out the full code of the zillion Subs and Functions of the program until the offending code jumps out. It has become a matter of principle.
-
Mar 7th, 2018, 02:30 PM
#6
Re: How to detect why Avira finds an inexistent trojan in my code?
Originally Posted by phil2000
I agree with you. But the question remains: how is possible that a VB.net program that uses only .net and framework code once compiled could generate a byte sequence that sounds like a trojan?
Welcome to "heuristics". They aren't smart. Here's how it works.
The people who write the virus scanner know people look at lists on VirusTotal to figure out which virus scanner is "best". Heuristics are supposed to find viruses the scanner doesn't already know about. So VirusTotal has a super-secret suite of "suspicious" and "not suspicious" custom-built programs that it runs to judge. These programs aren't actual viruses, they just "look like" viruses according to VirusTotal. So AV writers spend a lot of time trying to figure out what the super-secret VirusTotal heuristic programs are to ensure they can detect 100% of the super-secret heuristic programs. If they get a high score, people buy their AV preferentially. Eventually they make their heuristics good at detecting the fake viruses at VirusTotal, and they win.
Note this has little to do with actually detecting real viruses in the wild. That's a hard problem that's even harder to judge. It's a lot easier to get a good rating from VirusTotal. Microsoft complained loudly about this when WindowsDefender got a bad rating. Part of the rating was "it doesn't detect viruses from Windows 95 that don't even work on modern Windows". They pointed out that their program uses multiple-daily updates instead of heuristics, and that heuristics are stupid. The rest of the AV community disagreed, because they spent a lot of money figuring out how to win VirusTotal and don't want to have to use a different, harder metric.
So, your program does something VirusTotal decided "looks suspicious". Shoving encrypted strings in random registry keys is definitely something many viruses do: the aim is to hide data and payloads in many places a user isn't going to be able to find. MS asked us to stop using the registry at least 18 years ago for a myriad of reasons including security and obscurity. That's the most likely problem. VirusTotal has some random program that reads some registry keys then writes encrypted data to HKCU. Avira wants a high score so they treat that as a trojan. Now it's your job to pay them money or spend a lot of time in negotiations so your program can get by without hurting their score.
This answer is wrong. You should be using TableAdapter and Dictionaries instead.
-
Mar 7th, 2018, 04:40 PM
#7
Re: How to detect why Avira finds an inexistent trojan in my code?
-
Mar 8th, 2018, 02:08 AM
#8
Re: How to detect why Avira finds an inexistent trojan in my code?
Originally Posted by ident
Let's see the code then.
Originally Posted by phil2000
...Lol. I will comment the full code of the zillion of Subs and Functions of the program, until the offending code will not jump out. It has become a matter of principle.
He has " zillion of Subs and Functions ", so probably too much code to post.
Once he has commented out enough code to find a one in a zillion example, perhaps he can post that.
-
Mar 8th, 2018, 07:34 AM
#9
Thread Starter
-
Mar 8th, 2018, 01:12 PM
#10
Re: How to detect why Avira finds an inexistent trojan in my code?
Now THAT's an interesting result. Kind of fits with some of what Sitten was saying, too. However, I have seen enough cases where something can trigger VS to emit different byte code, so I wouldn't care to say whether this was more likely a case of VS now emitting something different from what it was compiling to before, or whether it was Avira.
My usual boring signature: Nothing
-
Mar 8th, 2018, 01:41 PM
#11
Re: How to detect why Avira finds an inexistent trojan in my code?
Originally Posted by phil2000
Well... I post the result of the test.
I first commented out ALL the code contained in the several Subs / Functions, and then uncommented the code Sub by Sub, Function by Function.
After each uncomment I compiled the code and ran the .exe, looking for the Sub containing the offending code.
THE RESULT: uncomment by uncomment I have uncommented the whole code.... no Trojans found. Now the "full" exe runs without problems.
Mysteries of Windows and Visual Studio.. and maybe of Avira.
Just find it a little suspect you won't post any code.
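The source-level bisection described in the quoted post (comment everything out, rebuild, rescan, repeat) can also be done at the byte level on the compiled .exe, which pins down the exact region a signature matches and is not disturbed by the compiler emitting slightly different output on each rebuild, as Shaggy Hiker noted. The following is an added example, not code from this thread, from phil2000's project or from Avira: `is_flagged` is whatever callable runs your scanner, `toy_scanner` is a constructed stand-in that flags a fixed marker string, `cli_scanner` assumes the engine signals a detection with a non-zero exit status (verify that against your engine's documented exit codes), and `header_len` is an assumption about how much of the PE header must be kept for the scanner to parse the file at all.

```python
"""Byte-level bisection of an AV signature hit (added example, not from the thread).

Zero out parts of the built .exe and rescan until the smallest region whose
presence still makes the scanner say "trojan" is known.  The scanner is
injected as a callable so any engine with a command-line front end can be
used; `toy_scanner` below is a CONSTRUCTED stand-in, not Avira.
"""
import os
import random
import subprocess
import tempfile
from typing import Callable, List, Tuple

Scanner = Callable[[bytes], bool]


def _mask(data: bytes, keep_lo: int, keep_hi: int, header_len: int) -> bytes:
    """Copy of `data` with every byte outside [keep_lo, keep_hi) set to zero.

    The first `header_len` bytes are always kept so the PE header survives:
    a scanner that cannot parse the file may report it as clean for the wrong
    reason.  Choosing header_len is the caller's job (assumption: 0x400 is a
    reasonable value for a typical .NET PE; verify against your binary).
    """
    out = bytearray(len(data))
    out[:header_len] = data[:header_len]
    out[keep_lo:keep_hi] = data[keep_lo:keep_hi]
    return bytes(out)


def find_signature_span(data: bytes, is_flagged: Scanner, header_len: int = 0) -> Tuple[int, int]:
    """Return (start, end) of the smallest contiguous region that keeps the verdict 'flagged'.

    Assumes one contiguous byte signature, i.e. a monotone verdict (keeping
    more bytes never un-flags the file).  A heuristic score that needs several
    scattered features violates this; the result is then only one of them.
    """
    n = len(data)
    if not is_flagged(data):
        raise ValueError("input is not flagged; nothing to bisect")

    # Phase 1: shortest prefix that still triggers.  Its length is the
    # signature's end offset.  Invariant: the prefix of length `hi` is flagged.
    lo, hi = header_len, n
    while lo < hi:
        mid = (lo + hi) // 2
        if is_flagged(_mask(data, 0, mid, header_len)):
            hi = mid
        else:
            lo = mid + 1
    end = hi

    # Phase 2: with everything after `end` zeroed, the latest start offset
    # that still triggers.  Invariant: data[lo:end] (plus header) is flagged.
    lo, hi = header_len, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_flagged(_mask(data, mid, end, header_len)):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


def cli_scanner(cmd: List[str]) -> Scanner:
    """Wrap a command-line scanner as a Scanner callable.

    Assumption: the engine is invoked as `cmd + [path]` and signals a
    detection with a non-zero exit status.  Check your engine's documented
    exit codes before relying on this.  Exclude the temp directory from
    on-access scanning, or the real-time component may quarantine the sample
    before the command-line scan sees it.
    """
    def scan(data: bytes) -> bool:
        fd, path = tempfile.mkstemp(suffix=".exe")
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            return subprocess.run(cmd + [path], capture_output=True).returncode != 0
        finally:
            os.unlink(path)
    return scan


# ---- constructed demonstration: a toy engine and a toy "binary" -------------
TOY_MARKER = b"CONSTRUCTED-EVIL-MARKER"   # what the stand-in engine keys on


def toy_scanner(data: bytes) -> bool:
    """Stand-in for a signature engine: flags any file containing TOY_MARKER."""
    return TOY_MARKER in data


def build_sample(size: int = 4096, marker_at: int = 1234) -> bytes:
    """Deterministic pseudo-random filler (constructed) with the marker planted at `marker_at`."""
    rng = random.Random(7)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[marker_at:marker_at + len(TOY_MARKER)] = TOY_MARKER
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    start, end = find_signature_span(sample, toy_scanner, header_len=64)
    print(f"signature at [{start:#x}, {end:#x}): {sample[start:end]!r}")
```

Once the span is known, map its file offset back to the section it lives in (IL in `.text`, a string in the `#US` heap, a resource) to see which source construct produced it; that is the answer to "why and where" that the thread never reached. The monotonicity assumption is the main caveat: a purely signature-based hit bisects cleanly, but a heuristic verdict built from several unrelated features (registry writes plus an encrypted blob plus a packer-like section, say) will not shrink to one span, and the first thing this finds is only one contributor.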
-
Mar 8th, 2018, 01:52 PM
#12
Re: How to detect why Avira finds an inexistent trojan in my code?
I'll bet Avira waits awhile and then changes its mind again. I've seen that happen with Symantec Endpoint which is the program my clients use. The only fix I've found is to sign everything. Otherwise even a "Hello World!" program gets flagged as a Trojan sooner or later. If you don't have a code signing certificate I would get one. It's getting to be a necessity these days.
I went with these guys: http://codesigning.ksoftware.net/
-
Mar 8th, 2018, 06:03 PM
#13
Re: How to detect why Avira finds an inexistent trojan in my code?
Originally Posted by ident
Just find it a little suspect you won't post any code.
I can't say that I find it suspect. I think the project is too big, and since the divide and conquer strategy used to figure out which part of the code was causing the problem caused the problem to go away....we really don't even want to see the code. At least I sure don't.
My usual boring signature: Nothing
-
Mar 8th, 2018, 06:05 PM
#14
Re: How to detect why Avira finds an inexistent trojan in my code?
I hate code signing. I agree that it is becoming necessary, but why did MS have to make it such a pain?
My usual boring signature: Nothing
-
Mar 8th, 2018, 06:27 PM
#15
Re: How to detect why Avira finds an inexistent trojan in my code?
Originally Posted by Shaggy Hiker
I hate code signing. I agree that it is becoming necessary, but why did MS have to make it such a pain?
To have my app kill at kernel it costs me £300. To be signed unless in debug mode.