New application being flagged as False-Positive. Help to fix.

Discussion in 'Mixed Languages' started by QuantumBug, Sep 22, 2012.

  1. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    1,488
    1,327
    60
    #1 QuantumBug, Sep 22, 2012
    Last edited: Sep 27, 2012
    [SOLVED] New application being flagged as False-Positive. Help to fix.

    Well, my new Fable 3 application is being flagged when dependency merged+obfuscated, or when simply scanning the untouched .exe straight from Visual Studio.

    These are the flags on virus total:

    Just the .exe:

    DangerousObject.Multi.bcj

    Merged+Obfuscated:

    Trojan-Downloader.Win32.Dapato!IK
    Trojan-Downloader.Win32.Dapato

    Virustotal links:

    Untouched .exe https://www.virustotal.com/file/3e6...ab8d25408fbe77488569cd7c/analysis/1348311543/

    Merged+Obfuscated .exe: https://www.virustotal.com/file/604...79711a63532a1f3ba6581f94/analysis/1348311318/


    Now the reason I can't fix this is because I don't get it. There is no sort of code in the .exe at all to download anything or even connect to a network. I know it's nothing to do with SmartAssembly or my dll. Because of this, the application is being rejected from Softpedia :(

    Any help is appreciated. Thanks, Dave.






     
  2. woot332

    woot332 MDL Senior Member

    Feb 18, 2011
    390
    808
    10
    Hmm, is the exe native code or .NET?
     
  3. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    1,488
    1,327
    60
    .NET Framework 2 dependent.
     
  4. woot332

    woot332 MDL Senior Member

    Feb 18, 2011
    390
    808
    10
    Play around with the SmartAssembly protection options; if that doesn't work out, PM me the unprotected exe.
     
  5. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    1,488
    1,327
    60
  6. master131

    master131 MDL Novice

    Apr 12, 2011
    45
    22
    0
    Jiangmin is a Chinese AV and I think it's crap. Emsisoft is a German AV that I don't think a lot of people know about, but I like them since they often publish reverse engineering stuff on different threats. As for Ikarus, I've got no idea what it is either.

    Anyway, AVs often flag obfuscated .NET assemblies because of a bad signature (e.g. they created a signature for another obfuscated assembly with the same file, not realising it'd affect others too), or they were just lazy or wanted to flag any assembly obfuscated with the same software.

    Good thing you've got the detection issues fixed now. God, it's so hard these days to protect your IP (intellectual property) without having AVs make users think your software has some sort of virus, particularly if you put the settings on the highest possible.
     
  7. jcgo16

    jcgo16 MDL Junior Member

    Sep 16, 2010
    74
    2
    0
    This would likely happen when you use Confuser or another obscuring application.

    But those AVs suck, so don't mind them.

    Actually, when I'm making a program, I only look at Avira, avast, ESET, Security Essentials, AVG and any other major antivirus on the net.

    So it's a false alarm <3
     
  8. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    1,488
    1,327
    60
    I always knew it was a false-positive.

    But this didn't happen in WinTK (my other app) and I use the exact same method each time: Add signature > Add Tamper Protection > Embed Dependencies > Obfuscate > Compress > Prevent MSIL.

    Until it was fixed, Softpedia wouldn't allow it. It is now sorted. I also removed System.IO.File.Delete('file'); and the two stupid AVs don't seem to detect it anymore.
     