The launcher ("y-cruncher.exe") gets flagged by some virus scanners. #1

Open
Mysticial opened this Issue Oct 24, 2017 · 1 comment

Mysticial commented Oct 24, 2017

For some reason, the launcher ("y-cruncher.exe") manages to trip up a small number of virus scanners including a recent version of Windows Defender definitions.

Case in Point (v0.7.4.9477):

To reproduce from source code only:

  1. Open up the Launcher Visual Studio project: "trunk/VSS - Launcher/Launcher.sln"
  2. Change the build mode to "Release" and "Win32".
  3. Compile the program. (F7)
  4. The resulting binary in "VSS - Launcher/Release/Launcher.exe" will get flagged by some AVs.

After investigating a bit, I found:

  • The launcher links in y-cruncher's entire hardware detection library which has lots of low-level system calls including the WMI. Removing this dependency gets it past 2 of the AVs that flagged it before.
  • Dynamically linking the run-time library gets it past the remaining AVs that flagged it.

So some combination of these things seems to be tripping the AV heuristics:

  • The launcher executes another binary.
  • The launcher pulls in the hardware library. (this has been fixed)
  • Statically linking in the Windows run-time libraries.
Mysticial commented Oct 25, 2017

I'm not sure this can be fixed. These AVs seem to be flagging almost everything with /MT (static-linking).

Even this gets flagged:

int wmain(int argc, wchar_t* argv[]){}

https://www.virustotal.com/#/file/b1359be0db290767eab464a21629950370859dd96364e56787b22296724562ff/detection

Mysticial added the bug label Oct 25, 2017
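
When triaging a detection like the one in this issue, it helps to confirm from the binary itself whether the run-time was linked statically (/MT) or dynamically (/MD) by reading its import table. The following is an added example, not code from the issue or from y-cruncher; `imported_dlls`, `crt_linkage` and `sample_pe` are hypothetical names, the DLL prefix list is an assumption covering the usual MSVC run-time DLL names, and the sample image is constructed.

```python
import struct
# DLL-name prefixes that mean the MSVC run-time is linked dynamically (/MD).
CRT_PREFIXES = ("msvcr", "msvcp", "vcruntime", "ucrtbase", "api-ms-win-crt-")

def imported_dlls(pe):
    """Return the DLL names in a PE image's import directory."""
    lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, lfanew + 4)
    opt = lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)  # data directory 1 = imports
    # Per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def offset(rva):  # map an RVA to a file offset
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA outside every section")
    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva, = struct.unpack_from("<I", pe, pos + 12)
        if name_rva == 0:          # all-zero descriptor ends the table
            break
        start = offset(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        pos += 20
    return names

def crt_linkage(pe):
    """Classify how the C run-time is linked, from the import table alone."""
    crt = [d for d in imported_dlls(pe) if d.lower().startswith(CRT_PREFIXES)]
    return ("dynamic (/MD)" if crt else "static (/MT) or none", crt)

def sample_pe(dlls):
    """Constructed PE32 headers plus one .idata section; not a runnable program."""
    descs, names = b"", b""
    for d in dlls:  # each descriptor's Name RVA points into the string area
        descs += struct.pack("<5I", 0, 0, 0, 0x1000 + 20 * (len(dlls) + 1) + len(names), 0)
        names += d.encode() + b"\0"
    body = descs + bytes(20) + names
    head = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
            + struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<I", 0x1000)
            + bytes(116) + b".idata\0\0"
            + struct.pack("<4I", len(body), 0x1000, len(body), 0x200) + bytes(16))
    return head.ljust(0x200, b"\0") + body
```

For a real build, pass the file's bytes (`open(path, "rb").read()`) to `crt_linkage`; an empty second element means no run-time DLL is imported, which is what a /MT build looks like.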
