
Files detected as malware #7

Open
babak-f opened this issue Jun 24, 2019 · 19 comments

Comments

@babak-f

babak-f commented Jun 24, 2019

I got this report from my malware scanner:

virus_scan_log

Package.exe is the executable file I created using the Appacker CLI.

Unpacker.exe is the file that Appacker generates in runtime (I guess).

Seems more like it could be a false positive.

@SerGreen
Owner

Yeah, i tripped the Windows Defender alert a few times too when i was testing, it detected it as "Trojan:Win32/Fuerboos.A!cl". That didn't happen before, and it triggered an alert only on the updated PC, my laptop that i didn't update for months didn't have any problems.

I mean, i can see why the package looks shady to the anti-virus: it extracts other binary files from its own binary and then launches that binary while sitting hidden in the background.

Apparently, i used some virus-making techniques in this app. Oh well. ¯\_(ツ)_/¯
I have no idea how i would get around this false detection. At least the code is open, so anyone can check for themselves that it is safe.

@BryanYin

@SerGreen Hi, firstly, thank you for providing such a good and easy-to-use tool!
Do you have any idea about how to avoid malware warning now?

@SerGreen
Owner

Hi! Not really, to be honest. I added appacker.exe to Windows Defender exclusions, but it still bitches about it sometimes.

Hey, i just realized that i can submit a sample to Microsoft Security Intelligence, maybe this will help to resolve this problem. What anti-malware software do you use? Perhaps it also has a similar option so they can investigate the file and stop detecting it as a virus.

I submitted a ticket now, don't know how long it will take though since it's not an automated check and i'm not a priority client. I will comment when there's a result.

@SerGreen
Owner

@BryanYin Microsoft has already responded. That was quick, i expected it to take days, not just a few hours, wow. False positive detection in Windows Defender should be removed now. You have to update malware definitions for it to work, here's a copy-paste of how to:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

It turns out that pretty much every anti-malware software has a 'report false positive' service. Why didn't i think of it earlier? I also submitted this app for review to Avast and Kaspersky. NOD32 does not detect it as a virus according to VirusTotal.

@BryanYin

Hi @SerGreen, that's awesome! Microsoft is getting better and better.
We are in China, most users are using 360, we will also submit a false positive report today.
Hopefully with Microsoft's confirmation, these anti-virus software will never report your app as malware.

@bitsydoge

Oh I needed to use this app today and I'm sad to find that Windows Defender triggers on it as malware :/ Any news on the sample sent to Microsoft Security?

@SerGreen
Owner

SerGreen commented Dec 7, 2019

@Coldragon The last time in September they removed false detection, but yeah, Defender recently got triggered again for me too (this time detected as Woreflint.A!cl). I resubmitted the app to the Microsoft Security on November 26 and they removed false detection once more. Try force updating your malware definitions and see if it helps:

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

The latest malware definitions version is 1.307.33.0. Here's how you can check what version you have: https://www.bleepingcomputer.com/tutorials/how-to-find-windows-defender-version-number-installed-in-windows-10.

You can also add Appacker.exe to Defender's exceptions, though i'm not sure that packed apps won't trigger Defender too.

@bitsydoge

Thanks.
It's gonna be complicated to share apps with it now if it triggers Windows Def when it decides to :/

@SerGreen
Owner

SerGreen commented Dec 8, 2019

True. Hopefully Defender won't have another regression. I'll keep resubmitting the app for analysis should that happen again though.

@bitsydoge

Thanks a lot for your work :)
This app is near perfect, the only thing that doesn't make it perfect is the quick conhost that opens when you launch the app ^^

@der-hugo

der-hugo commented Jul 21, 2020

Unfortunately it still happens :D
The Appacker.exe itself as well as all exe files created with this are supported as malware!

Besides that it actually is quite cool ^^

@SerGreen
Owner

And unfortunately it will probably keep happening.
Here, for example, i found a description of a real Occamy.AA malware (which is what Appacker gets detected as by antivirus sometimes), and checkmarks are what Appacker does:

  • Executable code extraction;
  • Creates RWX memory;
  • Reads data out of its own binary image;
  • A process created a hidden window;
  • Drops a binary and executes it;
  • Unconventional language used in binary resources: Russian;
  • Uses Windows utilities for basic functionality;
  • Steals private information from local Internet browsers;
  • Network activity contains more than one unique user agent;
  • Creates a hidden or system file;
  • Attempts to modify proxy settings;
  • Harvests credentials from local FTP client softwares;
  • Harvests information related to installed instant messenger clients;
  • Collects information to fingerprint the system;
  • Anomalous binary characteristics;
  • Ciphering the papers found on the sufferer’s hard drive — so the sufferer can no more utilize the information;
  • Preventing routine access to the sufferer’s workstation;

Source: https://howtofix.guide/trojanwin32-occamy-aa/

So yeah, 5 out of the first 6 things match, so no wonder antiviruses get suspicious.

P.S. Actually, it may be doing RWX memory too, i just don't know how to check that.
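The first and fifth heuristics in the list above ("executable code extraction" and "drops a binary and executes it") are the ones an engine can often infer statically: a file that carries a second complete PE image inside itself. The script below is an added example, not Appacker's code or the antivirus vendor's logic; it walks a file's bytes looking for additional MZ headers whose e_lfanew field points at a valid "PE\0\0" signature, which is a much stronger signal than a bare "MZ" match. The `make_minimal_pe` helper builds a constructed, non-executable PE-shaped blob purely so the scan can run offline without a real binary; the host/inner layout it assembles is a made-up sample, not an Appacker output.

```python
"""Flag files that embed a second PE image (added example, not Appacker's code).

Mirrors the 'executable code extraction' / 'drops a binary and executes it'
heuristics quoted in the thread: a PE whose data contains another PE header.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
DOS_HEADER_LEN = 0x40  # e_lfanew lives at offset 0x3C inside the DOS header


def is_pe_header(data: bytes, offset: int) -> bool:
    """True if data[offset:] starts with a DOS header whose e_lfanew reaches a PE signature."""
    if data[offset:offset + 2] != MZ:
        return False
    if offset + DOS_HEADER_LEN > len(data):
        return False  # truncated DOS header, cannot be a real image
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    if e_lfanew < DOS_HEADER_LEN or pe_off + len(PE_SIG) > len(data):
        return False  # e_lfanew must point past the DOS header and stay inside the file
    return data[pe_off:pe_off + len(PE_SIG)] == PE_SIG


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of PE images found after the host's own header (offset 0 is excluded)."""
    hits = []
    pos = data.find(MZ, 1)
    while pos != -1:
        if is_pe_header(data, pos):
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def scan_report(data: bytes) -> dict:
    """Summarise the static signal the way a triage tool might log it."""
    hits = find_embedded_pe(data)
    return {
        "host_is_pe": is_pe_header(data, 0),
        "embedded_pe_offsets": hits,
        "suspicious": bool(hits),
    }


def make_minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed test blob: DOS header + PE signature + payload. Not runnable code."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, DOS_HEADER_LEN)  # e_lfanew points right after the DOS header
    return bytes(hdr) + PE_SIG + payload


if __name__ == "__main__":
    # Constructed sample: a host image carrying a second image in its tail,
    # the shape a self-extracting package ends up with.
    host = make_minimal_pe(b"\x00" * 64)
    inner = make_minimal_pe(b"\x90" * 16)
    packed = host + b"<resource>" + inner
    print(scan_report(packed))
```

The caveat a practitioner should keep in mind is the one raised later in this thread: legitimate self-extracting installers (7-Zip's, Firefox's) trip exactly this check, so on its own it only justifies a closer look, which is why engines weigh it together with the other behaviours in the list (hidden window, RWX memory, resource language) before naming a verdict.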

@ghost

ghost commented Sep 23, 2020

Hey uh, it's cool that the Appacker exe is not recognized as malware, but what can I do if the antivirus detects the created executable as malware?

@SerGreen
Owner

@suleyth, honestly, i'm not sure if there's much to be done. The created executable does all that stuff that antiviruses don't like (namely it extracts another executable from itself and runs it), in fact, it utilizes the same tools as the main Appacker app. I thought antimalware software would treat them all the same way but i guess not. Though for me Windows Defender never triggered on the created file yet. What's your antivirus btw?

So, back to the original question: options would be to make a manual exception for the created exe and to report said file to the antivirus provider as false positive, although both options would not have great portability, as it might still trigger antivirus on another PC.

@Tyberkid967

Hi, uh, Chrome detects it as dangerous and won't let me download it. Help

@SerGreen
Owner

Chrome can do that? o_O
Well, uhh... You can build it from source i guess? But it's not very usable anyways since antiviruses don't really like it. Works as a proof of concept, but i don't know how to make it not suspicious to antimalware soft.

@Stehlampe2020

Stehlampe2020 commented Sep 12, 2022

@SerGreen I have an idea on how to fix it:
You may know that some EXEs are openable as archives using 7zip. (like the official 7zip installer which just unpacks itself and the official Firefox installer which unpacks itself and even runs an executable that it unpacks)
Maybe you could try to use the same system as the Firefox installer to avoid malware detection, as for me there was never a problem with the Firefox installer.
As for appacker.exe and the EXEs created with it, it looks as if you're just putting the other binaries' content into the "packed" exe instead of putting an archive with actual files there. I don't understand the code very well and that's why I tried to figure it out by experimenting.

@SerGreen
Owner

Thanks for the tip, i'll look into that.

@Stehlampe2020

Stehlampe2020 commented Sep 12, 2022

Just a quick thought for the point above with the unconventional language being used:
You could maybe pack the application only with English in the binary with the possibility to add other languages via a button inside the app (which would download them as extra files packed into appacker.exe on close). This would also allow for easier translation into even more languages (I would happily provide a German and maybe a Swedish translation).
