
Window Portable Client is being flagged as malware #24

Closed
chucklingalong opened this issue Jun 4, 2019 · 9 comments

Comments

@chucklingalong

Firefox is complaining that the Windows Portable contains a malware or virus.

@Logicman111

My 2 cents here is that the app should be signed with a certificate; I think it should fix this problem.

@bitbound
Collaborator

bitbound commented Jun 4, 2019

I'm aware of the false positives that have started, and I'm starting to think there's nothing I can do about it. From what I've read, even if I paid for a code signing cert from a trusted CA, it won't fix it. The cert only helps with "unknown publisher" warnings, not virus warnings. It simply verifies that I created the file and that it wasn't altered since I created it.

In fact, I think it'd just tarnish the reputation score of the cert and make it even more pointless.

Even the "unknown publisher" warning wouldn't go away immediately with a cert. It takes a certain threshold of downloads and uses (a number that Microsoft doesn't document anywhere) before the cert becomes trusted by SmartScreen. Still, that's unrelated to virus detection.

The problem is that, to a virus detection algorithm (all of them now use machine learning), my code looks exactly like a virus. It attempts to install as a service, control the mouse/keyboard, capture the screen, and run arbitrary commands received from a websocket connection. It'd take a human to look at the overall solution to understand that it's legit.

I've found that I can reduce the number of detections by removing the "run as admin" requirement (which would mean you can't control windows launched with "Run as admin"), obfuscating the source code, or creating an installer instead of a self-contained EXE. None of them are 100%, though. And as soon as another virus starts using code that looks similar to this new "signature", it'd start getting flagged again.

From my limited searching, it sounds like I'd need to contact each antivirus directly and get whitelisted. I'd imagine I'd have to do this every time I release a new version as well. And I wouldn't be surprised if they made me pay them.

If anyone has more insight into this, I'd appreciate it.
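As an added illustration of the point above about what a code signing certificate does and does not verify (this is not code from the Remotely project), the following PowerShell walkthrough signs a constructed sample file, verifies the signature, then modifies the file and verifies again. The certificate subject and the temp-file path are assumptions; with a self-signed test certificate the chain will report as untrusted, which is exactly the "unknown publisher" situation the thread describes.

```powershell
# Added example, not project code. Shows that an Authenticode signature proves
# who signed a file and that it is unmodified since signing; it says nothing
# about whether the file is malicious, so it cannot clear an AV detection.

$subject = 'CN=Example Publisher'   # assumed subject; use your own cert's subject

# Prefer a real code-signing cert from the user store; fall back to a self-signed
# test cert. The self-signed cert has no trusted root and no reputation.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My
}

# Constructed sample artifact. The same cmdlets accept .exe, .dll and .msi files.
$target = Join-Path $env:TEMP 'signed-sample.ps1'
Set-Content -Path $target -Value 'Write-Output "hello from the sample"'

# Sign. For release builds add -TimestampServer so the signature outlives the
# certificate's validity period (omitted here so the example runs offline).
$sig = Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256
"After signing : {0} ({1})" -f $sig.Status, $sig.StatusMessage

# Verify. 'Valid' for a trusted chain; 'UnknownError' with an untrusted root
# (the self-signed case), which is the unknown-publisher condition.
$check = Get-AuthenticodeSignature -Path $target
"Verify        : {0}" -f $check.Status
"Signed by     : {0}" -f $check.SignerCertificate.Subject

# Modify the script body after signing, leaving the signature block in place,
# the way a trojanized redistribution would. The hash no longer matches.
$lines = Get-Content -Path $target
$lines[0] = 'Write-Output "modified after signing"'
Set-Content -Path $target -Value $lines
$tampered = Get-AuthenticodeSignature -Path $target
"After tamper  : {0}" -f $tampered.Status   # HashMismatch
```

Note that the unmodified signed file reports the same status whether its contents are benign or not; reputation with SmartScreen and AV vendors is built separately from the signature check itself.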

@leighharro

Would it be worth creating a Portable Client that is simply used as a means to download the full portable client to temp files? Similar to the way the Chrome installer works.

@Logicman111

Logicman111 commented Jun 12, 2019

I found the following text by Microsoft on signing the executable; I don't mean that Jay-Rad should sign it, but if someone wants to use it, he should consider it:

One of the most effective ways for developers to reduce the chances of their software being detected as malware is to digitally sign files with a reputable certificate, Microsoft said.

This should verify the identity of the software publisher, and help reassure users that the software has not been tampered with. It doesn't mean the software is without flaws, however.

Microsoft uses the reputation of digital certificates to help determine the reputation of files signed by them, and also the reverse, using the reputation of digitally signed files to determine the reputation of the digital certificates they are signed with.

Going a step further, extended validation (EV) code signing requires a more comprehensive identity verification and authentication process for each developer, and also requires the use of hardware to sign applications. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP, even if no prior reputation exists for that file or publisher.

But then again, I never tried it so maybe it won't help... Sorry about the bold text, it seems my pasting didn't go well.

@bitbound
Collaborator

I agree that signing would be ideal. If this were a product I were selling and supporting, I'd definitely have a code signing cert.

However, since this is mainly a prototype/demo at this point, I don't think it'd be worth the money. I don't gain anything from it. And honestly, I can't really afford any extra expenses right now. If someone did want to use and distribute this, they could just as easily buy their own cert and sign the files.

That said, I did find a combination of changes that seems to remove all false positives on VirusTotal. Whether it will stay that way or not, I don't know.

I'll begin working on the changes, but it's going to take a while. The desktop app will be an installer instead of a single EXE, and the unattended client will no longer be a single EXE. So I have to change a lot of the workflow, updating, etc.

I'll keep this issue open and comment again when changes are done.

@Logicman111

I just want to clarify (after reading back what I wrote) that I meant that if someone other than Jay wants to use it, that someone should sign the application, not Jay.

@bitbound
Collaborator

bitbound commented Jun 23, 2019

It's no longer "portable," but the desktop client isn't being flagged now in my tests. I'm not sure if this is a permanent fix, or if it'll start being flagged again once more people use it. I guess we'll see!

@bitbound
Collaborator

I haven't seen this come back up since creating the MSI installer. I'll reopen if it returns.

@Allram

Allram commented Oct 15, 2021

This is starting to show now on Windows 10/11 since the publisher is unknown. Anyone have any other solution than to pay for the digital certificate? :)
