
Avast #51

Closed
ibmua opened this issue May 7, 2017 · 41 comments

Comments

@ibmua

ibmua commented May 7, 2017

I'm getting Avast antivirus detecting my script as false positive virus threat.

My config used to be:

    rotateUnicodeArray: true,
    compact: true,
    controlFlowFlattening: false,
    deadCodeInjection: false,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: true,
    rotateStringArray: true,
    selfDefending: true,
    stringArray: true,
    stringArrayEncoding: 'base64',
    stringArrayThreshold: 0.75,
    unicodeEscapeSequence: false

I also tried the "lowest" settings, but it was still detected as a false positive. When I forwent the obfuscation altogether, it stopped complaining.

@sanex3339
Member

It's bad. In a few days I'll try to contact Avast and describe this problem.

Can you attach a working sample with obfuscated code that triggers Avast antivirus?
I'll attach this code on this page:
https://www.avast.ru/false-positive-file-form.php

@ibmua
Author

ibmua commented May 8, 2017

Mind that it is highly unlikely that it only has to do with Avast. I'm guessing that many more antiviruses see that code as a threat. It's just that I only tried on Avast.

@sanex3339
Member

sanex3339 commented May 11, 2017

How can I reproduce this on Mac? Is it an Avast extension for the browser?

Can you try to run Uglify.js over the obfuscated code and check with Avast again? Is it still detected as a virus threat?

@sanex3339
Member

Got it on your file with https://www.virustotal.com/ru/
Currently only one or two antiviruses are detecting this code as a threat.

@sanex3339
Member

Please try to run Uglify.js over the obfuscated code, or try the latest beta with the mangle: true option.

@ibmua
Author

ibmua commented May 15, 2017

Of course, the result isn't any different than it would be if you ran Uglify over that script. Ran it uglified on VirusTotal and got a NANO-Antivirus Trojan.Script.Agent.enqons detection: https://www.virustotal.com/ru/file/f31dfbb30d1536fff0b6f6701c705ea4b2111bfc7e79cb6bd587b93681f7f8bf/analysis/1494891276/

@NeXTs

NeXTs commented Jun 12, 2017

same here 😞

@sanex3339
Member

sanex3339 commented Jun 12, 2017

I should do research. If anyone has information on why some antiviruses mark obfuscated code as a threat, I will be very happy.

@sanex3339 sanex3339 added this to the 0.11.0 milestone Jun 13, 2017
@NeXTs

NeXTs commented Jul 17, 2017

@sanex3339
Hey Timofey, have you contacted Avast?

Actually this issue is a critical blocker for production use :/

@sanex3339
Member

Hi, no. But please try to use the latest beta: 0.10.0-beta.8.
I removed all evals from the obfuscated code, so maybe it won't detect your script as a virus threat.

@sanex3339
Member

Hi. Please try the new 0.10.0 version. Is Avast still triggering on your code?

@sanex3339
Member

ping

@ibmua
Author

ibmua commented Jul 31, 2017

My code's changed a bit, but if it still has the same features that brought up the warnings, you can experiment converting http://fsymbols.com/tell/main.a51a389b.js at any time with the settings you're interested in and checking with VT to see how the antiviruses react. No need for waiting.

If this code doesn't trigger errors even with an earlier obfuscator, I'll try to find you an earlier version that may.

@sanex3339
Member

sanex3339 commented Aug 5, 2017

Hi. After some tests I noticed that Avast is triggered when string literals are moved to the string array from object keys that had a computed property with a false value.

The obfuscator does this transformation of object keys:

var foo = {
    bar: 'baz'
};

into this form:

var foo = {
    'bar': 'baz'
};

and then moves this string literal 'bar' to the string array.
So, on your code, after moving object keys to the string array, Avast will detect your code as a threat.

Solution: enable stringArrayEncoding: 'base64'.
With this option enabled, all antivirus checks are negative. Tested on version 0.10.2.

@sanex3339 sanex3339 modified the milestones: 0.12.0, 0.11.0 Aug 6, 2017
@sanex3339
Member

Ping. Any news?

@ibmua
Author

ibmua commented Aug 19, 2017

No news here. =)

@NeXTs

NeXTs commented Aug 21, 2017

Hey, sorry for the long silence from my side. I haven't tested the new release on production since we've refused obfuscation on production because of complaints from users about antivirus notifications. This was critical for our product. Anyway, I'll try to find a minute to test it on the stage server in the nearest days.

@sanex3339
Member

Please check the 0.13.0 version with the hexadecimal and mangled values of the identifierNamesGenerator option.

@sanex3339 sanex3339 removed this from the 0.13.0 milestone Dec 17, 2017
@sanex3339 sanex3339 added this to the 0.14.0 milestone Dec 17, 2017
@sanex3339
Member

ping

@sanex3339
Member

sanex3339 commented Jan 1, 2018

Tested it now with the command
javascript-obfuscator test.js --identifier-names-generator mangled --compact true --disable-console-output true --self-defending true --dead-code-injection true --control-flow-flattening true

No false positive alerts.
https://www.virustotal.com/ru/file/53af005143ac8cfd2eea82c0d05ba2ccf77d2ddd49182aa37632f42dfdec89c9/analysis/1514820105/

But enabling stringArrayEncoding: base64 will trigger a false positive alert.
So the current status: if you get this error, first try to play with the stringArrayEncoding option and disable it or change it to rc4. And second, try to change the identifierNamesGenerator option value from hexadecimal to mangled.

I think I should add some information about this to the readme.

@sanex3339
Member

sanex3339 commented Jan 1, 2018

Also, you can attach all files with false positives in Avast here:
https://www.avast.ru/false-positive-file-form.php

@sanex3339
Member

Also, I wrote a letter to Avast about the false positive alerts. Will be waiting for a response.

@datio

datio commented Jan 9, 2018

I got this same issue back in 2011 with a MooTools library I'd written, obfuscated using Jscrambler.

I've long lost the source code of that lib (was using the obfuscated version in a CodeCanyon demo), but I vividly remember an issue where my hosting provider got quite concerned because of a virus report they received due to that obfuscated javascript file.

Googling the name of the library returned a forum post [1] listing the MD5 hash of that file, along with the false-positive virus name: unknown_html_RFI_eval

Looking it up with VirusTotal shows that it's clean [2].

[1] https://www.malwaredomainlist.com/forums/index.php?topic=3190.2280
[2] https://www.virustotal.com/#/file/ed59d45cab198d6f751f2207f1f07182d2c129fd015249c1e5203b155c3f1371/detection

@sanex3339 sanex3339 removed this from the 0.14.0 milestone Feb 4, 2018
@sanex3339 sanex3339 removed the future label Feb 4, 2018
@simpleplana

simpleplana commented Feb 5, 2018

Hi, please look: I tried to install version 0.14.0 today but it is not possible in npm (Windows, Visual Studio 2017 npm native).

@sanex3339
Member

Hi, please make a separate issue and describe all your steps and errors (if there were any).

@ghost

ghost commented Mar 5, 2018

I can't install it now:

$ npm install javascript-obfuscator

> javascript-obfuscator@0.14.3
...

Avast 13.4 with virus definitions (18030400) steps in and puts it in quarantine:

File: node_modules/.staging/javascript-obfuscator-f8cb28e3/dist/index.js
Infection: JS:Agent-EEE [Trj]

@ghost

ghost commented Mar 5, 2018

Uploading the index.js file to virus total shows the same issue with Avast & AVG:

https://www.virustotal.com/#/file-analysis/YzdjMmI1ZTZjYmMyZTlhOWQzNTM3YmI3MGVlOGFmNDk6MTUyMDIzMjE1MA==

@sanex3339
Member

sanex3339 commented Mar 5, 2018

Interesting. Avast and AVG are triggering on these lines:
https://github.com/javascript-obfuscator/javascript-obfuscator/blob/master/src/templates/string-array-nodes/string-array-rotate-function-node/StringArrayRotateFunctionTemplate.ts#L8-L10

When I removed these lines, all checks passed.
So, I'll think about how to fix this.

@sanex3339
Member

sanex3339 commented Mar 5, 2018

When I changed these lines to this:

var firstElement;
while (--times) {
    firstElement = array.shift();
    array.push(firstElement);
}

All checks passed, so today or tomorrow I'll release 0.14.4 with this fix.
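The string array that the two comments above describe (object keys such as 'bar' moved into a base64-encoded array, and the rotate loop just posted), seen from a reviewer's side. This is an added example, not javascript-obfuscator's own code; it assumes the loop form posted above, base64 entries as with stringArrayEncoding: 'base64', and call sites that read entries by index, and all sample data in it is constructed.

```javascript
// Added example, not javascript-obfuscator's own code: an analyst-side helper
// for the string-array layout discussed in this thread. Assumptions (mine):
// the rotate loop is the one posted above (while (--times) shift/push),
// entries may be base64-encoded as with stringArrayEncoding: 'base64', and
// call sites read entries by index, as in _0x(0). Sample data is constructed.

// The loop from the comment above, run on a copy so the input is not mutated.
// Because of the pre-decrement it rotates left by (times - 1) positions, and
// with times < 1 it would never terminate, so that case is rejected up front.
function rotateStringArray(array, times) {
  if (!Number.isInteger(times) || times < 1) {
    throw new RangeError('times must be a positive integer');
  }
  const rotated = array.slice();
  let firstElement;
  while (--times) {
    firstElement = rotated.shift();
    rotated.push(firstElement);
  }
  return rotated;
}

// Decode one entry the way the runtime lookup function would.
function decodeEntry(entry, encoding) {
  if (encoding === 'base64') {
    return Buffer.from(entry, 'base64').toString('utf8');
  }
  return entry; // no encoding: the literal is stored as-is
}

// Resolve every index to the literal it stands for: apply the load-time
// rotation, then decode. This lets a reviewer read a lookup such as _0x(0)
// without executing the sample.
function recoverStrings(sourceArray, times, encoding) {
  return rotateStringArray(sourceArray, times).map((e) => decodeEntry(e, encoding));
}

// Constructed sample: the thread's { bar: 'baz' } example after the key 'bar'
// and the value 'baz' are moved into a base64 string array that is stored
// pre-rotated and rotated back by one position at load time (times = 2).
const SAMPLE_SOURCE_ARRAY = ['YmF6', 'YmFy']; // base64('baz'), base64('bar')
const SAMPLE_ROTATE_TIMES = 2;

function sampleLookup(index) {
  return recoverStrings(SAMPLE_SOURCE_ARRAY, SAMPLE_ROTATE_TIMES, 'base64')[index];
}

console.log(sampleLookup(0), sampleLookup(1)); // prints "bar baz"
```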

@sanex3339
Member

sanex3339 commented Mar 5, 2018

@Tech1e

Hello, 

Thank you for reporting this false positive.

Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

For future reference you might also find the following article to be useful: Avast Clean Guidelines.

Looks like a new version is redundant. So we should wait until tomorrow.

@sanex3339
Member

sanex3339 commented Mar 6, 2018

@Tech1e Please check again. Looks like Avast fixed the false-positive alert.

@sanex3339
Member

Looks like there are no more problems with it. Reopen the issue if you have problems with Avast.

@sanex3339
Member

sanex3339 commented Jul 18, 2018

Has anyone run into this issue this week?

@davidroze

@sanex3339 Yes, for some reason Avast and Bitdefender detect the obfuscated code as malicious again.

@sanex3339
Member

Can you test with the 0.16.0 version, please?

@dani3lL

dani3lL commented Jul 27, 2018

Hi, for some reason the detection occurs when either the mangled or hexadecimal option is selected and a prefix is used; if you use only hexadecimal, no detection will occur.

@voxsoftware

voxsoftware commented May 9, 2019

Does this false positive alert occur if the output file looks like this?

  1. convert to base64
  2. use something like eval(atob("xxxx"))

@cliqer

cliqer commented Sep 5, 2021

This is still a problem in ES3 where var is being used.
If replaced by const/let it is not flagged as a false positive, but then it doesn't work in, i.e., the Windows JScript engine that requires ES3.

@JanMakur

JanMakur commented Apr 9, 2023

@cliqer is right, I've made a program based on mshta and I'm facing the same problem.

10 participants