Malicious binary #5

Closed
Polyterative opened this issue Dec 27, 2016 · 15 comments

5 participants
@Polyterative
commented Dec 27, 2016

Current binary is positive on Chrome and has some positives on virustotal.

@taviso

Owner

commented Dec 27, 2016

The binary is fine, it's a false positive... sigh. I don't know what to do about that. Any ideas?

@paragonie-scott


commented Dec 27, 2016

I left a comment on the Virus Total page showing the output of wget + sha256sum which matches the checksum for that "malicious" entry.

The only effective weapon against the AV industry seems to be loud public shaming. Which is a shame, because so many people believe it helps.

@taviso

Owner

commented Dec 27, 2016

Thanks Scott. Apparently BitDefender won't even let you compile the source code (!?!?!)

https://twitter.com/formally_eLVis/status/813069990597455872

Unbelievable.

@paragonie-scott


commented Dec 27, 2016

See #6 with an extra dose of troll-face

@vcsjones


commented Dec 27, 2016

@taviso So I know this probably isn't the answer that you're looking for, but I Authenticode signed hotcorner.exe and the results on VirusTotal are much better: https://virustotal.com/en/file/bf9ebefe294b1f514c7346398ce21c641d5ab33947f3a4be9eeda59b35fca45d/analysis/1482857740/

Authenticode takes a significant role in AV vendors deciding the trustworthiness of an executable.

@taviso

Owner

commented Dec 27, 2016

I suppose I can sign release builds, even though that makes no sense ;-)

I'm told that some AV products won't even let you compile the code, so that won't help there though. Sigh, we'll have to just do the best we can.

@mugundhan

This comment has been minimized.

@taviso

Owner

commented Dec 29, 2016

Optimization is enabled by default in the Makefile, but I can see in those links that you've added a whole bunch of imports from VCRUNTIME140.DLL and others.

I think you must be using the GUI, and enabling some checkboxes in the build options?

I suspect that because you're just adding a dependency on the Visual C++ Redistributable but not including it, the antivirus emulators aren't working. If the binary has missing dependencies it can't be emulated, but obviously it won't work when users try to run it either...

(Note that I rather like having absolutely minimal dependencies!)
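A way to catch exactly this dependency problem before uploading a build, as an added example that is not code from the hotcorner project: a small Python script that walks the PE import directory and lists the DLLs a binary links against, flagging the ones that come from the Visual C++ Redistributable. The PE image it builds for self-testing is constructed data, not a real executable, and the REDIST_DLLS list is an assumption of the example (extend it for other redistributable DLLs you care about).

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1

# DLLs installed by the Visual C++ Redistributable rather than present on a
# clean Windows install. A build that imports them without shipping them fails
# to load, which is the situation described above. Assumed list; extend as needed.
REDIST_DLLS = {"VCRUNTIME140.DLL", "MSVCP140.DLL"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("ascii", "replace")


def pe_imports(data):
    """Return the DLL names from the import directory of a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the
    # optional header, preceded by the 4-byte NumberOfRvaAndSizes field.
    dd_off = opt + (96 if magic == 0x10B else 112)
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]
    if num_dd <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return []
    imp_rva = struct.unpack_from("<I", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return []  # no import directory at all
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls, off = [], _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; the Name RVA sits at offset 12.
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        if name_rva == 0:  # all-zero descriptor terminates the table
            break
        dlls.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20
    return dlls


def redist_dependencies(data):
    """DLLs the binary imports that a clean Windows install does not provide."""
    return [d for d in pe_imports(data) if d.upper() in REDIST_DLLS]


def build_fixture(dll_names):
    """Constructed test data: a minimal PE32+ image (not runnable) whose only
    content is an import directory naming dll_names, in one .idata section."""
    sec_va, sec_raw = 0x1000, 0x200
    desc_area = 20 * (len(dll_names) + 1)  # descriptors plus terminator
    descs, names = b"", b""
    for n in dll_names:
        name_rva = sec_va + desc_area + len(names)
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names += n.encode("ascii") + b"\x00"
    body = descs + b"\x00" * 20 + names
    opt = struct.pack("<H", 0x20B) + b"\x00" * 106 + struct.pack("<I", 16)
    for i in range(16):
        opt += struct.pack("<II", sec_va, desc_area) if i == IMAGE_DIRECTORY_ENTRY_IMPORT else b"\x00" * 8
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = b".idata\x00\x00" + struct.pack("<IIII", len(body), sec_va, len(body), sec_raw) + b"\x00" * 16
    hdr = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + coff + opt + sec
    return hdr.ljust(sec_raw, b"\x00") + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("imports:", ", ".join(pe_imports(image)))
    missing = redist_dependencies(image)
    print("redistributable dependencies:", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run it against the release build (`python pe_deps.py hotcorner.exe`, file name assumed) as a pre-upload step; a non-zero exit means the build picked up a runtime DLL the user's machine may not have, and the AV emulator certainly will not. Only the import directory is inspected, so delay-loaded or LoadLibrary-time dependencies are not reported.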

@mugundhan


commented Dec 29, 2016

My bad, thanks for explaining.

taviso referenced this issue Dec 29, 2016: False Positives? #9 (Closed)

@taviso

Owner

commented Dec 29, 2016

I guess I have no option other than to buy a code signing certificate.

Note that all the big CAs (Comodo, Symantec, etc) are also antivirus vendors, it's like a protection racket 👎

I'm not really thrilled about sending them a copy of my ID, but I'll do it when I get a chance.

@paragonie-scott


commented Dec 29, 2016

Maybe you can get one directly from Microsoft? It's not great, but at least they're not primarily in the infographic and snake oil antivirus business.

@taviso

Owner

commented Dec 29, 2016

Thanks Scott, I'll look into it.

I noticed that adding VERSIONINFO seems to reduce detections, maybe that will do for now.

https://github.com/taviso/hotcorner/blob/master/version.rc

@vcsjones


commented Dec 29, 2016

@paragonie-scott I don't believe Microsoft has code signing certs available to the general public. They will always defer to their CA partners, even for things like driver and LSA signing.

@taviso Interesting on the version info. It might be possible (but I am not in a position to check myself) that adding an app.manifest with supportedOS elements may improve it further. For what it's worth, if you still decide a signing cert may be beneficial, I have used DigiCert without any trouble. To my knowledge they do not sell AV software, white label or otherwise. They are the CA that I used to sign it in my earlier comment.

@taviso

Owner

commented Dec 29, 2016

Thanks, I'll give it a shot. The problem with the Authenticode solution (apart from getting a certificate) is that it doesn't help anyone who wants to build their own modified version - I'm told BitDefender won't even let you compile the code (?!).

I'm crossing my fingers that it doesn't care about the intermediate object files, so adding the VERSIONINFO is enough to make it shut up?

@vcsjones


commented Dec 29, 2016

> I'm told BitDefender won't even let you compile the code (?!).

A long time ago we ran into a similar situation when working on automation software. We had to get IT to configure our AV (TrendMicro, I think it was) to ignore our source code directories and their bin directories because it quarantined every binary the compiler produced. Glad to see nothing's changed since 2008.

> so adding the VERSIONINFO is enough to make it shut up

I hope so.

taviso closed this May 10, 2017
