Virus Detection #17

Closed
ashokgelal opened this Issue Jun 1, 2014 · 5 comments

@ashokgelal

ashokgelal commented Jun 1, 2014

Confuser has worked great for us except that anti-virus software is flagging our apps as malware. There have been many tickets open for this on codeplex: #8900, #8899, #8645, and esp. #8899, where you (@yck1509) mentioned that it will be hard to fix. Has this been taken care of, or is there any way for us to fix it by compiling from the source? One way that I can think of is to allow passing some GUIDs or unique signatures in *.crproj that can be used during obfuscation (sorry if this doesn't make sense; I wish I knew more about obfuscation processes).

@XenocodeRCE

Contributor

XenocodeRCE commented Jun 1, 2014

«Has this been taken care of or any way for us to fix it compiling from the source?»
lol...
AV detections are made because silly fuckin' users are obfuscating their malware with confuser(ex). So it's not due to yck1509 at all. So yck1509 can't do anything.

@ashokgelal

ashokgelal commented Jun 1, 2014

I understand that. But is there any way to change the signature or something to "fool" AV? Maybe downloading the source code and changing a few things so that we have our own unique signature?

@XenocodeRCE

Contributor

XenocodeRCE commented Jun 1, 2014

Maybe the Watermark. But I don't think so. I doubt you can do something about that; you can send your sample to the anti-virus vendor though.

@yck1509

Owner

yck1509 commented Jun 2, 2014

I just used VirusTotal to scan a protected sample and got 3/52, and the detections are the generic ones. Also, modifying it to avoid detection is not trivial, and once such a method is known, malware authors would also use it to avoid detection, rendering this method useless. For now, the best way is to request that the anti-virus vendor whitelist your application. Sorry for the inconvenience! :P

@yck1509 yck1509 added the enhancement label Jul 5, 2014

@augiem

augiem commented Aug 4, 2014

I get frequent virus detections with BitDefender while I'm trying to obfuscate files. I've had much better luck by excluding all the "exotic" protections -- the ones that say "Incompatible with OS other than Windows" or "Produces unverifiable modules". So far I haven't seen any false positives just using this stack: ctrl flow, anti ildasm, constants, ref proxy, resources, rename.