Skip to content
This repository has been archived by the owner. It is now read-only.

Virus Detection #17

Closed
ashokgelal opened this issue Jun 1, 2014 · 5 comments
Closed

Virus Detection #17

ashokgelal opened this issue Jun 1, 2014 · 5 comments

Comments

@ashokgelal
Copy link

@ashokgelal ashokgelal commented Jun 1, 2014

Confuser has worked great for us except that anti-virus software flagging our apps as malware. There have been many tickets open for this on codeplex: #8900, #8899, #8645, and esp. #8899 one where you (@yck1509) mentioned that it will be hard to fix. Has this been taken care of or any way for us to fix it compiling from the source? One way that I can think of is to allow to pass some guids or unique signatures in *.crproj that can be used during obfuscation (sorry if this doesn't make sense; I wish I knew more about obfuscation processes).

@XenocodeRCE
Copy link
Contributor

@XenocodeRCE XenocodeRCE commented Jun 1, 2014

«Has this been taken care of or any way for us to fix it compiling from the source?»
lol...
AV detections are made because silly fuckin' user are obfuscating their malware with confuser(ex). So it's not due to yck1509 at all. So yck1509 can't do anything.

@ashokgelal
Copy link
Author

@ashokgelal ashokgelal commented Jun 1, 2014

I understand that. But is there any way to change signature or something to "fool" AV? May be downloading source code, changing few things so that we have our own unique signature?

@XenocodeRCE
Copy link
Contributor

@XenocodeRCE XenocodeRCE commented Jun 1, 2014

Maybe the Watemark. But I don't think so. I doubt you can do something about that; you can send your sample to the anti virus though

@yck1509
Copy link
Owner

@yck1509 yck1509 commented Jun 2, 2014

I just use VirusTotal to scan a protected sample and got 3/52, and the detections are the generic one. Also, modifying it to avoid detection is not trivial, and once such method is known, malware authors would also use it to avoid detection, render this method useless. For now, the best way is to request anti-virus vender to whitelist your application. Sorry for inconvenience! :P

@augiem
Copy link

@augiem augiem commented Aug 4, 2014

I get frequent virus detections with BitDefender while I'm trying to obfuscate files. I've had much better luck by excluding all the "exotic" protections -- the ones that say "Incompatible with OS other than Windows" or "Produces unverifiable modules". So far I haven't seen any false positives just using this stack: ctrl flow, anti ildasm, constants, ref proxy, resources, rename

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants