I’m creating a piece of software that will run on Windows and will act like a launcher for the game, to serve as an auto-updater and file verifier on the client-side PC.
One thing I don’t understand is why my antivirus software (Avast) considers my exe file dangerous and won’t start it without asking to put it into a sandbox for safe use.
Are there any rules that my software should obey to be treated as good, or should I pay hundreds of dollars for some sort of digital signing and other stuff?
I’m using C# with MS Visual Studio 2010.
VirusTotal report. No DLL injections, working as remote file downloader, using WebClient() class.
It is not like it warns about virus, but it “suggests” to sandbox it. Look at screenshot:
15
“File prevalence/reputation is low” means Avast uses a reputation system based on the usage of the program. Only if your program has been installed and ‘marked as benevolent’ by enough users will it develop a good reputation and will this suggestion go away. Avast calls this the FileRep cloud feature and says “All new unknown files are potentially dangerous. Whenever they have become widespread, there will not be a reason to AutoSandbox them anymore”. This is a PITA for small software companies (and Avast is not the only one doing this, note e.g. Symantec’s “Suspicious Insight”). One thing Avast suggests is “you can accelerate the process if you digitally sign the files.”
Locally (on your computer) you can go to autosandbox expert settings and disable autosandboxing files with a low reputation, or maybe use a self-signed certificate, but that won’t help you with your end users.
For those I suggest you do use a real certificate (costs money, but Windows likes it too), and update your documentation with this info.
Maybe there’s more suggestions at the Avast forums as well.
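As an added illustration of the signing step recommended above (example code, not part of the answer or of any Avast tooling), this PowerShell script signs the launcher with a purchased code-signing certificate and then verifies the result, pinning the expected publisher thumbprint so a valid signature from some other company does not pass. The file name, thumbprint and timestamp server URL are assumptions to replace with your own.

```powershell
# Added example: sign the launcher and verify the Authenticode signature.
# $Thumbprint is a placeholder; use the SHA-1 thumbprint of the code-signing
# certificate you actually bought. The timestamp server is an assumption.
param(
    [string]$Exe        = '.\Launcher.exe',
    [string]$Thumbprint = '0000000000000000000000000000000000000000',
    [string]$Timestamp  = 'http://timestamp.digicert.com'
)

# Locate the code-signing certificate in the current user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Code-signing certificate $Thumbprint not found" }

# Timestamping keeps the signature valid after the certificate itself expires,
# so already-shipped builds do not suddenly lose their reputation.
Set-AuthenticodeSignature -FilePath $Exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $Timestamp | Out-Null

function Test-TrustedBinary {
    param([string]$Path, [string]$ExpectedThumbprint)
    # Get-AuthenticodeSignature performs the full check: the embedded hash must
    # match the file contents and the chain must lead to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for ${Path}: $($sig.Status)"
        return $false
    }
    # Pin the publisher: a trusted signature from a different certificate fails.
    return $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint
}

Test-TrustedBinary -Path $Exe -ExpectedThumbprint $Thumbprint
```

The same Test-TrustedBinary check is what the launcher itself should apply to an update it has downloaded before executing it, rather than trusting the download alone.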
1
To add to what Jan Doggen said, other antivirus software also does heuristic scans.
Anti Virus scanning is not just looking whether a specific executable is the exact copy of a known virus.
That can and has been easily circumvented.
Now AV tools check for specific behaviour, like does the tool use net libraries, does it do file access/modification, does it encrypt/decrypt itself at runtime and so on and depending on the internal algorithm (the heuristic), it spits out danger.
One way to combat various AVs’ false detections is what is known as signature obfuscation.
Basically, one other technique is that an AV tool will look whether there is a specific stream of bytes (signature) included in an executable. If it finds it, it knows it’s a virus.
You may end up producing (executable) code that may include one of the many billions of signatures an AV software utilizes. To remove that specific part, you need to do a binary search on your executable by dividing it into two parts, first half, other half, and rescanning those again and repeating the process until you locate the part that contains the signature.
Once found, you flip some bits and see if it is still detected.
A safer way would be to just change the source code and see if it spits out another byte stream at that location.
You will run into this problem 100% with the type of software you are developing.