Add to local avast exclusion (I can’t ask every customer to do this!)
Redo a “Submit file to Avast Lab for scan” for each new build of the .exe. It’s not scalable to have to re-submit the .exe to Avast (and all other antivirus software) for each new build.
Have you also uploaded and tested your file at www.virustotal.com?
If not too big, upload the file inside the zip, and make sure you click on rescan for a fresh result if it has been scanned before.
Thank you very much for your answer @Pondus, but as mentioned in original post, I can’t send the .exe to Avast (and other antivirus software, there are many!) for every single build… So I think this link is not relevant: https://www.avast.com/faq.php?article=AVKB229#artTitle
About your other link, I followed every step, and it should comply with the guidelines. Just about this:
1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.
Digital signature is always beneficial.
If the file is packed, it should have a Taggant.
Can you give more info about vendor identifier? I’m using https://pastebin.com/PSxqv3rm, is it ok? Can you give more information about vendor identifier?
What kind of digital signature? I did use Microsoft SDK “signtool” as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn’t change anything. Any digital signature provider recommendation?
We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.
Indeed I’m a free user. Should I buy 1 license of “every antivirus software in the world” to ask them a way to avoid my customers to have my .exe banned as “might be dangerous”?
To submit a false positive, you do not have to be a paid user: https://www.avast.com/false-positive-file-form.php
I just scanned this thread, but did you post a link to VT, or a hash of the file, or did you submit the file already?
Digital signature is the answer (but using a real certificate issued by a common CA, not a self-signed one; could be generally any CA that Windows itself trusts).
Note that it doesn’t start working right away, our systems need to see some samples and gather a “reputation” first.
Could I send you the file in PM to know more about what could be the reason for being detected “positive”? (I already submitted the file as false positive and already tried virustotal, but I can’t find the real reason for triggering a false positive).
Would you have an example of a “real certificate” provider? (Unfortunately, more than 50 or 100$ certificates is not an option for small developers.)
I’m not sure what screen exactly you are referring to, but I don’t think the file is detected as “positive”; the deep screen is triggered by the fact that the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher (= a software publisher known to be producing harmless files). In other words, there’s nothing specific inside the file that would be the cause of the scan (not talking about the outcome of the scan, that would depend on the content of course).
The label “might be dangerous” means it’s rare, unknown - and a deeper checking is needed to conclude the file is OK. But an actual false positive should be showing a name of the detected virus (and would remove the file from disk and put it to the Virus Chest - is it the case here?).
As for the Authenticode signature - anything where you (and your users) can right-click the file and successfully verify the signature from the file’s Properties / Digital Signatures should work. I’m afraid I don’t have any list, but I’d say basically any certification authority should work (unless they explicitly said that you first need to import their root certificate into the Windows store for the signature to validate… I’m not sure if any such CA even exists).
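Added example, not part of the original thread or from any poster: a PowerShell build step that performs the same check as Properties / Digital Signatures and fails the build when the signature is missing, invalid or self-signed. The path `dist\MyApp.exe` is a hypothetical placeholder.

```powershell
# Added example: release gate for the Authenticode signature of a build.
# 'dist\MyApp.exe' is a hypothetical path; pass the real one with -Path.
param(
    [string]$Path = 'dist\MyApp.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is 'Valid' only when the file hash matches the signature and the
# certificate chain ends in a root this machine trusts. An unsigned file or
# an untrusted self-signed certificate gives a different status.
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    exit 1
}

$cert = $sig.SignerCertificate

# A self-signed certificate that is trusted only on the build machine would
# pass the check above here but not on a customer's PC, so reject it.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Error "Signer certificate is self-signed: $($cert.Subject)"
    exit 1
}

# Without a timestamp countersignature the signature stops validating
# once the signing certificate expires.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp found; the signature will not outlive the certificate."
}

# Print the chain so the issuing CA and root are visible in the build log.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
foreach ($element in $chain.ChainElements) {
    '{0}  (expires {1:yyyy-MM-dd})' -f $element.Certificate.Subject, $element.Certificate.NotAfter
}
```

Running it on a clean machine that is not the build machine gives the result closest to what a customer's PC will see.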
You’re right @Igor, it’s not exactly a false positive, but rather “the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher”, true.
In the case it’s because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?
Or can you send me your email in PM @Igor ?
It would help me a lot for future builds.
About digital signature, does someone have an idea?
As I was trying to say, there is no reason other than that the file is simply new; I wouldn’t see anything inside. There’s nothing to change in the file - a new file will always be new (where “new” means “not previously seen on our userbase”).
The deep scan inspects the content, sure, but it doesn’t find anything wrong and doesn’t call your file malicious, does it?
Whitelisting a specific file may even be unnecessary - if the number of users of the application isn’t really small. As soon as the file starts spreading amongst various users, the file stops being “rare” and stops being deepscreened, automatically.
But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature “trumps” the reputation of the particular file).
This is (see attached screenshot) the popup that was displayed recently. (I’ve had other popups in the past)
After 15 seconds, it says it’s ok. But still it would be bad for reputation if a customer sees this popup.
My app asks for admin privileges, has a systray icon (thus main window hidden by default, like Avast for example), could this be the reason?
As often, it is the small developers who pay the fees, especially when they often have to modify their programs and the difficulty that they have from their status, to obtain a certificate.
But I also understand that antivirus do this, otherwise it is the door open to the spread of malicious software.
@eh.ouais (et oui quoi): I do not know the notoriety, the circle (private, public) of the users nor the utility of your tool but can not you prove, to pass the trust/fair to your customers / users?
I am a user of a healthy tool proposed by a “small” developer.
The tool is also often modified (twice a month) and Avast shows me the same message of mistrust, but I authorize it with each change without having to wait for the response of the Avast verification.
Of course, I do so knowingly and I do not know if in your case your clients can do this. ???