I'm developer. How to NOT have the app I sell (.exe) "File might be dangerous"

eh.ouais · 2017-07-18T16:45:01.000Z

Thanks.

I did a ticket. But I got a “template” answer:

We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.

Indeed I’m a free user. Should I buy 1 license of “every antivirus software in the world” to ask them a way to avoid my customers to have my .exe banned as “might be dangerous”?

bob3160 · 2017-07-18T16:56:15.000Z

eh.ouais post:6:

Thanks.

I did a ticket. But I got a “template” answer:

We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.

Indeed I’m a free user. Should I buy 1 license of “every antivirus software in the world” to ask them a way to avoid my customers to have my .exe banned as “might be dangerous”?

Reported to Avast. Let’s see if that helps.

HonzaZ · 2017-07-18T18:27:18.000Z

To submit a false positive, you do not have to be a paid user: https://www.avast.com/false-positive-file-form.php
I just scanned this thread, but did you post a link to VT, or a hash of the file, or did you submit the file already?

eh.ouais · 2017-07-28T10:40:03.000Z

Dear @HonzaZ,

Thank you for your answer.

My question was : is there a permanent way to avoid the “File might be dangerous” message ?

As I’m making new builds of the .exe quite often, I don’t have time to re-submit the .exe to Avast, Avira, and 10+ other antivirus software each week…

I already looked at “Avast Clean Guidelines” : https://www.avast.com/faq.php?article=AVKB228
but it didn’t help me, because this is unclear:

1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.

Digital signature is always beneficial.

If the file is packed, it should have a Taggant.

Can you give more infos about vendor identifier? I’m using https://pastebin.com/PSxqv3rm, is it ok? Can you give more informations about vendor identifier?

What kind of digital signature? I did use Microsoft SDK “signtool” as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn’t change anything. Any digital signature provider recommendation?

What is a Taggant in this context?

Thank you in advance @HonzaZ.

igor0 · 2017-07-28T10:48:27.000Z

Digital signature is the answer (but using a real certificate issued by a common CA, not a self-signed one; could be generally any CA that Windows itself trusts).
Note that it doesn’t start working right away, our systems need to see some samples and gather a “reputation” first.

eh.ouais · 2017-07-28T14:08:54.000Z

Thanks @igor for your answer.

Could I send you the file in PM to know more about what could be the reason for being detected “positive”? (I already submitted the file as false positive and already tried virustotal, but I can’t find the real reason for triggering a false positive).

Would you have an example a “real certificate” provider? (Unfortunately, more than 50 or 100$ certificates is not an option for small developers.)

Thanks in advance @igor.

Pondus · 2017-07-28T14:15:36.000Z

If you post link to virustotal scan result here, then they can fetch the file from virustotal
alternative post file MD5 here

igor0 · 2017-07-28T15:24:13.000Z

I’m not sure what screen exactly you are referring to, but I don’t think the file is detected as “positive”; the deep screen is triggered by the fact that the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher (= a software publisher known to be producing harmless files). In other words, there’s nothing specific inside the file that would be the cause of the scan (not talking about the outcome of the scan, that would depend on the content of course).

The label “might be dangerous” means it’s rare, unknown - and a deeper checking is needed to conclude the file is OK. But an actual false positive should be showing a name of the detected virus (and would remove the file from disk and put it to the Virus Chest - is it the case here?).

As for the Authenticode signature - anything where you (and your users) can rightclick the file and successfully verify the signature from the file’s Properties / Digital Signatures should work. I’m afraid I don’t have any list, but I’d say basically any certification authority should work (unless they explicitly said than you first need to import their root certificate into the Windows store for the signature to validate… I’m not sure if any such CA even exists).

eh.ouais · 2017-07-29T13:21:17.000Z

You’re right @Igor, it’s not exactly a false positive, but rather “the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher”, true.

In the case it’s because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?
Or can you send me your email in PM @Igor ?
It would help me a lot for future builds.

About digital signature, does someone have an idea?

Thank you very much.

Asyn · 2017-07-29T14:07:16.000Z

eh.ouais post:14:

In the case it’s because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?

See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php

eh.ouais · 2017-07-29T14:35:52.000Z

See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php

Thanks but this won’t tell me 1. what is the reason, 2. how to improve my code / .exe to avoid this in the future.

This will only help to whitelist my .exe, right? (I can’t do this manual submission to 50+ antivirus software for each new build…)

Asyn · 2017-07-29T14:45:37.000Z

eh.ouais post:16:

This will only help to whitelist my .exe, right?

Yep.

igor0 · 2017-07-29T15:55:13.000Z

As I was trying to say, there is no reason other than that the file is simply new; I wouldn’t see anything inside. There’s nothing to change in the file - a new file will always be new (where “new” means “not previously seen on our userbase”).
The deep scan inspects the content, sure, but it doesn’t find anything wrong and doesn’t call your file malicious, does it?

Whitelisting a specific file may even be unnecessary - if the number of users of the application isn’t really small. As soon as the file starts spreading amongst various users, the file stops being “rare” and stops being deepscreened, automatically.

But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature “trumps” the reputation of the particular file).

eh.ouais · 2017-07-30T10:06:08.000Z

This is (see attached screenshot) the popup that was displayed recently. (I’ve had other popups in the past)
After 15 seconds, it says it’s ok. But still it would be bad for reputation if a customer sees this popup.

My app asks for admin privileges, has a systray icon (thus main window hidden by default, like Avast for example ), could this be the reason?

chris... · 2017-07-30T12:09:43.000Z

igor post:18:

But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature “trumps” the reputation of the particular file).

As often, it is the small developers who pay the fees, especially when they often have to modify their programs and the difficulty that they have from their status, to obtain a certificate.

But I also understand that antivirus do this, otherwise it is the door open to the spread of malicious software

@eh.ouais (et oui quoi ) : I do not know the notoriety, the circle (private, public) of the users nor the utility of your tool but can not you prove, to pass the trust/fair to your customers / users?

I am an user of a healthy tool proposed by a “small” developer.
The tool is also often modified (twice a month) and avast shows me the same message of mistrust, but I authorize it with each change without having to wait for the response of the avast verification.

Of course, I do so knowingly and I do not know if in your case your clients can do this. ???

eh.ouais · 2017-08-05T01:37:45.000Z

When I send the file to customers, here is what they get.

First this popup “Warning this file might be dangerous”

https://forum.avast.com/index.php?action=dlattach;topic=205767.0;attach=194336;image

but then even worse

“You have discovered a very rare file” (See attachment image)

And then the customer cannot open the file at all. The file is blocked. He has to wait 2 hours or more to get an approval from Avast

This totally ruins my customers’ user experience.

How to solve that?

I still haven’t found a solution… except paying a 200$ ransom to DigiCert (and many people said that it’s possible that it doesn’t solve the problem ???)

HonzaZ · 2017-08-07T10:20:23.000Z

This is all intended. Of course a new file can contain malicious parts, and therefore must be analyzed before running, and of course new files might be sent over to us for even further analysis (this is called CyberCapture: https://blog.avast.com/cybercapture-protection-against-zero-second-attacks)
As we pointed out numerous times, you have two options:

Either you send us the new file every time you create it, so we can manually “set the reputation” of the file before the first user tries to run it (and a “this file is new” dialog appears);
Or you let others know in advance that this file is to be trusted. This can be done (you guessed it) by attaching a digital signature.

There is literally no other possibility. If the file is new, we will ALWAYS tell the user the file is new (obviously), with the sole exception that we recognize the digital signature (then Avast thinks something along the way of “I do not know this file, so it is suspicious, but according to the signature, it comes from this dev, and this dev has never signed a malicious file, so I do not need to perform additional scanning and I need not alert the user”).

eh.ouais · 2017-08-12T00:05:45.000Z

Thanks @HonzaZ for your answer.

To cut this long story short, the answer is that I have to pay a 200$-per-year ransom (or maybe even more for a “good” signature: 500$ or even 1000$ to be sure that the signature is good quality? ).

The small and medium-size developers thank you very much.

HonzaZ · 2017-08-12T05:11:04.000Z

To cut this long story short, unless someone lets us know a certain file is to be trusted, we WILL tell the user that the file is new. This is hardly something unexpected. You can let us know by sending the file to us, or by digitally signing the file and let us know the signature.

I am not aware of the pricing models of signatures, nor what the benefits of more expensive signatures are. From my point of view, unless there in malware signed with that signature, our systems will automatically hide all warnings about low prevalence of a signed file.

Small and medium developers either have digital signatures, or send the files to us prior to release, or don’t care about a couple of users getting a warning about a new file.

igor0 · 2017-08-14T06:41:50.000Z

I don’t think the price is right… now I admit I’m also not familiar with the exact prices and conditions, but a quick google search suggests that you should be able to find a certificate for half that amount or less.
As I was saying previously, any CA should do (just a self-signed certificate, i.e. one that you generate yourself, won’t).

Announcements