I'm developer. How to NOT have the app I sell (.exe) "File might be dangerous"

eh.ouais · 2017-07-18T11:15:02.000Z

I’m a developer. I sell an application, that people download from my website, in a zip. They unzip it, and run the .exe.

Then Avast does a deep scan of the file and an alert “This file might be dangerous”. :-[

How to avoid this?

Things I have tried, that don’t solve the problem:

Have proper resource.rc file in Visual C++, with details about the .exe: BLOCK “StringFileInfo”, VALUE “CompanyName”, “MyCompany\0”, etc.
Use makecert, certutil, signtool as detailed here

Things that won’t work:

Add to local avast exclusion (I can’t ask every customer to do this!)
Redo a “Submit file to Avast Lab for scan” for each new build of the .exe. It’s not scalable to have to re-submit the .exe to Avast (and all other antivirus software) for each new build.

Pondus · 2017-07-18T11:19:11.000Z

https://www.avast.com/faq.php?article=AVKB228#artTitle

https://www.avast.com/faq.php?article=AVKB229#artTitle

have you also uploaded and tested your file at www.virustotal.com ?
if not to big, upload the file inside the zip and make sure you click on rescan for a fresh result if it has been scanned before

you may post link to scan result here

eh.ouais · 2017-07-18T11:30:56.000Z

Thank you very much for your answer @Pondus, but as mentioned in original post, I can’t send the .exe to Avast (and other antivirus software, there are many!) for every single build… So I think this link is not relevant: https://www.avast.com/faq.php?article=AVKB229#artTitle

About your other link, I followed every step, and it should comply to the guidelines. Just about this:

1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.

Digital signature is always beneficial.

If the file is packed, it should have a Taggant.

Can you give more infos about vendor identifier? I’m using https://pastebin.com/PSxqv3rm, is it ok? Can you give more informations about vendor identifier?

What kind of digital signature? I did use Microsoft SDK “signtool” as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn’t change anything. Any digital signature provider recommendation?

What is a Taggant in this context?

eh.ouais · 2017-07-18T11:36:20.000Z

have you also uploaded and tested your file at www.virustotal.com ?

Thanks @Pondus. I tried it and everything is green, perfect All the 63 antivirus tested say it’s perfectly clean.

Now how to avoid the .exe file to be scanned and marked as “This file might be dangerous” for this build, and all future builds?

Sometimes I make 100 builds a year, and I cannot send the .exe 100 times per year to every antivirus software

Pondus · 2017-07-18T11:57:24.000Z

you may contact avast and ask >> https://support.avast.com/support/tickets/new?form=3

Ticket system work according to first in / first out meaning if you create a new ticket you are put back in line

eh.ouais · 2017-07-18T16:45:01.000Z

Thanks.

I did a ticket. But I got a “template” answer:

We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.

Indeed I’m a free user. Should I buy 1 license of “every antivirus software in the world” to ask them a way to avoid my customers to have my .exe banned as “might be dangerous”?

bob3160 · 2017-07-18T16:56:15.000Z

eh.ouais post:6:

Thanks.

I did a ticket. But I got a “template” answer:

We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.

Indeed I’m a free user. Should I buy 1 license of “every antivirus software in the world” to ask them a way to avoid my customers to have my .exe banned as “might be dangerous”?

Reported to Avast. Let’s see if that helps.

HonzaZ · 2017-07-18T18:27:18.000Z

To submit a false positive, you do not have to be a paid user: https://www.avast.com/false-positive-file-form.php
I just scanned this thread, but did you post a link to VT, or a hash of the file, or did you submit the file already?

eh.ouais · 2017-07-28T10:40:03.000Z

Dear @HonzaZ,

Thank you for your answer.

My question was : is there a permanent way to avoid the “File might be dangerous” message ?

As I’m making new builds of the .exe quite often, I don’t have time to re-submit the .exe to Avast, Avira, and 10+ other antivirus software each week…

I already looked at “Avast Clean Guidelines” : https://www.avast.com/faq.php?article=AVKB228
but it didn’t help me, because this is unclear:

1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.

Digital signature is always beneficial.

If the file is packed, it should have a Taggant.

Can you give more infos about vendor identifier? I’m using https://pastebin.com/PSxqv3rm, is it ok? Can you give more informations about vendor identifier?

What kind of digital signature? I did use Microsoft SDK “signtool” as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn’t change anything. Any digital signature provider recommendation?

What is a Taggant in this context?

Thank you in advance @HonzaZ.

igor0 · 2017-07-28T10:48:27.000Z

Digital signature is the answer (but using a real certificate issued by a common CA, not a self-signed one; could be generally any CA that Windows itself trusts).
Note that it doesn’t start working right away, our systems need to see some samples and gather a “reputation” first.

eh.ouais · 2017-07-28T14:08:54.000Z

Thanks @igor for your answer.

Could I send you the file in PM to know more about what could be the reason for being detected “positive”? (I already submitted the file as false positive and already tried virustotal, but I can’t find the real reason for triggering a false positive).

Would you have an example a “real certificate” provider? (Unfortunately, more than 50 or 100$ certificates is not an option for small developers.)

Thanks in advance @igor.

Pondus · 2017-07-28T14:15:36.000Z

If you post link to virustotal scan result here, then they can fetch the file from virustotal
alternative post file MD5 here

igor0 · 2017-07-28T15:24:13.000Z

I’m not sure what screen exactly you are referring to, but I don’t think the file is detected as “positive”; the deep screen is triggered by the fact that the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher (= a software publisher known to be producing harmless files). In other words, there’s nothing specific inside the file that would be the cause of the scan (not talking about the outcome of the scan, that would depend on the content of course).

The label “might be dangerous” means it’s rare, unknown - and a deeper checking is needed to conclude the file is OK. But an actual false positive should be showing a name of the detected virus (and would remove the file from disk and put it to the Virus Chest - is it the case here?).

As for the Authenticode signature - anything where you (and your users) can rightclick the file and successfully verify the signature from the file’s Properties / Digital Signatures should work. I’m afraid I don’t have any list, but I’d say basically any certification authority should work (unless they explicitly said than you first need to import their root certificate into the Windows store for the signature to validate… I’m not sure if any such CA even exists).

eh.ouais · 2017-07-29T13:21:17.000Z

You’re right @Igor, it’s not exactly a false positive, but rather “the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher”, true.

In the case it’s because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?
Or can you send me your email in PM @Igor ?
It would help me a lot for future builds.

About digital signature, does someone have an idea?

Thank you very much.

Asyn · 2017-07-29T14:07:16.000Z

eh.ouais post:14:

In the case it’s because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?

See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php

eh.ouais · 2017-07-29T14:35:52.000Z

See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php

Thanks but this won’t tell me 1. what is the reason, 2. how to improve my code / .exe to avoid this in the future.

This will only help to whitelist my .exe, right? (I can’t do this manual submission to 50+ antivirus software for each new build…)

Asyn · 2017-07-29T14:45:37.000Z

eh.ouais post:16:

This will only help to whitelist my .exe, right?

Yep.

igor0 · 2017-07-29T15:55:13.000Z

As I was trying to say, there is no reason other than that the file is simply new; I wouldn’t see anything inside. There’s nothing to change in the file - a new file will always be new (where “new” means “not previously seen on our userbase”).
The deep scan inspects the content, sure, but it doesn’t find anything wrong and doesn’t call your file malicious, does it?

Whitelisting a specific file may even be unnecessary - if the number of users of the application isn’t really small. As soon as the file starts spreading amongst various users, the file stops being “rare” and stops being deepscreened, automatically.

But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature “trumps” the reputation of the particular file).

eh.ouais · 2017-07-30T10:06:08.000Z

This is (see attached screenshot) the popup that was displayed recently. (I’ve had other popups in the past)
After 15 seconds, it says it’s ok. But still it would be bad for reputation if a customer sees this popup.

My app asks for admin privileges, has a systray icon (thus main window hidden by default, like Avast for example ), could this be the reason?

chris... · 2017-07-30T12:09:43.000Z

igor post:18:

But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature “trumps” the reputation of the particular file).

As often, it is the small developers who pay the fees, especially when they often have to modify their programs and the difficulty that they have from their status, to obtain a certificate.

But I also understand that antivirus do this, otherwise it is the door open to the spread of malicious software

@eh.ouais (et oui quoi ) : I do not know the notoriety, the circle (private, public) of the users nor the utility of your tool but can not you prove, to pass the trust/fair to your customers / users?

I am an user of a healthy tool proposed by a “small” developer.
The tool is also often modified (twice a month) and avast shows me the same message of mistrust, but I authorize it with each change without having to wait for the response of the avast verification.

Of course, I do so knowingly and I do not know if in your case your clients can do this. ???

Announcements