LiEnby / FlashPatcher

.NET program to remove timebomb from Adobe Flash Player
MIT License
128 stars 19 forks source link

Heur.AdvML.C detected: Flash.Patcher.exe removed by Norton #19

Open bobberlin opened 2 years ago

bobberlin commented 2 years ago

Wanted to install your 1.7 flash patcher but Norton removed it due to risk: Heur.AdvML.C. Has a virus got into your exe, or is there another explanation ? thanks, bob

iocmet commented 1 year ago

This patches system files to make flash works like viruses does it to inject payloas so antiviruses gives false positive detects

LiEnby commented 1 year ago

This patches system files to make flash works like viruses does it to inject payloas so antiviruses gives false positive detects

yes, for some reason, flash installs itself to system32 folder, and using highest possible windows permission "TrustedInstaller" .. so this program has got code to change the permissions of the flash player to "administrators" so that it can be edit.

this application also makes use of the scheduled tasks API to disable that 'please uninstall flash' nag message .. which is also something often abused by viruses (i.e to make themselves run as startup, or to elevate privileges)

if you look at that detection, you'll see its got Heur, which is for "heuristics" which is basically a fancy thing to rather than detect already known virus, it try to look at what the code of a program see what it is is doing and determine purely from that if it is malicious or not; so, it makes sense if its seeing those things