RandomEngy / VidCoder

A Blu-ray, DVD and video file transcoder for Windows.
http://vidcoder.net
GNU General Public License v2.0

Emsisoft Anti-Malware showing firewall modification attempt and isolating program when installing latest #693

Open astinson opened 3 years ago

astinson commented 3 years ago

I have been using this software without issue for a while up until I installed the latest update. Emsisoft (which I heavily rely on and believe in) issued the following warning after installing and then running your latest software:

10/4/2020 1:37:18 AM Behavior Blocker detected suspicious behavior "FirewallModification" of C:\Program Files\VidCoder-Beta\VidCoder.exe (SHA1: 83344A68527381F57D389A60DDCAC1EF1ED54C98)

10/4/2020 1:37:20 AM A notification message "Suspicious behavior has been found in the following program: C:\Program Files\VidCoder-Beta\VidCoder.exe" has been shown

10/4/2020 1:37:29 AM User "DESKTOP-Oxxxxx\xxx" clicked "Wait, I think this is safe"

RandomEngy commented 3 years ago

I periodically get anti-malware false positives on VidCoder. Some day I may cough up the $80 per year that's needed to do code signing, which may reduce these incidents.

VidCoder doesn't do any firewall modification, so not sure why this particular rule was tripped.

sr55 commented 3 years ago

Signing doesn't actually prevent false positives. They still happen. About the only thing it does is charge you money to get rid of an annoying user prompt.

The irony is, it's easier for scammers to get a certificate than it is for you, and there is nothing stopping them from cloning your code, adding a malicious payload and signing it.

RandomEngy commented 3 years ago

I assume that a certificate associated with a malicious payload would not be well trusted in terms of AV or Smartscreen. I suppose that not all AV makers are going to have trust ratings for different code signing certificates, as evidenced by HandBrake still running into those issues.

sr55 commented 3 years ago

AV vendors shouldn't be trusting a certificate. Top-tier certificates, often stolen reputable ones or purchased new, are attainable if you are on the wrong side of the law. As such, you still need file-level reputation to build up. This means, in all likelihood, you'll still see false positives post-signing in the first weeks of a file being available.

I believe SmartScreen can also take a few days to recognise a newly signed file unless you do the very expensive extended validation certs.

There is a nice benefit in that they can revoke the certificate and Windows will (hopefully, I've never checked) bork if you try to open the file, regardless of any AV issues.

RandomEngy commented 3 years ago

I have a friend that worked on SmartScreen and he informs me that a normal cert will allow signed files to share reputation/download counts with other files signed by the same cert. So in that case new files can be immediately trusted. The special extended validation certs are for if you want to skip the normal process of building reputation.

Though he's no longer on the team and it's possible they've changed it. Do you have some more up to date information you can point me to?

sr55 commented 3 years ago

Nope. Just going on experience. Next time I issue a signed update, I'll double check the behaviour. It's not something I follow too closely as it honestly hasn't been a problem on the SmartScreen side.
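For anyone triaging a report like the one above, the two things worth checking on the flagged binary are whether the file on disk is the one the Behavior Blocker logged and whether it carries an Authenticode signature at all (an unsigned file has only per-hash reputation, which is what the signing discussion in this thread is about). The following PowerShell is an added example, not part of VidCoder or Emsisoft; the path and SHA1 are the ones from the log line in the opening comment, and the script assumes it is run on the machine where that file was installed.

```powershell
# Added example (not VidCoder project code): compare the installed binary with the
# hash the Behavior Blocker logged, then report its Authenticode signature status.
$Path         = 'C:\Program Files\VidCoder-Beta\VidCoder.exe'          # from the log line
$ExpectedSha1 = '83344A68527381F57D389A60DDCAC1EF1ED54C98'               # from the log line

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 1. Does the file on disk match the one the AV flagged? A mismatch means the
#    flagged file has since been replaced (update, reinstall, or tampering).
$actualSha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
if ($actualSha1 -eq $ExpectedSha1) {
    Write-Host "SHA1 matches the hash in the Behavior Blocker log."
} else {
    Write-Host "SHA1 differs from the logged hash. On disk: $actualSha1"
}

# 2. Signature status. NotSigned means there is no certificate for SmartScreen or
#    AV to associate reputation with; anything other than Valid on a signed file
#    (e.g. HashMismatch, NotTrusted) indicates the file or its chain should not be trusted.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Host ("Signature status : {0}" -f $sig.Status)
Write-Host ("Status message   : {0}" -f $sig.StatusMessage)

if ($null -ne $sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    Write-Host ("Signer           : {0}" -f $cert.Subject)
    Write-Host ("Issuer           : {0}" -f $cert.Issuer)
    Write-Host ("Thumbprint       : {0}" -f $cert.Thumbprint)
    Write-Host ("Valid until      : {0}" -f $cert.NotAfter)
} else {
    Write-Host "No signer certificate: the binary is unsigned, so reputation is tracked per file hash only."
}
```

Run it from an elevated or normal PowerShell session; neither cmdlet modifies the file.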