basil00 / WinDivert

WinDivert: Windows Packet Divert
https://reqrypt.org/windivert.html

viruses are detected in VirusTotal. #210

Closed nicekon closed 5 years ago

nicekon commented 5 years ago

We developed an application using WinDivert. But viruses are detected in VirusTotal. Why is that?

TechnikEmpire commented 5 years ago

Because people have obviously flagged WinDivert as a potentially unwanted program.

basil00 commented 5 years ago

Why is that?

Recently it was reported that WinDivert is being used by a new class of malware (Nodersok/Divergent). I think what has happened is that some lazy/incompetent anti-virus writers have then associated the WinDivert.dll/WinDivert64.sys files with the malware and thus flag anything that uses these files, legitimate or not. All of the VirusTotal flags are false detections; WinDivert itself is not a virus/malware.

Unfortunately, since WinDivert is a free/open tool, there is not much we can do to prevent WinDivert being used by malicious programs as well as legitimate programs, and I have already consulted with experts on the subject.

However, one thing that we can do is make WinDivert easier to detect, which is why I implemented the REFLECT layer, system events, and the WinDivertTool.exe to find all programs that are using WinDivert. It is easy to find what (if any) programs are using WinDivert and, in more recent versions of WinDivert, additional information such as the layer, flags and the filter string. Anti-virus writers ought to analyze this information to target the actual application using WinDivert and not WinDivert itself. The problem is that a blanket ban also blocks legitimate applications, meaning that people may disable the AV.

One final thought is that WinDivert needs Administrator access to use. This is the same security model as similar tools such as divert sockets (BSD) and netfilter_queue (Linux), which inspired WinDivert. This also means that if a malicious program is using WinDivert then the malicious program already has Administrator access, which basically means your system is already pwned and WinDivert is the least of your worries.

Sorry for the rant.

TechnikEmpire commented 5 years ago

A thought I had here is, what happens if you digitally sign the WinDivert DLL and the app or DLL linking to it? I mean, I wonder if an EV cert attached to the broader executable would stop these AVs from flagging it.

basil00 commented 5 years ago

Signing may help, depending on how the AVs score these things. I am not sure.

TechnikEmpire commented 5 years ago

Yeah that was my thought, either the SIG changes or it gets a pass for having an EV cert applied.

basil00 commented 5 years ago

I've tried the latest release (version 2.2.0) with VirusTotal and it comes up clean (0/71 detections). Let's see how long that lasts.

nicekon commented 4 years ago

[image attachment]

2020/03/17

It is displayed as a coin miner in Microsoft.

basil00 commented 4 years ago

@nicekon That image is for UnicornHTTPS.exe? I don't know about that program, but it is not part of WinDivert.

nicekon commented 4 years ago

@basil00 The program was developed using WinDivert. When WinDivert was updated to the latest version, the problem disappeared, but the problem is occurring again now.

basil00 commented 4 years ago

It is not clear to me that WinDivert is the problem here. When I upload the latest release to VirusTotal I only get two detections from some smaller/unknown AVs.

Also, the best way to deal with the problem is to file a false detection report with the AV vendor.