taviso / hotcorner

Tiny Hot Corners for Windows 10
GNU General Public License v3.0

Malicious binary #5

Closed Polyterative closed 7 years ago

Polyterative commented 7 years ago

Current binary is positive on Chrome and has some positives on virustotal.

taviso commented 7 years ago

The binary is fine, it's a false positive... sigh. I don't know what to do about that. Any ideas?

paragonie-scott commented 7 years ago

I left a comment on the Virus Total page showing the output of wget + sha256sum which matches the checksum for that "malicious" entry.

The only effective weapon against the AV industry seems to be loud public shaming. Which is a shame, because so many people believe it helps.

taviso commented 7 years ago

Thanks Scott. Apparently BitDefender won't even let you compile the source code (!?!?!)

https://twitter.com/formally_eLVis/status/813069990597455872

Unbelievable.

paragonie-scott commented 7 years ago

See #6 with an extra dose of troll-face

vcsjones commented 7 years ago

@taviso So I know this probably isn't the answer that you're looking for, but I Authenticode signed hotcorner.exe and the results on VirusTotal are much better: https://virustotal.com/en/file/bf9ebefe294b1f514c7346398ce21c641d5ab33947f3a4be9eeda59b35fca45d/analysis/1482857740/

Authenticode takes a significant role in AV vendors deciding the trustworthiness of an executable.

taviso commented 7 years ago

I suppose I can sign release builds, even though that makes no sense ;-)

I'm told that some AV products won't even let you compile the code, so that won't help there though. Sigh, we'll have to just do the best we can.

mugundhan commented 7 years ago

Compiled with VS2015. 2/56 https://www.virustotal.com/en/file/96fafa1eb476d4fa8c77dbe68ac42c80896e9b014ee6ddd54d3732c2a2003d0f/analysis/

EDIT: I just turned on optimization, LOL, it made it into 2/56. X64 release is 0/56 https://www.virustotal.com/en/file/ebb354dfe45558b405de606af868e197bc94f41d00424f0cbfb584a70304a45c/analysis/1482970190/

taviso commented 7 years ago

Optimization is enabled by default in the Makefile, but I can see in those links that you've added a whole bunch of imports from VCRUNTIME140.DLL and others.

I think you must be using the GUI, and enabling some checkboxes in the build options?

I suspect that because you're just adding a dependency on the Visual C++ Redistributable but not including it, the antivirus emulators aren't working. If the binary has missing dependencies it can't be emulated, but obviously it won't work when users try to run it either...

(Note that I rather like having absolutely minimal dependencies!)
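As an added check for the point above (example code, not part of the hotcorner project), the following parser walks a PE file's import directory so a stray dependency on VCRUNTIME140.DLL or the other Visual C++ Redistributable DLLs shows up before a build is uploaded; it assumes only the documented PE32/PE32+ header layout.

```python
"""Added example (not hotcorner project code): list the DLLs a Windows PE
imports, and flag those that come from the Visual C++ Redistributable."""
import struct

# Offset of the data directory inside the optional header, by magic
# (0x10B = PE32, 0x20B = PE32+). Directory entry 1 is the import table.
_DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}
# Runtime DLLs that a clean Windows install (or an AV emulator) may lack.
REDIST_PREFIXES = ("VCRUNTIME", "MSVCP", "MSVCR")


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for virt_addr, virt_size, raw_ptr, raw_size in sections:
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            return rva - virt_addr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def imported_dlls(data):
    """Return the DLL names in the import directory of PE image bytes `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    import_rva = struct.unpack_from("<I", data, opt_off + _DATA_DIR_OFFSET[magic] + 8)[0]
    sections = []
    for i in range(nsections):  # section headers follow the optional header
        virt_size, virt_addr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt_off + opt_size + 40 * i + 8)
        sections.append((virt_addr, virt_size, raw_ptr, raw_size))
    dlls = []
    desc = _rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]  # descriptor.Name
        if name_rva == 0:  # an all-zero descriptor terminates the table
            break
        name_off = _rva_to_offset(name_rva, sections)
        dlls.append(data[name_off:data.index(b"\x00", name_off)].decode("ascii", "replace"))
        desc += 20  # IMAGE_IMPORT_DESCRIPTOR is 20 bytes
    return dlls


def redistributable_imports(data):
    """Imports that are only present once the VC++ Redistributable is installed."""
    return [d for d in imported_dlls(data) if d.upper().startswith(REDIST_PREFIXES)]
```

A build that only imports KERNEL32/USER32 and the like returns an empty list from redistributable_imports; anything it does return is a DLL the emulator, and a user's clean machine, may not have.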

mugundhan commented 7 years ago

My bad, thanks for explaining.

taviso commented 7 years ago

I guess I have no option other than to buy a code signing certificate.

Note that all the big CAs (Comodo, Symantec, etc) are also antivirus vendors, it's like a protection racket 👎

I'm not really thrilled about sending them a copy of my ID, but I'll do it when I get a chance.

paragonie-scott commented 7 years ago

Maybe you can get one directly from Microsoft? It's not great, but at least they're not primarily in the ~infographic and snake oil~ antivirus business.

taviso commented 7 years ago

Thanks Scott, I'll look into it.

I noticed that adding VERSIONINFO seems to reduce detections, maybe that will do for now.

https://github.com/taviso/hotcorner/blob/master/version.rc

vcsjones commented 7 years ago

@paragonie-scott I don't believe Microsoft has code signing certs available to the general public. They will always defer to their CA partners, even for things like driver and LSA signing.

@taviso Interesting on the version info. It might be possible (but I am not in a position to check myself) that adding an app.manifest with supportedOS elements may improve it further. For what it's worth, if you still decide a signing cert may be beneficial, I have used DigiCert without any trouble. To my knowledge they do not sell AV software, white label or otherwise. They are the CA that I used to sign it in my earlier comment.

taviso commented 7 years ago

Thanks, I'll give it a shot. The problem with the authenticode solution (apart from getting a certificate) is that it doesn't help anyone who wants to build their own modified version - I'm told BitDefender won't even let you compile the code (?!).

I'm crossing my fingers that it doesn't care about the intermediate object files, so adding the VERSIONINFO is enough to make it shut up?

vcsjones commented 7 years ago

> I'm told BitDefender won't even let you compile the code (?!).

A long time ago we ran into a similar situation when working on automation software. We had to get IT to configure our AV (TrendMicro, I think it was) to ignore our source code directories and their bin directories because it quarantined every binary the compiler produced. Glad to see nothing's changed since 2008.

> so adding the VERSIONINFO is enough to make it shut up

I hope so.