False Positive Trojan warning major problems
#1
I have several free programs out for Search and Rescue, which keep showing up as a "false positive" for some kind of virus.

As a result, in the last 6 months or so, it has become nearly impossible for people to install my programs.
Firefox blocks the installation package on download.
Microsoft Windows 10 tries to block it with both an anti-virus system followed by a certificate problem (I have no certificate as I cannot afford the huge yearly fees).

Yesterday I got a panic call from a New Zealand Search and Rescue organisation, that suddenly on all their computers the main program literally disappeared while they were using it, including the icon on the desktop. Right in the middle of a life-and-death operation.

So, somewhere in my 250,000 lines of source code is something which generates a sequence of bytes in the executable which triggers some anti-virus programs.

- How can I locate the exact position of this sequence in the executable?
- How can I somehow reverse engineer (decompile) the executable to the point that I can then locate where in the source code the problem is?

Bart
---
Bart Kindt
CEO and Developer
SARTrack Limited
New Zealand
www.sartrack.nz
#2
(10-02-2023, 07:02 PM)BartKindt Wrote: So, somewhere in my 250,000 lines of source code is something which generates a sequence of bytes in the executable which triggers some anti-virus programs.

More likely, it is simply your use of the Delphi RTL in general. There are plenty of malicious virus/malware in the wild that are written in Delphi, and so it is not uncommon for ordinary Delphi programs to sometimes get flagged as false positives because they share common RTL code.

(10-02-2023, 07:02 PM)BartKindt Wrote: - How can I locate the exact position of this sequence in the executable?

You can't, because you don't know what definitions are being used to trigger the alert in the first place. All you can do is submit your app to the anti-virus/malware companies for review and hope they stop flagging it.

(10-02-2023, 07:02 PM)BartKindt Wrote: - How can I somehow reverse engineer (decompile) the executable to the point that I can then locate where in the source code the problem is?

There are plenty of decompiler tools available (IDA, etc), but you can't recover source code from decompiling, and that won't help you in this situation anyway.

Your best bet is to get yourself a code signing certificate. There are cheap options available.

#3
I ran one of the main programs through virustotal.com. Of the 65 anti-virus companies, two showed a problem, and one showed:
Trojan.Generic@AI.94 (RDML:KYUAkVKwu...
Where I assume the "KYUAkVKwu" is the first part of the signature they found. I tried to find the full signature of this "Trojan.Generic@AI.94" but can't find a database anywhere which shows this.

I have tried to write a program to read all readable text from the executable and locate this string of characters, but nothing showed up.

I am looking at an 'EV Code Signing Certificate' but I don't think USD $500 every year can be considered to be 'cheap' for a free software package...
#4
(10-03-2023, 07:56 PM)BartKindt Wrote: I ran one of the main programs through virustotal.com. Of the 65 anti-virus companies, two showed a problem, and one showed:
Trojan.Generic@AI.94 (RDML:KYUAkVKwu...
Where I assume the "KYUAkVKwu" is the first part of the signature they found.

That is a pretty broad assumption to make.

(10-03-2023, 07:56 PM)BartKindt Wrote: I tried to find the full signature of this "Trojan.Generic@AI.94" but can't find a database anywhere which shows this.

Makes sense that anti-virus/malware companies would not make their definitions/signatures public.

(10-03-2023, 07:56 PM)BartKindt Wrote: I have tried to write a program to read all readable text from the executable and locate this string of characters, but nothing showed up.

Of course, because that is not machine code or even app data, so you will not find it in your executable.

(10-03-2023, 07:56 PM)BartKindt Wrote: I am looking at an 'EV Code Signing Certificate' but I don't think USD $500 every year can be considered to be 'cheap' for a free software package...

There are plenty of certificate services available that are a fraction of that price. The cheapest ones I can find with a quick online search are $119/yr, $129/yr, $199/yr, $219/yr, etc. That's less than $20/mo.

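The string search Bart describes, as an added example that is not code from the thread or from SARTrack: it pulls out both ASCII and UTF-16LE strings (Delphi builds store many strings as wide characters, which a plain ASCII scan misses) and then looks for a given token in either encoding. The sample bytes are constructed to stand in for a slice of a PE image; running it shows that a vendor's detection label such as "KYUAkVKwu" is not present in the file's bytes, while genuine program strings are.

```python
import re

# Constructed stand-in for part of a Delphi-built executable (not SARTrack's binary):
# a fake header, an ASCII string, a UTF-16LE string, and a few code-like bytes.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0, 32)) * 2            # header-ish, no printable runs
    + b"SARTrack Map Window\x00\x00"                   # narrow (ASCII) string, offset 68
    + "SARTrack Limited".encode("utf-16-le") + b"\x00\x00"  # wide string, offset 89
    + b"\x8b\xff\x55\x8b\xec\x83\xec\x10"               # code-like bytes
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def find_string(data: bytes, needle: str) -> list[int]:
    """Byte offsets at which needle occurs, encoded either as ASCII or as UTF-16LE."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        start = 0
        while (i := data.find(pat, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


if __name__ == "__main__":
    print(extract_strings(SAMPLE))              # real program strings, both encodings
    print(find_string(SAMPLE, "SARTrack"))      # found at the narrow and the wide copy
    print(find_string(SAMPLE, "KYUAkVKwu"))     # detection label: not in the bytes -> []
```

On a real file, read it with `open(path, "rb").read()` in place of `SAMPLE`; an empty result for the vendor label is the expected outcome, since that label names the rule that fired, not bytes stored in the program.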
#5
(10-04-2023, 04:08 PM)rlebeau Wrote: There are plenty of certificate services available that are a fraction of that price. The cheapest ones I can find with a quick online search are $119/yr, $129/yr, $199/yr, $219/yr, etc. That's less than $20/mo.

Not an "EV" one. And even then you have to buy 3 years at a time. And pay for the hardware and shipping. The very cheapest one is $856 for a 3-year period. But it looks like developers no longer have a choice in the matter.
#6
(10-05-2023, 07:40 AM)BartKindt Wrote: Not an "EV" one. And even then you have to buy 3 years at a time. And pay for the hardware and shipping. The very cheapest one is $856 for a 3-year period.

A quick online search finds several EV certificates that are less than $300/yr without multi-year commitments.

#7
(10-05-2023, 08:02 PM)rlebeau Wrote: A quick online search finds several EV certificates that are less than $300/yr without multi-year commitments.

Why can I not find these then?
Please shoot me a link to one of these at info@sartrack.nz.
Thanks, Bart
#8
(10-05-2023, 08:08 PM)BartKindt Wrote: Why can I not find these then?

Weak searching kung-fu skills?

(10-05-2023, 08:08 PM)BartKindt Wrote: Please shoot me a link to one of these at info@sartrack.nz.

All I did was search for things like "cheap code signing certificate ev" and "cheap code signing ev certificate" and go down the list looking at each site whose description was below $500. Not hard to find.
