
I'm trying to protect my programs against cracking and reverse engineering. I wrote the programs in C++ (Visual Studio 2010) and I also wrote simple encryption algorithms in assembler. The algorithm is added to the EXE file and makes it harder to crack, because it is loaded before the main program. This wasn't a hard job. But... now I have a lot of false positives, about 50% on virustotal.com. I have the same problem when I try to use only the UPX packer :( ...Every time. I modified the algorithms many times but without success.

Can someone help me, please? Thank you.

  • I don't think there's any way around this. If you could encrypt an executable without triggering AV software, then so could the people writing malware. – Harry Johnston Jul 23 '12 at 03:24
  • See comment below - the IEEE malware-wg has been working on this, and the solution is now here (waiting on CA contract). The security vendors are under an NDA, but I'm not, being an SPV (software protection vendor) - author of the classic PECompact. – dyasta Jul 23 '12 at 12:42

1 Answer


A new project called the Taggant is being developed (done now). This embeds a signed marker into the file that identifies the licensee of the packer, as well as the packer vendor. This will help to alleviate false positives, once it is done. Right now we are waiting for the CA agreement to be finalized, then for everyone to implement it (on both sides), so it will be a while.

To get any REAL action taken, you must join this group. If you are a legitimate vendor, I can help you join, but you must be a legitimate vendor. If this is to protect your malware or cracks, then obviously they wouldn't qualify you.

In the meantime, you can report false positives (or find where to report them) at the site dedicated to such - http://falsepositivereport.org

You can also MAKE SURE your files are Digitally Signed after compression/protection. The history of your digital cert will say a lot about how likely false positives might be.

– dyasta
  • I hope there's a plan in place for detecting malware that uses a certificate stolen from a legitimate vendor to flag itself as a false positive? – Harry Johnston Jul 24 '12 at 00:14
  • There is. I cannot comment much more for two reasons. One, every company behaves differently, and two, I don't know their full 'classified' plans. However, I have expressed every conceivable concern to them, trust me. Right now we continue to wait for this CA agreement to be signed, which is making me wonder what's going on. They contracted the library to be developed, got it all done, and now we're just sitting, waiting on a stupid CA agreement. The bad news is there will be a charge for the cert, but it shouldn't be more than a few dollars (like <$5). The details remain to be revealed though :o. – dyasta Jul 28 '12 at 20:30
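As an added example (not the answerer's code and not part of the Taggant project), the following script illustrates the advice to make sure a file is signed after packing: it walks the PE headers to the IMAGE_DIRECTORY_ENTRY_SECURITY data directory and checks whether an Authenticode WIN_CERTIFICATE table is present. The sample PE images are constructed inline and are not real binaries.

```python
"""Check whether a PE file still carries an Authenticode signature
after packing, by locating its IMAGE_DIRECTORY_ENTRY_SECURITY entry.
Sample PE images below are constructed inline, not real binaries."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob

def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20              # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # Data directories begin at +96 (PE32) or +112 (PE32+); 8 bytes each.
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    offset, size = struct.unpack_from("<II", pe, dirs + SECURITY_DIR_INDEX * 8)
    return (offset, size) if offset and size else None

def has_authenticode(pe: bytes) -> bool:
    """True when the table holds a WIN_CERTIFICATE of type PKCS_SIGNED_DATA."""
    entry = security_directory(pe)
    if entry is None or entry[0] + 8 > len(pe):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, entry[0])
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= entry[1]

def build_sample_pe(signed: bool, plus: bool = True) -> bytes:
    """Constructed minimal PE image, optionally with a certificate table."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + b"\0" * 20                                   # empty COFF header
    opt = bytearray(240 if plus else 224)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 8
        struct.pack_into("<II", opt, (112 if plus else 96) + SECURITY_DIR_INDEX * 8,
                         len(hdr) + len(opt), len(cert))
    return bytes(hdr + opt + cert)

if __name__ == "__main__":
    for label, signed in (("packed+signed", True), ("packed only", False)):
        print(label, "->", has_authenticode(build_sample_pe(signed)))
```

Presence of the table is only the first check: the Authenticode hash covers the packed sections, so a signature applied before packing no longer verifies and the file must be re-signed afterwards, then validated with a real verifier such as `signtool verify`.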