I created/updated an installation application with C#, which installs files into the AppData/Roaming folder of the user. This installer loads and reads an XML file from a server, then copies files from this server to the local computer via the HTTP protocol.

Since the latest modification, which was just minimal (only the address of the server where the XML and the files to copy are located has been changed / it's just a string constant), several virus scanners report different trojans when a user tries to download the executable installer. The URL inside the installer points to a recently registered .de domain which is surely not listed on any blacklist or something like this.

And of course, the development environment is clean and the executable installer is NOT infected at all. These warnings from scanners such as "Windows Defender", "Kaspersky" etc. only occur during the download process; some other scanners report nothing but a clean file anyway. After the executable is stored in quarantine by these scanners and re-scanned, none of them finds any trojan or virus in this file either.

How can I avoid this false positive? Does anyone have an idea?

Mike
Doerk

Comments:
  • Did you sign your installer? – Lasse V. Karlsen Sep 18 '18 at 06:47
  • One first step would be to check with virustotal which engines give you false positives. Second step would be getting in contact with the AVs so they can whitelist it. Unsigned exes are usually marked as suspicious by the heuristics and could be false positives if other factors sum up, like those HTTP requests. Looks like it is being flagged in the behavioral analysis. – Cleptus Sep 18 '18 at 07:06
  • Thank you. The problem with whitelisting is that the executable is renamed for different installation purposes, meaning it's always the same exe, but with currently >20 names. About signing, no. Is there a tutorial or something like this which describes how this can be done? I never cared about such issues, because before the last update no scanner recognized it as dangerous or suspicious. – Doerk Sep 18 '18 at 08:45
  • If you meant whether the data is set in assembly.cs, yes, this is done, but there is no certificate and Windows reports it as an executable of an unknown publisher. – Doerk Sep 18 '18 at 08:56

1 Answer

In the meantime I figured out that the type of trojan which is found by virustotal.com depends on the content of AssemblyInfo.cs, especially on [assembly: Guid("...")]. As soon as I vary this string, different trojans with different names are found.

I also tried to remove some functions, especially those which use any file accesses, directory searches etc., but this has no effect at all.

The code also contains a hard-wired domain name, which starts with "http://". When I change this to "https://", fewer scanners detect malware code.

And of course, I scanned my system with several antivirus apps; none of them reported anything.

Doerk
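The comments point at the two properties that heuristic engines weigh most heavily here: an unsigned executable, and a download channel over plain HTTP with no integrity check on what is written into the user's profile. The following is an added example, not the asker's installer code, showing the download step done in a way that removes those signals: the manifest and every file are fetched only over HTTPS, each file's SHA-256 is checked against the value the manifest carries before it is written under AppData\Roaming, and the target file name is stripped of any path component. The manifest URL, the element and attribute names, and the application folder name are assumptions for the example.

```csharp
// Added example (not the original installer). Assumes a hypothetical manifest at
// https://example.invalid/manifest.xml shaped like:
// <manifest>
//   <file name="app.dll" url="https://example.invalid/app.dll" sha256="..."/>
// </manifest>
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Xml.Linq;

static class SecureInstaller
{
    // Placeholder server; the real value would be the installer's own constant.
    static readonly Uri ManifestUri = new Uri("https://example.invalid/manifest.xml");

    // Hypothetical application folder under %AppData% (Roaming).
    static readonly string TargetDir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "ExampleApp");

    static async Task Main()
    {
        using (var http = new HttpClient())
        {
            RequireHttps(ManifestUri);
            string xml = await http.GetStringAsync(ManifestUri);
            // XDocument.Parse prohibits DTD processing by default, so an XML
            // manifest cannot pull in external entities.
            XDocument manifest = XDocument.Parse(xml);
            Directory.CreateDirectory(TargetDir);

            foreach (XElement file in manifest.Root.Elements("file"))
            {
                var url = new Uri((string)file.Attribute("url"));
                RequireHttps(url);

                // GetFileName drops directories, so a manifest entry cannot
                // escape the target folder with "..\" sequences.
                string name = Path.GetFileName((string)file.Attribute("name"));
                string expected = (string)file.Attribute("sha256");

                byte[] data = await http.GetByteArrayAsync(url);
                string actual = Sha256Hex(data);
                if (!string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidDataException(
                        $"Hash mismatch for {name}: expected {expected}, got {actual}");

                File.WriteAllBytes(Path.Combine(TargetDir, name), data);
                Console.WriteLine($"Installed {name} ({data.Length} bytes, sha256 verified)");
            }
        }
    }

    // Refuse anything that is not https so the update channel cannot be
    // altered in transit; this is also the change the answer reports as
    // reducing detections.
    static void RequireHttps(Uri uri)
    {
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException($"Refusing non-HTTPS URL: {uri}");
    }

    // Works on .NET Framework as well as .NET Core/5+.
    static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }
}
```

The hash check only helps if the manifest itself is trustworthy, which is why it too is fetched over HTTPS; the server's TLS certificate is what ties the manifest to the operator. Signing the installer is a separate, build-time step (Authenticode via signtool with a code-signing certificate) and is what removes the "unknown publisher" state the asker describes; because the signature covers the file contents and not its name, renaming the same signed exe for different installations does not invalidate it.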