2

I've written a small C++ program which checks whether the Windows clipboard content has changed and prints the type of that content. I compiled the program to an .exe file using Windows Visual Studio 2019 and it was blocked by Windows Defender (the file was removed). Why did that happen and how can I prevent it?

Of course, if I open Windows Defender and mark my file as "not a virus" then all works fine, but how can I prevent blocking on customers' computers? Do I need to create some "manifest" file..?

Sorry if the question is dumb, I'm new to the C++ world.

#include <iostream>
#include <io.h>
#include <fcntl.h>
#include <Windows.h>
#include <conio.h>

int main()
{
    DWORD m_lastClipboardSequenceNumber = GetClipboardSequenceNumber();

    while (1) {
        Sleep(100);
        const DWORD newClipboardSequenceNumber = GetClipboardSequenceNumber();

        if (newClipboardSequenceNumber == m_lastClipboardSequenceNumber)
            continue;

        if (IsClipboardFormatAvailable(CF_UNICODETEXT)) {
            std::wcout << "CF_UNICODETEXT\n";
        }

        if (IsClipboardFormatAvailable(CF_HDROP)) {
            std::wcout << "CF_HDROP\n";
        }

        if (IsClipboardFormatAvailable(CF_BITMAP)) {
            std::wcout << "CF_BITMAP\n";
        }

        m_lastClipboardSequenceNumber = newClipboardSequenceNumber;
    }

    return 0;
}
Denis Povarov
  • 21
  • 1
  • 3
  • 2
    If you could block Windows Defender by writing a manifest file then every virus under the sun would do the same thing. Clearly Windows Defender thinks monitoring the clipboard is a suspicious thing to do, so I think you're just going to have to live with that. – john Aug 08 '19 at 07:18
  • But I'm not getting the clipboard content, just watching if its content has been changed. Also, GetClipboardSequenceNumber is a Windows API, so it is open to use it and it is used exactly for watching the Windows clipboard. – Denis Povarov Aug 08 '19 at 07:20
  • Your method of watching the clipboard is too abusive, so maybe that's why Windows Defender is blocking your code. – Afshin Aug 08 '19 at 07:22
  • Looks like you wrote some kind of logger. I'm not surprised that the virus scanner thinks it's suspicious. Chain this with another program that reads the clipboard on std input and you can see everything that's copied. Sounds like a recipe for a virus. However, it is strange that Microsoft blocks something they suggest themselves: https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard – JVApen Aug 08 '19 at 07:27

2 Answers

2

Sounds like your issue isn't with C++ at all and more just with Windows, more precisely, Windows Defender. The issue here, to my knowledge, is that Windows Defender started by default not allowing .exe files from unknown sources to be run on the computer without Admin privileges. This is an issue you cannot fix remotely, otherwise that would massively undermine the existing usefulness of Windows Defender, as malicious actors could just use that to run their exploits.

Steps you could take to possibly fix this for your use case: if you have access to the computers you want to run this on, try adding your distribution method to trusted sources. Alternatively, try signing it with a key and adding that signature to trusted.

NightDice
  • 116
  • 7
2

I personally think that since your method for watching the clipboard is too abusive, Windows Defender is blocking your code.

Try monitoring the clipboard section and registering listeners for clipboard changes to see if the same thing happens or not. Your code will be much more complex, since you will need to create a window loop for receiving messages, but I think it will be OK that way.

Afshin
  • 8,839
  • 1
  • 18
  • 53
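
The listener approach suggested in the answer above, as an added example (not code from the question or from either answerer): a message-only window registered with AddClipboardFormatListener receives WM_CLIPBOARDUPDATE once per change instead of polling every 100 ms. The window class name and the describeFormats helper are hypothetical, and the non-Windows branch exists only so the helper compiles elsewhere.

```cpp
#include <functional>
#include <iostream>
#include <string>
#ifdef _WIN32
#include <Windows.h>
#else
// Constructed stand-ins (documented Win32 values) so the helper compiles off Windows.
enum : unsigned { CF_BITMAP = 2, CF_UNICODETEXT = 13, CF_HDROP = 15 };
#endif

// Names the formats reported by the supplied availability probe; never reads the data.
std::wstring describeFormats(const std::function<bool(unsigned)>& available) {
    std::wstring out;
    if (available(CF_UNICODETEXT)) out += L"CF_UNICODETEXT\n";
    if (available(CF_HDROP))       out += L"CF_HDROP\n";
    if (available(CF_BITMAP))      out += L"CF_BITMAP\n";
    return out;
}

#ifdef _WIN32
// Window procedure: WM_CLIPBOARDUPDATE is posted once for each clipboard change.
static LRESULT CALLBACK WatcherProc(HWND hwnd, UINT msg, WPARAM wp, LPARAM lp) {
    if (msg == WM_CLIPBOARDUPDATE) {
        std::wcout << describeFormats([](unsigned f) { return IsClipboardFormatAvailable(f) != 0; });
        return 0;
    }
    if (msg == WM_DESTROY) { RemoveClipboardFormatListener(hwnd); PostQuitMessage(0); return 0; }
    return DefWindowProcW(hwnd, msg, wp, lp);
}

int main() {
    WNDCLASSW wc = {};
    wc.lpfnWndProc = WatcherProc;
    wc.hInstance = GetModuleHandleW(nullptr);
    wc.lpszClassName = L"ClipboardWatcherExample";   // hypothetical class name
    if (!RegisterClassW(&wc)) return 1;
    // HWND_MESSAGE parent makes a message-only window: no UI, just a message queue.
    HWND hwnd = CreateWindowExW(0, wc.lpszClassName, L"", 0, 0, 0, 0, 0,
                                HWND_MESSAGE, nullptr, wc.hInstance, nullptr);
    if (!hwnd || !AddClipboardFormatListener(hwnd)) return 1;
    MSG msg;
    while (GetMessageW(&msg, nullptr, 0, 0) > 0)     // blocks until a message; no Sleep() polling
        DispatchMessageW(&msg);
    return 0;
}
#else
int main() { std::wcout << L"Windows-only example; nothing to watch here.\n"; return 0; }
#endif
```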