
I develop an open source ship simulator program. Recently, the Windows binaries (built myself on Visual Studio Community, both 2017 and a clean installation of 2019) are being flagged as trojans, including by a number of the scanners on virustotal. I'm pretty sure that this is a false positive, but I'm not sure how to be sure of this.

I've scanned my own computer, both online and offline with Windows Defender, with nothing found. I have opened the binary files in a hex editor, and can't see anything immediately suspicious, but I'm not familiar enough to be sure.

Is there any way of identifying, firstly, if it is a false positive, instead of a compromised compiler or some other mechanism by which they are actually becoming infected? If it is a false positive, why are the binaries being flagged?

Examples of the binaries: https://github.com/bridgecommand/bc/blob/ad2161fd382c037a71e1c529c48b92342c727bef/bridgecommand-bc.exe (The main simulator program)

James
  • Anti-virus software is not perfect at all. (e.g. for a cardinality argument close to [pigeonhole principle](https://en.wikipedia.org/wiki/Pigeonhole_principle) and because of [Rice's theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem)...) – Basile Starynkevitch Feb 02 '20 at 20:06
  • Add a digital signature to the app. – Michael Chourdakis Feb 02 '20 at 20:07
  • It is my experience that the anti-virus software can be just plain wrong. At that, are you just providing the .exe or shipping it in a deployment package? – lakeweb Feb 02 '20 at 20:07
  • How can we possibly tell you how all possible antivirus / anti-malware software detect bad actors? If we could, I guess we'd have a great career in the malware business. The only people who can tell you why their software flagged your software are the people who make said detection software - so why don't you ask them? Also remember that antivirus software is *far* from perfect, has loads of false positives and relies to a great extent on heuristics. – Jesper Juhl Feb 02 '20 at 20:09
  • I followed your link, it is a bare executable. I would think this is expected from the anti-virus software. How can it possibly know if your software is safe? – lakeweb Feb 02 '20 at 20:17
  • To follow up on my own question, the antivirus vendors don't give any useful information about why a binary might be flagged. It seems that small Visual Studio binaries (including trivial 'Hello World' ones) are often flagged up (see for example https://www.csoonline.com/article/3216765/heres-why-the-scanners-on-virustotal-flagged-hello-world-as-harmful.html). Secondly, I was statically linking network code (the enet networking library). Changing the compiler to MinGW, and changing to dynamic linking of enet, the false positives dropped to near zero. – James Jun 15 '20 at 20:41
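The question asks how to tell a heuristic false positive from a genuinely tampered build. As an added example (not code from the original post or from the Bridge Command project), the script below does the two things a practitioner would do before contacting a vendor: it records a SHA-256 so the artifact can be compared against a rebuild on a clean machine, and it walks the PE section table to report the properties heuristic engines commonly weight, namely high-entropy (packed-looking) code and sections mapped both writable and executable. The header layout follows the published PE/COFF format; the `build_sample_pe` helper, its section names and the 7.2 bits/byte threshold are constructed for this example and are not vendor figures.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF specification (IMAGE_SCN_* in winnt.h).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def sha256_hex(data: bytes) -> str:
    """Digest to record per release and to compare against a rebuild on a clean machine."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table
    and describe each section (name, raw size, entropy of its file bytes, W/X flags)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers start right after the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.2) -> list:
    """Report the section-level traits heuristic scanners tend to weight.
    The 7.2 bits/byte threshold is a constructed example value, not a vendor figure."""
    findings = []
    for s in parse_sections(pe):
        if s["executable"] and s["writable"]:
            findings.append(f"{s['name']}: section is both writable and executable")
        if s["executable"] and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: high-entropy code ({s['entropy']} bits/byte), looks packed")
    return findings


def build_sample_pe(section_name: bytes, payload: bytes, characteristics: int) -> bytes:
    """Constructed for this example: a minimal PE-shaped blob with one section.
    It satisfies parse_sections() but is not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # pointer to the PE signature
    opt_size = 0xE0                                  # PE32 optional header size; contents unused here
    raw_ptr = 0x200                                  # first file-alignment boundary after the headers
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, characteristics)
    image = bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + section
    return image + b"\0" * (raw_ptr - len(image)) + payload


if __name__ == "__main__":
    import sys
    # With a path argument, inspect a real binary; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        b".text", bytes(range(256)) * 4, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
    print("sha256:", sha256_hex(blob))
    for s in parse_sections(blob):
        print(s)
    for line in triage(blob):
        print("finding:", line)
```

Run it against the release binary and against a rebuild on a freshly installed machine: matching hashes rule out post-build tampering, and a clean section report with no writable-executable or near-8.0-entropy code sections makes a compromised toolchain much less likely than a heuristic verdict. Whole-file hashes of two MSVC builds only match when reproducible-build settings are used (the `/Brepro` linker switch suppresses the embedded timestamp); otherwise compare the section entries instead. Note that the trait this script flags is not the one behind the follow-up comment above: statically linked networking code looks like ordinary code to an entropy check and is flagged by vendor-specific heuristics the script cannot reproduce.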

0 Answers