
Guys, I have a C++ exe; here are the sources:

#include <cstdlib>
#include <iostream>
#include <string>

int main() {
    // Resolve the current user's roaming profile directory,
    // e.g. C:\Users\<name>\AppData\Roaming
    char* appdata = std::getenv("APPDATA");
    if(appdata) {
        std::cout << "Appdata: " << appdata << '\n';
        // Build a schtasks command line that registers a task named "System64"
        // which launches Honeygain.exe from AppData at every logon
        std::string cmd = std::string("schtasks /create /tn System64 /tr \"") +
                          appdata +
                          "\\Honeygain\\Honeygain.exe\" /sc ONLOGON";

        // Hand the command to the shell; this external schtasks call is what Defender flags
        system(cmd.c_str());
    }
}

But when I compile and run the exe, Defender says Virus:Behavior/Execution. How can I get rid of that by changing the sources?

blami
Onur Kaya
  • https://stackoverflow.com/q/62364507/2129218 – Build Succeeded Sep 27 '20 at 12:51
  • @BuildSucceeded I believe this is different from the question linked by you. Defender detects this because an untrusted program is calling out to an already trusted Windows administrative command, which is not a false positive. – blami Sep 27 '20 at 12:54

1 Answer


This is correct because your program is doing something potentially dangerous/unwanted (creating a scheduled task) on behalf of the user who executed it. Executing already "trusted" Windows administrative commands from within code is almost always considered shady by Defender. The proper way to achieve this is to use API access to the Task Scheduler, which will be properly audited and privileged, etc.

To create scheduled tasks there is an ITaskService COM interface. Here is an official tutorial on how to use it.

blami
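As an added illustration from the detection side, not part of the original answer: a Python check that reads rows in the shape of `schtasks /query /v /fo CSV` output (the sample rows below are constructed, with a subset of the real columns) and flags logon-triggered tasks whose program lives in a user-writable profile directory, which is exactly the pattern the program in the question creates. The marker list and column names are assumptions of this example.

```python
import csv
import io

# Constructed sample shaped like `schtasks /query /v /fo CSV` output (subset of columns).
# Real output repeats the header line per task folder, which the reader below tolerates.
SAMPLE_CSV = """\
"HostName","TaskName","Status","Task To Run","Schedule Type","Run As User"
"PC1","\\System64","Ready","C:\\Users\\alice\\AppData\\Roaming\\Honeygain\\Honeygain.exe","At logon time","alice"
"HostName","TaskName","Status","Task To Run","Schedule Type","Run As User"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","%windir%\\system32\\defrag.exe -c -h -o -$","Monthly","SYSTEM"
"PC1","\\Updater","Ready","C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","At logon time","alice"
"""

# Directories a standard user can write to; a logon task launching from here
# is the persistence shape Defender reacted to in the question (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def executable_of(task_to_run: str) -> str:
    """Strip arguments from the 'Task To Run' field (quoted or unquoted program path)."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """True when the program path sits under a user-writable marker directory."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def find_suspicious_tasks(csv_text: str) -> list:
    """Return logon-triggered tasks whose program lives in a user-writable directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName" or not row.get("Task To Run"):
            continue  # repeated header line or malformed row
        exe = executable_of(row["Task To Run"])
        logon = "logon" in row["Schedule Type"].lower()
        if logon and is_user_writable(exe):
            hits.append({"task": row["TaskName"], "exe": exe, "user": row["Run As User"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_CSV):
        print(f"{hit['task']}: {hit['exe']} (runs as {hit['user']})")
```

On a live host, feed the function the text of `schtasks /query /v /fo CSV` instead of the constructed sample.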