0

With a program written in C# .NET Core 3.1, I have to manage the download of EXE or DLL file updates. On the client PC there are some files that must be regularly updated through this program, which downloads the new version of the files. Currently these files are not digitally signed (for now it is not possible to sign them, perhaps in the future) and as a result, the download of these files is often blocked by the antivirus software installed on the machine. To allow files to be downloaded, you need to create a rule to exclude these files from antivirus blocks.

I would like to implement a check that verifies whether these file updates can pass the antivirus checks or not, before being downloaded, without actually having to download them (the download is quite a complicated procedure).

For now I have done these tests:

  • Read the exclusion rules set in the antivirus (perhaps even via a software API) to verify that there are those relating to the files to be updated, but given the variety of possible antivirus products present on the clients, it becomes difficult to create a single solution. Furthermore, there does not seem to be anything like this in the documentation I found for several of the main antivirus products.
  • Interface through the AMSI Windows API (Windows 10). In this way I am able to execute a scan of the file existing on the machine, but it seems that the same scan rules applied to the files at the time of download are not applied in this kind of scan.

Any ideas to implement such a feature?

  • A good and interesting question (and welcome to SO, by the way)! I'm not aware of any "standardized" anti-virus software control interface (for configuration such as excluded directories), so I'm afraid you'll have to separately implement an interface for every single AV software you want to support (and deal with their individual shortcomings). I suspect that AV vendors don't even *want* such a standardized interface, since it would make life easier for malware developers as well. – Heinzi Jul 30 '21 at 13:01
  • That having been said, it looks like [VirusTotal offers API access](https://support.virustotal.com/hc/en-us/articles/115002100149-API), so you might be able to (automatically) submit your EXE/DLLs ahead of time to get informed about potential problems right away. You'll probably need the paid version if you integrate this into commercial software. – Heinzi Jul 30 '21 at 13:05
  • 2
    Do they HAVE to be EXE or DLL files? Can you create & download them as a custom type (e.g. XEX or LLD), and have whatever program runs them know how to access them? Why are you downloading .EXE anyway? Wouldn't your programs have an installer (which will ask the user for the correct credentials)? The reason your process is being detected as a virus is because it's doing exactly what a virus would do. – Neil Jul 30 '21 at 13:13
  • The files are both EXE files and DLLs. The files I download are not compiled directly by me and I do not manage them, so I cannot rename them by changing their extension. Unfortunately, at the moment whoever supplies me the files has not released an installer program. – filippocurati Oct 13 '21 at 10:45

0 Answers