
I develop software in .NET Framework 4.8. I want to ship another harmless executable within my software. To do so, I declared it as a resource in Visual Studio, and at runtime I write all bytes to a file. However, anti-virus systems do not seem to like this. I did the following tests, which have some interesting results:

  1. Creating an empty .NET Framework project with 0 lines of code executed (main is empty), but packing another executable (.exe) as a resource. Result on VirusTotal: 10/68 say it's malicious (often saying malicious PE). Scanning the packed executable by itself results in 0/68 malicious. Keep in mind the packed executable never even gets touched or written to the disk at all.

  2. Creating an empty .NET Framework project with 0 lines of code executed (main is empty). Packing an image as a resource. Result on VirusTotal: 6/68 say it's malicious (often saying malicious PE).

  3. Creating an empty .NET Framework project with 0 lines of code executed (main is empty). Packing no resources into the project, but adding an icon. Result on VirusTotal: 2/68 say it's malicious.

In my opinion, this is ridiculous. Why does it have such a high false-positive rate? I really would like to hear some opinions from other C# developers. The way to go is probably just to download any required resources, right?

TBA
ex6tenCe
  • "High"? Are any of those 10, 6, and 2 AVs even known? It doesn't matter if there are 10 AVs with barely existing market share. – Martheen Jan 09 '22 at 08:06
  • Probably you should also look at which antivirus program is marking your software as positive. IMHO not all VirusTotal programs are top tier in the antivirus category. – Steve Jan 09 '22 at 08:07
  • Yeah, those are kinda unknown or seem to be experimental with a lot of machine learning. Still feels odd. – ex6tenCe Jan 09 '22 at 08:31
  • There is nothing odd about it, any random dev can slap together an ML app with a couple of virus samples *without* enough clean apps as a control, and they'll just end up like when [rulers in lesion image made AI mark it as malignant](https://www.sciencedirect.com/science/article/pii/S0022202X18322930?via%3Dihub). Perhaps the onus is on VirusTotal to not accept scanners with a high false-positive rate, but they're already swamped as it is. – Martheen Jan 09 '22 at 22:05
  • Could you not use a DLL for what the executable does? That'd probably get past most antivirus systems. – Andrew Corrigan Jan 14 '22 at 15:07

0 Answers