#1
Packers and Microsoft Defender
Heya!
I have recently had a lot of issues with MS Defender deleting packed files. The packer is not pirated and there is no malware inside. I literally wrote a "Hello World" program, packed it, and Defender immediately flagged it as "Win32:Trojan-[pseudovariant]" with threat level SEVERE. This is quite annoying, and I have tried tons of different things to keep it from being detected, but it is persistent like crazy. I even submitted the file to Microsoft; they marked it clean and removed the detection, but after packing again a new 'pseudovariant' is detected. It's crazy. Does anyone have any advice, or at least something to try to escape the Defender detection? I tried the packed file on VirusTotal and it has about 13 detections (false positives), but nobody uses those AVs. Defender is a bit different, though: it is used quite a lot. Anyway, any tips would be welcome.
#2
Do you own the legal rights (copyright) to those files?
If so, file a complaint, with links, with whoever cares so they remove the files from the AV list as false positives; otherwise NOTHING can be done.
#3
Have you tried a different packer? If the packed file is that obviously detected, then go with
virtualization technologies such as VMware ThinApp, or Spoon Studio a.k.a. Turbo Studio. I hope it helps.
#5
I have the same issue, and the only way to avoid it is to make sure the security software on your machine doesn't scan the packaged file until it has been signed with a code-signing certificate.
If the binary is still being flagged, you have to report it as a false positive to the security software company. It sucks, but that's the way to do it.
The Following User Says Thank You to nulli For This Useful Post: argie (02-07-2024)
#6
Windows Defender is terrible; it blocks any new executable file. You must buy an OV certificate if you want someone else to use the program.
The Following User Says Thank You to morgot For This Useful Post: argie (02-07-2024)
#7
I could imagine that a Python script, a VBScript, or any scripting language could have a packed binary embedded in it, which could be loaded into virtually allocated memory and executed with the packed contents.
It's not an executable file, but it doesn't need code signing, and certain scripts would basically be runnable through the default shell open actions on many systems. There is also the issue of how to embed the binary data. Obviously base64 or the like would work, but it increases the size. Not to mention that resolving relocations and imports and such manually is a bit of work. But any scripting language that can invoke the Windows API is technically sufficient.
The Following User Says Thank You to chants For This Useful Post: argie (02-07-2024)
#8
Quote:
There are many ways to do it. Just google... Other than that, I agree with @user1 that there is nothing that can be done.
#9
Quote:
I hope you are broke. Otherwise, when the subpoenas hit and unmask you for a lawsuit, that will be an interesting day. Given that you can afford this hosting, I'd gather you might have enough to make it worth it. The last I checked, defamation has a low bar with non-public figures.
The Following User Says Thank You to chants For This Useful Post: argie (02-07-2024)
#11
Thanks all for the advice.
I of course considered signing the files, but as a last resort. Also, a quick answer to someone who asked: of course I have the legal rights to the software, I made it. Basically, as said in the OP, the detection rate is extremely low: 12-13 out of all vendors on VT. But one of the detections is MS Defender. I have also submitted my files to Microsoft to remove the detection, and they did. But... once a new file is packed (a software update or whatever), a new generic detection occurs. So there are 2 options:
- Sign, to avoid all the hassle
- Submit to Microsoft to remove the detection before publishing the file
Cheers.
The Following User Says Thank You to argie For This Useful Post: chants (02-07-2024)
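Both options the OP settles on (sign the packed build, or get the specific file hash cleared with Microsoft before publishing) have to be repeated for every re-pack, because each new pack produces a new hash. The following PowerShell is an added example, not code from anyone in this thread: it signs the packed executable right after packing with a SHA-256 Authenticode signature and an RFC 3161 timestamp, verifies the signature independently, records the SHA-256 hash you would paste into the Microsoft false-positive submission form, and asks Defender to scan the file so you see any detection before you ship. The path `.\dist\hello_packed.exe`, the timestamp server URL and the presence of a code-signing (for example OV) certificate in `Cert:\CurrentUser\My` are assumptions; run it from an elevated session because the Defender cmdlets need it.

```powershell
# Added example, not from the thread. Assumptions (hypothetical): the packed build is
# .\dist\hello_packed.exe and a code-signing certificate is installed in CurrentUser\My.
param(
    [string]$PackedExe = ".\dist\hello_packed.exe",
    [string]$TimestampServer = "http://timestamp.digicert.com"  # any RFC 3161 TSA your CA offers
)

$ErrorActionPreference = "Stop"
$fullPath = (Resolve-Path $PackedExe).Path

# 1. Pick the newest code-signing certificate that has not expired; fail loudly if none.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No valid code-signing certificate found in Cert:\CurrentUser\My" }

# 2. Sign with SHA-256 and a timestamp, so the signature stays valid after the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $fullPath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne "Valid") {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Re-read the signature from disk; this is the same check SmartScreen/Defender perform.
$check = Get-AuthenticodeSignature -FilePath $fullPath
"{0}`n  signer : {1}`n  status : {2}" -f $fullPath, $check.SignerCertificate.Subject, $check.Status

# 4. Every re-pack yields a new hash; this is the value to put in the false-positive submission.
$hash = (Get-FileHash -Algorithm SHA256 -Path $fullPath).Hash
"SHA256 for Microsoft submission: $hash"

# 5. Scan just this file with Defender now, then list any detection that names it.
Start-MpScan -ScanType CustomScan -ScanPath $fullPath
$leaf = [regex]::Escape((Split-Path $fullPath -Leaf))
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match $leaf }
if ($hits) {
    $hits | Select-Object ThreatID, InitialDetectionTime, Resources | Format-List
} else {
    "Defender reports no detection for $fullPath"
}
```

If step 5 still shows a detection, the signed file is what you submit to Microsoft, together with the hash from step 4; signing does not change Defender's verdict on an already-known hash, it only gives reputation a stable identity (the signer) to accumulate across future re-packs.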