Exetools  

#1
02-02-2024, 17:39
argie (Family)
Packers and Microsoft Defender

Heya!

I have recently had a lot of issues with MS Defender deleting packed files. The packer is not pirated and there is no malware inside.

I literally wrote a "Hello World" program, packed it and immediately Defender flagged it as "Win32:Trojan-[pseudovariant]" with threat level SEVERE.

This is quite annoying and I tried tons of different stuff to make it not detect, but it is persistent like crazy. I even submitted the file to Microsoft and they marked it clean and removed it from detection, but after packing again a new 'pseudovariant' is detected. It's crazy.

Does anyone have any advice, or at least something to attempt to escape the Defender detection?

I tried the packed file on VirusTotal and it has like 13 detections (false positives), but nobody uses those AVs. Defender is a bit different, it is used quite a lot.

Anyway, any tips would be welcome.
#2
02-02-2024, 21:48
user1 (Family)
Do you own the legal rights/copyright for those files?

If so, make a complaint to whoever cares (links to remove it as a false positive from the AV list);

else there is NOTHING to be done.
#3
02-03-2024, 12:53
Vladimir (Friend)
Have you tried a different packer? If it is so obvious that the file is packed, go with
virtualization technologies such as VMware ThinApp or Spoon Studio a.k.a. Turbo Studio.
I hope it helps.
#4
02-03-2024, 16:34
tofu-sensei (Friend)
Buy a code signing cert. It's no panacea, but it helps.
#5
02-04-2024, 06:03
nulli (VIP)
I have the same issue and the only way to avoid it is to make sure the security software on your machine doesn't scan the packaged file until it has been signed with a code signing certificate.

If the binary is still being flagged you have to report it as a false positive to the security software company. It sucks, but that's the way to do it.
#6
02-04-2024, 07:24
morgot (Friend)
Windef is terrible, it blocks any new executable file. You must buy an OV certificate if you want someone else to use the program.
#7
02-04-2024, 11:32
chants (VIP)
I could imagine that a Python script or VBScript or any scripting language could have a packed binary embedded in it, which could be loaded into virtually allocated memory and executed with the packed contents.

It's not an executable file, but it doesn't need code signing, and certain scripts would basically be runnable through default shell open actions on many systems. There is also the issue of how to embed the binary data. Obviously base64 or the like would work, but it increases the size. Not to mention resolving relocations and imports and such manually is a bit of work. But any script language that can invoke the Windows API is technically sufficient.
#8
02-04-2024, 13:17
NON (Banned User)
Quote:
Originally Posted by argie (the opening post, quoted in full)
Simple... I just turn off Microsoft Defender. Problem solved.
There are many ways to do it. Just google...
Other than that, I agree with @user1 that there is nothing that can be done.
#9
02-05-2024, 00:46
chants (VIP)
Quote:
Originally Posted by Gregory Morse
Simple... I just turn off Microsoft Defender. Problem solved.
There are many ways to do it. Just google...
Other than that, I agree with @user1 that there is nothing that can be done.
TechLord, you were banished to the shadow realm long ago. Your crybaby blog shows you are involved in militant homosexual recruitment as well, not that we are surprised by that. Maybe you should stop impersonating people and go post more nonsense there. The usual post-burying garbage and style that is the hallmark of this crook.

I hope you are broke. Otherwise, when the subpoenas hit and unmask you for a lawsuit, that will be an interesting day. Given that you can afford this hosting, I'd gather you might have enough to make it worth it. The last I checked, defamation has a low bar with non-public figures.
#10
02-06-2024, 23:12
0xc3 (Friend)
Many antivirus programs are incorrect, but a signing cert is more useful.
#11
02-07-2024, 16:53
argie (Family)
Thanks all for the advice.

I of course considered signing the files, but as a last resort. Also a quick answer to someone who asked: of course I have legal rights to the software, I made it.

Basically, as said in the OP, the detection rate is extremely low: 12-13 out of all vendors on VT. But one of the detections is MS Defender.

Also, I have submitted my files to Microsoft to remove the detection and they did. But... once a new file is packed (software update or whatever), a new generic detection occurs.

So there are 2 options:

- Sign to avoid all the hassle
- Submit to Microsoft to remove the detection before publishing the file

Cheers.
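As an added example (not code from this thread, from any packer vendor, or from Microsoft), the script below does the pre-publish triage the thread converges on: it walks a PE's headers and reports the static signals a packed "Hello World" presents to a generic "packed trojan" heuristic (high-entropy sections, a section with zero raw size that the stub fills at runtime, no import table), and whether an Authenticode signature is attached at all, read from the Security data directory (presence only; the signature is not validated). The two sample images are constructed inline: section names mimic UPX's layout, the "signature" is a placeholder blob, and neither file is a runnable program. Real engines weigh far more than these signals (reputation, cloud lookups, behaviour), so this illustrates why a freshly packed, unsigned binary looks suspicious, not how Defender decides.

```python
"""Pre-release triage of a packed PE: packer-like static signals + Authenticode presence.

Added example; the sample PE images are constructed below and are not real binaries.
"""
import math
import random
import struct

ENTROPY_THRESHOLD = 7.0            # bits/byte; compressed or encrypted data sits near 8.0
IMPORT_DIR, SECURITY_DIR = 1, 4    # data directory indices: import table, certificate table


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: data directories and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _flags = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", blob, dd_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", blob, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", blob, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rsize": rsize,
                         "entropy": shannon_entropy(blob[rptr:rptr + rsize])})
    return {"dirs": dirs, "sections": sections}


def triage(blob: bytes) -> dict:
    """Static signals a generic 'packed' heuristic keys on, plus whether a signature is attached."""
    pe = parse_pe(blob)
    imp = pe["dirs"][IMPORT_DIR] if len(pe["dirs"]) > IMPORT_DIR else (0, 0)
    sec = pe["dirs"][SECURITY_DIR] if len(pe["dirs"]) > SECURITY_DIR else (0, 0)
    return {
        "high_entropy": [s["name"] for s in pe["sections"] if s["entropy"] > ENTROPY_THRESHOLD],
        "empty_raw": [s["name"] for s in pe["sections"] if s["rsize"] == 0 and s["vsize"] > 0],
        "imports_missing": imp[1] == 0,
        "signed": sec[0] != 0 and sec[1] != 0,   # Security dir holds a file offset, not an RVA
    }


def build_sample_pe(packed: bool, signed: bool) -> bytes:
    """Constructed PE32 image for the demo: parseable headers only, not a runnable program."""
    if packed:   # UPX-style layout: empty UPX0 filled at runtime, compressed payload in UPX1
        rng = random.Random(1)
        secs = [("UPX0", 0x10000, b""), ("UPX1", 0x1000, bytes(rng.getrandbits(8) for _ in range(4096)))]
    else:
        secs = [(".text", 0x1000, b"Hello, world!\0" * 300)]
    opt_size = 224                                    # PE32 optional header incl. 16 data dirs
    sect_tbl = 64 + 4 + 20 + opt_size                 # DOS hdr | "PE\0\0" | COFF | optional hdr
    raw_start = (sect_tbl + 40 * len(secs) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if not packed:
        struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, 0x2000, 40)
    table, data, rptr = bytearray(), bytearray(), raw_start
    for name, vsize, raw in secs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, len(raw),
                             rptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        data += raw
        rptr += len(raw)
    if signed:   # placeholder WIN_CERTIFICATE blob appended after the sections (not a real cert)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, rptr, 8)
        data += b"\0" * 8
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    img = dos + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return img + b"\0" * (raw_start - len(img)) + bytes(data)


if __name__ == "__main__":
    for label, blob in [("packed, unsigned", build_sample_pe(True, False)),
                        ("plain, signed", build_sample_pe(False, True))]:
        print(label, triage(blob))
```

Run `triage(open(path, "rb").read())` on the build output before shipping: the packed, unsigned sample yields every flag at once, which is exactly the profile of the packed "Hello World" described in the opening post. Signing does not change the section-level signals, only the `signed` field, which is why the thread's consensus is to sign first and then submit whatever is still flagged as a false positive.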