Causes False Positive Windows 10 #19
Found out something else is triggering it, for no reason.

Okay, so for context. Without DLGS:
Hi, is your antivirus Jiangmin or Microsoft? I am writing a tool with this library, but possibly compiling with another version of Go (1.12 in my case). When I compile a tool that has a false positive, I usually try to compile it with other versions of Go; it usually resolves. Just a tip.

Windows Defender on Windows 10. Defender sees the compiled binary and promptly deletes it because of how serious it thinks the malware is.
The same is true with my antivirus; I use Jiangmin / Kasper. This is quite common. So I have three directories with three different versions of Go (and respectively three binaries in the bin folder). When this happens with some compilation, just rename the folders and compile with another version of Go; it always works. Test a later version or an earlier version. On Windows, programs written in Go always result in false positives with one or the other antivirus, but it always does. I have a few alternatives to prevent or at least reduce the incidence of false positives by adding version information, digitally signing it with signtool, or even adding an icon to the binary.

VersionInfo: To avoid false positives
VirusTotal
Look for SignTool and SignGUI (the GUI needs the CLI); it just needs a PFX file, which you generate with OpenSSL. Any doubt, I am available.

My tool also results in false positives in several antivirus brands (especially mine and yours). Today I did some tests. Very simple: when I compile with version 1.11.13, I get the following result (even adding version information): When I sign digitally with SignTool, I get this result (just conflicts with Jiangmin): However, when I switch to version 1.15.3, just adding version information (a lot of AVs): But if I digitally sign the binary (it reduces drastically): I believe it is the only way to "circumvent" false positives. So I believe that it is not enough to just add the version info; it is essential:

SignTool: To generate a PFX file you need a private DSA key and the certificate in crt. (Updated)

    openssl dsaparam -out params.pem 1024
    openssl gendsa -out privDSA.pem params.pem
    openssl req -sha1 -x509 -new -days 3651 -key privDSA.pem -out certDSA.crt [-config openssl.cnf]

so:

    openssl pkcs12 -export -inkey privDSA.pem -in certDSA.crt -out CertDSA.pfx

The more information you add to the certificate, the less the antivirus will detect it as a virus. Try not to use a URL nor add a website in the SignGUI tool (this usually confuses the mechanisms).

I was having trouble finding a version that would not conflict with my antivirus. After downloading about three different versions, I only managed with version 1.12.1 of Go. This is the result of the compilation with only version info: And this is the result after binary authentication (digital signature) through the steps that I have described. I needed it to be a version that still runs on Windows XP, i.e. 1.12 or lower. But you will have several possibilities; each version will result in different false positives, different brands of antivirus (Wacatac & Wacapew for M$). Try to do all the steps, in all possible* versions. One will have no or almost no false positives (only for unknown brands).
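The same certificate-and-sign workflow described above, as an added example that is not code from the dlgs project or from anyone in this thread. It uses Windows' built-in PowerShell cmdlets in place of OpenSSL and SignTool and finishes with the check a practitioner wants: what signature status Windows itself reports for the signed file. The binary path, PFX name and subject fields are placeholders.

```powershell
# Added example, not code from the dlgs project or from anyone in this thread.
# Assumptions: Windows PowerShell 5.1 or later on Windows 10; .\mytool.exe is a
# placeholder for your Go binary; the Subject fields below are placeholder values.
$exe         = '.\mytool.exe'
$pfxPath     = '.\CertDSA.pfx'        # output name mirrors the thread
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Self-signed code-signing certificate, stored under the current user.
#    A fuller Subject follows the thread's advice to put more information in the cert.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Tool, O=Example Org, L=Example City, C=US' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(10)

# 2. Export private key + certificate as a PFX, the input SignTool/SignGUI consume.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Sign the binary. Set-AuthenticodeSignature is the in-box equivalent of
#    "signtool sign /f CertDSA.pfx"; add -TimestampServer <url> if the signature
#    should stay verifiable after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert -HashAlgorithm SHA256
"Sign: $($result.Status) - $($result.StatusMessage)"

# 4. Check what Windows sees. With a self-signed certificate the chain ends in an
#    untrusted root, so Status is not 'Valid' unless that root has been imported into
#    Trusted Root Certification Authorities on the verifying machine. That is the
#    difference between "signed" and "trusted" that reputation-based checks care about.
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    File       = $exe
    Status     = $sig.Status
    Message    = $sig.StatusMessage
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Subject    = $sig.SignerCertificate.Subject
} | Format-List
```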
This is the program built with dlgs "error" and "warning" pop-ups:

https://www.virustotal.com/gui/file/c6ecfb6dcf7b610f1ead08e38c17797be28486ef4c77b3293d02ed71b374bdd2/behavior/VirusTotal%20Sysmon

Detected by 7 engines, and writes to

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

and

HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\A70D59A1-8EAD-4F40-AAAB-FBFC460800A4\FriendlyName

This is the same code, built in the same way, just without dlgs:

https://www.virustotal.com/gui/file/9cb0cb053f58b92ad71eb50e531b802ddd01d5eb6164a391ea982b6325b328b3/behavior/VirusTotal%20Sysmon

Detected by 5 engines, and proceeds to function as intended.