views:

847

answers:

6

I have written a program (Mimer 1.1 -- http://sourceforge.net/projects/mimer/files/) and after 3000 downloads I found out that my own Nod32 Antivirus detects my program as a Win32/Agent.NFIWJLP trojan. My program has a C++ sub-program that makes a system hook to watch the keyboard and mouse movements and events in the system (similar to a key logger, but that's not what it's made for). Does anyone recommend anything for me to do so that my program doesn't get deleted by the user's antivirus software? The thing that my program does is that it can mimic the user's interactions with the PC at a scheduled time. Thanks in advance.

+14  A: 

Contact ESET and report the false alert. If a new version gets reported, do it again. The only way they'll learn.

As an example, the AutoHotkey community has the same problem.

Edit:

I scanned DoNotRun.exe on Scan4You.net, and 9/32 AVs detect it. (see Report)

  • ArcaVir
  • Avira AntiVir
  • COMODO Internet Security
  • IKARUS Security
  • Kaspersky Antivirus
  • ESET NOD32
  • A-Squared
  • VBA32 Antivirus

It will take ages to contact all of them, but there are fewer alternatives. You could use a malware crypter to hide the file, but this won't last forever, or you could try changing your C source to omit the detected parts.

leoluk
+7  A: 

Your best bet is to write an email to the authors of the antivirus and tell them it's a false positive.

Most good antivirus companies react to this kind of email by removing the detection. However, if your program is detected by a signature written for another virus, you might have a difficult time persuading them to change their detection signatures or to move your program into their cleanset.

What you can do immediately is to somehow note to the users that your program might be detected by antiviruses as a virus. That way they will be warned and they can make sure it won't get deleted. If your program is open source, then anyone can verify it does not do anything bad.

PeterK
Thanks. Well, the sub-program acts a lot like a key logger, so maybe it's my fault. Do you suggest anything for 'moving the program to their cleanset' as you said?
Auxiliary
Well, if you write them they should be able to resolve the issue somehow. Dunno if they add it to a cleanset or remove the detection. It all depends on how exactly the antivirus works and what detection detects your program. It might as well be a behaviour analysis (which would catch a keylogger easily).
PeterK
+5  A: 

As well as contacting ESET, it might be worth contacting some of the other antivirus vendors such as Avast, Kaspersky etc.

If one program's picking it up the chances are that others will too.

ChrisF
+7  A: 

You should contact ESET (the company behind NOD32) using their contact form. If you indicate that you are having a problem with Threat/Error Messages, you can specify that you found a Harmless file flagged as threat.

Chris Shouts
+4  A: 

You can also try some methods such as packing your application with UPX or using an application such as Smart Assembly to reshape how the overall EXE is saved. It surely does not hurt to try.

Anthony Greco
Now, that's a new suggestion. Thanks a lot.
Auxiliary
It worked for Nod32. I have to test it with other AVs.
Auxiliary
Interesting, what does it change to avoid the detection?
Shawn
Dunno. It was the first time I used such a thing, but it worked very nicely. You could check it out at http://upx.sourceforge.net/#downloadupx
Auxiliary
@Shawn, packers such as UPX can be used to hide the contents of an executable. They essentially "wrap" the executable contents (typically compressing them) and decompress them after it is run. This thwarts many heuristic-based detection techniques anti-viruses utilize when looking at assemblies. So, in this case, it will hide the fact that the assembly is making calls into those low-level keyboard and mouse hooks.
Simucal
I tested the two versions (with UPX and without) on NoVirusThanks.org and 44% of the AVs detected the one without UPX and 19% with UPX used. I guess leoluk's right.
Auxiliary
Well that's pretty neat. You'd think that the AV makers would try to overcome that, no?
Shawn
@Shawn, there isn't too much they can do. You could encrypt the contents of the assembly until runtime and they wouldn't be able to do much about it. However, sometimes having a "packed" assembly can be a red flag to virus software as well. Also, they can detect you ~using~ those low-level hooks during runtime and flag it as a virus after you have run it.
Simucal
Packed assemblies are also easy to unpack, if the AV wishes to spend the time to do that for all packed assemblies.
jcao219
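The comments above note that a packed executable is itself a red flag. The following added example (not code from the thread or from Mimer) shows the kind of static check an AV heuristic might apply: it parses the PE section table, flags the section names UPX writes, and measures per-section byte entropy, which compressed payloads push towards 8 bits/byte. The 7.0 threshold is an assumed cut-off, and the two PE-shaped blobs are constructed test data, not real executables.

```python
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX packer writes
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits/byte; compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for an empty section."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return (name, raw_offset, raw_size) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    hdrs = (struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(nsec))
    return [(name.rstrip(b"\0"), roff, rsize) for name, _, _, rsize, roff in hdrs]


def scan_for_packing(pe: bytes) -> dict:
    """Flag UPX section names and high-entropy sections, as an AV heuristic might."""
    upx, dense = [], []
    for name, off, size in parse_sections(pe):
        if name in UPX_SECTION_NAMES:
            upx.append(name.decode())
        if shannon_entropy(pe[off:off + size]) >= ENTROPY_THRESHOLD:
            dense.append(name.decode())
    return {"upx_sections": upx, "high_entropy_sections": dense, "likely_packed": bool(upx or dense)}


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE-shaped blob for testing; it is not a runnable executable."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    off, body = 0x40 + 24 + 40 * len(sections), bytearray()
    for name, data in sections:
        hdr += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), off) + b"\0" * 16
        body += data
        off += len(data)
    return bytes(hdr + body)


# Constructed samples: ordinary code/strings vs. a UPX-style layout with a compressed-looking payload
UNPACKED = build_sample_pe([(b".text", b"\x90" * 512), (b".rdata", b"hello world\0" * 16)])
PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
```

Running `scan_for_packing` on the two samples flags only the UPX-style one, which is why a packer can lower detection on some engines while raising it on others.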
+1  A: 

Anti-virus software uses heuristics to determine whether a file is a virus or not based on its activities. A system hook on the keyboard and mouse would definitely show up as a flag.

I don't think you should pack your program because that would also raise a flag. Your software is open source, so you should just include a notice in the README telling users that some AVs detect it because of the system hook and give the line/file of where that code is located.

Exception