What to change if an exe is flagged as a virus?

Hi,

I recently re-built an app using the latest Xojo release, after having added features to it. When I checked under Windows, on a computer I don’t own, my app was flagged as a trojan; I couldn’t even move the exe as the move was prevented and the antivirus (defender) deleted the file.

Since I know it’s a false positive, I’d like to rebuild the app. The exe being the culprit, I have to change something in the project in order to change its signature.
But I’m wondering: what’s the smallest change I can make so that the signature comes out right for the antivirus?
For example, if I just move a push button by 1 pixel to the left (silly idea, but wondering for the principle) and compile again, is it going to change the signature enough?
Or perhaps just changing the build date, by building again without any change, is enough? Or just changing the file name?
What are the rules here?

P.S.: I’m also asking because the computer is 15 km away and I can’t manage to test…

There’s nothing you can change. Heuristic antivirus is stupid. Pretty much if your app does work, it could be flagged as malicious. Read files and make HTTP requests? Could be ransomware. Shell use, HTTP, and file access are the leading causes of heuristic AV flagging something.

Your best bet is to submit the installer to the AV vendor. Let them whitelist it.

2 Likes

Thom is right.
AV software is infuriating in its need to justify its existence.
If the message says anything like heuristic, they are just guessing/playing safe.
Make sure it is codesigned, and send copies to the AV makers.

And if I ever meet the idiot who came up with the message
‘{appname} is not commonly downloaded so it may be dangerous’ , I swear I will not be held accountable for the damage.
No court in the land would convict.

5 Likes

Well, this happens all the time.
It could be a certain combination of bytes generated by the compiler for some instructions.
Swapping two lines could change that.

Previously, in MBS Plugins, code parts from our CURL and Encryption plugins matched some code used in viruses, as they also do stuff like encryption and networking, but that just went away.

What I added between the previous version (which worked fine, like older ones) is just a setting to change time format (i.e. a popup menu, an extra label and a few lines of code to compute the time in another way), so there’s something beyond OS access, actually.

Thanks anyway.

I don’t have an installer. This is the only computer where the app is used (but it’s an important part). I just put the folder at some place and the user can use it.
Anyway, since it worked before, it’s not hard to make it work again; I was just wondering what changed enough in my coding for the app to become flagged (and how to do the reverse).

It didn’t say that explicitly. It occurred while I copied the whole folder from a USB disk; the copy aborted and I saw a Defender popup at the bottom right corner informing me about that. I clicked on it and, in the window that showed, despite the fact I clicked on “Launch anyway” (text may differ, it was a French system), the file was deleted.
I’m not a Windows guy, so antivirus software is something I don’t fully master.

That’d be a lot for this app. In the worst case, I’ll just add a “dummy” function, or go back to the previous version.

Granted 100%
Thank you.

That’s around what I think about my issue.

Ah, the fix (and cause) should rather be a change in code (rather than UI)? Or both?

Thank you.

Oh this is Defender? Defender is not heuristic, it uses frequently-updated blacklists, so it’d only stop something if it was confirmed malware. Your description sounds like you ran into Windows SmartScreen, which is something else entirely. This is where software that is not frequently downloaded will be blocked from running, just in case. It’s rather annoying, but code signing is the solution. An EV certificate is a total pain in the ■■■, but will stop the warning entirely. A regular certificate will stop the warning after an unknown number of downloads, and keep it away for future builds as long as the same certificate is used. For that reason, buying the longest certificate you can afford is what I recommend.

But for one-off programs like you describe, just live with it. Use the “run anyway” option and understand that this is just how Windows security is.

You could also try, under Build Settings > Shared, to play with the Optimization Level…

Yes. I recognise it was a bit hidden and not capitalised in my original post (re-reading, I had hard time checking I wrote it :wink:).

To me, SmartScreen is the ribbon that appears on screen, taking the whole width of the screen and a smaller height, informing me that the app I’m trying to open is not signed and can’t be opened (and there’s a hidden button to “open anyway”), indeed, when the app is not well-known. Is that only a sub-part of SmartScreen? (I didn’t get the ribbon at all).

It’s not the first time I’ve thought about code signing. It’s already so expensive for me on the Mac side (I’m not a professional programmer) that I had to convince myself to take the step on Mac, but every time I consider doing the same on Windows, I recall how it’s way more (too much) expensive. I even tried once, but never got an answer (don’t recall the website right now); discouraging.

And I’ve (almost) always made my apps run on Windows without code signing, so I’m looking for an easier way, as I did until now.

It’s rare I provide Windows apps by downloads, actually. Again, if it was cheaper, in my budget, I’d do it.

That’s actually what I did, since the beginning of this issue (sorry if my original post wasn’t clear). But copying to the hard disk would never proceed and Windows kept removing the exe on both my USB drives, even after I clicked “run anyway”; that’s something I haven’t understood.

Thank you.

A good idea as well.
To start with, I’ll try the shortest things, however.

Thanks.

Your description of the events - such as the copy itself being blocked - doesn’t seem to line up with expected behaviors. As far as I’m aware, Defender doesn’t do that. It sounds like there is some other AV running on the system, but it’s hard for us to be certain.

When I clicked on the popup, the window that showed was the one I’m “familiar” with (like we can access from inside the “Settings” virtual folder of Windows).
But I’ll re-check, for the sake of clearing out this possibility.

Still, if I modify the app in Xojo, it should probably be allowed again, as it did since last June.
Thanks.

Insert the USB drive, go into the AV settings and whitelist the directory in the USB. That should allow you to copy the files. Then whitelist the folder you copied them to.

1 Like
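As an added example (not code from any poster in this thread), here is how the two points raised above can be checked from an elevated Windows PowerShell session using the built-in Defender module: first, whether it really was Defender that acted on the file and under which detection name (the doubt raised a few posts up), then the signing status the thread keeps recommending, and finally an exclusion scoped to just the two folders rather than a whole drive. The folder and exe names are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell session.
# All paths are placeholders; replace them with the app's real folders.
$UsbFolder   = 'E:\MyXojoApp'                        # placeholder: folder on the USB drive
$LocalFolder = 'C:\Apps\MyXojoApp'                   # placeholder: where it gets copied to
$ExePath     = Join-Path $UsbFolder 'MyXojoApp.exe'  # placeholder exe name

# 1. Was it really Defender? Its own detection history names the file and the signature that fired.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $d = $_
        $threat = Get-MpThreat | Where-Object { $_.ThreatID -eq $d.ThreatID }
        [pscustomobject]@{
            When      = $d.InitialDetectionTime
            Threat    = $threat.ThreatName            # e.g. a generic/heuristic family name
            Resources = ($d.Resources -join '; ')     # file paths Defender acted on
            Succeeded = $d.ActionSuccess
        }
    } | Format-Table -AutoSize

# Quarantined copies can be listed with Defender's command-line tool before deciding anything:
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll

# 2. Is the exe code-signed? Status is NotSigned, Valid, HashMismatch, UnknownError, ...
$sig = Get-AuthenticodeSignature -FilePath $ExePath
"$ExePath signature status: $($sig.Status)"

# 3. Only once the detection is confirmed as a false positive: exclude the exact folders.
# Every exclusion is a blind spot for the scanner, so keep it to these two paths and remove it later.
Add-MpPreference -ExclusionPath $UsbFolder, $LocalFolder

# 4. Verify that only those two paths are excluded.
(Get-MpPreference).ExclusionPath

# To take the exclusion away again when it is no longer needed:
# Remove-MpPreference -ExclusionPath $UsbFolder, $LocalFolder
```

If step 1 shows no detection at all for the file, the block came from something other than Defender (SmartScreen or a third-party product), and the exclusion in step 3 will not help; if it does show a detection, the threat name is what to quote when submitting the file to the vendor as a false positive.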

Go to the antivirus publisher site. Most of them have a procedure to submit executables to prevent false positives.

1 Like

Good idea, thanks. I’ll try this evening, when I go there.

Also a good idea, thanks.

It’s been a long time (this year) since I checked, but a USB stick lets you avoid the signing etc. buzz when you copy the application onto a Windows 10 (and lower) machine.

Not tested on a Windows 11 machine.

At run time the Windows machine may complain (I forgot) once about an unknown developer, but no more after that.

Copying to a web server and downloading on the target computer is a different matter (and off this topic).

I’d like to kill whoever is responsible in Microsoft for the “Microsoft Word may be malicious.” warnings in Windows.

Even though they’re right, it still is, after 30 years…