OSDev.org https://forum.osdev.org/

PE/COFF executable and antivirus false positives https://forum.osdev.org/viewtopic.php?f=13&t=35328

Author: alexfru [ Sun Oct 13, 2019 1:57 am ]
Post subject: PE/COFF executable and antivirus false positives
Somehow virustotal's minions dislike my compiler's output (sample files, sample "analysis"). I'd like to reduce the likelihood of these false positives, as "maliciousness" of ~37% is a bit too high for an absolutely benign program. If anyone battled a similar problem and can share any useful findings, it would be great. In essence, I'm after a recipe to generate the least suspicious executables. I know my PEs aren't perfect (I know of a few specific minor issues that Windows lets me get away with), but I also know that any sufficiently fast antivirus program is going to be much, much less than perfect, and this is what I'm seeing. For example, adjusting the stack/heap reserved/committed sizes is enough to shut up a few of them, which speaks to the quality of their malware detection. Here's one paper detailing the bizarre inner workings of some of the sa(i)d AVs: Attributes of Malicious Files by Joel Yonts. Any help is appreciated.
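The post above notes that merely changing the stack/heap reserve/commit sizes in the optional header moves the verdict of some scanners. The script below is an added example (not alexfru's compiler, and not any AV's detection logic): it parses the PE32/PE32+ optional header per the Microsoft PE/COFF layout, reports those four fields plus a few neighbouring ones, and flags anything that deviates from what a stock toolchain would emit. The "linker defaults" it compares against are the documented defaults of MSVC's link.exe (/STACK and /HEAP: 1 MiB reserve, 4 KiB commit) and are an assumption about what scanners consider "normal", not a fact from the thread; the sample image it audits is constructed inline and contains only a `ret`.

```python
"""Audit the PE optional-header fields that a heuristic scanner may weigh.

Offsets follow the PE/COFF specification. LINKER_DEFAULTS and the hardening
flag checks are this example's assumptions about what "looks like a normal
toolchain build"; build_minimal_pe() produces a constructed test image.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Documented defaults of MSVC link.exe /STACK and /HEAP (assumption: what
# most scanners see on the bulk of benign Windows binaries).
LINKER_DEFAULTS = {
    "SizeOfStackReserve": 0x100000,  # 1 MiB
    "SizeOfStackCommit": 0x1000,     # 4 KiB
    "SizeOfHeapReserve": 0x100000,   # 1 MiB
    "SizeOfHeapCommit": 0x1000,      # 4 KiB
}
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100  # IMAGE_DLLCHARACTERISTICS_*


def parse_optional_header(data):
    """Return (magic, fields) for the in-memory PE image `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:        # 4-byte size fields, data directories at +96
        size_fmt, dir_off = "<IIII", 96
    elif magic == PE32PLUS_MAGIC:  # 8-byte size fields, data directories at +112
        size_fmt, dir_off = "<QQQQ", 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SizeOfStackReserve..SizeOfHeapCommit start at +72 in both variants.
    fields = dict(zip(LINKER_DEFAULTS, struct.unpack_from(size_fmt, data, opt + 72)))
    fields["Subsystem"], fields["DllCharacteristics"] = struct.unpack_from("<HH", data, opt + 68)
    fields["NumberOfRvaAndSizes"] = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    fields["SizeOfOptionalHeader"] = opt_size
    fields["ExpectedOptionalHeader"] = dir_off + 8 * fields["NumberOfRvaAndSizes"]
    return magic, fields


def audit(data):
    """Return a list of findings; an empty list means nothing deviates."""
    _magic, h = parse_optional_header(data)
    findings = []
    for name, default in LINKER_DEFAULTS.items():
        if h[name] != default:
            findings.append(f"{name}=0x{h[name]:x} (linker default 0x{default:x})")
    if h["SizeOfStackCommit"] > h["SizeOfStackReserve"]:
        findings.append("stack commit exceeds reserve")
    if h["SizeOfHeapCommit"] > h["SizeOfHeapReserve"]:
        findings.append("heap commit exceeds reserve")
    if h["NumberOfRvaAndSizes"] != 16:
        findings.append(f"NumberOfRvaAndSizes={h['NumberOfRvaAndSizes']} (toolchains emit 16)")
    if h["SizeOfOptionalHeader"] != h["ExpectedOptionalHeader"]:
        findings.append(f"SizeOfOptionalHeader={h['SizeOfOptionalHeader']} != {h['ExpectedOptionalHeader']}")
    if not h["DllCharacteristics"] & DLL_DYNAMIC_BASE:
        findings.append("DYNAMIC_BASE (ASLR) flag not set")
    if not h["DllCharacteristics"] & DLL_NX_COMPAT:
        findings.append("NX_COMPAT flag not set")
    return findings


def build_minimal_pe(stack_reserve=0x100000, stack_commit=0x1000,
                     heap_reserve=0x100000, heap_commit=0x1000, pe32plus=False):
    """Constructed test input: a one-section console image whose .text is a single `ret`."""
    if pe32plus:  # Magic..FileAlignment, ImageBase is 8 bytes and there is no BaseOfData
        head = struct.pack("<HBBIIIIIQII", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0,
                           0x1000, 0x1000, 0x140000000, 0x1000, 0x200)
        sizes = struct.pack("<QQQQ", stack_reserve, stack_commit, heap_reserve, heap_commit)
        machine, chars = 0x8664, 0x0002 | 0x0020   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    else:
        head = struct.pack("<HBBIIIIIIIII", PE32_MAGIC, 14, 0, 0x200, 0, 0,
                           0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
        sizes = struct.pack("<IIII", stack_reserve, stack_commit, heap_reserve, heap_commit)
        machine, chars = 0x14C, 0x0002 | 0x0100    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    # OS/image/subsystem versions, Win32VersionValue, SizeOfImage, SizeOfHeaders,
    # CheckSum, Subsystem=CUI, DllCharacteristics=TS_AWARE|NX_COMPAT|DYNAMIC_BASE
    middle = struct.pack("<HHHHHHIIIIHH", 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 3, 0x8140)
    opt = head + middle + sizes + struct.pack("<II", 0, 16) + b"\0" * (16 * 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), chars)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                    # CODE|EXECUTE|READ
    image = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return image + b"\xc3".ljust(0x200, b"\0")


if __name__ == "__main__":
    for label, image in (("linker defaults", build_minimal_pe()),
                         ("odd sizes", build_minimal_pe(stack_reserve=0x2000,
                                                        stack_commit=0x4000, heap_commit=0))):
        print(label, "->", audit(image) or ["nothing unusual"])
```

Run it on a real file with `audit(open(path, "rb").read())`. The point is not that these fields are "malicious", but that a scanner scoring on header statistics will see a home-grown toolchain's unusual values as distance from the benign population; matching the stock values (and the stock optional-header size and directory count) removes that signal without changing program behaviour.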
Author: nullplan [ Sun Oct 13, 2019 10:17 am ]
Post subject: Re: PE/COFF executable and antivirus false positives
Yet another argument against antivirus. I stopped trusting them when one triggered against one of my programs, but did not trigger anymore after turning a condition around. On a RISC architecture, the signature-based way might work, but on x86 you can just forget it. Sorry alexfru, this also means I can't help you. Just wanted to vent a little.