Posted by Javier Guerrero, September 8th, 2010

Sometimes when writing my posts, I get the urge to forget about malware for a while and talk about the other “side”: antivirus software. Specifically, I like to stress the difficulty involved in certain aspects of developing anti-malware products; I think it’s an interesting subject, and one that is not widely understood.

False positives

And so now, I’d like to talk about a problem that affects all malware detection software: false positives… So what are they?

A false positive occurs when an antivirus erroneously identifies a legitimate file or process as malware. This can happen with signature-based scans as well as behavior analysis.

An antivirus identifies malware basically using one of two methods: signature-based scanning or analysis of behavior. In the first instance, the scanner looks for a specific pattern of bytes, which has been previously catalogued as malicious, or at least suspicious, and may correspond to a sequence of malware commands, a univocal value that identifies the file (known as a hash) or other values that may be used for identification. In the case of behavior analysis, actions are detected which, although on their own may not be malicious, when they are correlated with others represent a symptom of malicious activity.

The problem is that neither of these methods is infallible: the hash of a file is useless, for example, against polymorphic viruses or exe packers. Moreover, a sequence of instructions classified as suspicious could easily be contained in a legitimate file, as after all, we are talking about executable code. The same thing occurs with behavior analysis: the process that generates an executable file, which later writes a registry entry referring to the executable, could be an intruder inserting a rootkit on the system, but also the installer of a bona fide application.

Fortunately, false positives are not frequent (particularly in relation to the immense amount of files that anti-viruses have to scan) and security companies implement strict quality control to avoid them. The consequences of false positives can be serious: if an antivirus erroneously deletes a file which is vital to the functioning of the computer, the system could be rendered unusable, and this does actually happen, with grave repercussions.

In any event, as I mentioned in the beginning, all developers suffer from this problem, which, I believe, demonstrates how challenging it is to develop an anti-malware product.

About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis, which shows that 11 out of 61 scanners detect a problem:

- TheHacker: Trojan/Agent.am
- SentinelOne (Static ML): static engine - malicious
- Endgame: malicious (high confidence) 20170503
- CrowdStrike Falcon (ML): malicious_confidence_93% (D)
- Rising: Malware.Generic.5!tfe (thunder:5:ujHAaqkyw6C)

Now I can't say that these other scanners are ones that I have heard of before, but still I'm concerned that it is not just AVG giving a false positive. I've submitted the .exe file in question to AVG for their analysis. Hopefully they will back off on whatever it is that they thought they were trying to detect. Is there anything else I can do with PyInstaller to make it so that the .exe launcher that it created won't be considered a Trojan?

I had a similar problem with a pyinstaller exe under Windows. Avira put that file into quarantine since it was considered potentially dangerous (due to heuristics, which means that some segments look typical for a virus, but no virus is actually found). Keep in mind that the exe files you generate yourself are unique (as a consequence, the Avast scanner usually returns a message "you have found a rare file, we are doing a quick test", and delays execution for 15 seconds to perform a more thorough test).
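The post's account of signature-based scanning versus behavior analysis, and the PyInstaller thread's point that every self-built exe is a unique file with no reputation, can be made concrete with a toy scanner. This is an added example, not code from the post, the thread or any antivirus product; the "files", the signature names, the detection names and the event records are all constructed stand-ins:

```python
"""Toy scanner showing why hash, byte-pattern and behavior detection each
trade misses against false positives. Added example; every sample below is
constructed, and the detection names are invented for illustration."""
import hashlib
from typing import List, Optional, Tuple

# "call $+5 ; pop ebx ; sub ebx, imm32": a classic get-PC stub. It is common
# in shellcode, but it is ordinary position-independent code too, so a byte
# signature on it will eventually hit a legitimate file.
GETPC_STUB = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb"

# Constructed stand-ins for executables (bytes, not real PE files).
KNOWN_MALWARE = b"MZ\x90\x00" + GETPC_STUB + b"payload-v1"
# The same malware after a packer / polymorphic mutation: same logic, every
# byte after the header XOR-ed, so both the hash and the stub pattern change.
PACKED_VARIANT = b"MZ\x90\x00" + b"UPX!" + bytes(b ^ 0x5A for b in KNOWN_MALWARE[4:])
# A bona fide installer that happens to carry the same stub bytes.
LEGIT_INSTALLER = b"MZ\x90\x00" + b"setup" + GETPC_STUB + b"hello"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: one exact-file hash and one suspicious byte sequence.
HASH_SIGNATURES = {sha256(KNOWN_MALWARE): "Trojan.Toy.A"}
BYTE_SIGNATURES = {GETPC_STUB: "Heur.GetPC.Stub"}


def scan_hash(data: bytes) -> Optional[str]:
    """Exact-match detection: precise, but defeated by any byte change."""
    return HASH_SIGNATURES.get(sha256(data))


def scan_bytes(data: bytes) -> Optional[str]:
    """Pattern detection: survives recompilation of the payload, but fires on
    any file containing the pattern, legitimate or not."""
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


# Behavior events as (process, action, target) triples, constructed.
Event = Tuple[str, str, str]


def scan_behavior(events: List[Event]) -> Optional[str]:
    """Correlate two individually benign actions: a process writes an .exe and
    later registers that same .exe in an autorun registry key."""
    dropped = {}  # process -> set of lower-cased .exe paths it wrote
    for proc, action, target in events:
        path = target.lower()
        if action == "write_file" and path.endswith(".exe"):
            dropped.setdefault(proc, set()).add(path)
        elif action == "write_registry_run" and path in dropped.get(proc, set()):
            return "Behavior.Autorun.Dropper"
    return None


ROOTKIT_EVENTS: List[Event] = [
    ("dropper.exe", "write_file", r"C:\Windows\Temp\svc.exe"),
    ("dropper.exe", "write_registry_run", r"C:\Windows\Temp\svc.exe"),
]
INSTALLER_EVENTS: List[Event] = [
    ("setup.exe", "write_file", r"C:\Program Files\App\app.exe"),
    ("setup.exe", "write_registry_run", r"C:\Program Files\App\app.exe"),
]


def demo() -> dict:
    """Collect the verdicts that illustrate each weakness described in the post."""
    return {
        "hash_known": scan_hash(KNOWN_MALWARE),        # detected
        "hash_packed": scan_hash(PACKED_VARIANT),      # miss: hash is useless
        "hash_legit": scan_hash(LEGIT_INSTALLER),      # unknown file: no reputation
        "bytes_packed": scan_bytes(PACKED_VARIANT),    # miss: pattern mutated
        "bytes_legit": scan_bytes(LEGIT_INSTALLER),    # false positive
        "behavior_rootkit": scan_behavior(ROOTKIT_EVENTS),
        "behavior_installer": scan_behavior(INSTALLER_EVENTS),  # same verdict
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The three verdict pairs map onto the post's argument: the hash signature catches the catalogued sample and nothing else, the byte signature reaches the legitimate installer as readily as the malware, and the behavior rule cannot tell the rootkit dropper from the installer because the observable actions are identical. `hash_legit` is the PyInstaller situation: a freshly built launcher matches neither a known-bad nor a known-good hash, so the scanner has only heuristics to go on, which is where the heuristic names in the VirusTotal report come from.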