raphael123 Posted July 3, 2023 Share Posted July 3, 2023 Hi I'm making a simple and light executable program, for an old multiplayer game. (as a fan) It is intended for managing the official client game program, such as managing non-official updates/patches, like a mini-launcher. It is intended to be manually installed using a "proposer", where the player could choose if he wants or not to install this mini-launcher. The proposer is getting download to the player os, when joining a specific public dedicated server, which appears in the servers list just like the others. Once the proposer.exe is downloaded, it gets automatically opened using the game engine. I build this file using the Win32 api, C++ and Visual Studio on Windows 11. I don't have any issue with Windows Defender when building and opening the tool. ___________________ But I have a testing laptop running Windows 10, and when I plug a usb key with the proposer.exe in it, the file gets detected and quarantined. Same when I make it getting downloaded when joining the game server. But it seems that this antivirus is not consistent, because when I plug the usb key in the pc where I build the tool, it's not getting detected, I can paste the file on my desktop and open it. But if I wait some time, then I can't paste the file anymore because of the antivirus. And also for example, when I compress this file in a zip on the build pc, if I wait some time and then try to extract this zip, now the antivirus detects it. When I scan it, the antivirus finds no threat, but the one of virustotal does. It gets detect by around 20 antivirus on this website. ___________________ It seems that the time, is a reason about all this. When I build the file, then I directly take a usb key to copy it and then plug in the test laptop, then it doesn't get detected, I can paste it on the Desktop and open it. The files gets detected as a "Trojan:Win32/Wacatac.B!ml" I also got a detection of this name, using .vbs scripts before starting with this Win32 C++, I thought it would help but apparently not. Could you help me please? Is it related about machine learning? I heard about the possibility to ask antivirus providers to whitelist your files, I don't understand well how this works. Quote Link to comment Share on other sites More sharing options...
DramaKing Posted July 3, 2023 Share Posted July 3, 2023 You may be able to report it as a false positive, but you can download the PowerSploit modules and try Find-AVSignature to see where the code being detected as a Trojan is. 1 Quote Link to comment Share on other sites More sharing options...
NoExecute Posted July 4, 2023 Share Posted July 4, 2023 You could try to sign the file, or make a wrapper in autohotkey and "sign" it using AHK compiler directives. Sometimes that works, but it depends.. But, for the most part, loading exe from usb, can be a trigger... /NX 1 Quote Link to comment Share on other sites More sharing options...
raphael123 Posted July 5, 2023 Author Share Posted July 5, 2023 Thank you very much for your replies I think I will keep the signing way for if i do something commercial / official someday I'm very interested about understanding the av signatures though, i found this youtube video that i really enjoy, i'm at the end of it Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.