I don't want my tool to be detected by Windows Defender.

[raphael123]

Hi
I'm making a simple and light executable program, for an old multiplayer game. (as a fan)
It is intended for managing the official client game program, such as managing non-official updates/patches, like a mini-launcher.

It is intended to be manually installed using a "proposer", where the player could choose if he wants or not to install this mini-launcher.
The proposer is getting download to the player os, when joining a specific public dedicated server, which appears in the servers list just like the others.
Once the proposer.exe is downloaded, it gets automatically opened using the game engine.

I build this file using the Win32 api, C++ and Visual Studio on Windows 11.
I don't have any issue with Windows Defender when building and opening the tool.

___________________

But I have a testing laptop running Windows 10, and when I plug a usb key with the proposer.exe in it, the file gets detected and quarantined.
Same when I make it getting downloaded when joining the game server.

But it seems that this antivirus is not consistent, because when I plug the usb key in the pc where I build the tool, it's not getting detected, I can paste the file on my desktop and open it.
But if I wait some time, then I can't paste the file anymore because of the antivirus.

And also for example, when I compress this file in a zip on the build pc, if I wait some time and then try to extract this zip, now the antivirus detects it.
When I scan it, the antivirus finds no threat, but the one of virustotal does. It gets detect by around 20 antivirus on this website.

___________________

It seems that the time, is a reason about all this.
When I build the file, then I directly take a usb key to copy it and then plug in the test laptop, then it doesn't get detected, I can paste it on the Desktop and open it.

The files gets detected as a "Trojan:Win32/Wacatac.B!ml"

I also got a detection of this name, using .vbs scripts before starting with this Win32 C++, I thought it would help but apparently not.

Could you help me please?

 

Is it related about machine learning?

I heard about the possibility to ask antivirus providers to whitelist your files, I don't understand well how this works.

[DramaKing]

You may be able to report it as a false positive, but you can download the PowerSploit modules and try Find-AVSignature to see where the code being detected as a Trojan is. 

[NoExecute]

You could try to sign the file, or make a wrapper in autohotkey and "sign" it using AHK compiler directives. Sometimes that works, but it depends..
But, for the most part, loading exe from usb, can be a trigger...

/NX

[raphael123]

Thank you very much for your replies

I think I will keep the signing way for if i do something commercial / official someday

I'm very interested about understanding the av signatures though, i found this youtube video that i really enjoy, i'm at the end of it