raphael123
Posted July 3, 2023

Hi, I'm making a simple and light executable program for an old multiplayer game (as a fan). It is intended for managing the official game client program, such as managing non-official updates/patches, like a mini-launcher. It is intended to be manually installed using a "proposer", where the player can choose whether or not he wants to install this mini-launcher. The proposer gets downloaded to the player's OS when joining a specific public dedicated server, which appears in the server list just like the others. Once proposer.exe is downloaded, it gets automatically opened using the game engine. I build this file using the Win32 API, C++ and Visual Studio on Windows 11. I don't have any issue with Windows Defender when building and opening the tool.

___________________

But I have a testing laptop running Windows 10, and when I plug in a USB key with proposer.exe on it, the file gets detected and quarantined. The same happens when I have it downloaded on joining the game server. But it seems that this antivirus is not consistent, because when I plug the USB key into the PC where I build the tool, it's not getting detected; I can paste the file on my desktop and open it. But if I wait some time, then I can't paste the file anymore because of the antivirus. And also, for example, when I compress this file into a zip on the build PC, if I wait some time and then try to extract this zip, now the antivirus detects it. When I scan it, the antivirus finds no threat, but the one on VirusTotal does. It gets detected by around 20 antiviruses on this website.

___________________

It seems that time is a reason for all this. When I build the file, then directly take a USB key to copy it and plug it into the test laptop, it doesn't get detected; I can paste it on the Desktop and open it.

The file gets detected as a "Trojan:Win32/Wacatac.B!ml". I also got a detection of this name using .vbs scripts before starting with this Win32 C++; I thought it would help, but apparently not. Could you help me please? Is it related to machine learning? I heard about the possibility of asking antivirus providers to whitelist your files; I don't understand well how this works.

DramaKing
Posted July 3, 2023

You may be able to report it as a false positive, but you can download the PowerSploit modules and try Find-AVSignature to see where the code being detected as a Trojan is.

NoExecute
Posted July 4, 2023

You could try to sign the file, or make a wrapper in AutoHotkey and "sign" it using AHK compiler directives. Sometimes that works, but it depends. But, for the most part, loading an exe from USB can be a trigger...

/NX

raphael123 (Author)
Posted July 5, 2023

Thank you very much for your replies. I think I will keep the signing way for if I do something commercial / official someday. I'm very interested in understanding the AV signatures though; I found this YouTube video that I really enjoy, I'm at the end of it.