Anti-Virus Detection on a legitimate program

2.9k views Asked by At

Basically, my program runs along side another jar file. Here is the code for the download function:

public void saveUrl(final String filename, final String urlString) throws MalformedURLException, IOException {
    BufferedInputStream in = null;
    FileOutputStream fout = null;
    try {
        in = new BufferedInputStream(new URL(urlString).openStream());
        fout = new FileOutputStream(filename);

        final byte data[] = new byte[1024];
        int count;
        while ((count = in.read(data, 0, 1024)) != -1) {
            fout.write(data, 0, count);
        }

    } catch (Exception e) {
        return;
    } finally {
        if (in != null) {
            in.close();
        }
        if (fout != null) {
            fout.close();
        }
    }
}

And the to start the new process

public void runUpdate() throws IOException{
    String folder = fileLocation;
    ProcessBuilder p = new ProcessBuilder();
    p.command(folder);
    p.start();
}

However, even with user prompts and having to approve the download, when I tested it outside of the eclipse environment, my anti-virus picked it up right away.

It was detected as a "trojan.downloader". I'm thinking it has something to do with the download function? I'm not really trying to beat an anti-virus program. I'm not attempting to do any illegitimate.

Perhaps some obfuscation would do the trick?

5

There are 5 answers

6
Alan On BEST ANSWER

The bytecode generated by your compiler matches some specific code pattern/signature the AV is looking for, meaning some malware they had found/reversed in the past had code similar to this that they could reliably find.

The best option would be to identify and rewrite whichever method is triggering the detection until it no longer matches whatever the AV is looking for, obfuscation would not be a good idea (but can be done, if the obfuscator does control flow obfuscation) for fixing this problem as there's no guarantee it would produce bytecode different enough from the original (some obfuscators, like ProGuard, also do not even do control flow obfuscation).

0
Jayan On

Anti-Virus vendors look for patterns in bits; if anything matches with known ones in database, they will flag it as bad. Ofcourse this has created problems to developers/companies (small/big)

Some vendors have an automated mechanism to flag "false-detection". Please use appropriate channel to report such cases.

For starters, here are some.symantec or avg

For some you have to contact the vendor by other means:For example http://www.avast.com/contact-form.php?subject=VIRUS-FILE

VirusTotal is working on an easier way to flag -Not yet in production, I guess

In any case options mentioned in other answers does not work always. We created updated executables with newer compiler and recent APIs. Also tried with signing the executable. All these improves the chance of program being a good one for "anti-virus" program. However, most appropriate way is to check with the vendor. Th

2
Thomas Weller On

You can try to sign your JAR with a code signing certificate, e.g. from Digicert.

This adds your company name to the JAR in a trusted way and thus could also be trusted by the Antivirus program. However, there's no guarantee that every Antivirus program will do so.

Note that there is also some impact of doing so:

  • CRL (certificate revocation list) checks might be done. This will download data from the Internet. In case the PC has a physical network connection (local) but no Internet connection, this may run into a significant timeout.
  • You need to become familiar with timestamping, otherwise the signature becomes invalid when the certificate expires.
1
Ben On

I'm going to add this as an answer. Having your program legitimately signed will fix this issue for you. You can also fake a signature, but anti-viruses such as ESET will pick this up pretty much instantly.

The best work around for this is honestly just try to cheat the anti-virus. Change all of your string names... Add a bunch of fake strings that do nothing such as

int asdgsal = 1 + 2; 

And also add a few looping method calls that do pretty much nothing.

Works for me. It's sketchy and can be abused by people trying to do actual harm, but it works.

Also, don't download to temp or appdata. Throw it in %userprofile% or my documents and you will be fine.

0
simple On

I think that you can use many files to test, find out whether all files can't be download. If all files return same. I think that the reason is your code. Then you can refer to other person's code.