Windows Defender false positives

Hello,

Our company produces software protection solutions. One of our technologies protects *.exe and *.dll files by encrypting (obfuscating) the program code. Such solutions are called "packers". The problem is: Windows Defender on Windows 10 (Embedded, Home etc.) marks the protected software as a virus (Trojan). And of course there is no malware inside the application. So how is it possible to avoid false positives? We already use the IEEE software taggant system but, as I see, it does not work with Windows Defender.
May 4, 2018: I won't participate anymore in MC. Enough is enough.

3 people were helped by this reply


You've perfectly described the behavior within your product that will never truly harmonize with the way that Windows Defender and the other Microsoft security products within Windows operate to protect their customers.

Though your product is using this encryption and obfuscation via packers in an attempt to protect the executable code from malware, there's simply no way that the behavioral and other security product detection modules can know this, so it will of course be treated exactly like any unknown, potentially malicious piece of software.

The additional problem is that virtually all software that obfuscates or uses otherwise questionable practices for whatever possibly valid reason, has later been abused by malware purveyors in an attempt to circumvent the Microsoft and other security product detection systems. This is part of the reason that Microsoft indicates in its resources for developers, Software Developers FAQ, that they don't accept files for a known list (e.g. whitelist) or false-positive prevention program.

If you think logically about this situation, you quickly realize that it's not possible for Microsoft to scale the operation of a whitelist for the large numbers of individual software applications that are created in order to remain vigilant against the much larger numbers of individual malware now created daily. The automation of this malware creation and packaging means that such a whitelist would quickly become unmanageable no matter how efficient the system operating it might seem initially.

So the only system that truly makes sense is something like the Authenticode certificate based system that Microsoft has already had in place for more than a decade, since this allows the signing and so identification and integrity validation of the executable code itself, as well as the application's developer in the case of an Extended Validation certificate.

Creating any alternative system which subverts this Authenticode system in any way is simply asking for a false-positive detection.

Please note that I'm not an official Microsoft representative. I'm simply a consumer user of their products with a security background who's been involved in the use and online support of these products since their initial beta and release phases in the mid-2000's. I just try and explain to developers my own understanding when I see such questions, since that's about the best response they're likely to receive from Microsoft itself, albeit with a typically longer delay.

Rob

4 people were helped by this reply
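The practical point behind the Authenticode argument above is build order: a packer rewrites the PE image, so a signature applied before packing ends up as HashMismatch, and the packed file is the one that must be signed. The following PowerShell is an added example for this thread, not code from the poster's product or from Microsoft. The packer command line (`$PackerExe`, taking an input and an output path) and all file paths are assumptions; substitute your own. The self-signed certificate is for a lab run only and will not be trusted on any other machine.

```powershell
# Added example: pack first, sign second, then verify both files.
# Assumes: a packer CLI taking '<in> <out>' (hypothetical), a code-signing cert in
# Cert:\CurrentUser\My, and Windows 10 PowerShell with the built-in PKI cmdlets.

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        Message = $sig.StatusMessage
    }
}

function Invoke-PackAndSign {
    param(
        [Parameter(Mandatory)][string]$Unpacked,   # assumed: linker output, unsigned
        [Parameter(Mandatory)][string]$Packed,     # assumed: packer output, the file you ship
        [Parameter(Mandatory)][string]$PackerExe,  # hypothetical packer CLI: <in> <out>
        [string]$Timestamp = 'http://timestamp.digicert.com'  # any RFC 3161 TSA you trust
    )

    # 1. Pack the unsigned build. Anything signed before this step would be rewritten
    #    and report HashMismatch, which is exactly what a scanner treats as tampering.
    & $PackerExe $Unpacked $Packed
    if ($LASTEXITCODE -ne 0) { throw "packer failed with exit code $LASTEXITCODE" }

    # 2. Sign the packed output with a SHA-256 digest and an RFC 3161 timestamp, so the
    #    signature stays valid after the certificate expires. For production use a
    #    CA-issued certificate (ideally EV, on a hardware token), never the lab cert below.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'no code-signing certificate found in Cert:\CurrentUser\My' }

    $result = Set-AuthenticodeSignature -FilePath $Packed -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $Timestamp
    if ($result.Status -ne 'Valid') { throw "signing failed: $($result.StatusMessage)" }

    # 3. Emit both summaries so the build log shows unsigned input vs. signed output.
    Get-SignatureSummary $Unpacked
    Get-SignatureSummary $Packed
}

# Lab only: a self-signed code-signing cert so the script runs end to end on one machine.
function New-LabCodeSigningCert {
    New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Packer Test' `
        -CertStoreLocation Cert:\CurrentUser\My -HashAlgorithm SHA256
}

# Usage (paths are assumptions):
# New-LabCodeSigningCert | Out-Null
# Invoke-PackAndSign -Unpacked .\build\app.exe -Packed .\build\app.packed.exe -PackerExe .\tools\packer.exe
```

If the packer has a post-processing or "fixup" stage that touches the output after signing, the second summary will come back as HashMismatch; that is the check to put in CI before a release leaves the build server.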


It seems like the thing to do, then, would be to add your applications to the Windows Defender exclusion list.

https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-defender-antivirus

1 person was helped by this reply
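The exclusion route, for completeness, as an added example that is not part of the original post. It uses the Defender cmdlets that ship with Windows 10 (Add-MpPreference, Get-MpPreference, Remove-MpPreference, Get-MpThreatDetection), needs an elevated PowerShell, and only ever affects the machine it runs on: a vendor cannot ship it inside an installer to make its product trusted. The file path is an assumption; substitute your own.

```powershell
# Added example: add a narrow, per-file Defender exclusion and check for detections.
# Requires an elevated PowerShell on Windows 10 (Defender module is built in).
# Paths below are assumptions.

function Test-PathExcluded {
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    $exclusions = (Get-MpPreference).ExclusionPath
    if (-not $exclusions) { return $false }
    foreach ($e in $exclusions) {
        # A directory exclusion covers everything beneath it; a file exclusion only itself.
        $prefix = $e.TrimEnd('\') + '\'
        if ($full -eq $e -or $full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Add-NarrowExclusion {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-PathExcluded $Path) { Write-Verbose "already excluded: $Path"; return }
    # Exclude the single file, not its folder: a folder exclusion is a blind spot that
    # anything dropped there later (by an attacker or by an update) inherits for free.
    Add-MpPreference -ExclusionPath $Path
}

function Get-DetectionsFor {
    param([Parameter(Mandatory)][string]$Path)
    # Each detection record carries a Resources list of 'file:_C:\...' strings.
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($Path) } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess
}

# Usage (paths assumed):
# $app = 'C:\Program Files\ExampleVendor\app.packed.exe'
# Add-NarrowExclusion $app
# Test-PathExcluded  $app                       # True once the exclusion is in place
# Get-DetectionsFor  $app                       # history of what Defender did to it
# Remove-MpPreference -ExclusionPath $app       # undo when the test is finished
```

An exclusion silences the real-time scan for that path, so keep a record of every one you add and remove them when they are no longer needed; each one is a gap an attacker who lands on the box can reuse.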


Read the OP carefully Michael and you'll see that the problem isn't with the developer's own application, but rather with the (potentially many) individual *.exe and *.dll files that their app is being used to obfuscate.

That's where the true problem is occurring, since at that point every single one of these obfuscated executable files looks suspicious to Windows Defender, since once it's been encrypted there's simply no way for Defender to know whether it's an otherwise well known executable from a major vendor or possible malware.

That's why obfuscation as a security practice can simply never work, since it subverts the very certificate based identity and integrity validation system that Microsoft put in place with Authenticode in the first place.

In other words, it's not possible to get there from here, so the entire idea of obfuscation is flawed from the beginning and simply can't be successfully used with any Microsoft security product or in fact many 3rd-party security applications that use this now standardized certificate based Authenticode system as well.

So the entire request is nonsensical and unable to be accomplished in any reasonable manner.

Rob

4 people were helped by this reply

Question Info

Last updated August 13, 2020