
Causes False Positive Windows 10

Open Merith-TK opened this issue 3 years ago • 7 comments

This is the program built with dlgs "error" and "warning" pop-ups: https://www.virustotal.com/gui/file/c6ecfb6dcf7b610f1ead08e38c17797be28486ef4c77b3293d02ed71b374bdd2/behavior/VirusTotal%20Sysmon (detected by 7 engines)

and writes to C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll and HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\A70D59A1-8EAD-4F40-AAAB-FBFC460800A4\FriendlyName

This is the same code, built in the same way, just without dlgs: https://www.virustotal.com/gui/file/9cb0cb053f58b92ad71eb50e531b802ddd01d5eb6164a391ea982b6325b328b3/behavior/VirusTotal%20Sysmon (detected by 5 engines), and it proceeds to function as intended.

Merith-TK avatar Nov 18 '20 20:11 Merith-TK

Found out something else is triggering it, for no reason. The source code: https://git.merith.tk/merith-tk/minecraft.portable

Merith-TK avatar Nov 18 '20 21:11 Merith-TK

Okay, so for context: I found out that using rcedit causes the trojan to pop up as well. With dlgs disabled, I used rsrc to make a syso file for the program's icon; it was not detected. Built with dlgs, it was detected. With DLGS: https://www.virustotal.com/gui/file/c8a1b5ef3a67dd646a2818eb8e14194dd8143633345887e1064c1a4050c8d161/detection

Without DLGS: https://www.virustotal.com/gui/file/95e19eacd3ea4224ec9b1c18ce6088d79bf304b4e2133ee35163353ccf6e1467/detection

Merith-TK avatar Nov 19 '20 02:11 Merith-TK

Hi, is your antivirus Jiangmin or Microsoft? I am writing a tool with this library, but possibly compiling with another version of Go (1.12 in my case). When I compile a tool that has a false positive, I usually try to compile it with other versions of Go; it usually resolves it. Just a tip.

My tool: https://www.virustotal.com/gui/file/eb68f67e752b4b48ddc47cd3c5e4f1c3068d8d040e6443c5093499336a74879f/detection

pedroalbanese avatar May 19 '21 18:05 pedroalbanese

Windows Defender on Windows 10. Defender sees the compiled binary and promptly deletes it because of how serious it thinks the malware is.

Merith-TK avatar May 19 '21 19:05 Merith-TK

The same is true with my antivirus; I use Jiangmin / Kasper. This is quite common. So I have three directories with three different versions of Go (and, respectively, three binaries in the bin folder). When this happens with some compilation, just rename the folders and compile with another version of Go; it always works. Test a later version or an earlier version. On Windows, programs written in Go always result in false positives with one antivirus or another; one of them always does.

I have a few alternatives to prevent, or at least reduce, the incidence of false positives: adding version information, digitally signing it with SignTool, or even adding an icon to the binary.

VersionInfo: https://github.com/josephspurrier/goversioninfo

To avoid false positives (VirusTotal): look for SignTool and SignGUI (the GUI needs the CLI). It just needs a PFX file, which you generate with OpenSSL. If you have any doubts, I am available.

pedroalbanese avatar May 19 '21 20:05 pedroalbanese

My tool also results in false positives in several antivirus brands (especially mine and yours). Today I did some tests.

Very simple: https://github.com/pedroalbanese/dialogbox

When I compile with version 1.11.13, I get the following result (even adding version information): https://www.virustotal.com/gui/file/bf876f1e29718f30ae3b4d5faed67d2b43a0224767976b1c946639cf8adffaae/detection

When I sign digitally with SignTool, I get this result (it just conflicts with Jiangmin): https://www.virustotal.com/gui/file/71120cc575d97185711691eb3a9f5057a3a782192ac9baf2941b96e603e132ca/detection

However, when I switch to version 1.15.3, just adding version information (a lot of AVs flag it): https://www.virustotal.com/gui/file/d5c058bd567cccacbb02a46072bf552565f328a8fe450a6d27891e5537982f15/detection

But if I digitally sign the binary (it reduces drastically): https://www.virustotal.com/gui/file/42bd67f5f7a1623798839782e4e8c55816c7f94e5352e400718d6e8304cf1449/detection

I believe it is the only way to "circumvent" false positives.

So I believe that it is not enough to just add the version info, but it is essential. VersionInfo: https://github.com/josephspurrier/goversioninfo

SignTool: http://ybshare.com/download/pnupgf5esw

To generate a PFX file you need a private DSA key and the certificate in .crt format.

(Updated)

# 1. DSA parameters, then the private key derived from them
openssl dsaparam -out params.pem 1024
openssl gendsa -out privDSA.pem params.pem
# 2. Self-signed certificate for that key (-config only if your OpenSSL has no default openssl.cnf)
openssl req -sha1 -x509 -new -days 3651 -key privDSA.pem -out certDSA.crt [-config openssl.cnf]

then:

# 3. Bundle key + certificate into the PFX (PKCS#12) that SignTool consumes; you are prompted for an export password
openssl pkcs12 -export -inkey privDSA.pem -in certDSA.crt -out CertDSA.pfx

The more information you add to the certificate, the less the antivirus will detect it as a virus. Try not to use a URL or add a website in the SignGUI tool (this usually confuses the mechanisms).

pedroalbanese avatar May 20 '21 17:05 pedroalbanese
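A checker for the signing step described in the comment above, added here as an example; it is not code from this thread, from dlgs, or from the SignTool/goversioninfo projects. It uses Go's standard debug/pe package to read the Authenticode certificate table (data directory entry 4) of a PE file, which is the thing VirusTotal and Defender consult when they credit a binary with a signature, and flags a table that is missing, truncated, or not of the PKCS#7 SignedData type. To run offline it also constructs a header-only PE32+ image; the payload bytes in that sample are an assumed placeholder, not a real PKCS#7 blob, and the checker establishes presence and placement only, not signature validity.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// IMAGE_DIRECTORY_ENTRY_SECURITY: index of the Certificate Table. Unlike every
// other data directory, its VirtualAddress is a raw file offset, not an RVA,
// because the table is never mapped into memory.
const dirEntrySecurity = 4

// WIN_CERTIFICATE.wCertificateType for an Authenticode PKCS#7 SignedData blob.
const winCertTypePKCSSignedData = 0x0002

// SignatureInfo reports presence and placement of the embedded Authenticode
// blob. It does not verify the PKCS#7 signature or the certificate chain.
type SignatureInfo struct {
	Signed     bool   // a PKCS#7 SignedData entry is present
	FileOffset uint32 // file offset of the WIN_CERTIFICATE header
	Size       uint32 // certificate table size from the data directory
	CertType   uint16 // WIN_CERTIFICATE.wCertificateType
}

// InspectAuthenticode parses a PE image and checks its certificate table.
// Truncated or inconsistent tables are errors, not "unsigned".
func InspectAuthenticode(image []byte) (SignatureInfo, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return SignatureInfo{}, fmt.Errorf("not a valid PE image: %w", err)
	}
	defer f.Close()
	var dd pe.DataDirectory
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		dd = oh.DataDirectory[dirEntrySecurity]
	case *pe.OptionalHeader64:
		dd = oh.DataDirectory[dirEntrySecurity]
	default:
		return SignatureInfo{}, errors.New("no optional header: object file, not an image")
	}
	if dd.VirtualAddress == 0 || dd.Size == 0 {
		return SignatureInfo{}, nil // no certificate table: unsigned
	}
	end := uint64(dd.VirtualAddress) + uint64(dd.Size)
	if dd.Size < 8 || end > uint64(len(image)) {
		return SignatureInfo{}, fmt.Errorf("certificate table (offset %#x, size %#x) truncated or out of bounds", dd.VirtualAddress, dd.Size)
	}
	// WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate(...)
	blob := image[dd.VirtualAddress:end]
	length := binary.LittleEndian.Uint32(blob[0:4])
	certType := binary.LittleEndian.Uint16(blob[6:8])
	if length < 8 || length > dd.Size {
		return SignatureInfo{}, fmt.Errorf("WIN_CERTIFICATE dwLength %#x inconsistent with table size %#x", length, dd.Size)
	}
	return SignatureInfo{Signed: certType == winCertTypePKCSSignedData, FileOffset: dd.VirtualAddress, Size: dd.Size, CertType: certType}, nil
}

// BuildSamplePE returns a constructed, header-only PE32+ image for offline
// testing. With signed=true a WIN_CERTIFICATE header with placeholder payload
// bytes (assumed stand-in, NOT a real PKCS#7 signature) is appended and the
// security directory points at it, the same layout SignTool produces.
func BuildSamplePE(signed bool) []byte {
	const peOffset = 64 // e_lfanew: PE signature right after the DOS header
	var buf bytes.Buffer
	dos := make([]byte, peOffset)
	copy(dos, "MZ")
	binary.LittleEndian.PutUint32(dos[0x3c:], peOffset)
	buf.Write(dos)
	buf.WriteString("PE\x00\x00")
	oh := pe.OptionalHeader64{
		Magic: 0x20b, ImageBase: 0x140000000, SectionAlignment: 0x1000, FileAlignment: 0x200,
		Subsystem: 3, NumberOfRvaAndSizes: 16, // PE32+, IMAGE_SUBSYSTEM_WINDOWS_CUI
	}
	headerSize := uint32(peOffset + 4 + binary.Size(pe.FileHeader{}) + binary.Size(oh)) // 64+4+20+240
	oh.SizeOfHeaders = headerSize
	var cert []byte
	if signed {
		payload := []byte("constructed placeholder, not PKCS#7")
		size := (8 + len(payload) + 7) &^ 7 // certificate entries are 8-byte aligned
		cert = make([]byte, size)
		binary.LittleEndian.PutUint32(cert[0:], uint32(size)) // dwLength
		binary.LittleEndian.PutUint16(cert[4:], 0x0200)       // WIN_CERT_REVISION_2_0
		binary.LittleEndian.PutUint16(cert[6:], winCertTypePKCSSignedData)
		copy(cert[8:], payload)
		oh.DataDirectory[dirEntrySecurity] = pe.DataDirectory{VirtualAddress: headerSize, Size: uint32(size)}
	}
	fh := pe.FileHeader{
		Machine:              pe.IMAGE_FILE_MACHINE_AMD64,
		SizeOfOptionalHeader: uint16(binary.Size(oh)),
		Characteristics:      0x0002 | 0x0020, // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	}
	binary.Write(&buf, binary.LittleEndian, fh) // fixed-size structs, little-endian, as on disk
	binary.Write(&buf, binary.LittleEndian, oh)
	buf.Write(cert)
	return buf.Bytes()
}

func main() {
	for _, path := range os.Args[1:] { // usage: go run . signed.exe unsigned.exe ...
		data, err := os.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		info, err := InspectAuthenticode(data)
		fmt.Printf("%s: %+v err=%v\n", path, info, err)
	}
}
```

Run it against the .exe before and after SignTool to confirm the certificate table actually landed; a build step that silently skipped signing looks identical to a signed one on the filesystem. Because the table sits outside every section and is excluded from the PE checksum, rcedit-style resource edits applied after signing leave the table in place but invalidate the signature, so apply version info and icons before signing, as the comments above do.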

I was having trouble finding a version that would not conflict with my antivirus. After downloading about three different versions, I only managed it with version 1.12.1 of Go.

This is the result of the compilation with only version info: https://www.virustotal.com/gui/file/bf98fad0584be2bf2cb96834a8b5550c2e09fece0d776bcfcc57d2c6d65f3deb/detection

And this is the result after binary authentication (digital signature) through the steps that I have described: https://www.virustotal.com/gui/file/47aaf67ce4e13afee046b099d5953b34eb469efbcabd99037dec93c90bf6497d/detection

I needed it to be a version that still runs on Windows XP, i.e. 1.12 or lower. But you will have several possibilities: each version will result in different false positives from different brands of antivirus (Wacatac & Wacapew for M$). Try to do all the steps in all possible versions. One will have no or almost no false positives (only for unknown brands).

pedroalbanese avatar May 21 '21 23:05 pedroalbanese