
Norton & Windows Defender detect the generated exe as infected by Heur.AdvML.B virus.

Open • coralexa opened this issue 2 years ago • 1 comment

Hi, I'm generating a Windows application that must be deployed in Production. Once I try to obfuscate with ConfuserEx the executable is quarantined by Norton as a high risk threat.

These are my steps:

OS: Windows Server 2022 Standard. Microsoft Visual Studio Enterprise 2019 Version 16.11.26

Downloaded the version "1.7.0-alpha.{height}". Cleaned and recompiled the solution, Configuration: Release Any CPU.

My C# project targets the Frame Network 4.6.2. Recompiled, Configuration: Release Any CPU.

Started from an elevated Command: ...ConfuserEx\bin\Release\net462\ConfuserEx.exe

Loaded the project P123.crproj and hit the Protect button.

The second the confused exe is generated, Norton pops up signaling the threat.

Notes:

  1. The confused executable is properly generated if I disable Norton. And it works the same way as the original exe.
  2. I've exposed the confused file to VirusTotal (https://www.virustotal.com/). Their findings are also included.

Thank you kindly for any ideas!

[Attached screenshots: ConfuserProject, ConfuserEx2Protect, Heur AdvML B, VirusTotal1, VirusTotal2]

coralexa, Aug 01 '23 19:08

Some of the protections cause issues like this. The reason is that actual malware developers use ConfuserEx every now and then. The following issue contains extensive information on what protections may cause false positives: https://github.com/mkaring/ConfuserEx/issues/64#issuecomment-515240311

mkaring, Aug 02 '23 09:08