False positives; how to reduce chances of your programs being flagged by antivirus software?

datwill310
Posts: 355
Joined: May 29, 2015 20:37

False positives; how to reduce chances of your programs being flagged by antivirus software?

Post by datwill310 »

Hi all,

I have, as well as a lot of you guys probably, come across 'false positives': either in general day-to-day usage of your computer (i.e. downloading something which you're pretty darn certain is safe [haven't we all thought that ;D]), when sharing and receiving others' code (be they "finished" products or not, in a team or to a community such as FreeBASIC's), or in any other applicable situation.

False positives are annoying and confusing, we can't deny it. But we also can't deny that these security results come from valid checks which we should rely on to some extent.
They are merely a minor inconvenience if you are part of a development team and sharing code, esp. if the colleagues you are sharing with understand false positives.
But they become an undeniable hurdle for general users, who wish to run your code, but can't because Norton thinks it's a virus (or any other security program for that matter ;), but it does vary between programs). I remember when I first came across these blighters, and I did freak out and wasn't impressed with the so-called "working" program of somebody's!
I have recently experienced yet ANOTHER instance of such a false positive in the sharing of a development version of the game I am working on right now. I can't help but wonder that I would lose potential users of the game (when it comes out ;]) because of a misinterpretation of my code (or the absence of a few signatures to validate such code!) made by security programs, and I would not like to scare users because of this.

Once we get an initial version up and running, I would like to be able to validate my code in some way as to make sure it is interpreted correctly: i.e. not a virus, or to reduce the chances of such false positives occurring for potential users.

1. I have heard that application files have certain signatures which provide security programs enlightenment about if such an app is secure or not. If this is true, how would I be able to write or obtain such signatures, and is it worth the trouble?
2. I have also come across programmers having to contact the companies behind the security programs and report false positives to them. Would I have to somehow validate the game with EACH AND EVERY major company, or can I evade this if it is true?
3. Also seen security certificates? Especially in Windows. Are these the signatures I am referring to in 1., or are these entirely different?

And yes, most of the time I do an initial Google search, and when I post here with questions such as these, that search is often to no or little avail.

Any help to do with false positives is welcome. Thanks for reading.
Last edited by datwill310 on May 04, 2017 14:11, edited 1 time in total.
badidea
Posts: 2586
Joined: May 24, 2007 22:10
Location: The Netherlands

Re: False positives; how to reduce chances of them occurring for your programs?

Post by badidea »

Use Linux :-p
sean_vn
Posts: 283
Joined: Aug 06, 2012 8:26

Re: False positives; how to reduce chances of them occurring for your programs?

Post by sean_vn »

Someone once redefined true and false in third-party software. I had a very enjoyable time trying to figure out what was "wrong" with my code as a result.
dodicat
Posts: 7976
Joined: Jan 10, 2006 20:30
Location: Scotland

Re: False positives; how to reduce chances of them occurring for your programs?

Post by dodicat »

I suppose changing a Windows file to bypass all securities would be a boon for game creators and malevolent game creators alike.

As a first tentative step towards becoming a great big cheat, change your final game.exe to game.ex.
Create a batch file in the same folder:

 rename game.ex game.exe
game.exe
or if even a batch file is too dodgy, then another FreeBASIC .exe in the same folder from

shell "rename game.ex game.exe"
shell "game.exe" 
If this fools Microsoft, then I will change to Linux -- defin ite ly.
marcov
Posts: 3455
Joined: Jun 16, 2005 9:45
Location: Netherlands

Re: False positives; how to reduce chances of them occurring for your programs?

Post by marcov »

datwill310 wrote: 1. I have heard that application files have certain signatures which provide security programs enlightenment about if such an app is secure or not. If this is true, how would I be able to write or obtain such signatures, and is it worth the trouble?

It is said that some antiviruses rate exes that are signed with a certificate higher, even if it is only a self-made certificate (self-signed). The rumour was specifically about AVG. But it is only a weight, and not a very strong one. Moreover the rumour is several years old, so might already not reflect current practices anymore.

datwill310 wrote: 2. I have also come across programmers having to contact the companies behind the security programs and report false positives to them. Would I have to somehow validate the game with EACH AND EVERY major company, or can I evade this if it is true?

Not really. The generic detections often just ban a feature and then use the feedback to tweak the ban somewhat.

The only solution is to use tools and libraries that are relatively known so that somebody might report it in for you. The more niche the tool, the more you will have to do this.

Note that the main problem source is the generic/heuristic/behaviour detection (as opposed to the core signature scan). Many corporate antiviruses limit this because there false positives often cost money (as in users can't do their job wasting time, OR waste support staff time).

Antivirus firms like a certain amount of false positives simply because that gives the user a warm fuzzy feeling that he is "protected" and his/her money is well spent, even if that is based on nothing.

datwill310 wrote: 3. Also seen security certificates? Especially in Windows. Are these the signatures I am referring to in 1., or are these entirely different?

Yes, with the note that that rumour also applied to self-signed (iow not bought) certificates.

datwill310 wrote: And yes, most of the time I do an initial Google search, and when I post here with questions such as these, that search is often to no or little avail.

That is because there is no solution except hoping that most larger business users have corporate version antiviruses with only signature scan enabled, or at the very least a severely toned down generic detection.

If I get a report from a user and it has "GEN" or "HEUR" or something else in the definition that flags it as a heuristic detection, I don't even bother looking further and I just mail him a FAQ.

If I need to get a bit more cooperation, I point him to sites that check an exe with umpteen antiviruses, and tell him that the majority will probably be right.
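
Added example, not part of marcov's post or of anyone's code in this thread: a small triage script for the output of a multi-engine scanning site, separating heuristic/generic detections (the "GEN" and "HEUR" markers mentioned above) from specific signature hits and checking whether the clean engines are the majority. The report layout, engine names and detection names are constructed for illustration.

```python
import re

# "GEN" and "HEUR" are the markers named in the post above. Vendors spell
# heuristic labels in other ways too, so extending this tuple is an assumption
# you make per engine.
HEURISTIC_MARKERS = ("GEN", "HEUR")

def is_heuristic(detection_name):
    """True if a token of the name starts with a heuristic/generic marker."""
    # Split on punctuation so "Agent" does not match "GEN" mid-word.
    tokens = re.split(r"[^A-Za-z0-9]+", detection_name.upper())
    return any(tok.startswith(HEURISTIC_MARKERS) for tok in tokens)

def triage(report):
    """Summarise a multi-engine report: {engine name: detection name or None}."""
    flagged = {eng: name for eng, name in report.items() if name}
    heuristic = sorted(e for e, n in flagged.items() if is_heuristic(n))
    specific = sorted(e for e in flagged if e not in heuristic)
    clean = len(report) - len(flagged)
    if not flagged:
        verdict = "clean"
    elif not specific and clean > len(flagged):
        verdict = "likely false positive"   # heuristic-only minority
    else:
        verdict = "investigate"             # specific hit or no clean majority
    return {"clean": clean, "heuristic": heuristic,
            "specific": specific, "verdict": verdict}

# Constructed sample report; engine and detection names are made up.
SAMPLE_REPORT = {
    "EngineA": None,
    "EngineB": None,
    "EngineC": "HEUR:Trojan.Win32.Generic",
    "EngineD": None,
    "EngineE": "Gen:Variant.Example.1",
    "EngineF": None,
}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for engine in result["heuristic"]:
        print(f"{engine}: heuristic detection, report the file to this vendor")
    print(result)
```
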
datwill310
Posts: 355
Joined: May 29, 2015 20:37

Re: False positives; how to reduce chances of them occurring for your programs?

Post by datwill310 »

marcov wrote: That is because there is no solution except hoping that most larger business users have corporate version antiviruses with only signature scan enabled, or at the very least a severely toned down generic detection.

If I get a report from a user and it has "GEN" or "HEUR" or something else in the definition that flags it as a heuristic detection, I don't even bother looking further and I just mail him a FAQ.

If I need to get a bit more cooperation, I point him to sites that check an exe with umpteen antiviruses, and tell him that the majority will probably be right.
Thanks for the replies everybody!

So from what I can see, I can't really ensure that my program is secure with the anti-virus programs.

I like the idea of sites which scan a file and report if it's secure or not! Maybe I could use that to my advantage in ensuring that my game is secure in respect to malicious content.
I think I've come across one before? The file is scanned with anti-virus databases or is scanned some other way, and each anti-virus system reports on what it finds.
This is definitely a solution worth considering!
datwill310
Posts: 355
Joined: May 29, 2015 20:37

Re: False positives; how to reduce chances of them occurring for your programs?

Post by datwill310 »

badidea wrote: Use Linux :-p
As a developer, it would not be practical to use Linux alone. And anyways, I've already got >100K code to try and ensure works on an entirely different platform (if I do use Linux instead), so I would not use Linux :P
datwill310
Posts: 355
Joined: May 29, 2015 20:37

Re: False positives; how to reduce chances of them occurring for your programs?

Post by datwill310 »

sean_vn wrote: Someone once redefined true and false in third-party software. I had a very enjoyable time trying to figure out what was "wrong" with my code as a result.
xD ouch!

There's a better prank you can pull though! If a language which ends statements with ;s is used, you can replace all the ;s with Greek question marks.

That was a good one I learnt from... Browsing... ;D
caseih
Posts: 2157
Joined: Feb 26, 2007 5:32

Re: False positives; how to reduce chances of them occurring for your programs?

Post by caseih »

Can the original poster change the subject of this topic to include "antivirus" in the title? His post is very confusing until you figure out that he's talking about being flagged by antivirus software.
dodicat wrote: As a first tentative step towards becoming a great big cheat, change your final game.exe to game.ex.
Create a batch file in the same folder
Besides the obvious problem that this isn't going to work since normal users have no access to "Program Files," any antivirus program is going to see the resulting exe file and scan it upon opening.
datwill310
Posts: 355
Joined: May 29, 2015 20:37

Re: False positives; how to reduce chances of them occurring for your programs?

Post by datwill310 »

dodicat wrote: I suppose changing a Windows file to bypass all securities would be a boon for game creators and malevolent game creators alike.

As a first tentative step towards becoming a great big cheat, change your final game.exe to game.ex.
Create a batch file in the same folder:

 rename game.ex game.exe
game.exe
or if even a batch file is too dodgy, then another FreeBASIC .exe in the same folder from

shell "rename game.ex game.exe"
shell "game.exe" 
If this fools Microsoft, then I will change to Linux -- defin ite ly.
I'm not too sure if this would work :/ if the other executable or batch file had a similar false positive. But it's interesting to know that such high-profile programs such as professional anti-virus systems define how they check files solely on file extensions. That doesn't seem safe for such an important role in the computer system...
And if my actual game was renamed then run, wouldn't my game get blocked before execution because of the false positive? Or do they only pop up when downloading?

Also, I'll need to be clearer to all about what exactly is being reported as negative: it's the installer. I'm not too sure if this makes a difference to any answers posted, but it does mean that I would prefer not to bundle the installer with another app just to rename it :/
Last edited by datwill310 on May 04, 2017 14:13, edited 1 time in total.
datwill310
Posts: 355
Joined: May 29, 2015 20:37

Re: False positives; how to reduce chances of them occurring for your programs?

Post by datwill310 »

caseih wrote: Can the original poster change the subject of this topic to include "antivirus" in the title? His post is very confusing until you figure out that he's talking about being flagged by antivirus software.
dodicat wrote: As a first tentative step towards becoming a great big cheat, change your final game.exe to game.ex.
Create a batch file in the same folder
Besides the obvious problem that this isn't going to work since normal users have no access to "Program Files," any antivirus program is going to see the resulting exe file and scan it upon opening.
Yes I will change the title of the OP. And yes I have reposted what you said there :|