PE/COFF executable and antivirus false positives

Programming, for all ages and all languages.
Post Reply
alexfru
Member
Member
Posts: 1111
Joined: Tue Mar 04, 2014 5:27 am

PE/COFF executable and antivirus false positives

Post by alexfru »

Somehow virustotal's minions dislike my compiler's output.
sample files, sample "analysis".
I'd like to reduce the likelihood of these false positives as "maliciousness" of ~37% is a bit too high for an absolutely benign program.

If anyone battled a similar problem and can share any useful findings, it would be great.
In essence, I'm after a recipe to generate least suspicious executables.

I know my PEs aren't perfect (I know of a few specific minor issues that Windows lets me get away with) but I also know that any sufficiently fast antivirus program is going to be much much less than perfect and this is what I'm seeing. For example, adjusting the stack/heap reserved/committed sizes is enough to shut up a few of them, which speaks to the quality of their malware detection.

Here's one paper detailing the bizarre inner workings of some of the sa(i)d AVs: Attributes of Malicious Files by Joel Yonts.

Any help is appreciated.
nullplan
Member
Member
Posts: 1790
Joined: Wed Aug 30, 2017 8:24 am

Re: PE/COFF executable and antivirus false positives

Post by nullplan »

Yet another argument against antivirus.

I stopped trusting them when one triggered against one of my programs, but did not trigger anymore after turning a condition around. On a RISC architecture, the signature based way might work, but on x86 you can just forget it.

Sorry alexfru, this also means I can't help you. Just wanted to vent a little.
Carpe diem!
Post Reply