PE/COFF executable and antivirus false positives
Posted: Sun Oct 13, 2019 1:57 am
Somehow virustotal's minions dislike my compiler's output.
sample files, sample "analysis".
I'd like to reduce the likelihood of these false positives as "maliciousness" of ~37% is a bit too high for an absolutely benign program.
If anyone battled a similar problem and can share any useful findings, it would be great.
In essence, I'm after a recipe to generate least suspicious executables.
I know my PEs aren't perfect (I know of a few specific minor issues that Windows lets me get away with) but I also know that any sufficiently fast antivirus program is going to be much much less than perfect and this is what I'm seeing. For example, adjusting the stack/heap reserved/committed sizes is enough to shut up a few of them, which speaks to the quality of their malware detection.
Here's one paper detailing the bizarre inner workings of some of the sa(i)d AVs: Attributes of Malicious Files by Joel Yonts.
Any help is appreciated.
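The stack/heap reserve and commit fields the post mentions live in the PE optional header at a fixed offset (72 for both PE32 and PE32+, with 32-bit and 64-bit fields respectively). The script below is an added example, not code from the post or from the compiler it describes: it parses those fields from an image in memory, then reports values that are internally inconsistent (zero, commit larger than reserve, not page aligned) and values that differ from the well-known Microsoft linker defaults of 1 MiB reserve / 4 KiB commit. The `build_minimal_pe` helper fabricates a headers-only image (constructed sample data, not a loadable program) so the whole thing runs offline; to audit a real file, pass `open(path, "rb").read()` to `audit` instead.

```python
import struct

# Values the Microsoft linker writes when /STACK and /HEAP are not given:
# 1 MiB reserve and 4 KiB commit for both (well-known link.exe defaults).
DEFAULT_STACK = (0x100000, 0x1000)
DEFAULT_HEAP = (0x100000, 0x1000)
PAGE = 0x1000


def build_minimal_pe(stack_reserve, stack_commit, heap_reserve, heap_commit,
                     pe32plus=True, linker_version=(14, 0)):
    """Constructed sample: DOS header, PE signature, COFF header and optional
    header with no sections. Enough for header checks; not a loadable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<HBB", magic, *linker_version)
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode
    opt += struct.pack("<IIIII", 0x200, 0x200, 0, 0x1000, 0x1000)
    if pe32plus:
        opt += struct.pack("<Q", 0x140000000)            # ImageBase (64-bit)
    else:
        opt += struct.pack("<II", 0x2000, 0x400000)      # BaseOfData, ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)             # SectionAlignment, FileAlignment
    opt += struct.pack("<6H", 6, 0, 0, 0, 6, 0)          # OS, image, subsystem versions
    opt += struct.pack("<IIII", 0, 0x2000, 0x200, 0)     # Win32VersionValue, SizeOfImage,
                                                         # SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 3, 0x8140)                 # Subsystem (CUI), DllCharacteristics
    opt += struct.pack("<4Q" if pe32plus else "<4I",     # the four fields under test
                       stack_reserve, stack_commit, heap_reserve, heap_commit)
    opt += struct.pack("<II", 0, 16)                     # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                              # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,   # Machine
                       0, 0, 0, 0, len(opt), 0x22)       # sections, stamp, syms, opt size, flags
    return dos + b"PE\0\0" + coff + opt


def parse_pe_header(data):
    """Extract the COFF/optional header fields used by the checks below."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic == 0x20B:
        fmt = "<4Q"     # PE32+: 64-bit stack/heap fields at optional-header offset 72
    elif magic == 0x10B:
        fmt = "<4I"     # PE32: 32-bit fields, same offset 72
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    stack_res, stack_com, heap_res, heap_com = struct.unpack_from(fmt, data, opt + 72)
    return {
        "machine": machine, "sections": nsections, "timestamp": stamp,
        "pe32plus": magic == 0x20B, "linker": (linker_major, linker_minor),
        "subsystem": subsystem, "dll_characteristics": dll_chars,
        "stack": (stack_res, stack_com), "heap": (heap_res, heap_com),
    }


def check_stack_heap(hdr):
    """Return (severity, message) findings; an empty list means conventional values.
    'warn' marks values a loader or heuristic would consider inconsistent,
    'info' marks values that merely differ from the linker defaults."""
    findings = []
    for name, default in (("stack", DEFAULT_STACK), ("heap", DEFAULT_HEAP)):
        reserve, commit = hdr[name]
        if reserve == 0 or commit == 0:
            findings.append(("warn", f"{name}: zero reserve or commit ({reserve:#x}/{commit:#x})"))
        elif commit > reserve:
            findings.append(("warn", f"{name}: commit {commit:#x} exceeds reserve {reserve:#x}"))
        if reserve % PAGE or commit % PAGE:
            findings.append(("warn", f"{name}: not page aligned ({reserve:#x}/{commit:#x})"))
        if (reserve, commit) != default:
            findings.append(("info", f"{name}: non-default {reserve:#x}/{commit:#x}, "
                                     f"linker default is {default[0]:#x}/{default[1]:#x}"))
    return findings


def audit(data):
    """Parse a PE image and run the stack/heap checks on it."""
    return check_stack_heap(parse_pe_header(data))


if __name__ == "__main__":
    good = build_minimal_pe(*DEFAULT_STACK, *DEFAULT_HEAP)
    odd = build_minimal_pe(0x100000, 0x200000, 0x10000, 0x1000)
    print("defaults:", audit(good))      # []
    for severity, msg in audit(odd):
        print(severity, msg)
```

Running the script on a compiler's own output is a quick way to confirm that the four fields are at least self-consistent before chasing scanner verdicts; the `info` lines are only a hint, since legitimate linkers are free to emit other sizes.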