Topic: I'm a developer. How to NOT have the app I sell (.exe) "File might be dangerous"

eh.ouais

I'm a developer. I sell an application, that people download from my website, in a zip. They unzip it, and run the .exe.

Then Avast does a deep scan of the file and shows an alert: "This file might be dangerous" :-[

How to avoid this?

Things I have tried, that don't solve the problem:
  • Have proper resource.rc file in Visual C++, with details about the .exe: BLOCK "StringFileInfo", VALUE "CompanyName", "MyCompany\0", etc.
  • Use makecert, certutil, signtool as detailed here

Things that won't work:
  • Add to local avast exclusion (I can't ask every customer to do this!)
  • Redo a "Submit file to Avast Lab for scan" for each new build of the .exe. It's not scalable to have to re-submit the .exe to Avast (and all other antivirus software) for each new build.

Pondus

https://www.avast.com/faq.php?article=AVKB228#artTitle

https://www.avast.com/faq.php?article=AVKB229#artTitle


Have you also uploaded and tested your file at www.virustotal.com?
If not too big, upload the file inside the zip and make sure you click on rescan for a fresh result if it has been scanned before.

You may post a link to the scan result here.

« Last Edit: July 18, 2017, 01:28:42 PM by Pondus »

eh.ouais

Thank you very much for your answer @Pondus, but as mentioned in original post, I can't send the .exe to Avast (and other antivirus software, there are many!) for every single build... So I think this link is not relevant: https://www.avast.com/faq.php?article=AVKB229#artTitle



About your other link, I followed every step, and it should comply with the guidelines. Just about this:

Quote
1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.

2. Digital signature is always beneficial.

3. If the file is packed, it should have a Taggant.

1. Can you give more info about vendor identifier? I'm using https://pastebin.com/PSxqv3rm, is it ok? Can you give more information about vendor identifier?

2. What kind of digital signature? I did use Microsoft SDK "signtool" as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn't change anything. Any digital signature provider recommendation?

3. What is a Taggant in this context?
« Last Edit: July 18, 2017, 01:33:53 PM by eh.ouais »

eh.ouais

Quote
have you also uploaded and tested your file at www.virustotal.com?

Thanks @Pondus. I tried it and everything is green, perfect :) All the 63 antivirus tested say it's perfectly clean.

Now how to avoid the .exe file to be scanned and marked as "This file might be dangerous" for this build, and all future builds?

Sometimes I make 100 builds a year, and I cannot send the .exe 100 times per year to every antivirus software :)

Pondus

You may contact Avast and ask: https://support.avast.com/support/tickets/new?form=3

The ticket system works according to first in / first out, meaning if you create a new ticket you are put back in line.


eh.ouais

Thanks.

I did a ticket. But I got a "template" answer:

Quote
We’re sorry, but we can’t seem to find a record of your license in our system. If you use Avast Free Antivirus, please visit the FAQ section of our website or the Avast community forum.

Indeed I'm a free user. Should I buy 1 license of "every antivirus software in the world" to ask them a way to avoid my customers to have my .exe banned as "might be dangerous"?  :)

bob3160

Reported to Avast. Let's see if that helps.

HonzaZ (Avast team)

To submit a false positive, you do not have to be a paid user: https://www.avast.com/false-positive-file-form.php ;)
I just scanned this thread, but did you post a link to VT, or a hash of the file, or did you submit the file already?

eh.ouais

Dear @HonzaZ,

Thank you for your answer.

My question was: is there a permanent way to avoid the "File might be dangerous" message?

As I'm making new builds of the .exe quite often, I don't have time to re-submit the .exe to Avast, Avira, and 10+ other antivirus software each week...

I already looked at "Avast Clean Guidelines": https://www.avast.com/faq.php?article=AVKB228
but it didn't help me, because this is unclear:

Quote
1. Every executable file should contain a vendor identifier. No specific format is required, but Version Info is preferred. Other option could be a plaintext description in a custom section.

2. Digital signature is always beneficial.

3. If the file is packed, it should have a Taggant.

1. Can you give more info about vendor identifier? I'm using https://pastebin.com/PSxqv3rm, is it ok? Can you give more information about vendor identifier?

2. What kind of digital signature? I did use Microsoft SDK "signtool" as detailed here: https://stackoverflow.com/a/201277/1422096 but it didn't change anything. Any digital signature provider recommendation?

3. What is a Taggant in this context?

Thank you in advance @HonzaZ.

igor (Avast team)

Digital signature is the answer (but using a real certificate issued by a common CA, not a self-signed one; could be generally any CA that Windows itself trusts).
Note that it doesn't start working right away, our systems need to see some samples and gather a "reputation" first.

eh.ouais

Thanks @igor for your answer.

Could I send you the file in PM to know more about what could be the reason for being detected "positive"? (I already submitted the file as false positive and already tried virustotal, but I can't find the real reason for triggering a false positive).

Would you have an example of a "real certificate" provider? (Unfortunately, more than 50 or 100$ certificates is not an option for small developers.)

Thanks in advance @igor.


Pondus

If you post a link to the VirusTotal scan result here, then they can fetch the file from VirusTotal.
Alternatively, post the file's MD5 here.




igor (Avast team)

I'm not sure what screen exactly you are referring to, but I don't think the file is detected as "positive"; the deep screen is triggered by the fact that the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher (= a software publisher known to be producing harmless files). In other words, there's nothing specific inside the file that would be the cause of the scan (not talking about the outcome of the scan, that would depend on the content of course).

The label "might be dangerous" means it's rare, unknown - and a deeper checking is needed to conclude the file is OK. But an actual false positive should be showing a name of the detected virus (and would remove the file from disk and put it to the Virus Chest - is it the case here?).


As for the Authenticode signature - anything where you (and your users) can right-click the file and successfully verify the signature from the file's Properties / Digital Signatures should work. I'm afraid I don't have any list, but I'd say basically any certification authority should work (unless they explicitly said that you first need to import their root certificate into the Windows store for the signature to validate... I'm not sure if any such CA even exists).
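
Added example, not part of the thread and not Avast's own tooling: a PowerShell pre-release check that scripts the verification igor describes (the signature validates against the Windows trust store and comes from a CA rather than a self-signed certificate), together with the Version Info vendor identifier from the guidelines quoted earlier. The function name `Test-ReleaseBinary` and the path `.\dist\MyApp.exe` are hypothetical.

```powershell
# Added example: pre-release check for a Windows build (names and path are hypothetical).
function Test-ReleaseBinary {
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()

    # Vendor identifier: the Version Info resource compiled from the .rc file.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    if ([string]::IsNullOrWhiteSpace($info.CompanyName)) {
        $problems += 'Version Info has no CompanyName'
    }

    # Authenticode signature, validated against this machine's Windows trust store.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $status = [string]$sig.Status
    if ($status -eq 'NotSigned') {
        $problems += 'file is not signed'
    } elseif ($status -ne 'Valid') {
        # e.g. a chain ending in a root that Windows does not trust
        $problems += "signature status ${status}: $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    if ($cert -and $cert.Subject -eq $cert.Issuer) {
        # A self-signed certificate can look Valid on the build machine if it was
        # imported into the local root store; customers' machines will not trust it.
        $problems += 'signer certificate is self-signed'
    }

    # A timestamp countersignature keeps the signature verifiable after the
    # signing certificate expires.
    if ($status -eq 'Valid' -and -not $sig.TimeStamperCertificate) {
        $problems += 'signature has no timestamp'
    }

    [pscustomobject]@{
        Path     = $Path
        Company  = $info.CompanyName
        Signer   = if ($cert) { $cert.Subject } else { $null }
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-ReleaseBinary -Path '.\dist\MyApp.exe'   # hypothetical build output
$result | Format-List
if (-not $result.Ok) { exit 1 }
```

Passing this check only confirms the build is signed in the way igor describes; as his earlier reply notes, reputation still has to accumulate before the signature takes effect.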


eh.ouais

You're right @Igor, it's not exactly a false positive, but rather "the file is new/rare (unknown) and cannot be verified to be coming from a known software publisher", true.

In the case it's because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?
Or can you send me your email in PM @Igor?
It would help me a lot for future builds.

About digital signature, does someone have an idea?

Thank you very much.

Asyn

Quote
In the case it's because of the .exe itself, can I send you the .exe in private message, so that you check what could be the reason?

See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php