Author Topic: I'm a developer. How to NOT have the app I sell (.exe) "File might be dangerous"
Offline eh.ouais

Quote
See Reply #1 from Pondus or report it here: https://www.avast.com/false-positive-file-form.php

Thanks, but this won't tell me 1. what the reason is, 2. how to improve my code / .exe to avoid this in the future.

This will only help to whitelist my .exe, right? (I can't do this manual submission to 50+ antivirus software for each new build...)

Offline Asyn

This will only help to whitelist my .exe, right?
Yep.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline igor

  • Avast team
As I was trying to say, there is no reason other than that the file is simply new; I wouldn't see anything inside. There's nothing to change in the file - a new file will always be new (where "new" means "not previously seen on our userbase").
The deep scan inspects the content, sure, but it doesn't find anything wrong and doesn't call your file malicious, does it?

Whitelisting a specific file may even be unnecessary - if the number of users of the application isn't really small. As soon as the file starts spreading amongst various users, the file stops being "rare" and stops being deepscreened, automatically.
But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature "trumps" the reputation of the particular file).

Offline eh.ouais

This is (see attached screenshot) the popup that was displayed recently. (I've had other popups in the past)
After 15 seconds, it says it's ok. But still it would be bad for reputation if a customer sees this popup.

My app asks for admin privileges, has a systray icon (thus main window hidden by default, like Avast for example ;) ), could this be the reason?

Offline chris..

But the digital signature has the ability to prevent the special scanning pro-actively (because then the reputation of the digital signature "trumps" the reputation of the particular file).
As often happens, it is the small developers who pay the fees, especially when they have to modify their programs frequently, and given the difficulty they have, because of their status, in obtaining a certificate.

But I also understand why antiviruses do this; otherwise the door is open to the spread of malicious software.

@eh.ouais (et oui quoi  ;) ) : I do not know the notoriety, the circle (private, public) of the users, nor the utility of your tool, but can't you prove it, so as to pass the trust on to your customers / users?

I am a user of a healthy tool proposed by a "small" developer.
The tool is also often modified (twice a month) and avast shows me the same message of mistrust, but I authorize it with each change without having to wait for the response of the avast verification.

Of course, I do so knowingly and I do not know if in your case your clients can do this. ???
« Last Edit: July 30, 2017, 02:11:53 PM by chris05 »

Offline eh.ouais

When I send the file to customers, here is what they get.

1) First this popup "Warning this file might be dangerous"

but then even worse  :(

2) "You have discovered a very rare file" (See attachment image)

And then the customer cannot open the file at all. The file is blocked. He has to wait 2 hours or more to get an approval from Avast  :(

This totally ruins my customers' user experience.

How to solve that?

I still haven't found a solution... except paying a 200$ ransom to DigiCert (and many people said that it's possible that it doesn't solve the problem  ???)

Offline HonzaZ

  • Avast team
This is all intended. Of course a new file can contain malicious parts, and therefore must be analyzed before running, and of course new files might be sent over to us for even further analysis (this is called CyberCapture: https://blog.avast.com/cybercapture-protection-against-zero-second-attacks)
As we pointed out numerous times, you have two options:
1. Either you send us the new file every time you create it, so we can manually "set the reputation" of the file before the first user tries to run it (and a "this file is new" dialog appears);
2. Or you let others know in advance that this file is to be trusted. This can be done (you guessed it) by attaching a digital signature.

There is literally no other possibility. If the file is new, we will ALWAYS tell the user the file is new (obviously), with the sole exception that we recognize the digital signature (then Avast thinks something along the lines of "I do not know this file, so it is suspicious, but according to the signature, it comes from this dev, and this dev has never signed a malicious file, so I do not need to perform additional scanning and I need not alert the user").

Offline eh.ouais

Thanks @HonzaZ for your answer.

To cut this long story short, the answer is that I have to pay a 200$-per-year ransom (or maybe even more for a "good" signature: 500$ or even 1000$ to be sure that the signature is good quality?  :) ).

The small and medium-size developers thank you very much.

Offline HonzaZ

  • Avast team
To cut this long story short, unless someone lets us know a certain file is to be trusted, we WILL tell the user that the file is new. This is hardly something unexpected. You can let us know by sending the file to us, or by digitally signing the file and letting us know the signature.

I am not aware of the pricing models of signatures, nor what the benefits of more expensive signatures are. From my point of view, unless there is malware signed with that signature, our systems will automatically hide all warnings about low prevalence of a signed file.

Small and medium developers either have digital signatures, or send the files to us prior to release, or don't care about a couple of users getting a warning about a new file.

Offline igor

  • Avast team
I don't think the price is right... now I admit I'm also not familiar with the exact prices and conditions, but a quick Google search suggests that you should be able to find a certificate for half that amount or less.
As I was saying previously, any CA should do (just a self-signed certificate, i.e. one that you generate yourself, won't).
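Both HonzaZ's explanation (a never-seen-before file is always handled as new unless its digital signature is recognized) and igor's note (any CA-issued certificate will do, a self-signed one will not) come down to one practical question for the developer: is the build I am about to ship actually signed? The script below is an added example, not code from this thread or from Avast. It parses the PE headers, follows the security data directory and reports whether a WIN_CERTIFICATE entry of type PKCS#7 SignedData is embedded. It checks presence and framing only; it does not validate the certificate chain or the signed hash (use `signtool verify /pa <file>` or PowerShell's `Get-AuthenticodeSignature` for that, which is also where a self-signed certificate would be reported as untrusted). The `build_sample_pe` helper constructs a minimal, non-runnable PE32 image with a placeholder DER blob so the check can be exercised offline; the offsets used are the documented PE32/PE32+ optional header layouts.

```python
"""Release-time check: does this Windows PE file carry an embedded Authenticode signature?

Added example (not from the forum thread or from Avast). Presence/framing check
only; it does NOT validate the certificate chain or the signed hash.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the security data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode = PKCS#7 SignedData blob
WIN_CERT_REVISION_2_0 = 0x0200


def find_security_directory(data):
    """Return (file_offset, size) of the attribute certificate table, or None if absent.

    The security directory is special: its first field is a raw file offset,
    not an RVA, because the signature lives outside any section.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at +96
        dir_base = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories start at +112
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size


def describe_signature(data):
    """Return details of the first WIN_CERTIFICATE entry, or None for an unsigned file."""
    loc = find_security_directory(data)
    if loc is None:
        return None
    off, size = loc
    if size < 8:
        raise ValueError("attribute certificate table too small")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE length is inconsistent with the directory size")
    return {
        "offset": off,
        "length": length,
        "revision": revision,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        # PKCS#7 SignedData is DER, so the blob must start with a SEQUENCE tag (0x30).
        "der_sequence": data[off + 8:off + 9] == b"\x30",
    }


def build_sample_pe(signed):
    """Construct a minimal, non-runnable PE32 image (constructed sample data, not a real binary).

    With signed=True a WIN_CERTIFICATE header wrapping a placeholder DER blob is
    appended and the security directory is pointed at it; the blob is NOT a real signature.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                   # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    image += b"\0" * (0x200 - len(image))    # pad headers to 0x200
    if signed:
        pkcs7 = b"\x30\x82\x00\x10" + b"\xAA" * 16   # placeholder DER, not a real signature
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)     # certificate entries are 8-byte aligned
        sec_entry = e_lfanew + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, sec_entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    # Usage: python check_signed.py path\to\MyApp.exe  (no argument: run on the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], describe_signature(fh.read()) or "UNSIGNED: will be treated as a new file")
    else:
        for flag in (False, True):
            print("constructed sample signed=%s ->" % flag, describe_signature(build_sample_pe(flag)))
```

Running this against every build artifact in the release pipeline (and failing the release when it returns `None`) catches the case the thread is about: an .exe that reached customers without the signature that would have spared them the "new/rare file" dialog.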