Solved

Obfuscating my exe files make antivirus software recognise my files as infected files

Posted on 2016-08-16
Last Modified: 2016-09-08
I am obfuscating my exe files using the SafeNet method.

Obfuscating my exe files makes (antivirus software) recognise my files as infected files,

except that when scanning with Microsoft Security Essentials my exe files can pass the test OK.

How do I make my exe files pass (antivirus software like Kaspersky, Symantec ....)?
Question by:saljas
20 Comments

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 100 total points (awarded by participants)
ID: 41757629
almost all antivirus software, including Kaspersky and Symantec, supports an EXCLUDE feature to avoid scanning and recognising user-known or user-trusted files and folders.

e.g. for Kaspersky Internet Security 2014, use the Trusted Zone as a list to exclude those objects (such as your executables) not intended to be scanned.

for Symantec on Windows clients, choose the Exception Policy page, click Exceptions, then click Add > Windows > File, and then follow the on-screen prompts to exclude your executables.

Assisted Solution

by:btan
btan earned 300 total points (awarded by participants)
ID: 41757757
You should create exception list specific to these EXE specially generated instead of finding means to obfuscate as most of the time such "cryptor", "packer" or obfuscators are default indicator the AV look out for unless these are whitelisted application.

Simple "obfuscation" via encoding (like Base64 or XOR or ROT13) will not help and is not really obfuscation per se, as it may defeat the purpose of why you are going for obfuscation in the first place. It is probably more to obfuscate at code level instead - see this:
Often these translations are then incorporated into six basic obfuscation methods:
 Dead-code insertion – the insertion of No Operation Performed (NOP) code; this code serves no function but is written in a way that complicates analysis
 Subroutine reordering – randomly changes the order of subroutines in the program, creating different malware signatures for every variation of subroutines
 Code transposition – changes the order of instructions by using statements which alter the code from its native form; this is achieved in two ways: by using unconditional branch statements, or by reordering the independent instructions, which is difficult to implement and makes the malware harder to identify
 Instruction substitution – replaces some of the code statements with equivalent statements
 Code integration – inserts a new brief into the benign source code from a program in order to run the malicious code
 Register reassignment – replaces unused registers with malware code registers; the program code and its behaviour remain the same.
https://www.cert.gov.uk/wp-content/uploads/2014/11/Code-obfuscation.pdf

Otherwise password-encrypted files tend to be ignored as well by AV, but this will not be feasible for your case moving forward.

Author Comment

by:saljas
ID: 41758949
Many thanks for your answers

The exclude will ignore the exe file even if it is infected - not a good idea.

Mr btan
I could not understand what you mean by
(You should create exception list specific to these EXE specially generated instead of finding means to obfuscate as most of the time such "cryptor", "packer" or obfuscators are default indicator the AV look out for unless these are whitelisted application.)

Do you mean that there are methods of obfuscation that AV will pass, and the unusual methods will be recognized as infected files?

Note that the obfuscation method I am using injects a script to read a specific location to allow execution.

Assisted Solution

by:btan
btan earned 300 total points (awarded by participants)
ID: 41759167
If you password protect, AV will not be able to scan those files, but when the files get executed AV may detect if the de-obfuscation scheme triggers any anomalous behavior, which may be a false positive if the files are legit. There are means to "bypass" AV per se though I very much not recommend it but we need to strike a balance too, since AV can still be an obstacle if you persist in using the same obfuscated apps.
Most packers compress and/or encrypt their portable executable’s headers. These are then stored in new section headers and a new entry point is assigned where a decompression algorithm then goes to work, and carries on executing. This is what disguises the signature that the A/V uses to try and detect the malware with.

In terms of the process, the actual unpacking occurs in MEMORY. There is no file system access. This means that as far as the script kiddie is concerned it’s pretty much the ideal delivery mechanism; stealthy and clean.
https://www.pentestpartners.com/blog/defeating-corporate-anti-virus/

I don't think you can have a perfect means, and a packer may not be a guarantee either, since most are deploying anti-malware as compared to just a traditional AV. So I suggest instead to still go for the exception but then enable AppLocker for whitelisting only specific applications to run, as another layer.

But if you will to think of it that If really the legit file is infected, the eventual running needs to trip a certain tripwire - note AV is still signature-based and will not be able to detect all malware behavior either. Instead I suggest you check on TRAPS (from Palo Alto) for anti-exploitation safeguards. At least even if you do include exceptions and whitelisting of the apps, and it does attempt exploitation, TRAPS or equivalent will still alert you though AV is silent on it. Not fool-proof, but just to make up the deterrence and balance out with your needs.
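The packer behaviour quoted above (sections compressed or encrypted behind a new entry point) is exactly what section-entropy heuristics in scanners pick up on. As an added example that is not from this thread or any of its participants, here is a stdlib-only Python checker a developer can run over their own build before release to see which sections will look "packed" to a scanner; the minimal PE builder and the two sample sections are constructed test input, not real binaries, and the 7.0 bits-per-byte threshold is an illustrative assumption.

```python
# Added example, not from the thread: parse a PE section table and report each
# section's Shannon entropy. Packed or encrypted sections sit near 8 bits per
# byte, one heuristic AV engines use to flag packed executables. Stdlib only.
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def pe_sections(data: bytes):
    """Yield (name, raw_size, entropy) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows optional header
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])

def suspicious_sections(data: bytes, threshold: float = 7.0):
    """Names of non-empty sections whose entropy exceeds the (assumed) threshold."""
    return [n for n, size, ent in pe_sections(data) if size and ent > threshold]

def build_sample_pe(sections):
    """Constructed test input: minimal non-runnable PE, no optional header."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, payload in sections:            # one 40-byte header per section
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0x1000,
                             len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        ptr += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + table + body

PLAIN = bytes.fromhex("558bec") + b"\x90" * 509        # constructed code-like section
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed blob
SAMPLE = build_sample_pe([(".text", PLAIN), (".packed", PACKED)])
```

Running `pe_sections` over a real build (`open(path, "rb").read()`) lists every section the same way, so a section that scores near 8.0 is the one a scanner's packer heuristic is most likely to object to.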

Author Comment

by:saljas
ID: 41759728
Mr btan
Many many thanks for your help

You are using very difficult English sentences .... e.g.
(There are means to "bypass" AV per se though I very much not recommend it )
I am guessing you mean
(There are means to "bypass" AV,   perhaps - for a second though - I very much not recommend them )

(But if you will to think of it that If really the legit file is infected) This is too tough !@!!

I spent too long to understand you.

I think you are suggesting that I change my way to ( packers compress )

I have 52 products with 300 exe files - So shifting to another method is too long a procedure.

Several years ago I contacted Symantec, and they suggested that I send one exe to them to include in their scan in the future. They did, and it worked fine for a while. So I knew that I had to do the same for all AV companies (which is impossible).

I was looking for something like:-
If the scanning process reaches an exe file then do a real in-depth scan.
Or
any other idea to check the exe file properly.

I am sure there is a way, because (Microsoft Security Essentials) is doing it the right way.

Assisted Solution

by:btan
btan earned 300 total points (awarded by participants)
ID: 41760342
Pardon me for my writing.

Maybe you can try out VirusTotal to see if all other AVs do trigger alerts. This online service has an updated list of AVs to conduct such scanning for files (such as exe) uploaded. https://www.virustotal.com

Maybe from there you can check if any other AV scans will not trigger an alert.

Expert Comment

by:Bing CISM / CISSP
ID: 41760410
> The exclude will ignore the exe file even if it is infected - not a good idea.

you are correct. ignoring or skipping is the most simple or tough way to avoid seeing the errors. its prerequisite is: the excluded items are known trusted.

basically, if you do want to exclude them, the ONLY way is to give correct and up-to-date SIGNATURES or VIRUS DATABASE to the AV engine in order to avoid the false positive alerts.

as you may be aware, it depends on the vendors of your AV products in use.

if an AV product does not provide you options to CUSTOMISE its signature or database file, AND if you could not identify which part of your executables matches the existing criteria or signatures (or triggers the alerts), basically you have NO way to DIY the thing. you have to talk to the vendor and submit your files for their further investigation and analysis, and be patient waiting for the vendor's update.

otherwise, choose another product which can detect correctly. but be aware:

1. it may not be practical for an enterprise environment to switch AV systems across the whole infrastructure. it can be time consuming and labor consuming.

2. even if you could switch, i believe the new vendor can't guarantee you they can correctly scan all your executables in the future. the same story may happen again.

the choice is up to you.

Expert Comment

by:btan
ID: 41760549
Run a separate scan on the packaged exe before it is pushed down to the client machines. Typically second-opinion scanning is strongly advocated if an infection happened but was detected via the network (IDS etc) or other systems (email, web proxy etc) doing the extra scan too. I suggest the additional scan instead, as SEP support may not necessarily put the exe you submitted to them into their general signature release, hence any newly updated signature will still detect and flag your exe.
Author Comment

by:saljas
ID: 41760673
Mr btan,
The site (virustotal.com) is good.   It gave me 2/55 and 15/55 for two different files.

Mr Bing,
I have more than 300 exe files, no way I send them to 50 different AV companies.
And, if I did send the 300 exe - we keep changing files every 3 to 6 months, which means another sending process!!!

Also some of the users refuse to exclude files.

Also I can not ask users to change their AV which they paid for.

Some news I got today.
The SafeNet company stopped enhancement of their method of layering exe files.

I am in a tough position :(

Assisted Solution

by:btan
btan earned 300 total points (awarded by participants)
ID: 41760678
Thanks for sharing. In fact I am thinking if we can "educate" users to self-scan, if they deem it necessary, for an extra assurance check on the file before execution or installation etc. If so, VirusTotal has a file uploader utility that the user can leverage. Check out more info on the tool -
https://www.virustotal.com/en/documentation/desktop-applications/

Assisted Solution

by:rindi
rindi earned 100 total points (awarded by participants)
ID: 41760717
Personally I can't see the point in obfuscating exe files. The only reason to do that would in my point of view be to hide malicious content... This will naturally have to ring bells with AntiVirus and AntiMalware software. Just because m$ Security Essentials doesn't ring bells only shows that it isn't working properly (it has also lost a lot of ground lately because of its poor detection percentages compared with others).

Expert Comment

by:btan
ID: 41760899
Actually the AV is doing their job to flag. Obfuscation and packer are mainly to deter reverse engineering the application and more for copyright protection of intellectual property.

Expert Comment

by:rindi
ID: 41760919
If you have a copyright, you don't need obfuscation. An exe file is compiled and already different from the source code and unreadable to humans, and therefore not easily reverse engineered.

There are probably other, better files you can obfuscate rather than the exe, to make it less easy to decode.

Expert Comment

by:btan
ID: 41760923
some apps, like .NET ones, sadly can be "reverse engineered" using Reflector
Author Comment

by:saljas
ID: 41761048
Dear rindi

You have said
(Personally I can't see the point in obfuscating exe files. The only reason to do that would in my point of view be to hide malicious content)
The following lines might change your view.

In 2008 someone decompiled one of my exe files and removed the protection.
We used what you called the (copyright), and we proved that he took our software. Police held him in jail and he admitted his crime.

The next step is
TO PROVE HOW MUCH THE THIEF MADE ME LOSE!!!!!
The judge was not convinced with what I requested,   so I lost $700,000

I discovered that the copyright is a BIG JOKE

The copyright is a tool to prove that they did steal your product, BUT NOT A TOOL TO GET BACK WHAT YOU LOST

Dear Mr rindi
Do obfuscation to all of your exe files as soon as possible.
Copyright is not dependable.

Accepted Solution

by:btan
btan earned 300 total points (awarded by participants)
ID: 41761126
Just to share another tool, though I understand that it is not to change the obfuscator tool, such as:
To prevent false positives from antiviruses the registered version of VMProtect uses the Taggant library that signs the protected file with a certificate of the license owner.
http://vmpsoft.com/support/user-manual/introduction/what-is-vmprotect/

Also understand that most such tools may have conflicts with Windows 10:
Guys, to speed up the process, please, submit also your protected files using this form: https://www.microsoft.com/en-us/securit ... ubmit.aspx

NOTE, the radiobox "I believe this file should not be detected as malware" should be checked there. In the notes you may say "False Detection of the file protected with Enigma Protector, protected file take few minutes to start."

Found that multiple protection systems are affected by this issue, not just Enigma Protector, other major systems also have same problems.
http://forum.enigmaprotector.com/viewtopic.php?f=6&t=8962&p=17855&hilit=antivirus#p17864
Author Comment

by:saljas
ID: 41763427
Many thanks for your help

I will close the question if you have any comments

Best regards,

Expert Comment

by:btan
ID: 41763545
Thanks for sharing.
Author Comment

by:saljas
ID: 41783377
Close the question

Expert Comment

by:btan
ID: 41789220
Solution and approaches are advised.