Salah a a a Al Jasem (Kuwait) asked:

Obfuscating my exe files makes antivirus software recognise my files as infected files

I am obfuscating my exe files using the SafeNet method.

Obfuscating my exe files makes antivirus software recognise my files as infected files,

except that when scanning with Microsoft Security Essentials my exe files pass the test OK.

How can I make my exe files pass antivirus software like Kaspersky, Symantec, ...?
SOLUTION by bbao (Australia): members only, not shown.

SOLUTION: members only, not shown.
Salah a a a Al Jasem (ASKER):

Many thanks for your answers.

The exclude will ignore the exe file even if it is infected - not a good idea.

Mr btan,
I could not understand what you mean by:
(You should create an exception list specific to these EXEs specially generated instead of finding means to obfuscate, as most of the time such "cryptor", "packer" or obfuscators are a default indicator the AV looks out for unless these are whitelisted applications.)

Do you mean that there are methods of obfuscation that AV will pass, and the unusual methods will be recognized as infected files?

Note that the obfuscation method I am using injects a script that reads a specific location to allow execution.
SOLUTION: members only, not shown.
Mr btan,
Many, many thanks for your help.

You are using very difficult English sentences, e.g.
(There are means to "bypass" AV per se though I very much not recommend it)
I am guessing you mean
(There are means to "bypass" AV, perhaps - for a second thought - I very much do not recommend them)

(But if you will to think of it that If really the legit file is infected) This is too tough!

I spent too long trying to understand you.

I think you are suggesting that I change my way to (packers compress).

I have 52 products with 300 exe files, so shifting to another method is too long a procedure.

Several years ago I contacted Symantec, and they suggested that I send one exe to them to include in their scan in the future. They did, and it worked fine for a while. So I knew that I had to do the same for all AV companies (which is impossible).

I was looking for something like:
if the scanning process reaches an exe file, then do a real in-depth scan,
or
any other idea to check the exe file properly.

I am sure there is a way, because Microsoft Security Essentials is doing it the right way.
SOLUTION: members only, not shown.
> The exclude will ignore the exe file even if it is infected - not a good idea.

You are correct. Ignoring or skipping is the simplest, or toughest, way to avoid seeing the errors. Its prerequisite is: the excluded items are known to be trusted.

Basically, if you do want to exclude them, the ONLY way is to give correct and up-to-date SIGNATURES or a VIRUS DATABASE to the AV engine in order to avoid the false-positive alerts.

As you may be aware, it depends on the vendors of the AV products in use.

If an AV product does not provide you options to CUSTOMISE its signature or database file, AND if you cannot identify which part of your executables matches the existing criteria or signatures (or triggers the alerts), basically you have NO way to DIY this. You have to talk to the vendor, submit your files for their further investigation and analysis, and be patient waiting for the vendor's update.

Otherwise, choose another product which can detect correctly. But be aware:

1. It may not be practical for an enterprise environment to switch AV systems across the whole infrastructure. It can be time-consuming and labour-consuming.

2. Even if you could switch, I believe the new vendor can't guarantee that they can correctly scan all your executables in the future. The same story may happen again.

The choice is up to you.
btan:

Run a separate scan on the packaged exe before it is pushed down to the client machines. Typically a second-opinion scan is strongly advocated if an infection happened but was detected via the network (IDS etc.) or by another system (email, web proxy etc.) doing the extra scan too. I suggest the additional scan instead, as SEP support may not necessarily put the exe you submitted into their general signature release, hence any newly updated signature will still detect and flag your exe.
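As an added example (this is not code from the thread, from SafeNet, or from any AV vendor), the following Python script shows the kind of static indicators a heuristic AV engine keys on when it flags a packed or obfuscated executable, and how to check a build for them before it is pushed out. It follows bbao's point that you first have to identify which part of an executable trips the engine, and btan's advice to run a separate scan before distribution. It parses the PE section table with the standard library only and reports, per section, the Shannon entropy, whether the section is both writable and executable, whether its name is one a normal linker emits, and whether it is empty on disk but large in memory (the layout a runtime packer such as UPX leaves behind). The sample PE image is constructed inline and is not a real binary; the 7.0 bits/byte threshold and the list of "known" section names are assumptions chosen for illustration. The SHA-256 it returns is what you would look up on virustotal.com or quote in a vendor ticket instead of uploading the file itself.

```python
from __future__ import annotations
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names the usual linkers emit; anything else (UPX0, .themida, ...) stands out.
# This list and the entropy threshold are assumptions for the example.
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata",
                       ".rsrc", ".reloc", ".pdata", ".bss", ".tls", ".CRT"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections

def packer_indicators(sections: list[dict]) -> dict[str, list[str]]:
    """Map section name -> heuristic flags it trips (empty list = nothing odd)."""
    report = {}
    for s in sections:
        flags, ch = [], s["characteristics"]
        if s["entropy"] >= ENTROPY_THRESHOLD:
            flags.append("high-entropy")
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")  # self-modifying unpack stub
        if s["name"] not in KNOWN_SECTION_NAMES:
            flags.append("non-standard-name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append("empty-on-disk")  # reserved to unpack into at runtime
        report[s["name"]] = flags
    return report

def build_sample_pe(specs: list[tuple[bytes, bytes, int, int]]) -> bytes:
    """Assemble a minimal PE32 image from (name, raw_bytes, virtual_size, flags).
    Constructed test data for this example, not a real executable."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222         # zeroed PE32 optional header
    headers_len = 0x40 + 4 + 20 + len(opt) + 40 * len(specs)
    first_raw = (headers_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x102)
    table, body, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw, vsize, flags in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        body += raw
        raw_ptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (first_raw - len(image)) + body

# Constructed sample: a normal .text plus the two sections a runtime packer
# typically leaves behind (an empty unpack target and a compressed payload).
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x90\xc3" * 100, 500, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b"UPX0", b"", 0x20000, RWX),
    (b"UPX1", bytes(range(256)) * 16, 4096, RWX),  # entropy exactly 8.0 bits/byte
])

def analyse(image: bytes) -> dict:
    """SHA-256 for a hash lookup or vendor ticket, plus the per-section flags."""
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "indicators": packer_indicators(parse_sections(image))}

if __name__ == "__main__":
    result = analyse(SAMPLE_PE)
    print("sha256:", result["sha256"])
    for name, flags in result["indicators"].items():
        print(f"{name:<8} {', '.join(flags) or 'nothing unusual'}")
```

Run it against a real build by replacing `SAMPLE_PE` with `open(path, "rb").read()`: a section that comes back with "high-entropy" plus "writable+executable" or "empty-on-disk" is the part of the file a heuristic engine is reacting to, and the same report run before every release tells you whether a rebuild changed that footprint. None of this makes a vendor's signatures accept the file; it only tells you what to put in the ticket when you submit it.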
Mr btan,
The site (virustotal.com) is good. It gave me 2/55 and 15/55 for two different files.

Mr Bing,
I have more than 300 exe files; there is no way I can send them to 50 different AV companies.
And if I did send the 300 exes, we keep changing files every 3 to 6 months, which means another sending process!!!

Also some of the users refuse to exclude files.

Also I cannot ask users to change the AV which they paid for.

Some news I got today:
the SafeNet company stopped enhancement of their method of layering exe files.

I am in a tough position :(
SOLUTION: members only, not shown.

SOLUTION: members only, not shown.
Actually the AV is doing its job by flagging. Obfuscation and packers are mainly there to deter reverse engineering of the application and are more for copyright protection of intellectual property.

If you have a copyright, you don't need obfuscation. An exe file is compiled and already different from the source code and unreadable to humans, and therefore not easily reverse engineered.

There are probably other, better files you can obfuscate rather than the exe, to make it less easy to decode.

Some applications, like .NET ones, sadly can be "reverse engineered" using Reflector.
Dear rindi,

You have said:
(Personally I can't see the point in obfuscating exe files. The only reason to do that would in my point of view be to hide malicious content)
The following lines might change your mind.

In 2008 someone decompiled one of my exe files and removed the protection.
We used what you called the (copyright), and we proved that he took our software. The police held him in jail and he admitted his crime.

The next step was
TO PROVE HOW MUCH THE THIEF MADE ME LOSE!!!!!
The judge was not convinced by what I requested, so I lost $700,000.

I discovered that copyright is a BIG JOKE.

Copyright is a tool to prove that they did steal your product, BUT NOT A TOOL TO GET BACK WHAT YOU LOST.

Dear Mr rindi,
Do obfuscation on all of your exe files as soon as possible.
Copyright is not dependable.
ASKER CERTIFIED SOLUTION: members only, not shown.
Many thanks for your help.

I will close the question if you have any comments.

Best regards,
Thanks for sharing.

Closing the question. Solutions and approaches were advised.