Solved

Obfuscating my exe files makes antivirus software recognise my files as infected files

Posted on 2016-08-16
Last Modified: 2016-09-08
I am obfuscating my exe files using the SafeNet method.

Obfuscating my exe files makes (antivirus software) recognise my files as infected files.

Except when scanning with Microsoft Security Essentials, my exe files can pass the test OK.

How do I make my exe files pass (antivirus software like Kaspersky, Symantec ....)?
Question by:saljas
20 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 400 total points (awarded by participants)
ID: 41757629
Almost all antivirus software, including Kaspersky and Symantec, supports an EXCLUDE feature to avoid scanning and flagging user-known or user-trusted files and folders.

e.g. for Kaspersky Internet Security 2014, use the Trusted Zone as a list to exclude those objects (such as your executables) not intended to be scanned.

For Symantec on Windows clients, choose the Exception Policy page, click Exceptions, then click Add > Windows > File, and then follow the on-screen prompts to exclude your executables.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41757757
You should create an exception list specific to these specially generated EXEs instead of finding means to obfuscate, as most of the time such "cryptors", "packers" or obfuscators are a default indicator the AV looks out for, unless these are whitelisted applications.

Simple "obfuscation" via encoding (like Base64 or XOR or ROT13) will not help and is not really obfuscation per se, as it may defeat the purpose you are going for obfuscation in the first place. It is probably more a matter of obfuscating at code level instead - see this:
Often these translations are then incorporated into six basic obfuscation methods:
 Dead-code insertion – the insertion of No Operation Performed (NOP) code; this code serves no function but is written in a way that complicates analysis
 Subroutine reordering – randomly changes the order of subroutines in the program, creating different malware signatures for every variation of subroutines
 Code transposition – changes the order of instructions by using statements which alter the code from its native form; this is achieved in two ways: by using unconditional branch statements, or by reordering the independent instructions, which is difficult to implement and makes the malware harder to identify
 Instruction substitution – replaces some of the code statements with equivalent statements
 Code integration – inserts a new brief into the benign source code from a program in order to run the malicious code
 Register reassignment – replaces the unused registers with malware code registers; the program code and its behaviour remain the same.
https://www.cert.gov.uk/wp-content/uploads/2014/11/Code-obfuscation.pdf

Otherwise password-encrypted files tend to be ignored by AV as well, but this will not be feasible for your case moving forward.
1
 

Author Comment

by:saljas
ID: 41758949
Many thanks for your answers

The exclude will ignore the exe file even if it is infected - not a good idea.

Mr btan
I could not understand what you mean by
(You should create exception list specific to these EXE specially generated instead of finding means to obfuscate as most of the time such "cryptor", "packer" or obfuscators are default indicator the AV look out for unless these are whitelisted application.)

Do you mean that there are methods of obfuscation that AV will pass, and the unusual methods will be recognized as infected files?

Note that the obfuscation method I am using injects a script to read a specific location to allow execution.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41759167
If you password protect, AV will not be able to scan those files, but when the files get executed, AV may detect if the de-obfuscation scheme triggers any anomalous behaviour, which may be a false positive if the files are legit. There are means to "bypass" AV per se, though I very much do not recommend it, but we need to strike a balance too, since AV can still be an obstacle if you persist in using the same obfuscated applications.
Most packers compress and/or encrypt their portable executable's headers. These are then stored in new section headers and a new entry point is assigned where a decompression algorithm then goes to work, and carries on executing. This is what disguises the signature that the A/V uses to try and detect the malware with.

In terms of the process, the actual unpacking occurs in MEMORY. There is no file system access. This means that as far as the script kiddie is concerned it's pretty much the ideal delivery mechanism; stealthy and clean.
https://www.pentestpartners.com/blog/defeating-corporate-anti-virus/

I don't think you can have a perfect means, and a packer may not be a guarantee either, since most are deploying anti-malware as compared to just a traditional AV. So I suggest instead still going for an exception, but then enabling AppLocker to whitelist only specific applications to run, as another layer.

But if you think of it, if the legit file really is infected, the eventual running needs to trip certain tripwires - note that AV is still signature-based and will not be able to detect all malware behaviour either. Instead I suggest you check on TRAPS (from Palo Alto) for anti-exploitation safeguards. At least even if you do include an exception and whitelisting of the apps, and it does attempt exploitation, TRAPS or an equivalent will still alert you though AV is silent on it. Not foolproof, but just to make up the deterrence and balance out with your needs.
1
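The packer layout quoted in the answer above (data moved into a new section, a relocated entry point, unpacking only in memory) is exactly what an engine's static heuristics key on, and a legitimately protected build shows the same tells as a packed trojan. The script below is an added example, not code from the thread or from any product mentioned in it: it reads a PE's section table with nothing but the Python standard library and reports the classic indicators (entry point in the last or an oddly named section, sections with entropy near 8 bits per byte, writable+executable sections, sections that are empty on disk but large in memory). The entropy threshold and the constructed sample images are assumptions of the example, and it generalises beyond the quoted description by checking several indicators rather than the relocated entry point alone.

```python
"""Static packer indicators for a PE file, in the spirit of what AV heuristics weigh.
Added example, not code from the thread. Assumes a raw PE32/PE32+ file on disk; the
images returned by build_sample_pe() are constructed stand-ins, not real programs."""
import hashlib
import math
import struct
import sys
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.0             # bits per byte; compressed or encrypted data sits near 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> tuple:
    """Return (AddressOfEntryPoint, section table) read straight from the PE headers."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # same offset for PE32/PE32+
    sections, off = [], opt + opt_size                     # IMAGE_SECTION_HEADER array
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
            "entropy": round(shannon_entropy(image[raw_ptr:raw_ptr + rsize]), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE)})
        off += 40
    return entry_rva, sections


def packer_indicators(image: bytes) -> list:
    """Structural tells a packer leaves behind; an empty list means none were found."""
    entry_rva, sections = parse_sections(image)
    findings = []
    ep = next((s for s in sections
               if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if ep is None:
        findings.append("entry point lies outside every section")
    else:
        if len(sections) > 1 and ep is sections[-1]:
            findings.append(f"entry point in last section {ep['name']!r}")
        if ep["name"] not in (".text", "CODE"):
            findings.append(f"entry point in non-standard section {ep['name']!r}")
    for s in sections:
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"high entropy {s['entropy']} in section {s['name']!r}")
        if s["executable"] and s["writable"]:
            findings.append(f"writable+executable section {s['name']!r}")
        if s["rsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']!r} has no raw data but {s['vsize']} bytes "
                            "of virtual size (filled in at run time)")
    return findings


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 images (two sections each). packed=True mimics a UPX-style
    layout: empty RWX .text, and a last section of high-entropy bytes owning the entry point."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    if packed:
        entry = 0x4010
        table = [(b".text", 0x3000, 0x1000, 0, 0, 0xE0000080),
                 (b"UPX1", 0x400, 0x4000, 0x400, 0x200, 0xE0000040)]
        blob = b"".join(hashlib.sha256(b"sample" + i.to_bytes(4, "little")).digest()
                        for i in range(32))              # stands in for compressed code
        bodies = [b"", blob]
    else:
        entry = 0x1000
        table = [(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020),
                 (b".data", 0x200, 0x2000, 0x200, 0x400, 0xC0000040)]
        bodies = [b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 64, b"Hello, world\0".ljust(0x200, b"\0")]
    coff = struct.pack("<HHIIIHH", 0x14C, len(table), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(0xE0 - 20)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in table)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + b"".join(bodies)


if __name__ == "__main__":
    # Usage: python pe_packer_check.py file.exe ...   (no arguments: run on the constructed samples)
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [
        ("sample-plain", build_sample_pe(False)), ("sample-packed", build_sample_pe(True))]
    for label, image in targets:
        print(f"{label}: {packer_indicators(image) or 'no packer indicators'}")
```

Run it against the protected build next to the plain build of the same source: if the protected copy lights up every indicator, a generic "Packed" or "Heuristic" verdict is the expected outcome rather than evidence of infection, and that side-by-side output is the useful thing to attach to a vendor false-positive submission.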
 

Author Comment

by:saljas
ID: 41759728
Mr btan
Many many thanks for your help

You are using very difficult English sentences .... e.g.
(There are means to "bypass" AV per se though I very much not recommend it )
I am guessing you mean
(There are means to "bypass" AV,   perhaps - for a second though - I very much not recommend them )

(But if you will to think of it that If really the legit file is infected) This is too tough !@!!

I spend too long understanding you.

I think you are suggesting that I change my way to ( packers compress )

I have 52 products with 300 exe files - so shifting to another method is too long a procedure.

Several years ago I contacted Symantec, and they suggested that I send one exe to them to include in their scan in the future. They did, and it worked fine for a while. So I knew that I had to do the same for all AV companies (which is impossible).

I was looking for something like:-
If the scanning process reaches an exe file then do a real in-depth scan.
Or
any other idea to check the exe file properly.

I am sure there is a way, because (Microsoft Security Essentials) is doing it the right way.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41760342
Pardon me for my writing.

Maybe you can try out VirusTotal to see if all the other AVs do trigger alerts. This online service keeps an updated list of AVs to conduct such scanning of uploaded files (such as exe). https://www.virustotal.com

Maybe from there you can check if any other AV scans will not trigger an alert.
1
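Following on from the VirusTotal suggestion above: a vendor with 300 executables that change every few months needs this as a batch check rather than a manual upload. The script below is an added example (not from the thread, and not a VirusTotal or SafeNet tool) that hashes every .exe under a build directory, queries the VirusTotal v3 API by SHA-256, and reduces each report to the detection ratio and the per-engine labels. It assumes an API key in the VT_API_KEY environment variable; the keyword list used to tag a verdict as "heuristic/packer only" is the example's own rule of thumb, not a VirusTotal field; and SAMPLE_REPORT is a constructed response with fictitious engine names, carrying only the fields the script reads.

```python
"""Pre-release AV triage of a build directory via VirusTotal hash lookups.
Added example, not code from the thread. Assumes the VirusTotal v3 REST API and an
API key in VT_API_KEY. GET /files/{sha256} only retrieves an existing report: nothing
is uploaded, so an unpublished build stays private (HTTP 404 = hash unknown)."""
from __future__ import annotations

import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from pathlib import Path

VT_FILES = "https://www.virustotal.com/api/v3/files/"
# Labels that usually mean "looks packed" rather than "matches a known family".
# This keyword list is the example's own assumption, not a VirusTotal or vendor convention.
HEURISTIC_TOKENS = ("packed", "heur", "generic", "suspicious", "crypt", "obfus")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup(sha256: str, api_key: str) -> dict | None:
    """Fetch the existing report for a hash; None when VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILES + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: dict) -> dict:
    """Reduce a /files/{hash} report to the numbers the thread is arguing about."""
    results = report["data"]["attributes"]["last_analysis_results"]
    labels = {engine: r.get("result") or r["category"]
              for engine, r in results.items()
              if r.get("category") in ("malicious", "suspicious")}
    heuristic_only = bool(labels) and all(
        any(tok in str(lbl).lower() for tok in HEURISTIC_TOKENS) for lbl in labels.values())
    return {
        "flagged": len(labels),
        "total": len(results),
        "ratio": f"{len(labels)}/{len(results)}",
        "labels": labels,
        "heuristic_only": heuristic_only,   # every hit reads like a packer/generic heuristic
    }


# Constructed stand-in for an API response (engine names are fictitious); only the
# fields this script reads are present.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 3},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Packed.Generic.123"},
        "EngineB": {"category": "malicious", "result": "HEUR:Trojan.Win32.Generic"},
        "EngineC": {"category": "undetected", "result": None},
        "EngineD": {"category": "undetected", "result": None},
        "EngineE": {"category": "undetected", "result": None},
    }}}}


def triage_directory(directory: Path, api_key: str) -> list[tuple[str, dict | None]]:
    """Look up every .exe under directory; returns (file name, summary or None) pairs."""
    rows = []
    for exe in sorted(directory.rglob("*.exe")):
        report = vt_lookup(sha256_file(exe), api_key)
        rows.append((exe.name, summarize(report) if report else None))
    return rows


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_release_triage.py <build-dir>   (no arg: use SAMPLE_REPORT)
    if len(sys.argv) < 2:
        print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
    else:
        for name, summary in triage_directory(Path(sys.argv[1]), os.environ["VT_API_KEY"]):
            if summary is None:
                print(f"{name}: not known to VirusTotal (never uploaded)")
            else:
                tag = " (heuristic/packer only)" if summary["heuristic_only"] else ""
                print(f"{name}: {summary['ratio']}{tag} {summary['labels']}")
```

A lookup by hash only returns a report VirusTotal already holds; it does not upload the binary. That matters for proprietary software: a file you upload is shared with the participating vendors, which is what you want when you are asking them to whitelist it and not what you want for an unreleased build. A 404 therefore means nobody has submitted that exact build yet, not that it is clean. Where a report exists, a ratio like 2/55 whose labels all read Packed.*, HEUR:* or *.Generic is the packer heuristic the thread describes, whereas a named family reported by several engines deserves a second look before release.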
 
LVL 37

Expert Comment

by:bbao
ID: 41760410
> The exclude will ignore the exe file even if it is infected - not a good idea.

You are correct. Ignoring or skipping is the most simple or tough way to avoid seeing the errors. Its prerequisite is: the excluded items are known to be trusted.

Basically, if you do want to exclude them, the ONLY way is to give correct and up-to-date SIGNATURES or a VIRUS DATABASE to the AV engine in order to avoid the false positive alerts.

As you may be aware, it depends on the vendors of the AV products in use.

If an AV product does not provide you options to CUSTOMISE its signature or database file, AND if you could not identify which part of your executables matches the existing criteria or signatures (or triggers the alerts), basically you have NO way to DIY things. You have to talk to the vendor and submit your files for their further investigation and analysis, and be patient waiting for the vendor's update.

Otherwise, choose another product which can detect correctly. But be aware:

1. It may not be practical for an enterprise environment to switch AV systems across the whole infrastructure. It can be time consuming and labour consuming.

2. Even if you could switch, I believe the new vendor can't guarantee that they can correctly scan all your executables in the future. The same story may happen again.

The choice is up to you.
0
 
LVL 64

Expert Comment

by:btan
ID: 41760549
Run a separate scan on the packaged exe before it is pushed down to the client machines. Typically second-opinion scanning is strongly advocated if infection happened but was detected via the network (IDS etc.) or another system (email, web proxy etc.) doing the extra scan too. I suggest the additional scan instead, as SEP support may not necessarily put the exe you submitted to them into their general signature release, hence any newly updated signature will still detect and flag your exe.
0
 

Author Comment

by:saljas
ID: 41760673
Mr btan,
The site (virustotal.com) is good.   It gave me 2/55 and 15/55 for two different files.

Mr Bing,
I have more than 300 exe files; there is no way I can send them to 50 different AV companies.
And, if I did send the 300 exe - we keep changing files every 3 to 6 months, which means another sending process!!!

Also some of the users refuse to exclude files.

Also I cannot ask users to change the AV which they paid for.

Some new news I got today.
The SafeNet company stopped enhancement of their method of layering exe files.

I am in a tough position :(
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41760678
Thanks for sharing. In fact I am thinking whether we can "educate" users to self-scan if they deem it necessary, for an extra assurance check on the file before execution or installation etc. If so, VirusTotal has a file uploader utility that the user can leverage. Check out more info on the tool -
https://www.virustotal.com/en/documentation/desktop-applications/
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 400 total points (awarded by participants)
ID: 41760717
Personally I can't see the point in obfuscating exe files. The only reason to do that would, in my point of view, be to hide malicious content... This will naturally have to ring bells with antivirus and antimalware software. Just because M$ Security Essentials doesn't ring bells only shows that it isn't working properly (it has also lost a lot of ground lately because of its poor detection percentages compared with others).
0
 
LVL 64

Expert Comment

by:btan
ID: 41760899
Actually the AV is doing its job by flagging. Obfuscation and packers are mainly to deter reverse engineering of the application, and more for copyright protection of intellectual property.
0
 
LVL 88

Expert Comment

by:rindi
ID: 41760919
If you have a copyright, you don't need obfuscation. An exe file is compiled and already different from the source code and unreadable to humans, and therefore not easily reverse engineered.

There are probably other, better files you can obfuscate rather than the exe, to make it less easy to decode.
0
 
LVL 64

Expert Comment

by:btan
ID: 41760923
Some applications, like .NET ones, sadly can be "reverse engineered" using Reflector.
0
 

Author Comment

by:saljas
ID: 41761048
Dear rindi

You have said
(Personally I can't see the point in obfuscating exe files. The only reason to do that would in my point of view be to hide malicious content)
The following lines might change your view.

In 2008 someone decompiled one of my exe files and removed the protection.
We used what you called the (copyright), and we proved that he took our software. Police held him in jail and he admitted his crime.

The next step is
TO PROVE HOW MUCH THE THIEF MADE ME LOSE!!!!!
The judge was not convinced by what I requested, so I lost $700,000

I discovered that the copyright is a BIG JOKE

The copyright is a tool to prove that they did steal your product, BUT NOT A TOOL TO GET BACK WHAT YOU LOST

Dear Mr rindi
Do obfuscation on all of your exe files as soon as possible.
Copyright is not dependable.
0
 
LVL 64

Accepted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41761126
Just to share another tool, though I understand that it is not about changing the obfuscator tool, such as:
To prevent false positives from antiviruses the registered version of VMProtect uses the Taggant library that signs the protected file with a certificate of the license owner.
http://vmpsoft.com/support/user-manual/introduction/what-is-vmprotect/

Also understand that most such tools may have conflicts with Windows 10:
Guys, to speed up the process, please, submit also your protected files using this form: https://www.microsoft.com/en-us/securit ... ubmit.aspx

NOTE, the radiobox "I believe this file should not be detected as malware" should be checked there. In the notes you may say "False Detection of the file protected with Enigma Protector, protected file take few minutes to start."

Found that multiple protection systems are affected by this issue, not just Enigma Protector, other major systems also have same problems.
http://forum.enigmaprotector.com/viewtopic.php?f=6&t=8962&p=17855&hilit=antivirus#p17864
0
 

Author Comment

by:saljas
ID: 41763427
Many thanks for your help

I will close the question if you have any comments

Best regards,
0
 
LVL 64

Expert Comment

by:btan
ID: 41763545
Thanks for sharing.
0
 

Author Comment

by:saljas
ID: 41783377
Close the question
0
 
LVL 64

Expert Comment

by:btan
ID: 41789220
Solutions and approaches have been advised.
0

Question has a verified solution.
