Bot Makers: How do you make your obfuscated software show up clean on VirusTotal?

GreyHatNik

I'm in the process of releasing a piece of software for SM automation but am currently stuck trying to navigate the pitfalls of AV false positives. I really don't feel comfortable asking my future clientele to disregard the several warnings they'll receive on VirusTotal when scanning the software files. I have 16 out of 68 AVs claiming my software is unsafe and I feel like even a singular warning is hardly ever excusable. I have no idea how I would get around this. They're all stating the typical false positive keywords i.e. heuristics, generic, etc. but their presence alone is enough to scare people off.

I'm not entirely sure whether I'm even eligible to receive any sort of digital signature for Windows Defender, and I'm also not sure whether I'll need to submit a new copy of the file to each of the AVs each time I fix some small bug and have to recompile the software.

At the moment, the bot is updated automatically as soon as any changes are made on the server side of things. When first downloading the file, everything appears fine, but as soon as a new update is available, Windows Defender starts going crazy, stating that the computer's been infected with Trojan files (given that the software is in the process of being overwritten to match the server version).

I feel like that would freak out a lot of users, result in a poor reputation and probably decrease sales in the long run so I'm hoping to side-step that altogether prior to release.

Any advice?
 
You did not mention what software you are using to create your bots?! Please do not say you are using Ubot Studio! If you are, then there is nothing you can do about your false AV positives other than explaining that to your clients. I am gonna PM you now some articles about that.
 
You did not mention what software you are using to create your bots?! Please do not say you are using Ubot Studio! If you are, then there is nothing you can do about your false AV positives other than explaining that to your clients.
Nope, I'm using basic C#
 
I can tell you what we did. Nothing special, you have to contact every AV company that detected your software as malicious and tell them it is a false positive. They usually have a dedicated form for this, just google AV name + false positive report. Then they’ll do a manual-ish review and unless you really messed it up, it should get whitelisted and not show up anymore in their future updates. I think most update the detection software daily, maybe even faster, so you’ll know very soon.

Some only require the file that triggered the detection, others will demand to see the whole installer and website where it came from.

I trust you did the bare minimum and got a code signing certificate? But from your description of Windows Defender, it sounds like you may not have any certificate at all. This cycle of Windows going crazy every update was happening to us before we signed our software. You also need to upload it to Microsoft for analysis and write down the names of the detections because they'll ask for that in their web form. You do that here: https://www.microsoft.com/en-us/wdsi/filesubmission They work fast and you'll get an answer in less than a day.

The part I was not yet able to solve is what to do with 3rd party libraries that a piece of software uses, if they have a less-than-clean past. It is not our fault that a legit software component was also used in malicious programs. You don’t want to just sign the exact same files yourself, because then you’ll just ruin your cert reputation (my hypothesis). I think (and this is unverified info as of now) you need to recompile them, but this gets tricky with drivers nowadays. Are you using any of those in your software?

It is an annoying process that goes in cycles on and on for weeks, even months, and you’ll quickly learn why nobody tells you shit about it – it is because barely anyone develops desktop apps these days, so there are almost no developers out there who have actually shipped a desktop app successfully. Maybe a paid app, but non-open-source freemiums get a harsh treatment, so be happy you are part of the paid app group and can work with your customers around much of the issues.

Just wait until you try to advertise your app, that’s when another round of shenanigans will start. :rolleyes:

Oh, one more thing. You mentioned you made it in C# and that it is a paid app. Since you used “obfuscated” in title, I am guessing you already used some kind of tool for that so not every noob can steal the complete source code. There is a compromise to be made between obfuscation, anti-debugging and performance. Sometimes obfuscators can even break certain features in your program. A long-term solution is to learn C++. This is another reason everyone wants to make server-side apps now and only ship SaaS in browser, to not risk their IP getting stolen. Maybe you can transform your app into something that doesn't run locally in the future.
 
Is there some obligation of VirusTotal or those antivirus companies for those results? Can we sue over these false-positive results?

This is a simple Selenium Spotify bot, and I have similar results for other apps too. Very disturbing, over and over again...
 

Most likely not. VT will tell you that they have nothing to do with the results. They are simply connecting your file to multiple antivirus companies for bulk scanning, but the results are from those antivirus companies, not from VT. What is even worse is that many of these APIs are not being regularly updated and operate with a different set of AV definitions compared to their desktop app counterparts. The same big-brand AV tools would report a file as malicious when tested through VT, but as clean when tested with their desktop variant.

The only thing you can do is contact these companies one by one. Find their official procedure for false positive reports and follow it. Even if you follow it, some will just ignore you, but the big ones will reply and are mostly cooperative. Microsoft, for example: you'll have no issues getting your app whitelisted with them, just go to https://www.microsoft.com/en-us/wdsi/filesubmission and follow the steps.

Keep in mind that a malicious file is only a file that does something the user did not allow it to do, nothing more, nothing less. There is really no good way to avoid false positives from an AV standpoint. IMHO, the best way is to work on building trust. As with all things, some trust can be bought; think of it as a baseline initial trust. You start by buying an EV Code Signing certificate and signing your files. This won't help you immensely, but it does give AV companies an additional parameter to increase or decrease your certificate reputation over time.

This is why everyone avoids desktop development. It is expensive to start, very monopolized, and AV companies are basically holding you hostage from day one.

One more piece of advice that is often given, but which I doubt is feasible for any complex project, is to try to find out which part of your code is triggering the detection and then rewrite it or use a different library to do the same thing (some 3rd party libs that you are using may have been associated with malicious files in the past). See if you can do the same thing in multiple ways and compare AV reactions. In the end, reaching out and getting your app whitelisted is the only sure way.
 
My suggestion is similar to @oldguyjoe's: it might be more beneficial to you to move your software to the server side and just make the downloadable software itself a "login" type client.
This way all of your updates can be made instantly on the server side, and a login client will prevent others from duplicating your product.
For example, the user downloads your software, which just acts as a portal to access the server-side software. This also somewhat prevents users from reverse engineering your software.
It might be a lot of work to migrate to server-side, but I think it will save you more work in the long run if you plan to constantly make updates, as you would otherwise have to submit them over and over again.
 
@oldguyjoe, thank you for your time and the answer.

Most likely not. VT will tell you that they have nothing to do with the results. They are simply connecting your file to multiple antivirus companies for bulk scanning, but the results are from those antivirus companies, not from VT. What is even worse is that many of these APIs are not being regularly updated and operate with a different set of AV definitions compared to their desktop app counterparts.
VT is a famous app for checking for problems, right? And it is a standard for credibility. For example, Yelp, for customer reviews: some users post false comments, and actually did not eat at some hotels, but write a bad review every time. Yelp has an obligation to remove those users, right, and it is doing it. I will check some apps, but I am sure that some antivirus companies are always on this bad-review list, so if that is true, VT needs to remove them from checking until they update or solve their internal problems.


Keep in mind that a malicious file is only a file that does something the user did not allow it to do, nothing more, nothing less.

It is a very broad explanation. For example, this current bot writes to text files; how does the user allow that? I mean, this sentence is problematic on several levels and not actually applicable in real apps. Do you want to say that somehow I need to ask the user for each line of code...? My app is not writing or changing system files or anything in the OS source.....

One more piece of advice that is often given, but which I doubt is feasible for any complex project, is to try to find out which part of your code is triggering the detection and then rewrite it or use a different library to do the same thing (some 3rd party libs that you are using may have been associated with malicious files in the past). See if you can do the same thing in multiple ways and compare AV reactions.

Very nice advice. Yes, I am using, for example,
https://pypi.org/project/auto-py-to-exe/
Maybe this module triggered something, but it is a famous module too....
 
Oh, one more thing. You mentioned you made it in C# and that it is a paid app. Since you used “obfuscated” in title, I am guessing you already used some kind of tool for that so not every noob can steal the complete source code. There is a compromise to be made between obfuscation, anti-debugging and performance. Sometimes obfuscators can even break certain features in your program. A long-term solution is to learn C++. This is another reason everyone wants to make server-side apps now and only ship SaaS in browser, to not risk their IP getting stolen. Maybe you can transform your app into something that doesn't run locally in the future.

This is the future. And it's a better experience for the user, because different OS environments and different AVs on each machine can be a pretty big hassle.

The downside is the server rental price, but this can be optimized and scaled as the user base grows with proper management.

Yep, this can be a hassle too, but the second option causes much more trouble.
 
VT is a famous app for checking for problems, right? And it is a standard for credibility. For example, Yelp, for customer reviews: some users post false comments, and actually did not eat at some hotels, but write a bad review every time. Yelp has an obligation to remove those users, right, and it is doing it. I will check some apps, but I am sure that some antivirus companies are always on this bad-review list, so if that is true, VT needs to remove them from checking until they update or solve their internal problems.
If you ever find a group of software developers who are working on a judicial path to fight unjust false positive reporting and direct business damages caused by AV misinformation, let me know, I would be happy to join in, but we would need massive numbers to gain any traction. As individuals, we are but flies on the windshield.

I am using, for example,
https://pypi.org/project/auto-py-to-exe/
Maybe this module triggered something, but it is a famous module too....
I never had to distribute a Python-based end product, so I don't know if this specific tool is causing you problems, but I would definitely try to find some other alternative for packaging Python scripts into portable executables and compare VT scans for each. There should be many available.


It is a very broad explanation. For example, this current bot writes to text files; how does the user allow that? I mean, this sentence is problematic on several levels and not actually applicable in real apps. Do you want to say that somehow I need to ask the user for each line of code...? My app is not writing or changing system files or anything in the OS source.....
I was only trying to say that AV companies can really bend reality when they decide what is malicious. We use a bunch of software daily that behaves maliciously. Windows is a prime example of this, with forced updates and reboots that actually cause users to lose their data (not everything is saved and restored). A prime example of malicious behavior, but it is "ok", because it is a big corp. You see where I am going with this? Double standards everywhere.

You as a small developer are not only competing with companies that have much more capital than you. You are also competing against companies that can get away with bending privacy and consumer laws, which you can't, or you get canceled, banned, deindexed or whatever.

This is the future. And it's a better experience for the user, because different OS environments and different AVs on each machine can be a pretty big hassle.
The downside is the server rental price, but this can be optimized and scaled as the user base grows with proper management.
Yep, this can be a hassle too, but the second option causes much more trouble.
Exactly, you can deploy a desktop app that is basically only a plain GUI app with an HTTP client that communicates with the main server, where all the logic happens. Your desktop app will still probably get flagged (but the code base is much smaller and simpler), so your next step is to move it into a browser (website). But here is the problem with browsers: you are now locked into another sandbox with fewer privileges, and you might need some OS functionality that the browser does not provide. If you can work within a browser, it is definitely much less of a hassle to do so.
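One way to do the build-by-build comparison and detection-name bookkeeping discussed in this thread (added example for the thread, not code from any poster). It reads the JSON that VirusTotal's v3 API returns for `GET /api/v3/files/<sha256>` with an `x-apikey` header; the two reports, engine names and detection labels embedded below are constructed, not real scan results.

```python
"""Summarise VirusTotal v3 file reports: which engines flag a build, what
changed between two builds, and the lines to paste into vendors'
false-positive forms (they ask for the detection names)."""
import hashlib

# VT categories that count as "flagged"; everything else is treated as clean.
FLAG_CATEGORIES = {"malicious", "suspicious"}


def sha256_of(path):
    """Hash a build; VT v3 looks files up by this value (/api/v3/files/<sha256>)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def flagged_engines(report):
    """Map engine name -> detection label for every engine that flagged the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {name: r["result"] for name, r in results.items()
            if r.get("category") in FLAG_CATEGORIES}


def diff_builds(old_report, new_report):
    """Compare two builds (e.g. two packagers): cleared, newly firing, persistent engines."""
    old, new = flagged_engines(old_report), flagged_engines(new_report)
    return {
        "cleared": sorted(set(old) - set(new)),
        "new": sorted(set(new) - set(old)),
        "persistent": sorted(set(old) & set(new)),
    }


def false_positive_notes(report):
    """One line per flagging engine, ready for that vendor's false-positive form."""
    sha = report["data"]["attributes"]["sha256"]
    return [f"{engine}: {label} (sha256 {sha})"
            for engine, label in sorted(flagged_engines(report).items())]


def _report(sha, results):
    # Constructed minimal VT v3 shape; real reports carry many more fields.
    return {"data": {"attributes": {"sha256": sha, "last_analysis_results": {
        name: {"category": cat, "result": res} for name, (cat, res) in results.items()}}}}


# Constructed sample reports for two builds of the same app; engine names and labels are made up.
BUILD_A = _report("a" * 64, {"EngineX": ("malicious", "Trojan.Generic.Heur"),
                             "EngineY": ("suspicious", "Gen:Variant"),
                             "EngineZ": ("undetected", None)})
BUILD_B = _report("b" * 64, {"EngineX": ("malicious", "Trojan.Generic.Heur"),
                             "EngineY": ("undetected", None),
                             "EngineZ": ("suspicious", "Heur.Packed")})
```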
 
SaaS has a lot of advantages over a standalone app, but a lot of solutions are not handy when a user needs a lot of hardware resources, when the main kinds of tasks need hardware. Maybe you can solve it with a big server, but then you have problems with trial options; you need to start a very expensive server...
 
One more note about SaaS vs. desktop apps: users like to own the app, to have it on their side, this little magic box that helps their business, to manage and run. A cloud app is nice and does not ask for a lot of resources, but from a marketing angle a desktop app is better for giving users a better feeling.
But at the end of the day, VirusTotal must have responsibility like any middleman service on the internet, especially as it is the leader and most trusted service. In the past I tested some simple C# desktop app, and it had false positives too, so it is not only related to some third-party service; it is related to something very wrong with VirusTotal and some antivirus companies.
 