Proving False Positives are False Positives

Discussion in 'C, C++, C#' started by tehmadcracker, Mar 12, 2010.

  1. tehmadcracker

    tehmadcracker BANNED BANNED

    Joined:
    Apr 19, 2009
    Messages:
    155
    Likes Received:
    502
    I am writing this thread as a reference for whenever false positives come up in my software.

    How to prove False Positives are False Positives

    Download Visual Studio Express C# from Microsoft
    Code:
    http://download.microsoft.com/download/A/5/4/A54BADB6-9C3F-478D-8657-93B3FC9FE62D/vcssetup.exe
    Download Xenocode Postbuild (now Xenocode Obfuscator)
    Code:
    http://www.xenocode.com/Obfuscator/Setup.msi
    1. Install both downloads
    2. Create a new Windows Forms Project with Visual Studio Express
    3. Build the WinForm Project
    4. Submit the WinForm Project EXE to VirusTotal
    5. Open Xenocode and Apply Obfuscation to WinForm Project EXE
    6. Submit Xenocode WinForm EXE to VirusTotal
    7. Observe False Positives
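    The comparison that steps 4 and 6 imply, written out as an added example that is not part of the original post or of any software discussed in the thread: two constructed scan results (engine name to detection label, or None when the engine reports clean) stand in for the VirusTotal reports of the blank obfuscated project and of the real product. Detections the product shares with the blank baseline are the candidates for obfuscator-triggered false positives; anything the product alone triggers is what still needs further analysis. Every engine name and label below is made up.

```python
"""Differential comparison of two scan reports: a blank, obfuscated
Visual Studio project (baseline) versus the real, obfuscated product.

Shared detections are explainable by the obfuscator; product-only
detections are not, and an empty product-only set is still not proof
of cleanliness (it only means the scanners add nothing beyond the
baseline), so the verdict is 'inconclusive' rather than 'clean'.
"""

# Constructed sample reports, loosely shaped like a VirusTotal engine map.
# Engine names and labels are invented for this example.
BASELINE_SCAN = {
    "EngineA": "Packed.Generic.1",
    "EngineB": None,
    "EngineC": "Heur.Obfuscated.NET",
    "EngineD": None,
    "EngineE": "Suspicious.Packer",
}

PRODUCT_SCAN = {
    "EngineA": "Packed.Generic.1",
    "EngineB": None,
    "EngineC": "Heur.Obfuscated.NET",
    "EngineD": "Constructed.Label.ForDemo",  # only the product triggers this
    "EngineE": "Suspicious.Packer",
}


def detections(scan):
    """Keep only engines that reported a detection label."""
    return {engine: label for engine, label in scan.items() if label}


def compare_scans(baseline, product):
    """Split the product's detections by whether the baseline explains them.

    A detection counts as shared only when the same engine reports the
    same label on the blank project; a different label from the same
    engine is treated as product-only because it is new information.
    """
    base_hits = detections(baseline)
    prod_hits = detections(product)
    shared = {e: l for e, l in prod_hits.items() if base_hits.get(e) == l}
    product_only = {e: l for e, l in prod_hits.items() if e not in shared}
    baseline_only = {e: l for e, l in base_hits.items() if e not in prod_hits}
    return {
        "shared": shared,
        "product_only": product_only,
        "baseline_only": baseline_only,
    }


def verdict(comparison):
    """'investigate' when the product adds detections the baseline lacks,
    otherwise 'inconclusive': static comparison cannot prove absence of
    malicious behaviour, only that the obfuscator explains these hits."""
    if comparison["product_only"]:
        return "investigate"
    return "inconclusive"


def summarize(baseline, product):
    """Human-readable report plus the structured comparison."""
    cmp = compare_scans(baseline, product)
    lines = [f"verdict: {verdict(cmp)}"]
    for bucket in ("shared", "product_only", "baseline_only"):
        for engine, label in sorted(cmp[bucket].items()):
            lines.append(f"{bucket:13} {engine}: {label}")
    return "\n".join(lines), cmp


if __name__ == "__main__":
    text, _ = summarize(BASELINE_SCAN, PRODUCT_SCAN)
    print(text)
```

    Running it on the constructed data lists three shared detections (the obfuscator's footprint), one product-only detection to follow up on, and the verdict "investigate"; running it with the baseline on both sides gives "inconclusive", which is the most a matching set of false positives can ever establish.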

     
  2. mackay22

    mackay22 Regular Member

    Joined:
    Jul 22, 2009
    Messages:
    244
    Likes Received:
    93
    thanks for this post mte, in relation to one of your softwares I posted here
    http://www.blackhatworld.com/blackh...hmadcracker-seobynumbers-com.html#post1609365
    about trojan from your soft,

    now what you've just posted above seems a bit long winded for me but are you saying that the trojan is a false positive? Coz I guess I must just trust you if I don't follow your steps above right?

    Seems like a cool soft that proxy expander

    Thanks
     
  3. SpiderWebMaster

    SpiderWebMaster Power Member

    Joined:
    Jan 24, 2009
    Messages:
    617
    Likes Received:
    519
    Occupation:
    I don't have a job...
    Location:
    /dev/null
    uh... i understand what you say and believe you, but that proves nothing really lol
     
  4. tehmadcracker

    tehmadcracker BANNED BANNED

    Joined:
    Apr 19, 2009
    Messages:
    155
    Likes Received:
    502
    Well, if a blank project shows the same 6 false positives as my software, then IMO, that proves my software is just as clean as a blank project.... but whatever, I don't have the energy to debate this with you considering our history....
     
  5. SpiderWebMaster

    SpiderWebMaster Power Member

    Joined:
    Jan 24, 2009
    Messages:
    617
    Likes Received:
    519
    Occupation:
    I don't have a job...
    Location:
    /dev/null
    not trying to argue with you man, in any way. i know that code obfuscators can give out false positives but you must understand that a blank project is a blank project so those are really false positives, as for your software (or any other that uses the same obfuscation) it is not blank, so much code is there doing a variety of things, hidden by the obfuscation, and nobody can say if it is malicious or not without further analysis of what it does by other means like network traffic monitoring and such things and you as a programmer (which i'm not) know that better than anybody else. ;)
     
  6. tehmadcracker

    tehmadcracker BANNED BANNED

    Joined:
    Apr 19, 2009
    Messages:
    155
    Likes Received:
    502
    You are most definitely correct, network traffic monitoring and further program activity analysis are great ways of proving if a piece of software is malicious or not, both of which I welcome towards my apps... This is a method in which anyone can see the process in where my apps receive their false positives and compare those false positives against an app that, with absolute certainty, isn't malicious.

    Anyone willing to do further analysis on my software and post a report of their findings will be rewarded with private apps and/or licenses to the apps I sell. Please contact me on AIM, my nick is SEObyNumbers, with any questions, and/or comments.