-
Notifications
You must be signed in to change notification settings - Fork 221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Antivirus false positive detections #47
Comments
A random seed for the hash is already used. I can't really help much besides suggesting things like changing the hash algorithm or something like that. The code generated is rather small, so I'd assume it's more of a heuristic detection rather than the specific generated code. |
I see, can you provide a small example how to change the hash algorithm? Also, very curious... what do you mean by heuristics? As far as I know, these is compiled time code that does not load any libraries etc so... does not really apply? |
Fork the project and replace the hashing function hash_single or it might be easier with other algos to replace hash functions that rely on this single character hashing thing.
Lack of imports and general runtime analysis performed in their sandboxes showing the fact that imports are being resolved manually. Also, AI garbage bunching similar (or literally lazy importer) code used in malware into the same boat. |
I'm using both lazy importer and xorstr for years and never had one AV detection, Are you sure you're code is not what actually detected?
|
Hello,
I've mentioned this before and I am fully aware this is not the scope of the project, however I will ask the question again as I am sure many others face the same issue. It seems that quite a few AV vendors created patterns that detect both lazy_importer and xorstr somehow as "virus".
It really doesn't matter if your .exe is x86 or x64, console or UI, has version/checksum, etc; they will still detect it. Most detected files are .dll's unfortunately. It's a real bummer.
Is there / do you have some ideas on how could one improve on this? Perhaps give the user the option to set some sort of "seed" and created obfuscation based on that? So each build / project would have unique "patterns". Idk.
Many thanks
The text was updated successfully, but these errors were encountered: