Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post messages here if you have any problems with the working of Enigma Protector
oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Thu Nov 11, 2021 4:40 pm

I recently received my first code signing certificate and I signed the executable after protecting it, then made the installer from that, then signed the installer. It installs and runs fine, but when I run the installer through VirusTotal, Microsoft is flagging it as containing Trojan:Win32/Sabsik.FL.B!ml. If it were coming from an unknown antivirus vendor, I would ignore this, but this is Microsoft! How do I get rid of this warning? :(

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Thu Nov 11, 2021 5:02 pm

I submitted the protected executable to Microsoft for analysis, but they probably won't get back to me for days, if not weeks or months. Is there something Enigma can do to fix this?

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Thu Nov 11, 2021 10:44 pm

Surprisingly, Microsoft already got back to me (pinch me!). They removed the detection and told me how to update my Defender signatures. So I did that and:

1) I rescanned the installer at VirusTotal. This time, it got back false positives from Sophos (Generic ML PUA (PUA)) and FireEye (Generic.mg.26285e8c3bbafe5c). So, the Microsoft false positive is gone, but now these other two are showing up. Not sure why they didn't show up last time (maybe they both exceeded the timeout?).

2) I rescanned the installer with Defender on my local machine and it found Program:Win32/Wacapew.C!ml, but it considers it a low risk, so it allowed me to easily whitelist that.

So, I'm going to make this installer available on my website, but I'd still like to see if I can remove these false positives. I would really rather not have to get in the habit of having to submit my app to all these antivirus companies every single time I rebuild my app!

Thanks

Enigma
Site Admin
Posts: 2744
Joined: Wed Aug 20, 2008 2:24 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by Enigma » Mon Nov 15, 2021 8:35 am

Hi, there should be nothing to do anymore. I believe MS whitelisted your certificate and no more false detections appear.

Antiviruses are becoming crazier and crazier; no matter what the file is, without a code signing certificate most files get detected as a virus. MS's Defender is a leader in wrong detections. A simple "Hello World!" compiled file causes a dozen false detections on VirusTotal...

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Tue Nov 16, 2021 7:13 pm

Since Adobe came out with a 64 bit version of Acrobat Reader, I'm now preparing a 64 bit version of my app. However, I'm probably going to have to leave Enigma behind because I have no desire to pay for this package all over again, just to get 64 bit support (unless you give a substantial discount). The fact that I still got false positives from other antivirus engines despite the whitelisting by Microsoft just reinforces my decision. I can't sell an app that no one trusts! (Granted, going without protection will open the app up wide to piracy, but better *some* sales than *no* sales...)

To be fair, I haven't scanned the installer since my initial post above, but I'll try again later today.

Here's a semi-related issue I'm having that maybe you can help me solve: When I try to code sign my 64 bit app (not Enigma protected, of course), I'm getting error 0x800700C1 from signtool.exe. Basically, it's saying the EXE is invalid, but I can package it up, install it and run it, so I'm not sure why it's balking. (Someone else said this error means the EXE is already signed but I know for a fact that it's not, and I verified that.)

Do you (or anyone else here) know how to research / fix this?

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Wed Nov 17, 2021 12:54 am

...and I found the cause of the problem. If you're using the JCL Debug routine and you enable the "Insert JDBG data into the binary" feature, that throws a wrench into the machine. SignTool fails to sign the app in that case. If you use EurekaLog (or similar), you don't need to enable this (I tested it). I didn't strip out JCL Debug altogether, though. You might be able to remove that too...
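For the two posts above (the signtool 0x800700C1 error and the "is the EXE already signed?" question), here is an added offline check that is not from the thread or from Enigma: it reads a PE file's headers and reports whether an Authenticode certificate table is already present and which sections the binary carries, so you can confirm the signing state and spot extra data a build tool inserted before running signtool. The `build_sample_pe` helper and the section name `MYDBG` are constructed test fixtures, not anything produced by JCL or Enigma.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot holding the Authenticode certificate table


def pe_signing_report(data: bytes) -> dict:
    """Parse the PE headers in `data` and report whether an Authenticode
    certificate table is present, plus the section names, so a build can be
    checked before (and after) running signtool."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: data directories start at +96
        dd_base = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories start at +112
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional-header magic 0x{magic:x}")
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size                    # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {"pe32plus": magic == 0x20B, "signed": sec_off != 0 and sec_size != 0,
            "security_offset": sec_off, "security_size": sec_size, "sections": names}


def build_sample_pe(pe32plus: bool, signed: bool, extra_section: str = "") -> bytes:
    """Constructed, non-runnable PE skeleton used only to exercise the parser."""
    magic, opt_len, dd_base = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    names = [b".text", b".data"] + ([extra_section.encode()] if extra_section else [])
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, magic)
    if signed:  # constructed certificate-table offset/size, as signtool would fill in
        struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(names), 0, 0, 0, opt_len, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew -> PE header right after the DOS stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(pe_signing_report(fh.read()))
```

Run it against the real build (`python check_pe.py myapp.exe`): a "signed": False result rules out the "already signed" explanation, and an unfamiliar section name points at data inserted by a debug or protection tool.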

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Wed Nov 17, 2021 7:43 pm

Ok, I ran a new installer (32 bit, protected) by VirusTotal and it came back with ZERO false positives. I'll try this out on an older laptop to see how many warnings I get from Windows. I *might* buy the 64 bit version of Enigma after all, but I'm still hoping for a discount! Having to pay twice for this thing hurts...

oHXD3OUsHe
Posts: 12
Joined: Mon Oct 11, 2021 3:30 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by oHXD3OUsHe » Thu Nov 18, 2021 11:08 pm

The promised follow-up... I am still getting a crazy number of "Are you sure you want to install that" messages from both Edge and Windows SmartScreen, but I'm guessing this isn't Enigma's fault. I love how Microsoft treats adults like children.

This nagging won't go away until more people buy my app, and boy is it annoying as hell...

Enigma
Site Admin
Posts: 2744
Joined: Wed Aug 20, 2008 2:24 pm

Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml

Post by Enigma » Sat Nov 20, 2021 8:25 am

oHXD3OUsHe wrote:
Thu Nov 18, 2021 11:08 pm
The promised follow-up... I am still getting a crazy number of "Are you sure you want to install that" messages from both Edge and Windows SmartScreen, but I'm guessing this isn't Enigma's fault. I love how Microsoft treats adults like children.

This nagging won't go away until more people buy my app, and boy is it annoying as hell...
No, this is not due to Enigma. As far as I know, this happens for all files that are downloaded from the internet, regardless of protection and even of a digital signature.

For other questions in this thread, please contact us at support@enigmaprotector.com
