DOWNLOAD.CNET.COM virus scan positive!
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
DOWNLOAD.CNET.COM virus scan positive!
I tried uploading my program which I have protected with enigma to a download account I have at http://download.cnet.com. I was shocked when it said my file had a virus! I tried scanning both my program file and the install file (NSIS) using an online service that tests the files against a lot of virus scanners and multiple problems were found! I'm not sure how long the web site keeps the results, but since this was done in the last few minutes you should be able to see the virus scan results by just clicking on these urls:
https://www.virustotal.com/file/bfbeb44 ... 333719544/
https://www.virustotal.com/file/06127a4 ... 333719955/
The first link is the scan results for my actual program which was protected with enigma. The second link is for the installation file which was written in NSIS. As you can see both files seem to have multiple positive virus detections! Is this an enigma problem or a NSIS problem? This is something that concerns me greatly since my program would already be on http://download.cnet.com if not for this.
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
Re: DOWNLOAD.CNET.COM virus scan positive!
Further analysis shows me that both files had exactly the same problems except that the installer had one extra, a 'Trojan.Win32.Spy!IK'. 8 problems were found in my program protected with enigma and 9 problems were found with the installer, therefore enigma must be responsible for at least 8 of the positives.
Re: DOWNLOAD.CNET.COM virus scan positive!
Hi speedyorange,
This is the reality that you may have with antiviruses. Nobody can guarantee that even an absolutely clean file won't someday be falsely detected as a virus.
This is just a false detection.
In your case, you need to send the falsely detected sample to only 2 antiviruses, BitDefender and Ikarus, because all the others are using their databases. And if the false detection is fixed for BitDefender and Ikarus, the others will show a clean file too.
There is a topic that describes how to solve false detection:
http://www.softwareprotection.info/2011 ... -to-solve/
Also, digital signing can help to fix the problem. You may sign the protected file with a digital certificate like Comodo (the cheaper one) or VeriSign and the problem with false detection should be gone.
Another thing is the taggant project that we are actively involved in: http://standards.ieee.org/news/2011/icsg_software.html
Hope it will be completed soon and we can forget about false detection problems.
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
Re: DOWNLOAD.CNET.COM virus scan positive!
Both files were in fact digitally signed with a comodo certificate.
Should I register both my program file and the installer with those 2 antiviruses?
Re: DOWNLOAD.CNET.COM virus scan positive!
speedyorange wrote: Both files were in fact digitally signed with a comodo certificate.
Really? Hum, usually signing solves all the problems. Please re-check if the files (protected files, not an installer) are digitally signed.
speedyorange wrote: Should I register both my program file and the installer with those 2 antiviruses?
Just report the installer to them, it should be enough.
Once you report to Ikarus at false-positive@ikarus.at, another antivirus, Emsisoft, should make the file clean.
After reporting to BitDefender at their forum http://forum.bitdefender.com/index.php?showforum=138, the antiviruses F-Secure and GData should make the file clean.
Also report to F-Prot at http://www.f-prot.com/virusinfo/submission_form.html; Commtouch also uses their database.
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
Re: DOWNLOAD.CNET.COM virus scan positive!
I can not believe that I just read on your antivirus false detection page that my submitting it to virustotal.com may actually have screwed it up worse?!@#%$
Holy mother of %$#@! What do I now do about that? Should I create a freshly compiled copy and start using that?
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
Re: DOWNLOAD.CNET.COM virus scan positive!
If you check the 2 links I gave to virustotal and scroll down near the bottom and click on where it says 'additional information' you will see that both are digitally signed!
Re: DOWNLOAD.CNET.COM virus scan positive!
speedyorange wrote: If you check the 2 links I gave to virustotal and scroll down near the bottom and click on where it says 'additional information' you will see that both are digitally signed!
This information says that the checked file is signed (the installer is signed); this does not say that the protected files are signed.
I can help you to report to antiviruses if you give me a direct link in PM. I hope that it takes just a day to solve the problem.
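Added example, not part of the thread and not Enigma or NSIS tooling: a Python check of whether each shipped file (installer, protected executable, bundled DLLs) carries an embedded Authenticode certificate table, which is the per-file distinction raised in the reply above. The file names and the minimal PE header built by `sample_pe` are constructed; the check only detects that a signature blob is present and does not validate it.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def signature_status(data: bytes) -> str:
    """Classify a file as 'not-pe', 'unsigned', 'malformed' or 'signature-present'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)    # e_lfanew
    opt = pe_off + 24                                    # PE signature (4) + COFF header (20)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or opt + 2 > len(data):
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)            # PE32 / PE32+ data-directory offset
    if dirs is None:
        return "not-pe"
    entry = opt + dirs + 8 * SECURITY_DIR
    if entry + 8 > len(data):
        return "malformed"
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)   # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, entry)       # a file offset, not an RVA
    if count <= SECURITY_DIR or offset == 0 or size == 0:
        return "unsigned"
    if size < 8 or offset + size > len(data):
        return "malformed"
    _length, _rev, cert_type = struct.unpack_from("<IHH", data, offset)  # WIN_CERTIFICATE
    return "signature-present" if cert_type == 0x0002 else "malformed"   # PKCS#7 SignedData

def sample_pe(cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 header (not a runnable program), optionally with a cert table."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x40 + 4 + 20 + 224, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

def audit(files: dict) -> dict:
    return {name: signature_status(blob) for name, blob in files.items()}

if __name__ == "__main__":
    fake_cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8  # constructed placeholder blob
    files = {"setup.exe": sample_pe(fake_cert), "app_protected.exe": sample_pe(),
             "data.dll": b"0123456789" * 20}             # constructed sample files
    print(audit(files))
```

To validate the signature chain rather than its presence, run `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` on the same files.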
-
speedyorange
- Posts: 42
- Joined: Mon Dec 19, 2011 3:47 pm
- Contact:
Re: DOWNLOAD.CNET.COM virus scan positive!
The actual program file inside the installer is signed:
https://www.virustotal.com/file/bfbeb44 ... 333719544/
You know what, I think I might have done a bad. Included with my executable file is a dll that will be installed in a subdirectory under the program file. Only problem is that it is not really a dll, it is only a text file that contains security information that I put a dll extension on to hide it. It only actually contains large amounts of seemingly random digits 0-9. Did I get too cute? It seems that at the most it could only be accounting for the extra virus warning that the installer program gets because it is in the installer, it would not be tested in my virus test of my actual program file.
I appreciate your help in solving this problem. By sending you the link by PM, do you mean email?
Re: DOWNLOAD.CNET.COM virus scan positive!
No, unfortunately, this is not your fault, nor ours; this is a problem of antiviruses that sometimes detect something in even clean files. I can't tell the reason for the detection. Some customers do not have any problem with even 1 antivirus, others have problems like you. But the fact that even a signed file is falsely detected makes me very frustrated.
There is also such a term as cascading false detection. This happens when one more famous antivirus detects something, and others, less famous, also detect something based on this detection, and so on. Finally, an absolutely clean file may be wrongly detected by numerous antiviruses.
Neither you nor I can control false detection, but we can successfully solve it. I hope that when the taggant project is completed (very soon) we will forget about the false detection problem.
Send link by PM: at the right side of my post there is a PM button, which allows you to send me a private message. Send me the link to the installer, and I will re-send it to the antiviruses with a request to fix the false detection.
