Hello,
I hope you're doing well.
I read on the forum that the Enigma Protector program is detected as a virus by some antivirus software. In response, you recommended that users report the file as a false positive.
However, two questions have been on my mind:
This issue is undoubtedly due to part of your protection algorithm triggering these detections. Why don’t you modify that part yourselves?
Surely, antivirus programs flag protected files as viruses based on certain technical criteria. If the files were actually infected, wouldn’t reporting them as false positives be a security risk?
Thank you for your explanations regarding these questions.
Inquiry About Enigma Protector and Antivirus Detection
- freecounters
- Posts: 2
- Joined: Tue Apr 15, 2025 5:40 pm
- GameShield
- Posts: 7
- Joined: Sun May 22, 2022 6:50 pm
Re: Inquiry About Enigma Protector and Antivirus Detection
freecounters wrote: ↑Tue Apr 15, 2025 5:43 pm
"This issue is undoubtedly due to part of your protection algorithm triggering these detections. Why don’t you modify that part yourselves?"
Where did you get this nonsense from? This is a problem with all protectors, not just Enigma.
- freecounters
- Posts: 2
- Joined: Tue Apr 15, 2025 5:40 pm
Re: Inquiry About Enigma Protector and Antivirus Detection
Hi
Yes, you're absolutely right.
However, for example, in WinLicense, if you uncheck the 'Compress and encrypt application' option, you won't get a virus detection error.
This indicates that this part of its algorithm is problematic.
That's why I asked why the Enigma Protector development team isn't working on this problematic part themselves.
Also, the issue I mentioned has no conflict with the valid point you raised.
I’ll wait for an explanation from the Enigma Protector development team.
Thanks.
Re: Inquiry About Enigma Protector and Antivirus Detection
freecounters wrote: ↑Tue Apr 15, 2025 5:43 pm
"This issue is undoubtedly due to part of your protection algorithm triggering these detections. Why don’t you modify that part yourselves?
Surely, antivirus programs flag protected files as viruses based on certain technical criteria. If the files were actually infected, wouldn’t reporting them as false positives be a security risk?"
Hi, sure, here is our opinion on that.
First of all, I would clarify that this is a wrong detection, aka a false positive detection. There is no virus or malicious code of any kind inside any protected file.
Why does that happen? There are many reasons; the main ones:
- antiviruses can't analyze protected files well, so it is easier for them to detect something inside any protected file than to try to unpack and reverse the original code. Stronger protection may produce more false positive detections;
- virus makers also use protection systems to protect viruses against being detected, so if an antivirus finds that some virus is protected with a protection system, then, based on the protected file signature (which is the same for all protected files), it produces the same detection for other files;
- some tricks that the protection uses to make the file more difficult to analyze are also used by viruses, so some antiviruses, when they detect such tricks, detect something in protected files too.
Why does code compression not trigger false detection? Believe it or not, it is due only to your luck. There is no option in the protection that allows you to avoid false positive detection. You could try to protect the file once again after a minute and the wrong detection may be gone. Please understand, if we could make such a feature, we would definitely have made it already, but it is impossible. Any false detection is an error of the antivirus; it is not our fault and nothing we could affect. But if you are strongly sure that code compression may affect it somehow, then in Enigma Protector you could use the option Miscellaneous - Other - Do not compress and encrypt code; it does what you need.
How to fix a wrong detection?
1. Use code signing to sign the protected file with a code signing certificate. Any OV or EV certificate is good. Apart from all the advantages that code signing gives, it also allows you to avoid false positive detections.
2. Submit the protected file to antivirus engineers and ask them to fix the problem. You know about this way.
3. Do not use VirusTotal to check the file after each protection. VirusTotal is used not only by antivirus developers, but also by virus makers. By default, uploaded files are marked by antiviruses as malicious, and more submitted samples produce more wrong detections. We had cases where a file that caused just a couple of false detections when submitted to VirusTotal became, after a week, wrongly detected by almost all vendors there. This is known as cascading false detection, when vendors produce a wrong detection just based on a wrong detection by another, bigger antivirus vendor.
4. When we discussed this with antivirus developers, they advised us that a wrong detection may be cleaned up automatically. The more users are using your file, the greater the chance that antiviruses will clean it up automatically, without any notice or effort.
What does Enigma Protector do against false detection?
Enigma Protector has an internal signature in each protected file that could determine the customer who protected the file. There is no personal information inside the protected file, but there is some kind of signature. This signature is called a taggant. It is known by some antiviruses and used by them to track customers who protect viruses, or to determine whether the file is protected with the demo version or a licensed one. Some antiviruses use this information and do not detect anything in files protected with the licensed version.
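A toy model of the first two reasons listed in the reply above, added here as an illustration; it is not part of the original thread and is not Enigma Protector's or any antivirus vendor's code. It shows that a static scan of a packed file sees only the shared loader and high-entropy data, so a signature cut from one flagged sample also matches an unrelated benign file. `STUB`, `protect`, `naive_signature`, `scan` and the sample programs are hypothetical, constructed stand-ins.

```python
import math
import random
import zlib
from collections import Counter

# Constructed stand-in for the loader code a protector prepends to every output file.
STUB = b"TOY-PROTECTOR-LOADER-v0" * 8

def make_program(marker: bytes, seed: int) -> bytes:
    """Build a constructed, text-like 'program' that contains `marker` once."""
    rng = random.Random(seed)
    words = [b"mov", b"push", b"call", b"ret", b"add", b"cmp", b"jmp", b"lea"]
    body = b" ".join(rng.choice(words) for _ in range(20000))
    return marker + b" " + body

def protect(program: bytes) -> bytes:
    """Toy protector: shared loader stub followed by the compressed original."""
    return STUB + zlib.compress(program, 9)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum, seen for random data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def naive_signature(flagged_sample: bytes, length: int = 64) -> bytes:
    """Signature cut from the start of a flagged sample (lands inside the stub)."""
    return flagged_sample[:length]

def scan(file_bytes: bytes, signatures: list[bytes]) -> bool:
    """Static scan: True if any signature occurs anywhere in the file."""
    return any(sig in file_bytes for sig in signatures)

def demo() -> dict:
    plain = make_program(b"constructed-benign-app", seed=2)
    benign = protect(plain)
    flagged = protect(make_program(b"constructed-flagged-sample", seed=1))
    sigs = [naive_signature(flagged)]
    return {
        "benign_detected": scan(benign, sigs),           # false positive via shared stub
        "marker_visible": b"constructed-benign-app" in benign,  # original content hidden
        "plain_entropy": round(entropy(plain), 2),
        "packed_entropy": round(entropy(benign[len(STUB):]), 2),
    }

if __name__ == "__main__":
    print(demo())
```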
