Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Vfp exe encrypted with defox gets deleted by windows security
- Thread starter Sng1
- Start date
Chris Miller
Programmer
Virus detection has many different ways. It could look for some virus signature you just can hit by chance with either compression or encryption. Then your chances are just a slight modification gets you out of that suspicion.
It could be the policy of data execution prevention. Any mechanism that decrypts into memory and executes that memory would fail and might be suspected to be a virus, If defox does that, defox is dead unless users whitelist that EXE somehow, perhaps.
So I'd first try with any other earlier version or simple modification, if the problem is just that specific exe or the defox mechanism is suspected as virus for how it generally works. Even when defox creates a decrypted exe version in temp or any directory that would alarm AV heuristics suspecting an EXE creating another EXE is a virus.
A signed executable would higher trust, and the other, though not the fastest solution is to let the AV software company analyze your exe and have it white listed or specialize its detection to make a distinction between your EXE and an EXE having embedded the virus it detects. You can't expect that to be part of next days AV virus definition data or detection heuristic, though.
The fastest solution is to let the user exclude exactly this EXE in its version from virus detection, AV software usually can exclude specified directories or single files. And when users trust you, that shouldn't be asked too much and it doesn't effect virus defense and detection of any other files.
One thing to do to guarantee your EXE won't be used as a trojan horse with a virus changing or extending it would be to let it check itself by a signature to see it's in the original state. Are you familiar with cryptographic ideas and concepts? A signature based on a key pair would prevent fiddling with the EXE even if knowing the signature algorithm used and recomputing the signature of a virus modified exe, because you can check the signature with the public key of the pair that can be provided with the EXE, but a new signature needs to be created with the private key you keep for yourself, so there is no chance to modify the exe and change its signature to pass your check.
Which in short means, trust to you and that signature security check gives an OK to excluding that EXE from AV detection without it becoming a weak point.
Chriss
It could be the policy of data execution prevention. Any mechanism that decrypts into memory and executes that memory would fail and might be suspected to be a virus, If defox does that, defox is dead unless users whitelist that EXE somehow, perhaps.
So I'd first try with any other earlier version or simple modification, if the problem is just that specific exe or the defox mechanism is suspected as virus for how it generally works. Even when defox creates a decrypted exe version in temp or any directory that would alarm AV heuristics suspecting an EXE creating another EXE is a virus.
A signed executable would higher trust, and the other, though not the fastest solution is to let the AV software company analyze your exe and have it white listed or specialize its detection to make a distinction between your EXE and an EXE having embedded the virus it detects. You can't expect that to be part of next days AV virus definition data or detection heuristic, though.
The fastest solution is to let the user exclude exactly this EXE in its version from virus detection, AV software usually can exclude specified directories or single files. And when users trust you, that shouldn't be asked too much and it doesn't effect virus defense and detection of any other files.
One thing to do to guarantee your EXE won't be used as a trojan horse with a virus changing or extending it would be to let it check itself by a signature to see it's in the original state. Are you familiar with cryptographic ideas and concepts? A signature based on a key pair would prevent fiddling with the EXE even if knowing the signature algorithm used and recomputing the signature of a virus modified exe, because you can check the signature with the public key of the pair that can be provided with the EXE, but a new signature needs to be created with the private key you keep for yourself, so there is no chance to modify the exe and change its signature to pass your check.
Which in short means, trust to you and that signature security check gives an OK to excluding that EXE from AV detection without it becoming a weak point.
Chriss
- Thread starter
- #3
Problem is not with exe but is defox specific as exe without defox runs well without giving any security threat. Don't know about cryptographic ideas and concepts in details . How do VFP developers protect their exe ? Because this is generic problem to all VFP developers.
Chris Miller
Programmer
That still doesn't indicates it's about what defox generally does, it can still simply be that specific encryption has a byte sequence identified as virus, just by chance. Do you get the same virus detection with an older defoxed version of your EXE or when defoxing the same EXE with another key? If it's really just that defoxed EXE version that's no big problem, is it?
Chriss
Chriss
tomk3
Programmer
Hello,
we are using refox for encryption and compression without problems.
Maybe an exe packer can help, for example UPX.
Best regards
tom
(Or maybe there is an update on defox ?)
we are using refox for encryption and compression without problems.
Maybe an exe packer can help, for example UPX.
Best regards
tom
(Or maybe there is an update on defox ?)
Mike Lewis
Programmer
Do you have any control over the users' AV settings? Most AVs (including Windows Defender and Microsoft Security Essentials) allow you to whitelist specific files. So you could whitelist your own EXE without it affecting EXEs in general.
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
Mike Lewis
Programmer
If I remember rightly, this has come about because you first had problems getting Modebox to work. You then decided to go with Refox instead. Several of us at the time warned you against encrypting your EXE, and pointed out that the risk of reverse engineering was much less than many people thought. Are you still convinced that you need to encrypt your application?
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
- Thread starter
- #8
Chris Miller
Programmer
A suite that repeatedly has that problem is XAMPP. Especially the xamp-manager.exe. They address programmers, who are more familiar with the topic but they are quite open about the issue and inform users this may happen and how to configure their AV. See their FAQ. (edit: the link to it is
Besides that, Mikes point would obviously also be a solution as you by now only know you have problems with a defoxed (or is it really Refox?) version of your exe.
The shortest way to find out would be generating another key to encrypt the exe, thereby llikely avoiding to have the same byte sequence that may cause a false positive. If you try multiple times and every version is considered a virus, the next step I'd try is encrypting a really simple hello word application and see whether its the decryption mechanism that fails.
Chriss
Besides that, Mikes point would obviously also be a solution as you by now only know you have problems with a defoxed (or is it really Refox?) version of your exe.
The shortest way to find out would be generating another key to encrypt the exe, thereby llikely avoiding to have the same byte sequence that may cause a false positive. If you try multiple times and every version is considered a virus, the next step I'd try is encrypting a really simple hello word application and see whether its the decryption mechanism that fails.
Chriss
- Status
Similar threads