Obfuscators seen as Virus


A. THE ISSUE
  • Can U reproduce the problem & if so how reliably?: Yes
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened: Just download an obfuscator like Confuser
  • If not obvious, what U expected to happen: Obfuscator (and also later obfuscated files) are seen as virus
  • If a software compatibility problem have U tried the conflict FAQ?: yes
  • Any software except CIS/OS involved? If so - name, & exact version: Confuser 1.9
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    A bit more detail:
    We develop using C#.
    As we do not want to roll out some open-source things, but are developing business programs, we do not want to give competitors or customers the source code.
    There are some very cool tools like .NET Reflector VSPro from Redgate which are very good at displaying something very close to the original code from IL.
    Therefore some sort of obfuscation is a must.
    Tools with good obfuscation are tools like Eazfuscator or Confuser.
    As Confuser was recommended on different sites (like Stack Overflow) it would be the weapon of choice.
    Now Comodo sees Confuser as a virus.
  • The behaviour can be reproduced easily by downloading http://confuser.codeplex.com/ (and/or obfuscating something with all settings)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration: 5.12.256249.2599
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: Antivirus/intelligent, D+/off (this annoying thing still doesn’t work well with Visual Studio 2012 builds…), Firewall/Safe Mode
  • Have U made any other changes to the default config? (egs here.): Turned firewall off, put code directories and build directories into excluded files (otherwise sometimes WCF connections were blocked)
  • Have U updated (without uninstall) from a CIS 5?: no
    • if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS: no
    • if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used: W7, 64, UAC enabled, standard user
  • Other security/s’box software a) currently installed b) installed since OS: a=Defender b=

Hmm, I think not a bug, but by design? Malware uses obfuscation to evade signature-based detection?

So CIS heuristics picks up obfuscation.

I think you should be able to exclude the files from detection using AV exclusions.

For the moment I will forward to help to see if other mods & expert users agree.

Best wishes

Mouse


From the information you have given I am not clear whether this is a bug/issue.

For the moment I will transfer you to help so you can work through this issue with users and mods in this forum and hopefully resolve it. I hope that is OK.

Please ask any mod to move this report back to the bugs forum if it becomes clear that it is a bug/issue.

Best wishes

Mouse

Sure it is “by design” or “as implemented”

The problem is in my opinion still a valid one. If you write code which goes to a customer, the customer’s machine will most surely have a virus scanner (even if we are writing software for industrial usage, most of the customers try to get a free scanner).

So even if we can exclude it from being scanned on a developer or build machine, a customer could still not use an obfuscated program with ease. It just does not look good if you create a program and a customer gets an antivirus warning.

Also for security reasons it would be good if the file could be scanned - but it should not think that only because it is obfuscated it is a virus.

Think about it - should we tell a customer: Don’t use this or that virus scanner together with our product, it will say that our product is a virus but it isn’t? If you exclude it maybe a virus can get attached to the file, so for these files do not use this virus scanner, use that one?

Are there really viruses written in .NET languages? Always thought they were written on a level nearer to hardware…

I understand that it won’t be easy to tell which program is a virus and which is obfuscated to protect intellectual property.