InjectLibrarySystemWide* False Positive

c++ / delphi package - dll injection and api hooking
DarkstaR
Posts: 3
Joined: Fri Jul 10, 2015 5:06 pm

InjectLibrarySystemWide* False Positive

Post by DarkstaR »

Hello,
I'm getting a false positive when linking against the 32-bit version of the library, specifically only when I somehow reference any of the InjectLibrarySystemWide* functions. The false positive is from Avast, and it is reporting as "Win32:evo-gen [Susp]", and this is causing some AVs to delete some of my binaries on customer machines. I've made sure it's not my code, as commenting out the calls to InjectLibrarySystemWide* gets rid of the FP. Moreover, it can't have anything to do with how I'm calling it, as the signature will trigger if I just do "auto var = &InjectLibrarySystemWideW". If I leave my code exactly the same with only that single call omitted, it works fine. Referencing any other functions, such as IsInjectionDriverRunning, StopInjectionDriver, LoadInjectionDriver, or HookAPI, causes no issues. Oddly enough, scanning the .lib also yields no FP. 64-bit yields no FP.

Is this a known issue, and is there a known remedy? If not, I'd really like it if either a fix could be released or if Mathias could coordinate with AV vendors to get the signature removed from their DBs. I really would rather not re-write to use my own injection code, as I'm really relying on the madC driver.

Thanks!
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibrarySystemWide* False Positive

Post by iconic »

Fastest way to remove the FP issued from Avast is to email them your binary, explain that it's clean and tell them that it's hurting your user base. Most AV companies will swiftly look into this.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrarySystemWide* False Positive

Post by madshi »

It's hard for me to report a false positive if I don't have access to the file that produces that false positive. So it would be best if you could contact Avast yourself. See here:

https://blog.avast.com/tag/false-positive/

In my experience such false alarms are removed very quickly by AV companies, if you report it to them.

Are you signing your drivers? If so, you could ask Avast to whitelist all files signed by your certificate, to avoid future problems. Not sure if Avast is willing to do that, but it doesn't hurt to ask.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibrarySystemWide* False Positive

Post by iconic »

The direct link to the submission form is here: https://www.avast.com/contact-form.php? ... VIRUS-FILE

--Iconic