MadCodehook unit being detected as viruses

c++ / delphi package - dll injection and api hooking

MadCodehook unit being detected as viruses

Postby pambol » Tue Jun 11, 2019 3:57 am

Hi Madshi,

When i call MadCodeHook at my application and send it to scan at virustotal detect as Gen:Variant.Jacard.155413 / Trojan.Jacard.D25F15 and others.
But when i remove the MadCodeHook unit my application have 0 detection of virus.

how solve it?
pambol
 
Posts: 46
Joined: Sat Jun 23, 2018 1:15 am

Re: MadCodehook unit being detected as viruses

Postby iconic » Tue Jun 11, 2019 6:26 am

I'm not Madshi but certainly qualified to answer your inquiry adequately

You can do the following:

[1] Contact the vendor(s) of the anti-virus software that is labeling your benign code as malicious (a false positive) and ask them to remove the detection. They may have to independently review your submission (detected files) before they just take your word for it. You may also mention that these false positives are negatively impacting the sales of your safe and helpful software designed to do similar to what their software is doing, protecting the host. Keep in mind that no software can ultimately determine whether your code hook keeps the bad guys out or lets the bad guys in to a system and this inability to differentiate/distinguish between code intentions will always exist, so this comes with the territory. Hooking and injection are often used by both Anti-Virus and by the malicious software that they are looking to detect

[2] Sign your binary modules (EXE, DLL, SYS files etc). This essentially creates a trust-based relationship between you and most anti-virus software and will solve 99% of these "false positives"

--Iconic
iconic
Site Admin
 
Posts: 930
Joined: Wed Jun 08, 2005 5:08 am

Re: MadCodehook unit being detected as viruses

Postby pambol » Tue Jun 11, 2019 8:34 pm

Sectigo was revoked my certificated since it detect as viruses after protect with vmprotect.
pambol
 
Posts: 46
Joined: Sat Jun 23, 2018 1:15 am

Re: MadCodehook unit being detected as viruses

Postby iconic » Tue Jun 11, 2019 9:00 pm

I'd ask them to remove your certificate from their revocation list since it was a legit 3rd-party tool that was causing such detections and was never malicious. It's a PE protection system that is quite popular as you know. Maybe they do not however. Alternatively, you can look into GlobalSign, they're much better than Comodo/Sectigo imho. I've had certs issued from both Certificate Authorities (CA's) in the past

--Iconic
iconic
Site Admin
 
Posts: 930
Joined: Wed Jun 08, 2005 5:08 am


Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 9 guests

cron