Jump to content
Sign in to follow this  
Clément

Trojan:Script/Sabsik.TE.A!ml detected (false positive of course)

Recommended Posts

Hi,

I don't know if I can post here. But.. here it goes.
I'm using Delphi 10.4.2
 

[Context]

I built a small application 23MB to query several databases using fireDac (Oracle, SQL Server, MySQL, Interbase, Firebird and PostgreSQL for now, I might add support for other engine).
The application checks if there's an update and notifies the users. The first check is done after 5 minutes.
No database connection is done at startup.
The application is available in 32 and 64bit

 

[The problem]

I'm doing some pre-public release with some friends. I'm sending them the 32bit version (compiled with Release, no debug, no madexcept, all default release options).
I'm connecting to his computer using remote desktop, and I'm copying form my machine to his (Copy/Paste). Both are running Windows 10 Pro with latest updates.
When the application is ran the first time, windows defender pops a screen notifying the user some actions are taken to prevent infection. The program opens, runs ( we can actually connect to database and runs some queries), and closes normally.
The application won't run a second time. Windows pops a screen saying the application contains a virus, and shortly after, the application is deleted (quarantined).

 

Well, for the fun I send the 64bit version release, no debug, no madexpects all default features. Copied the same way (via RDP copy/paste ) and  the program ran smoothly. Windows defender didn't detect a thing. And my friend connected to the databases he have and tested the program for hours without any problem. Closed and Reopened it several times without any problems.

I recompiled the 32bit version in debug mode (over 72MB executable). Copied the same way and windows defender didn't detect anything. Again running for hours, querying against several databases...
I start changing some of the default Release options, and after setting [Runtime errors -> I/O checking] = false the 32bit version behaved as expected. :classic_wacko:

I uploaded every version compiled in my machine to virus total and nothing was detected. (even the 32bit version windows defender didn't like)
I uploaded every version copied to my friend machine to virus total and nothing was detected.

 

So I can assume is a false positive... but that is a nasty Trojan!!
This is why I started this post with the context. Since It connects to databases and checks for updates some antivirus might confuse those connections as "trojan invasion". But, as I said, no communication is done at start-time.

 

Is there anything I can do?
Has anyone had a problem like this one. (I'm not using any compressor, just plain vanilla executable generated from the IDE).

 

Thanks,

Clément

 

---------------------

Trojan:Script/Sabsik.TE.A!ml

Nível de alerta: Grave
Status: Active

Data: 01/09/2021 20:01
Categoria: Cavalo de Tróia (Trojan Horse)
Detalhes: Este programa é perigoso e executa os comandos de um invasor. (This application is dangerous and execute command of an invader).

 

Itens afetados:

   file: E:\Clement\ckwel.exe

Edited by Clément

Share this post


Link to post

just a note when signing files - it may be obvious, but also ensure that any relevant metadata in versioninfo matches the digital signature. e.g. don't use an abbreviation in one place and not the other....the AV guys like metadata to match exactly. Most vendors have a url where you can upload a sample for review where upon acceptance the app will be whitelisted. It is annoying to have to do this however.

 

I have the false positives kicking in while I'm writing unit tests from time to time.  the test app gets deleted before it has a chance to run. ;( And then making what may be a seemingly irrelevant change gets it to work again.

  • Like 2

Share this post


Link to post

Thanks.. I will see what I can do. Hopefully signing will help.

Share this post


Link to post
16 hours ago, Nigel Thomas said:

1. Sign your files. Windows Defender heuristics are much more forgiving if an executable file has a valid digital signature.

2. Submit false positive detection: https://www.microsoft.com/en-us/wdsi/filesubmission

we are fighting against AV daily and after talking to few AV companies and their engineers all say there is no difference between unsigned and signed binary even with EV certificate.

Share this post


Link to post

I purchased my certificate and I'm waiting for the validation process to end. Hopefully next week I'll be up and running.

Now I'm worried. I was hopping to solve this false positive issue.
I don't know if this helps, but I'm able to duplicate this virus detection in my machine too. Just by setting the "I/O Checking" to true or false makes Windows defender act.
I set my project file as an exclusion folder to avoid having conflicts between the AV and the IDE. Once I copied my application to another folder and ran it, windows defender quarantined it. The detail here is "ran it". There's nothing detected in the application upon copying it. When it is executed the I/O checking code triggers something that Windows Defender don't like.

Would it do any good to send this application to Microsoft "as is" before I make some changes and Defender stops detecting it?
(Or send it to Emb? They might be able to check the code generated by I/O Checking in this case, and who knows make some changes in RTL or the Compiler? (One can dream, right?) )

This application, cKwel - Query tool, is a SQL helper meant for developers and will be freeware.
I'm just waiting to sign it before uploading and make it publicly available.

(Although it would be really nice to let people download a program that's not detected as a malware :classic_blush:  )

Edited by Clément

Share this post


Link to post
2 hours ago, Clément said:

Would it do any good to send this application to Microsoft "as is" before I make some changes and Defender stops detecting it?

As it is clearly a false positive, then yes. In my experience, MS have always been good at fixing false positive detections when I've sent them.

 

Others might suggest uploading a copy to VirusTotal as well; I'd recommend against that, as it tends to just lead other AV vendors to jump on the bandwagon and add detection for a file they can see other(s) detect, but they don't, instead of actually analysing it.

Share this post


Link to post
On 9/2/2021 at 5:29 PM, DPStano said:

we are fighting against AV daily and after talking to few AV companies and their engineers all say there is no difference between unsigned and signed binary even with EV certificate.

I doubt much has changed since this blog was written in 2018: https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/

 

" One of the most effective ways for developers to reduce the chances of their software being detected as malware is it to digitally sign files with a reputable certificate. "

Share this post


Link to post
Guest

My thoughts on this 

1) I highly recommend to do the following once you had you own sign certificate, start with build few applications (an empty one and few different projects you have) then sign them, then upload them to VirusTotal, this will build you a list of AV that sees you application(s) as malicious or a candidate for an action, after that report each of them as false positive to each and every one of them, from my experience they have great support and greater labs to check and act, even if you got no response directly and it took a week or so the whitelisting will happen, this will whitelist your certificate, meaning the false positive will be very rare, and just cases like runtime and red handed wrong doing will trigger an action.

You can check later and re-report false positive to MS after singing.

 

2) I want a confirmation of what you meant by " [Runtime errors -> I/O checking] = false the 32bit version behaved as expected." by as expected, you meant detected as badware , right ?

in all cases, i don't think a set that option to false in my life, meaning i am afraid it is rusty and stuck after these years, not sure if it is a true/false :classic_blink:

Joking aside, i would suggest to put your exe to run in a debugger, a real debugger like https://x64dbg.com/ , and see if there is an escaping exception(s) that silently been dropped in the IDE, also i would suggest to use Process Monitor to see what files and registry you application accessing or trying to access, of course keep an eye on the failed operations in particular but yet the success operation is also need to be recorded, and if there is files enumeration for the root folder in any drive ( and in particular "C" ), is there is scanning of any sort, is there a connections "TCP, HTTP(S)...", isolate the responsible part and share with us your finding.

See if there is access denied in the Process Monitor logs.

 

Keep in mind that the application ran for once then prevented from running second time, meaning it did triggered the defender in a way that defender didn't like, but wasn't really that bad, if defender found something wrong it would stopped it right away at runtime, though defender on closing the application didn't like some behaviour and decided better safe than sorry, so might be the closing and memory cleaning might be a trigger too, like unloading the dynamically loaded dll, also double check memory leaks, while application memory is not much of a concern i would be concerned if an API allocated memory (like OS allocated strings) and you app didn't freed it, also trach the handles and see if there is a leak of sort.

 

Share this post


Link to post
15 hours ago, Kas Ob. said:

1) I highly recommend to do the following once you had you own sign certificate, start with build few applications (an empty one and few different projects you have) then sign them, then upload them to VirusTotal, this will build you a list of AV that sees you application(s) as malicious or a candidate for an action, after that report each of them as false positive to each and every one of them, from my experience they have great support and greater labs to check and act, even if you got no response directly and it took a week or so the whitelisting will happen, this will whitelist your certificate, meaning the false positive will be very rare, and just cases like runtime and red handed wrong doing will trigger an action.

You can check later and re-report false positive to MS after singing.

I uploaded several compilations to VirusTotal.  All of them were clean, including the one that triggered windows defender.

15 hours ago, Kas Ob. said:

2) I want a confirmation of what you meant by " [Runtime errors -> I/O checking] = false the 32bit version behaved as expected." by as expected, you meant detected as badware , right ?

in all cases, i don't think a set that option to false in my life, meaning i am afraid it is rusty and stuck after these years, not sure if it is a true/false :classic_blink:

Joking aside, i would suggest to put your exe to run in a debugger, a real debugger like https://x64dbg.com/ , and see if there is an escaping exception(s) that silently been dropped in the IDE, also i would suggest to use Process Monitor to see what files and registry you application accessing or trying to access, of course keep an eye on the failed operations in particular but yet the success operation is also need to be recorded, and if there is files enumeration for the root folder in any drive ( and in particular "C" ), is there is scanning of any sort, is there a connections "TCP, HTTP(S)...", isolate the responsible part and share with us your finding.

See if there is access denied in the Process Monitor logs.

When copying the file to my friends computer, the moment I run the application windows popped up a notification windows stating it has detected a malware. The program didn't executed any file or port or protocol scanning. It's just a basic initialization of classes and starting threads. It closed "normally", without any runtime error. When restarting windows displays a "showmessage" like window stating the application wasn't safe and cannot run. Clicking OK close that windows a few seconds later the program disappeared.

image.thumb.png.7aca54d11462ec944fe7fa735148caae.png

 


I copied the "32-bit release" version with all default settings to his computer. And all of the above happened. Then I compiled the 64-bit release it worked without triggering windows defender. That's what I meant when I said it ran as expected. Then I tried the "32-bit debug" version, the very same I used in my machine to debug the app. It also executed without triggering windows defender. It's only then that I experimented changing some release configuration option. After switching I/O checking to false, the 32 bit version ran without triggering windows defender. All the other Release options I toggled triggered windows defender.

This application doesn't use Registry or directory scanning. It saves two configuration files: One with connection data for each and every database one can work with, and another with Data Definition Settings so files can be imported/exported according to some rules. For example, you can specify the output date format like YYYYMMDD or YYYY-MM-DD.
 

To illustrate: At this point no actual connection is made to any server, at startup the configuration is read and loaded to the treeview.
image.png.1f52054ee125fb37877f0acc482fd2c5.png


When the user expands a node, a connection is made to retrieve the database metadata:
image.png.01b913d5c51908511b7cd33522a5226a.png

 

There's only one action done without user interaction which is checking for updates which is triggered 5 minutes after starting up. Windows Defender notification window is triggered way before that if compiled with IOChecking true in 32bit.

 

I will comment out some initialization routines to see which one is triggering windows defender. I will try other tools to see if there's a silent access violation or any other error that I missed and maybe is triggering too... I can't sleep anyway

Edited by Clément

Share this post


Link to post

FWIW, I've had issues with CrowdStrike flagging any 32-bit application compiled with recent versions (10.x) of Delphi as malicious. Just an empty form will do it, does not matter if it is signed or not. 64-bit applications are fine. I've emailed and submitted as false positive with no response. My employer uses CrowdStrike and if a 32-bit app is deployed or updated (very rare; all 64-bit these days) then I have to provide the hash of the exe to our system guy so he can add it to the list of approved/excluded apps. 

 

Site to run a check against your exe if anyone is interested:

https://www.hybrid-analysis.com/

 

 

Share this post


Link to post
Guest

@Clément few things to try alone and combined

 

1) Enable DEP https://stackoverflow.com/questions/8066266/how-can-i-enable-dep-nx-and-aslr-on-a-delphi-2006-or-earlier-executable

2) If the icon is the default set it to something new, you can edit it by the painter and draw on it, the point is to make the icons with unique and new hash values.

3) Encapsulate all the content of the main in dpr with try..except the content of the except..end doesn't matter

begin
  try
    //ReportMemoryLeaksOnShutdown := True;
    Application.Initialize;
    Application.MainFormOnTaskbar := True;
    Application.CreateForm(TForm9, Form9);
    Application.Run;
  except
  end;
end.

The point here is to show Defender that there is SEH structure, in case a specific system call is being monitored and expected to be target/prone for malicious behaviour.

4) Fill the EXE description, version name copyright ...

 

Sorry for the guessing but if you got time to investigate while waiting for Certificate then your case might help others.

 

1 hour ago, Dale M said:

Just an empty form will do it, does not matter if it is signed or not. 64-bit applications are fine.

"Empty will do" is understandable, but signed !?

Report false positive to each AV that flagged you software, and write in (notes, description .. ) in the report that you are asking to whitelist the certificate, this worked for me every time, they do response some at the same day and some takes more than a week, some respond with an email, some don't, the emails sometimes with no-replay and sometimes from the labs and engineers asking for specific details, or just info.

 

Also protecting the software with packers/protectors might help greatly here, as they behave like the worst nightmare for AV, but they do have established system to identify the owner of the packers as long his license is not flagged, and this a long with signing certificate will establish better trust chain that makes AV relaxing with your software, after all there is two trails of money to you in case of wrong doing.

 

//////////////////////////

 

Talking about using protection software, so for years i had an idea for embarcadero for similar system like "IEEE Taggant System" which can be win-win-win, will write it here anyway

 

To understand the idea, it will be better first to understand the "IEEE Taggant System", we have two technologies and software domains, one is Security (like AV..) its main target is help users, not just all users, but the ones who doesn't know how to protect them selves, so these AV (for short) will sometimes be very harsh, but also they need experts and highly experienced reverse engineering (RE) people and contractors, to predict and analyze all sorts of softwares and categorize them, also to research the most innocents software for wrong doing, so this technology sector produced very sophisticated programmers, reverse engineers, and yes hackers and pirates .., while most hired people in this sectors are hackers and RE experts, on the other hand there is the protection technology and its softwares, which was there to protects developers and their companies form the piracy, these two sectors always played the cat-mouse game, the more sophisticated the protection which is in their right led to harder and longer analysis for the AV guys and this was problem as it depleted their resources and time, in short this cycle between these sectors went from decades producing as a side effect very sophisticated hackers and pirates, there is always this margin of people crossing to the dark side, while there as there is many crossing to the light side, most hired people from AV are in fact ex-pirates and ex-hackers.

Anyway, this loop where getting weirder and more expensive for both sectors, while the victims were the developers and companies, as in many cases it is easier for AV to flag a software as malicious to fulfill their promise to their clients, harming both developers and protection software, and in many cases denying the user from using perfectly safe software.

This ended when group of AV companies along with Microsoft and many protection software companies adopted a system, (see after all the protection software is a software that need to be protected form piracy too), this system allow (optional) and demand (optional) from the protection software company to taggant the protected software, just mark the protected software with information connecting the owner of the protection software to his license and his binary, very similar to code signing, but without disclosing any personal information, this led to this shorter loop, if the protection software was pirated then its company will revoke the license this will make all the software protected with that protection software with invalid license to be flagged as malicious without even scanning, just like Authenticode, on other hand this relieved the AV from spending resources on the highly protected software, as it is sometimes can takes a hours or even days by an expert, now developers with valid protection license can enjoy deploying their software without the fear of asking their clients to do the whitelisting manually.

So it was Win-Win-Win, (counting on the hand there is another Win for the users of AV who can enjoy the full protection by AV while running their software)

 

 

Now the idea what if Embarcadero contacted IEEE and established similar mechanism to taggant the compiler binaries with the valid licenses, (this will be optional for Delphi developers), this will lead to 

1) AV will not flag every binary built with Delphi as malicious in a semi arbitrary bahaviour unless told to not to, nor they need to waste full time scanning manually, or requesting a contact from the developers to whitelist.

2) Delphi (and CB) developers will enjoy easy deploying, and even remove the need to buy a code singing certificate, or asking their client to manually whitelist the software producing a conflict in trust between AV, users and developers.

3) This will harm the piracy greatly, this will be enjoyed by Embarcadero itself, any pirated license can be revoked, leading to flag every software built with that pirated version as malicious, rendering it useless.

 

So it is Win-Win-Win.

 

How about that ?

Share this post


Link to post

@Kas Ob. Great news!!!

I try all your suggestions, either alone and combine in the 32 bit release only. Here are the results.
1) Including DEP directive. ( Did NOT trigger Windows defender )
   I included {$DYNAMICBASE ON} in my DPR as follows:

  

{$R *.res}
{$R 'D:\Projetos2k10\Projects V\DHS\SQL explorer II\src\resource\cKwel_versioninfo.RES'}
{$DYNAMICBASE ON}  // Enable DEP, works also when using {$SetPEOptFlags $40}

begin
//  try
    {$IFDEF DEBUG}ReportMemoryLeaksOnShutdown:= true;{$ENDIF}
    Application.Initialize;
    Application.MainFormOnTaskbar := True;
    Application.Title := 'cKwel - Query Tool';
    Application.CreateForm(TdmSkinController, dmSkinController);
    Application.CreateForm(TdmImages, dmImages);
    Application.CreateForm(TdmLookAndFeel, dmLookAndFeel);
    Application.CreateForm(TdmEditRepository, dmEditRepository);
    Application.CreateForm(TfrmMain, frmMain);
    Application.Run;
//  except

//  end;
end.

2) Changing /modifying icon TRIGGERS Windows defender
3) Encapsulate all the content of the main in dpr with try..except did NOT trigger Windows defender:

{$R *.res}
{$R 'D:\Projetos2k10\Projects V\DHS\SQL explorer II\src\resource\cKwel_versioninfo.RES'}
{.DYNAMICBASE ON}

begin
  // Enable SEH by setting all code between try..except. 
  try
    {$IFDEF DEBUG}ReportMemoryLeaksOnShutdown:= true;{$ENDIF}
    Application.Initialize;
    Application.MainFormOnTaskbar := True;
    Application.Title := 'cKwel - Query Tool';
    Application.CreateForm(TdmSkinController, dmSkinController);
    Application.CreateForm(TdmImages, dmImages);
    Application.CreateForm(TdmLookAndFeel, dmLookAndFeel);
    Application.CreateForm(TdmEditRepository, dmEditRepository);
    Application.CreateForm(TfrmMain, frmMain);
    Application.Run;
  except
     // No code is required here
  end;
end.

4) Fill the EXE description, version name copyright TRIGGERS windows defender.

 

 

I don't know if the combination should produce some valid results, but any combination that includes 1 or 3 works. For example 2 and 4 will TRIGGER windows defender while 1, 2 and 4 WON'T trigger it.
 

Cool!

Hope this thread will help others!

 

This link is also usefull:
https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work

 

It might be a good idea to set DEP and ASLR by default.

 

Edited by Clément
Added link
  • Thanks 1

Share this post


Link to post

@Kas Ob. @Clément Thanks for this discussion. 🙂 Adding {$DYNAMICBASE ON} appears to please CrowdStrike also.

 

Delphi 10.4.2, New Windows VCL application (that's it...just an empty form), 32-bit, Release config

https://www.hybrid-analysis.com/sample/e8a4cdfe94031025baafff9924d82210bd74b4088607fa369b30deeb83e72480

image.png.007adeea2fb1eabddf2bdc3994728008.png

 

Same as above but with {$DYNAMICBASE ON}

https://www.hybrid-analysis.com/sample/86e9c1fe77dbe5cfc962dce19e79e7a7930b92dd1ba90cba60395d5998995c1b

image.png.f2225c52933e6e743e72f10781b6d897.png

  • Like 1

Share this post


Link to post

Just to end this thread,

 

I finally got my digital certificate, and I'm signing my applications.

I kept a false positive version of the product to test signing it. Well it did work. That version wasn't compiled with DEP or SEH,  and signing solved the false positive too.

 

Hopefully this thread will help others

  • Like 2
  • Thanks 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×