by john_moscow 1793 days ago
To be fair, this does look like a false positive.

In general, the desktop antivirus space in 2021 is a mess. Because of the sheer amount of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.

If you don't qualify as a "mainstream software vendor", simply building a random piece of code into an exe file will get you about a 10% chance of getting flagged by one of the "heuristic engines" if you upload it to VirusTotal.

You can contact the A/V vendor and they will usually add it to the whitelist, but it only lasts until the next rebuild. Or you can rebuild it a couple of times with different optimization levels, and the detection sometimes goes away.

7 comments

Deleting both the exe and the source code makes a false positive seem rather unlikely to me.
The source code in question appears to have been obfuscated (possibly just for brevity). I'd guess the Defender signature in question was written around the packer/obfuscator.
Wanna bet the signature is the hex key?
yeah, that'd be my guess. It's going to be in different representations in the source and the executable but if I were writing a signature for it straight up I'd probably add the C escape representation as well for good measure.
I don't care how broad your definition is, it shouldn't include the mp4 files on my hard drive.
How so? Everything that's interacted with by a computer can be exploited - in case of media files, here's[0] one example that gets talked about. I understand your frustration about flagging your harmless files as malicious, but it really shows just how difficult it is to properly detect malware.

[0] https://security.stackexchange.com/questions/97856/can-simpl...

Er, doesn't that assume that the mp4 files on your hard drive can't genuinely be infected with viruses? Why is that assumption true?
Especially given how common media files are as an attack vector.
Are they? Compared to other forms (eg. trojans or browser/os 0days) they're not really common. I suspect you have a better chance of getting infected from a site asking you to download a "codec", than you have of the site serving you a malformed media file.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jpeg returns 390 results. And that’s jpeg alone. It’s fairly common that you see some sort of media file format parsing bug lead to command execution.
But how many of those are actually exploited, and how does that compare to the other vectors I mentioned? Media file exploits seem to be in the same class of exploits as spectre/rowhammer. You hear about them often (not as often as spectre/rowhammer, but I frequently see security fixes being mentioned in media player changelogs), but you rarely hear about attacks that use them.
pledge(4)ing an image or video viewer under OpenBSD doesn't look difficult at all.

Also, you can convert your PNG images to farbfeld (+.gz | +.xz) without losing quality.

And the farbfeld image format is more difficult to exploit.
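To make the "more difficult to exploit" claim concrete, here is an added example (mine, not code from the thread or from the farbfeld project) of a complete farbfeld decoder and encoder. The whole format is an 8-byte magic, two big-endian uint32 dimensions and width*height pixels of four big-endian uint16 channels, so a strict parser needs exactly two checks: a cap on the pixel count (the width*height*8 multiplication is where a C decoder would overflow into an undersized allocation) and an exact length match against the header. The `MAX_PIXELS` cap and the sample images are assumptions constructed for the example.

```python
import struct
from typing import List, Tuple

Pixel = Tuple[int, int, int, int]          # 16-bit R, G, B, A

FARBFELD_MAGIC = b"farbfeld"
HEADER_LEN = 16                            # 8-byte magic + u32 width + u32 height
BYTES_PER_PIXEL = 8                        # four big-endian uint16 channels
MAX_PIXELS = 1 << 26                       # assumed cap for this example (64 Mpixel)


class FarbfeldError(ValueError):
    """Raised for any malformed input; the caller never sees partial state."""


def parse_farbfeld(data: bytes) -> Tuple[int, int, List[Pixel]]:
    """Strictly decode a farbfeld blob or raise FarbfeldError."""
    if len(data) < HEADER_LEN or data[:8] != FARBFELD_MAGIC:
        raise FarbfeldError("missing farbfeld magic")
    width, height = struct.unpack(">II", data[8:HEADER_LEN])
    # Python ints do not wrap, but in a C decoder width * height * 8 is the
    # classic integer-overflow-into-undersized-malloc bug, so cap it explicitly
    # before it is used to size anything.
    npixels = width * height
    if npixels > MAX_PIXELS:
        raise FarbfeldError(f"refusing {width}x{height}: exceeds pixel cap")
    expected = HEADER_LEN + npixels * BYTES_PER_PIXEL
    if len(data) != expected:
        raise FarbfeldError(f"size mismatch: header implies {expected} bytes, got {len(data)}")
    # Length is now known to be exact, so iter_unpack cannot run short.
    pixels = list(struct.iter_unpack(">HHHH", data[HEADER_LEN:]))
    return width, height, pixels


def encode_farbfeld(width: int, height: int, pixels: List[Pixel]) -> bytes:
    """Inverse of parse_farbfeld, used here to build the sample inputs."""
    if len(pixels) != width * height:
        raise FarbfeldError("pixel count does not match dimensions")
    body = b"".join(struct.pack(">HHHH", *px) for px in pixels)
    return FARBFELD_MAGIC + struct.pack(">II", width, height) + body


# Constructed samples: a 2x1 image, a truncated copy, and a header whose
# dimensions promise far more data than any reasonable image.
SAMPLE = encode_farbfeld(2, 1, [(65535, 0, 0, 65535), (0, 0, 65535, 65535)])
TRUNCATED = SAMPLE[:-3]
OVERSIZED_HEADER = FARBFELD_MAGIC + struct.pack(">II", 0xFFFFFFFF, 0xFFFFFFFF)


def check(data: bytes) -> str:
    """Classify an input as accepted or by the reason it was rejected."""
    try:
        w, h, px = parse_farbfeld(data)
        return f"ok {w}x{h} {len(px)} px"
    except FarbfeldError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, blob in [("SAMPLE", SAMPLE), ("TRUNCATED", TRUNCATED),
                       ("OVERSIZED_HEADER", OVERSIZED_HEADER)]:
        print(name, "->", check(blob))
```

The contrast with PNG or JPEG is the point: there are no chunks, no compression, no variable-length tables and no length fields nested inside other length fields, so the entire attack surface of the decoder is the two checks above.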

I think running pledge(2) on Windows is quite difficult. :)

(At least, I'm assuming the question here is "What should Windows Defender do?" I agree that the answer to "What should OpenBSD's built-in antivirus do?" is "Literally not even exist," which it already does.)

I think most users would be happy to avoid getting infected via content files like videos and pictures[1][2].

Us power users can always just configure the exception list.

[1]: https://docs.microsoft.com/en-us/security-updates/SecurityBu...

[2]: https://www.kb.cert.org/vuls/id/297462

The amount of false-positives with WinDef is insane, it's pretty much like any desktop link to a shared drive is considered malware right off the bat without even inspecting it.

Let alone documents with macros...

Having said that, I wouldn't want to be one of those having to implement detection logic because the malware jungle is so creative that it's pretty much an impossible job they have to do.

> In general, the desktop antivirus space in 2021 is a mess.

I don’t think that antivirus is helpful in 2021. I think the most important thing you can do is make sure you are all patched and do not run as administrator.

Antivirus is likely to be unable to catch the really bad stuff, and it actually increases your attack surface. In addition, you pay a performance tax all the time. IMO, just not worth it.

> In general, the desktop antivirus space in 2021 is a mess. Because of the sheer number of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.

Why do they have to use regular expressions?

"Regular expressions" as a concept, not PCRE regex.
In the sense of https://en.wikipedia.org/wiki/Regular_language ?

That's even more restricted than PCRE regex. (Which is often a good thing, but not sure about here.)

I don't believe they use regular expressions.
Why not? I.e. is that from experience working on anti malware remediation systems?
What would it match against? ASCII strings? Add a whitelisted string and make your malware pass.

The heuristics are much more complex than that, cf. spamassassin rules.

Opcode sequences. Regular expressions may be applied to any formal language, not just ones based on human-readable alphabets.
That kinda makes sense, thanks.

However, wouldn’t this kind of heuristic be extremely simple to counter by obfuscating the machine code, e.g. by inserting complex noops and using threaded subroutines which individually look innocuous? Or, are these kinds of techniques looking at known syscall patterns or something like that, and ignoring the general program flow?

To me, regex doesn’t seem applicable to static analysis of machine code, but what do I know :)

Antiviruses are composed of multiple systems and techniques. Regexp is just one.
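The two points above, that a byte-level signature is a regular expression over opcodes rather than over ASCII, and that a naive one is trivially defeated by inserting NOPs, can be shown with a small scanner. This is an added example written for this thread, not Defender's engine or anyone's real signature set: it compiles ClamAV/YARA-style hex patterns (literal bytes, `??` for any byte, `[lo-hi]` for a bounded gap) into a Python regex over bytes, and also covers the earlier "the signature is the hex key" guess by matching a constructed key both as raw bytes and as the `\xNN` C escape text it would take in source. The key, the sample "files" and the signature names are all constructed assumptions; the opcode sequence is the well-known x86 push-`/bin//sh` stub, used only as a recognisable byte pattern.

```python
import re
from typing import Dict, List


def compile_hex_signature(pattern: str) -> re.Pattern:
    """Turn a ClamAV/YARA-style hex pattern into a regex over raw bytes.

    Tokens: 'E8' literal byte, '??' any single byte, '[lo-hi]' between lo and
    hi arbitrary bytes.  re.escape keeps every literal byte safe in the regex.
    """
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append((".{%d,%d}" % (lo, hi)).encode())
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must match 0x0A too


def c_escape_signature(key: bytes) -> re.Pattern:
    """Match the same key as it appears in C source text, e.g. "\\xde\\xad", either hex case."""
    return re.compile(b"".join(rb"\\x" + b"%02x" % b for b in key), re.IGNORECASE)


def spaced_hex(data: bytes) -> str:
    """Render bytes as the 'DE AD BE EF' token form compile_hex_signature expects."""
    return " ".join("%02X" % b for b in data)


# Constructed "hex key" standing in for the one the thread speculates about.
KEY = bytes.fromhex("DEADBEEF1337C0DE")

# The exact form breaks as soon as a single byte is inserted between instructions;
# the wildcard form tolerates up to 4 junk bytes at each instruction boundary.
SIGNATURES: Dict[str, re.Pattern] = {
    "exact_binsh_stub":    compile_hex_signature("31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3"),
    "wildcard_binsh_stub": compile_hex_signature(
        "31 C0 [0-4] 50 [0-4] 68 2F 2F 73 68 [0-4] 68 2F 62 69 6E [0-4] 89 E3"),
    "key_raw":             compile_hex_signature(spaced_hex(KEY)),
    "key_c_escape":        c_escape_signature(KEY),
}


def scan(data: bytes, signatures: Dict[str, re.Pattern] = SIGNATURES) -> List[str]:
    """Return the names of every signature that fires on the blob, in table order."""
    return [name for name, rx in signatures.items() if rx.search(data)]


# Constructed sample "files" (not real binaries): a benign blob; the stub plus
# the key; the same stub with NOPs (0x90) inserted between instructions; and a
# C source file that embeds the key as escapes.
CLEAN_EXE = b"MZ" + b"\x90" * 16 + b"\xcc" * 8
PLAIN_EXE = b"MZ" + b"\x00" * 8 + bytes.fromhex("31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3") + KEY + b"\x00" * 4
NOP_EXE = b"MZ" + b"\x00" * 8 + bytes.fromhex(
    "31 C0 90 50 90 90 68 2F 2F 73 68 90 68 2F 62 69 6E 90 90 89 E3") + KEY
SOURCE = rb'static const unsigned char key[] = "\xDE\xAD\xBE\xEF\x13\x37\xC0\xDE";'


if __name__ == "__main__":
    for name, blob in [("CLEAN_EXE", CLEAN_EXE), ("PLAIN_EXE", PLAIN_EXE),
                       ("NOP_EXE", NOP_EXE), ("SOURCE", SOURCE)]:
        print(f"{name:10s} -> {scan(blob)}")
```

The wildcard signature is the "very broad regular expression" from the top comment: widening the gaps lets it survive simple NOP padding, and widening them further is exactly what starts catching innocent binaries, which is why engines pair such rules with whitelists. A source file trips only the C-escape form of the key, which is the mechanism by which a signature written around a packer's key can flag both the exe and the code that built it.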
The thing is, malware vendors can do the same. At least for zero day attacks you just test them on the target’s antivirus to make sure it will not discover the malware.