Antivirus software is blocking our programs

Question

5.00/5 (4 votes)

See more:

Dear all,
on our websites, we are publishing demo versions of our programs. Users can download them and can unlock them later.

Now the problem is that various antivirus programs are treating our files as 'suspicious' and are BLOCKING the download to our client's computers.

What can we do to prevent this? Does code signing help? Is there some sort of 'proof' or 'certificate' we could get for our programs?

Please note, our programs are for small markets and we are updating rather often.
Our software is mostly written C#/.NET

Thanks in advance for your help!

Kind regards
Georg Scholz

Posted 11-Apr-11 0:12am

Georg Scholz

Updated 11-Apr-11 22:48pm

v2

Add a Solution

Comments

Prerak Patel 11-Apr-11 6:28am

and one more thing we would like to know what your software does.

Georg Scholz 11-Apr-11 6:47am

These are databases for storing and analyzing patient data. We use MS Access as back-end, and C#/.NET as front-end.

Three of our websites are:
www.lat-online.at
www.esc-online.at
www.raucherberatungsprogramm.at

Prerak Patel 11-Apr-11 7:07am

And what exact message client gets?

Georg Scholz 11-Apr-11 7:31am

For example, Norton 360 says: "WS.Reputation.1 - Only a few users have downloaded this file." This is handled as a threat.

Richard MacCutchan 11-Apr-11 9:48am

Try contacting the AV manufacturers and ask them to tell you why they see your programs as viruses.

Marc A. Brown 11-Apr-11 12:02pm

It doesn't look like they're being flagged as viruses, based on the OP's comment above. They're being marked as suspicious because they haven't been downloaded often (at least not by users of the antimalware software in question).

Richard MacCutchan 11-Apr-11 12:31pm

I'm no AV expert but it just seemed the logical thing to enquire about.

Marc A. Brown 11-Apr-11 13:47pm

Sure, and it wouldn't hurt to do so. But given Georg's comment where he lists a specific message (from Norton 360), I remembered something about the reputation system they use. It *may* indicate questionable programming or it may just indicate that the software isn't heavily downloaded. Didn't mean for it to sound like I was dismissing your suggestion but in rereading my comment I guess it did. Sorry 'bout that. :)

Richard MacCutchan 12-Apr-11 4:35am

No offence taken.

3 solutions

Solution 1

Looks like you're getting flagged because you don't have a large number of users downloading the software, perhaps? A feature of comprehensive antimalware software like N360 is that it looks at what its users are downloading and how safe it's been in the past (at least that's how I understand it). Not sure whether you can do anything about that from your end.

EDIT: This[^] explains the Norton 360 message. Near the bottom is information about new (and perhaps infrequently downloaded?) files. It also provides a link[^] for developers to get their software whitelisted.

Posted 11-Apr-11 6:04am

Marc A. Brown

Updated 11-Apr-11 7:41am

v4

Comments

Sergey Alexandrovich Kryukov 11-Apr-11 13:29pm

I hardly can imagine such situation. Maybe I simply never had experience with such software, but what's the use if it if it would suspect any freshly-build application no matter what?

I have somewhat different opinion, will you see my Answer?
--SA

Marc A. Brown 11-Apr-11 13:39pm

Please see the following for an explanation. Near the bottom is a bit on new files that supports my answer. I'm also going to add the link to my answer. http://community.norton.com/t5/Norton-360/Clarification-on-WS-Reputation-1-detection/td-p/232159

Sergey Alexandrovich Kryukov 11-Apr-11 13:52pm

Thank you for the reference and your note.
--SA

Marc A. Brown 11-Apr-11 13:54pm

You're quite welcome. I should've done the research to verify before I posted the initial version of my answer. :)

Sergey Alexandrovich Kryukov 11-Apr-11 14:34pm

I don't know why should I do this research, but I up-voted your answer by 5 finally.
It still seems to me the Norton practice is questionable, but this is a matter of discussion.
Cheers,
--SA

Marc A. Brown 11-Apr-11 14:38pm

No, I said *I* should've researched and verified before posting. You were fine. I'm not sure what I think of Norton's reputation system. Since they provide a means of getting your software "whitelisted" to provide a rep bump, it's better than it would be otherwise. Thanks for the vote!

Sergey Alexandrovich Kryukov 11-Apr-11 14:43pm

You're welcome. Sorry I misunderstood you previous comment.
Reputation system discussion might need some prior experience to understand its value of pitfalls...
--SA

Georg Scholz 12-Apr-11 4:59am

Thank you for the link this helped me a lot.

Georg Scholz 12-Apr-11 4:55am

Hello, yes exactly, this is the problem. Our software is pretty 'normal' in a technical sense, but it is known only to a small community. I talked with Norton Support and I will enroll in the whitelisting process. Also, we will digitally sign our excecutables.

However, Norton is not the only one. A customer told me about some problem with Avira. I think most of the big security companies have a reputation mechanism like Norton has.

Marc A. Brown 12-Apr-11 8:58am

Excellent. Be sure to accept the answer or answers that helped you solve the problem. That way the next guy who comes along with a similar problem can easily tell what helped.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Accepted Answer · 2011-04-11T07:23:00

Solution 2

Blocking an application but one or two stupid anti-virus algorithms would be OK, maybe, but be "various anti-virus programs" — looks suspicious to me. You programs might use questionable programming techniques or— how do you know they are not infected?

I would understand if you make some extremely exotic system utility using very cunning and intrusive system tricks. In such rare cases I could imaging it is detected by some anti-virus software even though your software is perfectly legit, but&hellop; do you do something like that?

Do you digitally sign all your assemblies? I would say you always should, by many reasons. I don't think the software can be "certified" in some other way. How could it be used to proof it's virus-free. Anyone could design a virus which is "certified" unless it is checked up by some authority, but who could possibly take such responsibility?

—SA

Posted 11-Apr-11 7:23am

Sergey Alexandrovich Kryukov

Updated 11-Apr-11 7:26am

v2

Comments

Nish Nishant 11-Apr-11 13:52pm

Good response, take a 5 vote!

Sergey Alexandrovich Kryukov 11-Apr-11 14:31pm

Thank you, Nishant.
--SA

Marc A. Brown 11-Apr-11 14:39pm

Have a 5! :) I think the answer may be a combination of things -- your answer and mine both make sense.

Sergey Alexandrovich Kryukov 11-Apr-11 14:43pm

Thank you, Marc.
--SA

Georg Scholz 12-Apr-11 4:57am

I'm pretty sure it is not infected, because I'm running Norton 360 on my local computer, and on the local computer, norton says it is clean.

Sergey Alexandrovich Kryukov 12-Apr-11 15:48pm

OK, good for you if so. Please see our discussion with Marc. To me, the reputation approach of such anti-virus software is quite questionable. It means that freshly-developed application are suspect by definition. This is a way into totalitarism, come to think about. The situation with viruses is difficult, I think different approaches are needed.

Good luck,
--SA

Nish Nishant · Accepted Answer · 2011-04-11T07:50:00

Solution 3

The most likely reason is that you have some code in your binary or binaries that resembles code used by viruses or trojans, so a signature match is falsely fired when they check your binary. Do you have any code that attempts to use any stealth techniques like hiding the main window, hiding the process from the task manager, API hooks, attempted silent administrator elevation, or some such thing?

Posted 11-Apr-11 7:50am

Nish Nishant

Comments

Sergey Alexandrovich Kryukov 11-Apr-11 13:53pm

Agree, a good point, my 5. A also asked about something like this in my Answer.
--SA

Nish Nishant 11-Apr-11 13:54pm

Yeah, saw it, your answer is more detailed. That got my 5! :-)

Sergey Alexandrovich Kryukov 11-Apr-11 14:31pm

Thank you very much.
--SA

Marc A. Brown 11-Apr-11 13:56pm

That's a definite possibility; however, given Georg's comment about Norton 360, please see my answer as well. EDIT: Forgot to throw a 5 your way earlier.

Georg Scholz 12-Apr-11 4:58am

No I'm sure this is not the case. Our app is pretty normal. I'm also sure it is not infected, because on the local computer, norton says it is clean.