Click here to Skip to main content
15,301,841 members
Please Sign up or sign in to vote.
5.00/5 (4 votes)
See more:
Dear all,
on our websites, we are publishing demo versions of our programs. Users can download them and can unlock them later.

Now the problem is that various antivirus programs are treating our files as 'suspicious' and are BLOCKING the download to our client's computers.

What can we do to prevent this? Does code signing help? Is there some sort of 'proof' or 'certificate' we could get for our programs?

Please note, our programs are for small markets and we are updating rather often.
Our software is mostly written C#/.NET

Thanks in advance for your help!

Kind regards
Georg Scholz
Posted
Updated 11-Apr-11 22:48pm
v2
Comments
Prerak Patel 11-Apr-11 6:28am
   
and one more thing we would like to know what your software does.
Georg Scholz 11-Apr-11 6:47am
   
These are databases for storing and analyzing patient data. We use MS Access as back-end, and C#/.NET as front-end.

Three of our websites are:
www.lat-online.at
www.esc-online.at
www.raucherberatungsprogramm.at

Prerak Patel 11-Apr-11 7:07am
   
And what exact message client gets?
Georg Scholz 11-Apr-11 7:31am
   
For example, Norton 360 says: "WS.Reputation.1 - Only a few users have downloaded this file." This is handled as a threat.
Richard MacCutchan 11-Apr-11 9:48am
   
Try contacting the AV manufacturers and ask them to tell you why they see your programs as viruses.
Marc A. Brown 11-Apr-11 12:02pm
   
It doesn't look like they're being flagged as viruses, based on the OP's comment above. They're being marked as suspicious because they haven't been downloaded often (at least not by users of the antimalware software in question).
Richard MacCutchan 11-Apr-11 12:31pm
   
I'm no AV expert but it just seemed the logical thing to enquire about.
Marc A. Brown 11-Apr-11 13:47pm
   
Sure, and it wouldn't hurt to do so. But given Georg's comment where he lists a specific message (from Norton 360), I remembered something about the reputation system they use. It *may* indicate questionable programming or it may just indicate that the software isn't heavily downloaded. Didn't mean for it to sound like I was dismissing your suggestion but in rereading my comment I guess it did. Sorry 'bout that. :)
Richard MacCutchan 12-Apr-11 4:35am
   
No offence taken.

Looks like you're getting flagged because you don't have a large number of users downloading the software, perhaps? A feature of comprehensive antimalware software like N360 is that it looks at what its users are downloading and how safe it's been in the past (at least that's how I understand it). Not sure whether you can do anything about that from your end.

EDIT: This[^] explains the Norton 360 message. Near the bottom is information about new (and perhaps infrequently downloaded?) files. It also provides a link[^] for developers to get their software whitelisted.
   
v4
Comments
Sergey Alexandrovich Kryukov 11-Apr-11 13:29pm
   
I hardly can imagine such situation. Maybe I simply never had experience with such software, but what's the use if it if it would suspect any freshly-build application no matter what?

I have somewhat different opinion, will you see my Answer?
--SA
Marc A. Brown 11-Apr-11 13:39pm
   
Please see the following for an explanation. Near the bottom is a bit on new files that supports my answer. I'm also going to add the link to my answer. http://community.norton.com/t5/Norton-360/Clarification-on-WS-Reputation-1-detection/td-p/232159
Sergey Alexandrovich Kryukov 11-Apr-11 13:52pm
   
Thank you for the reference and your note.
--SA
Marc A. Brown 11-Apr-11 13:54pm
   
You're quite welcome. I should've done the research to verify before I posted the initial version of my answer. :)
Sergey Alexandrovich Kryukov 11-Apr-11 14:34pm
   
I don't know why should I do this research, but I up-voted your answer by 5 finally.
It still seems to me the Norton practice is questionable, but this is a matter of discussion.
Cheers,
--SA
Marc A. Brown 11-Apr-11 14:38pm
   
No, I said *I* should've researched and verified before posting. You were fine. I'm not sure what I think of Norton's reputation system. Since they provide a means of getting your software "whitelisted" to provide a rep bump, it's better than it would be otherwise. Thanks for the vote!
Sergey Alexandrovich Kryukov 11-Apr-11 14:43pm
   
You're welcome. Sorry I misunderstood you previous comment.
Reputation system discussion might need some prior experience to understand its value of pitfalls...
--SA
Georg Scholz 12-Apr-11 4:59am
   
Thank you for the link this helped me a lot.
Georg Scholz 12-Apr-11 4:55am
   
Hello, yes exactly, this is the problem. Our software is pretty 'normal' in a technical sense, but it is known only to a small community. I talked with Norton Support and I will enroll in the whitelisting process. Also, we will digitally sign our excecutables.

However, Norton is not the only one. A customer told me about some problem with Avira. I think most of the big security companies have a reputation mechanism like Norton has.
Marc A. Brown 12-Apr-11 8:58am
   
Excellent. Be sure to accept the answer or answers that helped you solve the problem. That way the next guy who comes along with a similar problem can easily tell what helped.
Blocking an application but one or two stupid anti-virus algorithms would be OK, maybe, but be "various anti-virus programs" — looks suspicious to me. You programs might use questionable programming techniques or— how do you know they are not infected?

I would understand if you make some extremely exotic system utility using very cunning and intrusive system tricks. In such rare cases I could imaging it is detected by some anti-virus software even though your software is perfectly legit, but&hellop; do you do something like that?

Do you digitally sign all your assemblies? I would say you always should, by many reasons. I don't think the software can be "certified" in some other way. How could it be used to proof it's virus-free. Anyone could design a virus which is "certified" unless it is checked up by some authority, but who could possibly take such responsibility?

—SA
   
v2
Comments
Nish Nishant 11-Apr-11 13:52pm
   
Good response, take a 5 vote!
Sergey Alexandrovich Kryukov 11-Apr-11 14:31pm
   
Thank you, Nishant.
--SA
Marc A. Brown 11-Apr-11 14:39pm
   
Have a 5! :) I think the answer may be a combination of things -- your answer and mine both make sense.
Sergey Alexandrovich Kryukov 11-Apr-11 14:43pm
   
Thank you, Marc.
--SA
Georg Scholz 12-Apr-11 4:57am
   
I'm pretty sure it is not infected, because I'm running Norton 360 on my local computer, and on the local computer, norton says it is clean.
Sergey Alexandrovich Kryukov 12-Apr-11 15:48pm
   
OK, good for you if so. Please see our discussion with Marc. To me, the reputation approach of such anti-virus software is quite questionable. It means that freshly-developed application are suspect by definition. This is a way into totalitarism, come to think about. The situation with viruses is difficult, I think different approaches are needed.

Good luck,
--SA
The most likely reason is that you have some code in your binary or binaries that resembles code used by viruses or trojans, so a signature match is falsely fired when they check your binary. Do you have any code that attempts to use any stealth techniques like hiding the main window, hiding the process from the task manager, API hooks, attempted silent administrator elevation, or some such thing?
   
Comments
Sergey Alexandrovich Kryukov 11-Apr-11 13:53pm
   
Agree, a good point, my 5. A also asked about something like this in my Answer.
--SA
Nish Nishant 11-Apr-11 13:54pm
   
Yeah, saw it, your answer is more detailed. That got my 5! :-)
Sergey Alexandrovich Kryukov 11-Apr-11 14:31pm
   
Thank you very much.
--SA
Marc A. Brown 11-Apr-11 13:56pm
   
That's a definite possibility; however, given Georg's comment about Norton 360, please see my answer as well. EDIT: Forgot to throw a 5 your way earlier.
Georg Scholz 12-Apr-11 4:58am
   
No I'm sure this is not the case. Our app is pretty normal. I'm also sure it is not infected, because on the local computer, norton says it is clean.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900