C
C#4mo ago
MJT

✅ False Positive Virus Detection on my C# network ping code

So i'm trying to make a simple ping utility that just given a bunch of hostnames, does a ping to the host periodically, and graphs the results. I can make the app and it works fine for my needs. But I publish it and send it to my buddy to have a look at and his corporate Windows Defender says its a virus and deletes it. If i scan my published files it detects it as "MaxSecure Trojan.Malware.300983.susgen" on virustotal. the specific lines of code that seem to trigger this behaviour are as follows
public async Task AddPing()
{
Ping p = new();

var reply = await p.SendPingAsync(hostname);

if (reply.Status != IPStatus.Success)
{
Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
}

///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
await AddResult(reply.RoundtripTime);

return;
}

public Task AddResult(long pingresult)
{
_results.Add(pingresult);

return Task.CompletedTask;
}
public async Task AddPing()
{
Ping p = new();

var reply = await p.SendPingAsync(hostname);

if (reply.Status != IPStatus.Success)
{
Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
}

///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
await AddResult(reply.RoundtripTime);

return;
}

public Task AddResult(long pingresult)
{
_results.Add(pingresult);

return Task.CompletedTask;
}
I guess my question is, how do I stop this from happening other than randomly changing my code and hoping it doesn't flag as a false positive?
9 Replies
Marvin
Marvin4mo ago
public async Task AddPing()
{
Ping p = new();

var reply = await p.SendPingAsync(hostname);

if (reply.Status != IPStatus.Success)
{
Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
}

///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
await AddResult(reply.RoundtripTime);

return;
}

public Task AddResult(long pingresult)
{
_results.Add(pingresult);

return Task.CompletedTask;
}
public async Task AddPing()
{
Ping p = new();

var reply = await p.SendPingAsync(hostname);

if (reply.Status != IPStatus.Success)
{
Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
}

///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
await AddResult(reply.RoundtripTime);

return;
}

public Task AddResult(long pingresult)
{
_results.Add(pingresult);

return Task.CompletedTask;
}
just for better readability
MJT
MJTOP4mo ago
thanks, sorry I cant work out how to get it to mark it as code
Marvin
Marvin4mo ago
normally it even does color highlighting but im too dumb atm
HtmlCompiler
HtmlCompiler4mo ago
it's ```cs
Ploot
Ploot4mo ago
Defender is pretty twitchy when it comes to unsigned executables. Generally the best way you can avoid this is by signing executables you publish
jcotton42
jcotton424mo ago
I noticed you said “corporate,” your buddy’s IT probably won’t like them running random exes.
MJT
MJTOP4mo ago
oh yeah I get what you mean, he runs the IT though 🙂 I just wanted to see if my program works on a random machine, eg .net installed and stuff. I wasn't expecting a virus warning to be triggered also the intention for this was just to provide a bit of a sample application as part of a portfolio. The idea was to give a github repo of it that people could look at or build themselves. Not much good if they build it and it triggers a virus warning. not a good look
MJT
MJTOP4mo ago
It seems that signing the assembly with a generated key works
No description
MJT
MJTOP4mo ago
generated key using command sn -k sgKey.snk not sure if this is a permanent solution or just coincidence, but it seems to work when its the only change I made between testing
Want results from more Discord servers?
Add your server