C
C#6d ago
MJT

✅ False Positive Virus Detection on my C# network ping code

So i'm trying to make a simple ping utility that just given a bunch of hostnames, does a ping to the host periodically, and graphs the results. I can make the app and it works fine for my needs. But I publish it and send it to my buddy to have a look at and his corporate Windows Defender says its a virus and deletes it. If i scan my published files it detects it as "MaxSecure Trojan.Malware.300983.susgen" on virustotal. the specific lines of code that seem to trigger this behaviour are as follows 
        public async Task AddPing()
        {
            Ping p = new();

            var reply = await p.SendPingAsync(hostname);
           
            if (reply.Status != IPStatus.Success)
            {
                Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
            }

            ///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
            await AddResult(reply.RoundtripTime);

            return;
        }

        public Task AddResult(long pingresult)
        {
            _results.Add(pingresult);

            return Task.CompletedTask;
        }
        public async Task AddPing()
        {
            Ping p = new();

            var reply = await p.SendPingAsync(hostname);
           
            if (reply.Status != IPStatus.Success)
            {
                Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
            }

            ///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
            await AddResult(reply.RoundtripTime);

            return;
        }

        public Task AddResult(long pingresult)
        {
            _results.Add(pingresult);

            return Task.CompletedTask;
        }
I guess my question is, how do I stop this from happening other than randomly changing my code and hoping it doesn't flag as a false positive?
9 Replies
Marvin
Marvin6d ago
public async Task AddPing()
{
    Ping p = new();

    var reply = await p.SendPingAsync(hostname);

    if (reply.Status != IPStatus.Success)
    {
        Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
    }

    ///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
    await AddResult(reply.RoundtripTime);

    return;
}

public Task AddResult(long pingresult)
{
    _results.Add(pingresult);

    return Task.CompletedTask;
}
public async Task AddPing()
{
    Ping p = new();

    var reply = await p.SendPingAsync(hostname);

    if (reply.Status != IPStatus.Success)
    {
        Debug.WriteLine(hostname + " error :" + reply.Status.ToString());
    }

    ///////////////////////////// this line triggers the MaxSecure Trojan.Malware.300983.susgen
    await AddResult(reply.RoundtripTime);

    return;
}

public Task AddResult(long pingresult)
{
    _results.Add(pingresult);

    return Task.CompletedTask;
}
just for better readability
MJT
MJT6d ago
thanks, sorry I cant work out how to get it to mark it as code
Marvin
Marvin6d ago
normally it even does color highlighting but im too dumb atm
MutableString
MutableString6d ago
it's ```cs
Ploot
Ploot6d ago
Defender is pretty twitchy when it comes to unsigned executables. Generally the best way you can avoid this is by signing executables you publish
jcotton42
jcotton426d ago
I noticed you said “corporate,” your buddy’s IT probably won’t like them running random exes.
MJT
MJT5d ago
oh yeah I get what you mean, he runs the IT though 🙂 I just wanted to see if my program works on a random machine, eg .net installed and stuff. I wasn't expecting a virus warning to be triggered also the intention for this was just to provide a bit of a sample application as part of a portfolio. The idea was to give a github repo of it that people could look at or build themselves. Not much good if they build it and it triggers a virus warning. not a good look
MJT
MJT5d ago
It seems that signing the assembly with a generated key works
No description
MJT
MJT5d ago
generated key using command sn -k sgKey.snk not sure if this is a permanent solution or just coincidence, but it seems to work when its the only change I made between testing
Want results from more Discord servers?
Add your server