AV signatures


    #191245
    wyattwic
    Participant

    Hello,

    VorpX has had a long history of issues with different AV, and in my case I use McAfee Endpoint Protection. Would it be possible for you to do certificate-based signing of your work so we can verify something came from you? I should then be able to send the detected files to McAfee for global exclusion.

    When I updated from an old version (autoupdate was broken), the way I was excluding it in McAfee stopped working. Now I need to go for a more holistic solution, and hopefully this helps everyone out.

    I would love to work with you to make VorpX not be identified as a bad actor.

    #191248
    Ralf
    Keymaster

    The bad actor is your AV program which repeatedly falsely classifies vorpX as malicious with each new update. I’m a bit tired of these apps and their obviously highly flawed guesswork TBH. If at least they would let their users know when they are just guessing.

    Try to exclude the vorpX program folder from your scanner, usually that would be C:\Program Files (x86)\Animation Labs\vorpX. If that doesn’t help, please report the issue as false positive to your AV vendor so they can fix their problem.

    Alternatively consider switching to Windows Defender, which comes free with Windows 10. Windows Defender provides excellent protection without being as invasive as some other AV programs. False positives also can happen with Defender from time to time, but Microsoft at least reacts fast and reliably when they are made aware of them.

    #191249
    wyattwic
    Participant

    Hello Ralf,

    Leaving McAfee is not an option for us right now and asking people to change major aspects of their environment isn’t reasonable.

    My question is would you be willing to do code signing?

    It helps security professionals like myself eliminate issues like this and helps us know it was made by you. I’ve already emailed samples of the current version to McAfee support and it will likely be off the list in the next few days, but code signing helps keep future versions off too.
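    One way to do the kind of verification described above, as an added example that is not from the thread or from the vorpX project: a PowerShell pass over the vorpX program folder and %TEMP% that reports each executable's Authenticode status, signer and hash, so unsigned or broken-signature files can be separated from properly signed vendor files before anything is sent to an AV vendor. It assumes the install path Ralf gives above; adjust it if yours differs.

```powershell
# Added example, not part of the thread: list Authenticode status of executables in
# the vorpX install folder and in %TEMP%, where the updater drops its payload.
# Assumption: the install path below matches the one named in the thread.
$paths = @(
    "C:\Program Files (x86)\Animation Labs\vorpX",
    $env:TEMP
)

$results = foreach ($dir in $paths) {
    Get-ChildItem -Path $dir -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature validates the embedded signature and chain.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Files without a valid signature are the ones an AV product cannot attribute to a
# publisher. Those are the candidates to submit as false-positive samples if they
# really are the vendor's, or to investigate further if they are not.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Signed files, grouped by signer, show at a glance which publisher each file claims.
$results | Where-Object { $_.Status -eq 'Valid' } | Group-Object Signer |
    Select-Object Name, Count
```

A file reported as Valid with the expected signer subject is what a global exclusion request can be anchored on; a NotSigned result for a freshly downloaded update is exactly the situation the later posts in this thread describe.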

    #191250
    wyattwic
    Participant

    Adding this for reference. It's from good old 2005, but it hasn’t changed.

    http://techgenix.com/code-signing/

    #191252
    Ralf
    Keymaster

    To avoid false positives caused by the flawed guesswork of your AV software the best you can do is excluding the vorpX program folder from your scanner. If that doesn’t help, let them know about their false positive detection, so they can fix their problem.

    Apart from that all I can really recommend is switching to an AV solution that takes a more reasonable, less trigger happy approach.

    #191253
    wyattwic
    Participant

    The folder is already excluded; you have an executable being written to the tmp folder and then run, causing the new issues I’m having.

    vorpcontrol.exe is also already considered trusted and doesn’t need an exclusion but flags on the files you are writing to “\AppData\Local\Temp”. The flag description tells me that McAfee doesn’t recognize the file in temp as yours and looks like a privilege escalation attempt of a tool kit.

    Is there an option to modify that behavior to keep the file inside the installation directory?

    I want to help you get your program away from being detected. I get paid to do this for programs I don’t enjoy. I enjoy your program, I would like to help.

    Goodnight, I’ll be on tomorrow!

    #191256
    wyattwic
    Participant

    Forgot to add this before I head off. Here is a screenshot of the detection trace


    In this case vorpcontrol downloads the update file to temp and when it tries to execute it ATP deletes the downloaded file, causing vorpcontrol to crash. Vorpcontrol is seen as 70% trusted because it knows it ran in response to the user and came from a trusted source. The downloaded file is seen as 15% because it sees it as a background executed file, from an unknown source, being run as admin.

    Hope this helps a little!

    #191258
    Ralf
    Keymaster

    Flawed guesswork at its best. I have nothing more to say to that kind of stuff without getting impolite. A program you actively started downloads a setup, writes it to temp and for your AV that is enough to call it malicious? I’d laugh if it wasn’t so sad. How on earth do these people do their updates? Probably in the exact same manner, just like everyone else too.

    Try to run your web installer manually. That way you get the latest version without running the auto update. If you need a new one, you can get it here: http://www.vorpx.com/request-new-download/

    Apart from that all I can really recommend is switching to an AV solution that takes a more reasonable, less trigger happy approach. Seriously.
