Q: Although you did not intend to create a virus, the antivirus blocks your program as a “threat”. How do you review your code and find the part of it that causes the problem?
Here are the answers from SecPro Community members on “Antivirus Blocks your Program as a Threat”:
Khairil, Head of Cybersecurity
AV usually detects using a unique pattern or behaviour of the application. In case the AV detects a source file, the strings are usually replaced with non-offensive words. For compiled files, it is usually trial and error: remove a function call and compile it again. Some sample files will also be submitted to the AV vendor for evaluation and whitelisting.
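The trial-and-error step for a compiled file can be done systematically rather than one function at a time. The script below is an added example, not code from the original post or from any product: it scans successively shorter prefixes of a binary with a scanner callback to find where the detection disappears, then narrows the window from the front, and finally lists the printable strings inside that window, which are the usual candidates for the string-renaming Khairil describes. The `fake_scanner`, the `SetWindowsHookExA` pattern and `SAMPLE_BINARY` are constructed stand-ins so the code runs offline; `cli_scanner` is a generic wrapper that assumes you know your AV's command line and which exit code means "detected", since both vary by product. This localises static byte-pattern detections only; a behavioural or emulation-based verdict will not survive truncation and needs the sandbox approach instead.

```python
"""Locate the bytes in a compiled file that make a scanner flag it (static signatures only)."""
import os
import subprocess
import tempfile
from typing import Callable, List, Optional, Tuple

Scanner = Callable[[bytes], bool]  # returns True when the scanner flags the blob


def _smallest_flagged_prefix(data: bytes, scanner: Scanner) -> int:
    # Precondition: scanner(data) is True. Binary-search the shortest prefix the
    # scanner still flags; the signature ends at that offset.
    lo, hi = 0, len(data)          # data[:lo] is clean (empty), data[:hi] is flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def _largest_flagged_start(data: bytes, end: int, scanner: Scanner) -> int:
    # Precondition: scanner(data[:end]) is True. Find the latest start offset such
    # that data[start:end] is still flagged; the signature begins there.
    lo, hi = 0, end                # data[lo:end] is flagged, data[hi:end] is clean (empty)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo


def locate_signature(data: bytes, scanner: Scanner) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the smallest window the scanner flags, or None if clean."""
    if not scanner(data):
        return None
    end = _smallest_flagged_prefix(data, scanner)
    start = _largest_flagged_start(data, end, scanner)
    return start, end


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """ASCII strings in the window: the candidates to rename or rewrite."""
    found, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                found.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        found.append(cur.decode("ascii"))
    return found


def cli_scanner(cmd: List[str], detected_exit_code: int) -> Scanner:
    """Wrap a command-line scanner. `cmd` is an argv list containing the literal
    token "{path}", replaced by a temp file holding the candidate bytes. Which exit
    code means "detected" is product-specific (assumption: the caller knows it)."""
    def scan(blob: bytes) -> bool:
        fd, path = tempfile.mkstemp(suffix=".bin")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(blob)
            argv = [path if a == "{path}" else a for a in cmd]
            return subprocess.run(argv, capture_output=True).returncode == detected_exit_code
        finally:
            os.unlink(path)
    return scan


# Constructed stand-in for a real scanner: flags any blob containing one API name.
FLAGGED_PATTERN = b"SetWindowsHookExA"


def fake_scanner(blob: bytes) -> bool:
    return FLAGGED_PATTERN in blob


# Constructed fake "binary": a header, padding, an import-style string table, filler.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    + b"kernel32.dll\x00user32.dll\x00" + FLAGGED_PATTERN + b"\x00"
    + b"\xcc" * 300
)

if __name__ == "__main__":
    window = locate_signature(SAMPLE_BINARY, fake_scanner)
    print("flagged window:", window)
    if window:
        start, end = window
        print("strings in window:", printable_strings(SAMPLE_BINARY[start:end]))
```

Each probe costs one scan, so a 10 MB file is localised in roughly 50 scans instead of one rebuild per removed function. Once the window is known, map the offset back to a function or data section with your linker map or a disassembler, change that code or string, rebuild, and rescan; if the detection moves rather than disappears, the signature covered more than one fragment and the search is simply repeated.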
Luca, Security Solutions and Operations
Based on the evidence provided by the AV, I look for functions or procedures in the source code which could mimic threat behaviour. It could also be possible to execute a sandbox analysis in order to find suspicious activities in the code. Then it’s necessary to re-engineer those sections in order to avoid triggering the AV.
Avishek, Data Scientist
Reviewing the code and debugging is the only solution. The code must adapt to the entire new environment.
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.