0

I could be looking at a method that involves decompilation or hex editing, but I am hoping something simpler is available, although I am fully willing to go down that path. The scenario I am trying to solve is that I have an executable that is being flagged as a virus. I am exploring all possibilities, including the possibility that my compiler is injecting a virus into the code. I have the virus name that is being reported. I do not care if the anti-virus scanner flags it again, but I do want to develop some proof that this file is indeed safe. Assuming my paperwork is trusted, how would I do so? Also, please assume that this executable can't be submitted to the anti-virus company for heuristic whitelisting.

While this situation is contrived, I am asking, in short: if I have an executable and a virus name that is found by an anti-virus engine, how can I confirm that the executable does not contain that virus?

DarkSheep
    "Prove" to whom? – user Jan 29 '16 at 14:23
  • Virus analysis is a very complex field, and one in which it's _very_ hard to _prove_ anything. I think that any decent answer to your question will require a much longer answer than will fit on this site. As such, I'm voting to leave this closed as "too broad". – Mike Ounsworth Jan 29 '16 at 20:10
  • My most common answer: I have the source code you bonehead AV vendor! – Joshua Mar 14 '16 at 18:36
  • Voted to reopen - see also http://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now which is predicated by "I have determined beyond doubt that my home PC is infected" – symcbean Oct 12 '16 at 11:16

1 Answer

1

I do believe this question is related to https://reverseengineering.stackexchange.com/ rather than the security forum.

This is an extremely in-depth sort of question to answer. For example, what is this application? Is it native or a byte-code language, e.g. Java, .NET, etc.?

So, I'll make the assumption that it's an x86 executable.

You'll want to download:

Process Monitor - A really handy tool to see what a process is doing with files, the registry, the network and threads/processes.

IDA PRO - An extremely powerful debugger/disassembler/decompiler, so you can actually set breakpoints on the known APIs related to what the false positive is doing. You'll require an understanding of Windows internals. If you provide me with what the virus is believed to do, I can give you a list of APIs to investigate under the debugger.

API Monitor - A handy tool for just checking what it's executing over time, to see if anything stands out. For example, OpenProcess, WriteProcessMemory and ReadProcessMemory are usually used in code that injects into other processes, and a general application would not require these APIs.

Ideally, you'll want to look into reverse engineering to review code, as bypassing AVs and false positives are extremely common.

Paul
  • Agree with your first line, they would likely handle this with the focus I am not able to convey to this board. Thanks. – DarkSheep Jan 29 '16 at 18:53
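The API-trace check the answer suggests, as an added example that is not part of the original answer: it parses a few constructed API Monitor-style lines (the `<time> <pid> <api>(<args>) = <ret>` layout is an assumption made here) and reports any handle returned by OpenProcess that is later passed to WriteProcessMemory or ReadProcessMemory, the cross-process memory APIs the answer singles out.

```python
import re

# Constructed trace lines in an assumed "<time> <pid> <api>(<args>) = <ret>" layout
SAMPLE_TRACE = r"""
10:00:01.001 4120 CreateFileW(C:\app\config.ini, GENERIC_READ) = 0x1a4
10:00:01.002 4120 ReadFile(0x1a4, 0x22f000, 512) = 1
10:00:02.100 4120 OpenProcess(PROCESS_VM_WRITE, FALSE, 1337) = 0x2c8
10:00:02.102 4120 WriteProcessMemory(0x2c8, 0x7ff0000, 0x23a000, 4096, NULL) = 1
10:00:02.105 4120 CloseHandle(0x2c8) = 1
10:00:03.000 4120 CloseHandle(0x1a4) = 1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")
# APIs the answer names: a normal application has no reason to touch another
# process's memory, so any of these on a foreign process handle is worth a look.
CROSS_PROCESS_MEMORY_APIS = {"WriteProcessMemory", "ReadProcessMemory"}

def parse_trace(text):
    """Return a list of (pid, api, args, ret); lines not matching the layout are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, pid, api, args, ret = m.groups()
            calls.append((int(pid), api, [a.strip() for a in args.split(",")], ret))
    return calls

def find_foreign_memory_access(calls):
    """Follow each handle OpenProcess returns, collect every later call that takes it
    as first argument, and report handles on which a cross-process memory API was
    used as (caller_pid, target_pid, handle, [apis in order])."""
    tracked = {}  # handle -> {"caller": pid, "target": pid, "seen": [api, ...]}
    for pid, api, args, ret in calls:
        if api == "OpenProcess" and ret not in ("0", "NULL"):
            tracked[ret] = {"caller": pid, "target": int(args[2]), "seen": ["OpenProcess"]}
        elif args and args[0] in tracked:
            tracked[args[0]]["seen"].append(api)
    return [(t["caller"], t["target"], h, t["seen"])
            for h, t in tracked.items()
            if CROSS_PROCESS_MEMORY_APIS & set(t["seen"])]

if __name__ == "__main__":
    hits = find_foreign_memory_access(parse_trace(SAMPLE_TRACE))
    for caller, target, handle, seen in hits or []:
        print("pid %d accessed memory of pid %d via %s: %s" % (caller, target, handle, " -> ".join(seen)))
    if not hits:
        print("no cross-process memory access found")
```

A handle that is only opened and closed, or only queried, is not reported, so benign uses of OpenProcess do not show up as noise.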