Anti-Virus Detection on a legitimate program

Question

Basically, my program runs along side another jar file. Here is the code for the download function:

public void saveUrl(final String filename, final String urlString) throws MalformedURLException, IOException {     BufferedInputStream in = null;     FileOutputStream fout = null;     try {         in = new BufferedInputStream(new URL(urlString).openStream());         fout = new FileOutputStream(filename);          final byte data[] = new byte[1024];         int count;         while ((count = in.read(data, 0, 1024)) != -1) {             fout.write(data, 0, count);         }      } catch (Exception e) {         return;     } finally {         if (in != null) {             in.close();         }         if (fout != null) {             fout.close();         }     } } 

And the to start the new process

public void runUpdate() throws IOException{     String folder = fileLocation;     ProcessBuilder p = new ProcessBuilder();     p.command(folder);     p.start(); } 

However, even with user prompts and having to approve the download, when I tested it outside of the eclipse environment, my anti-virus picked it up right away.

It was detected as a "trojan.downloader". I'm thinking it has something to do with the download function? I'm not really trying to beat an anti-virus program. I'm not attempting to do any illegitimate.

Perhaps some obfuscation would do the trick?

Answer 1

The bytecode generated by your compiler matches some specific code pattern/signature the AV is looking for, meaning some malware they had found/reversed in the past had code similar to this that they could reliably find.

The best option would be to identify and rewrite whichever method is triggering the detection until it no longer matches whatever the AV is looking for, obfuscation would not be a good idea (but can be done, if the obfuscator does control flow obfuscation) for fixing this problem as there's no guarantee it would produce bytecode different enough from the original (some obfuscators, like ProGuard, also do not even do control flow obfuscation).

Answer 2

You can try to sign your JAR with a code signing certificate, e.g. from Digicert.

This adds your company name to the JAR in a trusted way and thus could also be trusted by the Antivirus program. However, there's no guarantee that every Antivirus program will do so.

Note that there is also some impact of doing so:

• CRL (certificate revocation list) checks might be done. This will download data from the Internet. In case the PC has a physical network connection (local) but no Internet connection, this may run into a significant timeout.
• You need to become familiar with timestamping, otherwise the signature becomes invalid when the certificate expires.