
Kaspersky detects my ConsoleApplication as a trojan

I've been searching for a while but I did not find any suitable answer to this question. I noticed that my antivirus started detecting my application as a trojan. My antivirus is Kaspersky 2013 and this is the type of trojan it has detected. http://www.securelist.com/en/descriptions/HEUR:Trojan.Win32.Generic

My application does only 3 things:

  • check if a Dongle Key is connected to the computer

  • Decrypts a dll (that is a wpf class library with a custom entry point) with the dongle key

  • Starts the dll through the custom entry point.

The problem is that similar code is working in a similar app, but in this case my antivirus detects it as a trojan. I noticed that the part of code that has a problem is this:

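    // Requires: using System; using System.Reflection;
    public static void ExecuteAssembly(byte[] Bytes)
    {
        // Load the decrypted assembly straight from memory (nothing is written to disk).
        Assembly a = Assembly.Load(Bytes);
        foreach (Type type in a.GetTypes())
        {
            try
            {
                // Look for a public method named "Main" on each type and invoke it.
                MethodInfo main = type.GetMethod("Main");
                if (main != null)
                    main.Invoke(type, new object[] { });
            }
            catch { } // any exception from the lookup or the call is silently ignored
        }
    }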

What can I do to avoid this problem? I'm not doing a trojan and I can't avoid using this part of code to start my dll. So I don't think the code is a problem. Thanks in advance.

Mattia

EDIT:

I have uploaded the file to the site Egor told me. This is the result. https://www.virustotal.com/en/file/7ee30172ffda51f4b99700d10df2816403cbdc8f17bfe90f7deef81a88639da3/analysis/1369058630/

What advice can you give me? To submit the file as a false positive, or something different like changing the code? I'm a newbie to these kinds of problems so I don't know how to act. Thanks again!

Pliskin asked May 17 '13 16:05


2 Answers

While I can't give you an answer on how to solve it by changing code, I can tell you that you are not the first one who has this problem. I encountered it before with one of my own programs, and it seems even some games get detected as that trojan by Kaspersky. Like some others said in the comments, you can submit this as a false positive to Kaspersky. I followed the instructions at this link: "How to report undetected viruses or false positives to the viruslab, No links to malware in the forum please!"

Rutix answered Oct 25 '22 03:10


You're encountering a heuristic detection, meaning that Kaspersky has evaluated every negative and positive attribute about your dll (everything from import tables to file size and actual functions called) and decided that its grade is below the recommended for a good executable.

I'm guessing that the sample code is what's causing the detection, meaning that you removed this code section and suddenly Kaspersky was alright with it. If that is so, you could trick the Kaspersky scanner by calling the Assembly.Load using reflection (which is probably the reason why it's detected: it is very common with trojans to download more modules as dlls and load them from memory).

    typeof(Assembly).GetMethod("Load").Invoke(null, new object[] { Bytes });

Jonathan Allon answered Oct 25 '22 05:10
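
To make the "functions called" attribute from the answer above concrete, here is an added example (not code from the question, the answers, or Kaspersky) of a Python triage script that reads the .NET metadata heaps of a file and reports whether `Assembly.Load` is named directly in `#Strings` or as a `"Load"` literal in `#US` next to `GetMethod`/`Invoke`. The function names and the sample builder are assumptions made for this illustration, the inputs are constructed, and finding the metadata root by searching for `BSJB` is a shortcut for walking the PE CLI header.

```python
import struct

def read_heaps(image):
    """Map stream name -> bytes from the CLI metadata root (ECMA-335 II.24.2.1)."""
    root = image.find(b"BSJB")  # shortcut; a full parser walks the PE CLI header
    if root < 0:
        return {}
    ver_len = struct.unpack_from("<I", image, root + 12)[0]
    pos, heaps = root + 16 + ver_len + 4, {}  # past header, version, flags, count
    count = struct.unpack_from("<H", image, pos - 2)[0]
    for _ in range(count):
        offset, size = struct.unpack_from("<II", image, pos)
        end = image.index(b"\0", pos + 8)  # name is NUL-terminated, 4-byte padded
        heaps[image[pos + 8:end].decode("ascii")] = image[root + offset:root + offset + size]
        pos += 8 + ((end - pos - 8) // 4 + 1) * 4
    return heaps

def user_strings(us):
    """Decode the length-prefixed UTF-16LE literals of the #US heap."""
    out, pos = set(), 0
    while pos < len(us):
        b = us[pos]
        if b & 0x80 == 0:  # 1-byte compressed length
            n, pos = b, pos + 1
        elif b & 0xC0 == 0x80:  # 2-byte form
            n, pos = ((b & 0x3F) << 8) | us[pos + 1], pos + 2
        else:  # 4-byte form
            n, pos = struct.unpack_from(">I", us, pos)[0] & 0x1FFFFFFF, pos + 4
        if n:  # last byte of each entry is a flag, not text
            out.add(us[pos:pos + n - 1].decode("utf-16-le", "replace"))
        pos += n
    return out

def load_indicators(image):
    """Ways the image can name Assembly.Load; evidence for triage, not a verdict."""
    heaps = read_heaps(image)
    names = set(heaps.get("#Strings", b"").split(b"\0"))
    literals = user_strings(heaps.get("#US", b""))
    direct = {b"Assembly", b"Load"} <= names
    reflective = {b"GetMethod", b"Invoke"} <= names and "Load" in literals
    return [k for k, hit in (("direct", direct), ("reflective", reflective)) if hit]

def build_sample(names, literals):
    """Constructed input: a bare metadata root holding only #Strings and #US."""
    strings = b"\0" + b"".join(n + b"\0" for n in names)
    us = b"\0" + b"".join(bytes([2 * len(s) + 1]) + s.encode("utf-16-le") + b"\0" for s in literals)
    head = b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0" + struct.pack("<HH", 0, 2)
    head += struct.pack("<II", 64, len(strings)) + b"#Strings\0\0\0\0"
    return head + struct.pack("<II", 64 + len(strings), len(us)) + b"#US\0" + strings + us
```

A match only says the name is present: a `Load` entry in `#Strings` can belong to an unrelated method, which is one way a benign program ends up with a heuristic verdict.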