Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
-
- Posts: 12
- Joined: Mon Oct 11, 2021 3:30 pm
I recently received my first code signing certificate and I signed the executable after protecting it, then made the installer from that, then signed the installer. It installs and runs fine, but when I run the installer through VirusTotal, Microsoft is flagging it as containing Trojan:Win32/Sabsik.FL.B!ml. If it were coming from an unknown antivirus vendor, I would ignore this, but this is Microsoft! How do I get rid of this warning?
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
I submitted the protected executable to Microsoft for analysis, but they probably won't get back to me for days, if not weeks or months. Is there something Enigma can do to fix this?
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
Surprisingly, Microsoft already got back to me (pinch me!). They removed the detection and told me how to update my Defender signatures. So I did that and:
1) I rescanned the installer at VirusTotal. This time, it got back false positives from Sophos (Generic ML PUA (PUA)) and FireEye (Generic.mg.26285e8c3bbafe5c). So, the Microsoft false positive is gone, but now these other two are showing up. Not sure why they didn't show up last time (maybe they both exceeded the timeout?).
2) I rescanned the installer with Defender on my local machine and it found Program:Win32/Wacapew.C!ml, but it considers it a low risk, so it allowed me to easily whitelist that.
So, I'm going to make this installer available on my website, but I'd still like to see if I can remove these false positives. I would really rather not have to get in the habit of having to submit my app to all these antivirus companies every single time I rebuild my app!
Thanks
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
Hi, there should be nothing to do anymore. I believe MS whitelisted your certificate and no more false detections appear.
Antiviruses are becoming crazier and crazier: no matter what the file is, without a code signing certificate most of them get detected as a virus. MS's Defender is a leader in wrong detections. A simple "Hello World!" compiled file causes a dozen false detections on VirusTotal...
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
Since Adobe came out with a 64 bit version of Acrobat Reader, I'm now preparing a 64 bit version of my app. However, I'm probably going to have to leave Enigma behind because I have no desire to pay for this package all over again, just to get 64 bit support (unless you give a substantial discount). The fact that I still got false positives from other antivirus engines despite the whitelisting by Microsoft just reinforces my decision. I can't sell an app that no one trusts! (Granted, going without protection will open the app up wide to piracy, but better *some* sales than *no* sales...)
To be fair, I haven't scanned the installer since my initial post above, but I'll try again later today.
Here's a semi-related issue I'm having that maybe you can help me solve: When I try to code sign my 64 bit app (not Enigma protected, of course), I'm getting error 0x800700C1 from signtool.exe. Basically, it's saying the EXE is invalid, but I can package it up, install it and run it, so I'm not sure why it's balking. (Someone else said this error means the EXE is already signed but I know for a fact that it's not, and I verified that.)
Do you (or anyone else here) know how to research / fix this?
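One way to do the check mentioned above for yourself (is the EXE already carrying an Authenticode signature, and is the PE header sane enough for signtool to parse) is to read the security data directory straight out of the PE headers. The script below is an added example, not from this thread, from Enigma or from signtool; it follows the Microsoft PE/COFF layout (security directory index 4, whose entry is a file offset rather than an RVA, pointing at a WIN_CERTIFICATE structure). The `build_minimal_pe` helper constructs a header-only PE32+ sample with a placeholder certificate blob so the script runs offline; real binaries are inspected by passing a path on the command line. For reference, 0x800700C1 is the HRESULT wrapping Win32 error 193, ERROR_BAD_EXE_FORMAT.

```python
"""Report whether a PE file has an Authenticode certificate table.

Added example: reads IMAGE_DIRECTORY_ENTRY_SECURITY from the optional header
and, if present, the WIN_CERTIFICATE header it points at.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def inspect_pe(data: bytes) -> dict:
    """Return signing state of a PE image; raises ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, dir_count_off, dir_base = "PE32", 92, 96
    elif magic == PE32PLUS_MAGIC:
        fmt, dir_count_off, dir_base = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    checksum = struct.unpack_from("<I", data, opt + 64)[0]   # CheckSum field
    dir_count = struct.unpack_from("<I", data, opt + dir_count_off)[0]
    result = {"format": fmt, "checksum": checksum, "signed": False,
              "cert_offset": 0, "cert_size": 0, "cert_type": None}
    if dir_count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result                        # image declares no security entry
    entry = opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("security directory lies outside the optional header")
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return result                        # empty entry: unsigned
    # The security entry is a raw file offset and must fit inside the file.
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    _dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    result.update(signed=True, cert_offset=cert_off,
                  cert_size=cert_size, cert_type=cert_type)
    return result


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample: header-only PE32+ image, optionally with a dummy WIN_CERTIFICATE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    # Machine=x64, 0 sections, SizeOfOptionalHeader=240, Characteristics=EXE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)      # CheckSum (constructed value)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + 240                 # certificate table follows the headers
    cert = b""
    if signed:
        payload = b"<constructed placeholder, not a real PKCS#7 blob>"
        cert_len = 8 + len(payload)
        cert = struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, cert_len)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        for flag in (False, True):
            print("constructed sample, signed=%s ->" % flag, inspect_pe(build_minimal_pe(flag)))
```

A `signed: False` result on the unsigned build rules out the "already signed" explanation; a ValueError from the header checks is the kind of structural problem that makes signtool reject a file as not a valid image. Note that this only reads the header; validating the signature itself is a job for `signtool verify` or `Get-AuthenticodeSignature`.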
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
...and I found the cause of the problem. If you're using the JCL Debug routine and you enable the "Insert JDBG data into the binary" feature, that throws a wrench into the machine. SignTool fails to sign the app in that case. If you use EurekaLog (or similar), you don't need to enable this (I tested it). I didn't strip out JCL Debug altogether, though. You might be able to remove that too...
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
Ok, I ran a new installer (32 bit, protected) by VirusTotal and it came back with ZERO false positives. I'll try this out on an older laptop to see how many warnings I get from Windows. I *might* buy the 64 bit version of Enigma after all, but I'm still hoping for a discount! Having to pay twice for this thing hurts...
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
The promised follow-up... I am still getting a crazy number of "Are you sure you want to install that" messages from both Edge and Windows SmartScreen, but I'm guessing this isn't Enigma's fault. I love how Microsoft treats adults like children.
This nagging won't go away until more people buy my app, and boy is it annoying as hell...
Re: Getting flagged with Trojan:Win32/Sabsik.FL.B!ml
oHXD3OUsHe wrote: ↑Thu Nov 18, 2021 11:08 pm
The promised follow-up... I am still getting a crazy number of "Are you sure you want to install that" messages from both Edge and Windows SmartScreen, but I'm guessing this isn't Enigma's fault. I love how Microsoft treats adults like children.
This nagging won't go away until more people buy my app, and boy is it annoying as hell...
No, this is not due to Enigma. As far as I know, this happens for all files that are downloaded from the internet, regardless of protection and even of a digital signature.
For other questions in this thread, please contact us at support@enigmaprotector.com