Avoiding antivirus false positives in data files
A data file used by one of my applications was recently quarantined by Symantec Antivirus (signature triggered was 'Nightfall.5815').
The file is written and read dynamically, and the content is arbitrary data.
Is there any way for my application to avoid these files triggering AV scans?
I am aware of other questions on SO concerning false positives, but they mostly appear to be concerned with executable files and Delphi. Many of the answers to this type of question involve contacting the AV vendors to report the false positive. In my case this is an arbitrary data file that I need to protect from quarantine, so I'm not sure a single report and resolution would prevent me from triggering again in the future. I am interested in whether there are any general approaches to avoiding this from the application perspective (different file permissions, altering the file format), or whether there is a way to address this by possibly excluding a directory from the scan.
Comments (2)
If you can consistently get the antivirus(es) to trigger on a file, try padding the beginning x-number-of-bytes of the file with all 0's (for example). I am wondering whether antiviruses pick up on particular sequences of bytes at particular positions or whether a certain sequence of bytes would always be considered bad.
Otherwise, excluding the directory from the virus scan would be the best option.
According to Kaspersky's terminology (Virus.DOS.NightFall.5815), this virus seems to be an old-timer DOS file infector.
AV companies often sign old viruses in order to improve their scores in AV certification processes such as AV-Comparatives or ICSA.
They use pattern-matching techniques in order to detect a defined sequence of bytes.
Unfortunately, sometimes the sequence is weak and creates too many false positives.
I think you just had really bad luck with your dat file.
You can try to change the file encoding; then the sequence will change and won't be captured by the weak signature.
In order to check if your file is now doing OK, run it through an AV cross-scanner like Jotti.
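The two answers above make the same underlying point: a fixed byte-sequence signature can match by accident inside arbitrary binary data, and storing the same data in a different on-disk representation changes the byte stream so that the sequence no longer appears. The following Python is an added illustration of that reasoning and is not code from either answer or from Symantec or Kaspersky. The "signature" bytes, the `APPDATA1` container header and the `expected_hits` estimate are all constructed for this example; the toy scanner stands in for a position-independent pattern match, as the first answer speculates the real scanner does.

```python
import base64
import os

# Constructed toy "weak signature": a short fixed byte sequence standing in
# for the kind of pattern a DOS-era file-infector signature might match.
# It is made up for this example and is not the real Nightfall.5815 pattern.
TOY_SIGNATURE = b"\x00\xff\x13\x37\x00\xfe"

# Hypothetical container header marking a re-encoded application data file.
MAGIC = b"APPDATA1\n"


def toy_scanner(blob: bytes, signature: bytes = TOY_SIGNATURE) -> bool:
    """Return True if the fixed byte pattern appears anywhere in the blob.

    This is position-independent matching: the pattern is flagged wherever
    it occurs, which is what makes accidental hits in arbitrary data possible.
    """
    return signature in blob


def expected_hits(file_len: int, sig_len: int) -> float:
    """Rough expected number of accidental matches of a sig_len-byte pattern
    in file_len bytes of uniformly random data, about file_len / 256**sig_len.

    Short signatures (small sig_len) against large files produce noticeably
    more false positives than long ones, which is the "weak sequence" problem
    the second answer describes.
    """
    return file_len / (256 ** sig_len)


def encode_record(raw: bytes) -> bytes:
    """Store arbitrary binary data as a header plus base64 text.

    Base64 output only contains ASCII letters, digits, '+', '/' and '=', so a
    raw pattern containing bytes outside that alphabet (0x00, 0xff, ...) can
    never appear verbatim in the stored form, while the payload stays intact.
    """
    return MAGIC + base64.b64encode(raw) + b"\n"


def decode_record(stored: bytes) -> bytes:
    """Reverse encode_record, checking the container header first."""
    if not stored.startswith(MAGIC):
        raise ValueError("not an encoded application record")
    return base64.b64decode(stored[len(MAGIC):].strip())


def demo() -> dict:
    """Build a constructed data file that happens to contain the flagged
    sequence, re-encode it, and report what the toy scanner sees."""
    payload = os.urandom(64) + TOY_SIGNATURE + os.urandom(64)
    stored = encode_record(payload)
    return {
        "raw_flagged": toy_scanner(payload),               # True
        "encoded_flagged": toy_scanner(stored),            # False
        "roundtrip_ok": decode_record(stored) == payload,  # True
    }


if __name__ == "__main__":
    print(demo())
    # A 6-byte pattern against a 100 MB file of random data is expected to
    # hit about 3.5e-7 times; a 3-byte pattern about 6 times.
    print(expected_hits(100 * 1024 * 1024, 6), expected_hits(100 * 1024 * 1024, 3))
```

The `expected_hits` figure is only a sanity check for uniformly random content; real data files have structure, so a particular format can collide with a particular signature far more often than the estimate suggests. Re-encoding the stored form changes which byte sequences can appear on disk, but it does not make the file invisible to a scanner that unpacks common encodings, so the cross-scan the second answer recommends is still the way to confirm the result.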