Many 'false positive' detection of SPS 2021 generated exe's

Use this forum to ask questions after your subscription maintenance expires or before you buy. Need information on licensing or pricing? Questions about a trial version? This is the right place for you. No scripting questions, please.
Forum rules
DO NOT POST SUBSCRIPTION NUMBERS, LICENSE KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.
This topic is 2 years and 6 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

Product: PowerShell Studio 2021 (64 Bit)
Build: v5.8.191
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.19043.0

Since the release of SPS 2021, my compiled executable was facing many 'false positive' reports by various AV providers. I'm not able to identify the exact build when it started but for 2019 I had 0 'false positive' reports and for 2020 I had one 'false positive' report. I've sent 'False Positive' reports to nearly 20 AV providers, they corrected their detection rules and it was fine until the next release of the executable.

Can you please revisit the changes that were made to the script compiler? Maybe you will find something that triggers various AVs more often.
User avatar
Alexander Riedel
Posts: 8473
Last visit: Tue Mar 19, 2024 1:15 am
Answers: 19
Been upvoted: 37 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by Alexander Riedel »

I am not aware of any changes made which would cause an uptick in false positives. The AV providers constantly update their detections and engines though.
Since you don't mention which AV providers you have the problem with, I cannot determine any further details.
Which particular type of executable did you have the problem with? Without knowing that it is also a little tricky to find out more.
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

Ok, so if the script compiler didn't receive major changes, it might be that AV provides tighten their scanners to make their detection patterns too broad.

FWIW, the FP reports were sent to:
kaspersky.com
microsoft.com
eset.com
tencent.com
aegislab.com
ahnlab.com
zillya.com
cyren.com
mcafee.com

the executable type was "SAPIEN PowerShell V5 Host (Windows Forms)".
User avatar
Alexander Riedel
Posts: 8473
Last visit: Tue Mar 19, 2024 1:15 am
Answers: 19
Been upvoted: 37 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by Alexander Riedel »

I have uploaded the raw base engine to virustotal.com and it gets zero hits.
2021-08-02_11-26-14.png
2021-08-02_11-26-14.png (305.29 KiB) Viewed 23736 times
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

These are the rules that my app is trigger:

5 matches for rule
Dot net compiler compiles file from suspicious location by Joe Security from Joe Security Rule Set (GitHub)
Dot net compiler compiles file from suspicious location

5 matches for rule
Suspicious Csc.exe Source File Folder by Florian Roth from Sigma Integrated Rule Set (GitHub)
Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)

1 match for rule
Too Long PowerShell Commandlines by oscd.community, Natalia Shornikova from Sigma Integrated Rule Set (GitHub)
Detects Too long PowerShell command lines

9 matches for rule
Windows PowerShell Web Request by James Pemberton / @4A616D6573 from Sigma Integrated Rule Set (GitHub)
Detects the use of various web request methods (including aliases) via Windows PowerShell

2 matches for rule
Non Interactive PowerShell by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) from Sigma Integrated Rule Set (GitHub)
Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
Sigma rule cannot be loaded.

Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority from Snort registered user ruleset
Matches rule TAG_LOG_PKT from Snort registered user ruleset
User avatar
Alexander Riedel
Posts: 8473
Last visit: Tue Mar 19, 2024 1:15 am
Answers: 19
Been upvoted: 37 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by Alexander Riedel »

I don't know what you are doing in your application, but none of these apply to a SAPIEN PowerShell Script host.
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

That's the thing, I'm not doing anything except using Compiling Win32API P/Invoke code/GitHub REST API/downloading files via Inoke-WebRequest. I will try to test it more by testing executables with those 'sensitive to AV' functions.
User avatar
Alexander Riedel
Posts: 8473
Last visit: Tue Mar 19, 2024 1:15 am
Answers: 19
Been upvoted: 37 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by Alexander Riedel »

Just as a thought, without having any clue about your application, maybe you are using modules that do these type of things when loaded?
Also, there is a humongous difference between a static pattern scan for a virus and monitoring API calls and network traffic. I cannot tell in your case what the report actually is.

As you may imagine, when working on the script packager, we build dozens of packages for testing and run them over and over again.
I cannot remember even once getting a false positive from Windows Security or MalwareBytes. We routinely upload to virustotal.com to check if we do not inadvertently catch something before a release.
Maybe the next time you have one of these cases you can share your packaged file so we can check what's happening.
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

I'm using my own Add-Type for Windows Forms TreeNode Hide Checkbox.

I've done some experiments, one by one, I've stripped all additional files/code to the point where I got an empty form without any code at all. Uploading it to VT still triggered those two rules:

Code: Select all

CRITICAL:
2 matches for rule Dot net compiler compiles file from suspicious location by Joe Security from Joe Security Rule Set (GitHub)
Dot net compiler compiles file from a suspicious location

HIGH:
2 matches for rule Suspicious Csc.exe Source File Folder by Florian Roth from Sigma Integrated Rule Set (GitHub)
Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
Then, I've created an empty form project, compile it to exe as Windows PowerShell Host and VT also detect those rules:
https://www.virustotal.com/gui/file/a11 ... /detection

So there is something inside 'form' exe that triggers those detections.
User avatar
ALIENQuake
Posts: 112
Last visit: Mon Jan 29, 2024 7:35 am
Has voted: 4 times

Re: Many 'false positive' detection of SPS 2021 generated exe's

Post by ALIENQuake »

Strange, now VT interface doesn't show detection of those 2 rules. Anyway, It's probably Add-Type stuff that's being detected.
This topic is 2 years and 6 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.