Simon Anciaux
1184 posts
Edited by Simon Anciaux on Reason: Version 0.2

Hi,

For quite some time now I've been working on a feed reader. It isn't anything special, but suits my needs. Here is a small demo video and here is a link to a test version (0.1). I've used it for more than a year now and don't plan to change much in the future. It's a test version because I changed/fixed/cleaned lots of things in the past few weeks and I'd like some testing before calling it "finished".

Any feedback would be appreciated.

I also have a question: I'm still using Windows 7, and when I tested the application on Windows 10, I was greeted by a message telling me that the application contains a trojan and wasn't able to launch the application. After a little search, it appears that it's common for the Windows Defender AI/Cloud thing to mark every application as such and that the way around this is to submit the application to Microsoft on this page. Is that really the thing to do? Is there another way around that?

Edit: version 0.2

10 posts
Hey I work in security, so regarding your last question I think yes you might have just gotten unlucky with Windows Defender. It's a simple application and using a combination of APIs which is maybe found in some malicious executables, so the machine learning or whatever probably triggered.
Looking at it myself, out of context it seems to be doing file deletion, input and clipboard collection, system enumeration etc., in combination with Internet access. And if you compiled it in an unusual way or whatever the 'algorithm' may hold that against you.
Simon Anciaux
1184 posts

Halarious
And if you compiled it in an unusual way...

What do you mean by compiling in an unusual way? I'm compiling from the command line with the following commands:

    rc -nologo Y:\rss_reader\cbuild.rc
    cl Y:\rss_reader\main.c Y:\rss_reader\cbuild.res -Fefeed.exe -nologo -GR- -EHa- -Oi -fp:fast -WX -W4 -wd4100 -wd4189 -wd4201 -wd4204 -wd4505 -wd4996 -wd4307 -FC -Fm -Zi -diagnostics:caret -diagnostics:column -Od -MTd -DCOMPILER_CL -DDEBUG -D_ASSERT -DWINDOWS -DTARGET_x64 -DLOG -link -INCREMENTAL:NO -opt:ref -subsystem:windows -entry:mainCRTStartup wininet.lib shell32.lib user32.lib OpenGL32.lib GDI32.lib Dwmapi.lib Shlwapi.lib Comdlg32.lib Ole32.lib

Is that considered unusual?

When I looked into the issue there were people claiming that an empty main function could be marked as trojan, although I think they were talking about another anti-virus (if I remember correctly). I didn't check that (as I'm not often using Windows 10).

Halarious
...file deletion, input and clipboard collection, system enumeration etc., in combination with Internet access...

I'm doing all of that, using only Windows APIs. I sort of understand the idea that it looks bad without context, but... I'm just using the operating system. The worst thing was that Windows Defender didn't leave me the choice to run the application. Most of the time trying to launch it resulted in nothing happening, and on another computer it deleted the file directly.

Is the only solution to submit the program for review? I assume the Microsoft page will only take care of Windows Defender, so do I need to submit to other anti-virus vendors?
10 posts
Edited by Halarious on
By unusual I meant for example stripping the CRT, or it may indeed have to do with not having main; anything which is not that commonly done. But these are all guesses and don't really mean anything, just something which may contribute to some AI falsely labeling it as malware.

Also, your load config table seems to be invalid which may be "suspicious", but I don't know why that would be off the top of my head since you seem to be compiling it quite normally. Some info on it from the MSDN page:
https://docs.microsoft.com/en-us/...onfiguration-structure-image-only

Maybe also enabling /guard:cf and /SDL would somehow lend more legitimacy (both are currently disabled).

Other than that, I'm not sure you can do much which isn't playing the algorithm (e.g. dynamically loading some of the imports to trip machine learning models up). Packing it with something like UPX might be a hack which works, but better solutions usually unpack these so it might not have any impact, but who knows.

For personal use, you can add "Exclusions" in Windows Defender, folders which won't be scanned for malware. It should leave everything in exclusion folders alone.
Simon Anciaux
1184 posts
Edited by Simon Anciaux on
I don't know much about PE headers, but I inspected 6 executables (with this tool, which I don't know so it might not be good) and 3 of them had a config table that was empty except for the Characteristics field, one also had the reserved field set and 2 had no config table at all. So it doesn't seem to be a problem.

Anyway, thanks for the help.
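Since the load config table and /guard:cf came up above, here is an added example (not code from the posts or from the feed reader project) of what a tool like the one mentioned is actually reading. It is Python using only the standard library; the header field offsets come from the PE/COFF specification, and the three sample images are constructed in the script itself, so it runs offline. It locates the Load Configuration data directory, reports whether the structure is the old pre-CFG 0x70-byte layout (which carries nothing beyond its leading Size field, the one some tools label "Characteristics"), reads GuardFlags when the structure is large enough to have it, and cross-checks that against the DllCharacteristics GUARD_CF bit that linking with /guard:cf sets. Pass a real .exe path on the command line to inspect it instead of the samples.

```python
"""Inspect a PE image's Load Configuration directory and Control Flow Guard flags.
Added example for this thread; not code from the posts or the feed reader.
Offsets follow the PE/COFF specification; sample images below are constructed."""
import struct
import sys

# Well-known constants from the PE/COFF specification and winnt.h.
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000   # set by the linker for /guard:cf
IMAGE_GUARD_CF_INSTRUMENTED = 0x0100         # GuardFlags: code carries CFG checks
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x0400
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
GUARD_FLAGS_OFFSET = {False: 88, True: 144}  # inside IMAGE_LOAD_CONFIG_DIRECTORY32 / 64


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def inspect_load_config(data):
    """Describe the load config directory of a PE image held in memory.
    guard_flags is None when the structure predates CFG and has no such field."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is64 = magic == PE32PLUS_MAGIC
    dirs_off = opt + (112 if is64 else 96)            # data directories start here
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    sections = []                                     # section table follows the optional header
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    result = {"is64": is64, "has_load_config": False, "size": 0, "guard_flags": None,
              "cf_instrumented": False, "problems": [],
              "dllchar_guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)}
    if num_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        va, dir_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
        if va:                                        # VA 0 means "no load config table at all"
            off = _rva_to_offset(va, sections)
            size = struct.unpack_from("<I", data, off)[0]   # leading Size field ("Characteristics" in some tools)
            result.update(has_load_config=True, size=size)
            if dir_size and dir_size != size:         # sanity check, not a loader rule
                result["problems"].append("directory size %d != structure Size %d" % (dir_size, size))
            gf_off = GUARD_FLAGS_OFFSET[is64]
            if size >= gf_off + 4:                    # only CFG-era layouts reach GuardFlags
                gf = struct.unpack_from("<I", data, off + gf_off)[0]
                result["guard_flags"] = gf
                result["cf_instrumented"] = bool(gf & IMAGE_GUARD_CF_INSTRUMENTED)
    if result["dllchar_guard_cf"] != result["cf_instrumented"]:
        result["problems"].append("DllCharacteristics GUARD_CF and GuardFlags disagree")
    return result


def build_sample_pe(load_config=None, dll_chars=0):
    """Constructed header-only PE32+ image (no code, not runnable) with one .rdata
    section at RVA 0x1000 / file offset 0x200 holding the optional load config."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HH", img, coff, 0x8664, 1)     # Machine=x64, NumberOfSections=1
    struct.pack_into("<H", img, coff + 16, 240)       # SizeOfOptionalHeader: PE32+ with 16 dirs
    opt = coff + 20
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<H", img, opt + 70, dll_chars)  # DllCharacteristics
    struct.pack_into("<I", img, opt + 108, 16)        # NumberOfRvaAndSizes
    sect = opt + 240
    img[sect:sect + 6] = b".rdata"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    if load_config is not None:
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, len(load_config))
        img[0x200:0x200 + len(load_config)] = load_config
    return bytes(img)


def load_config64(size, guard_flags=None):
    """Constructed IMAGE_LOAD_CONFIG_DIRECTORY64 of the given Size (GuardFlags only fits if size >= 148)."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0, size)
    if guard_flags is not None and size >= 148:
        struct.pack_into("<I", buf, 144, guard_flags)
    return bytes(buf)


# Constructed samples: /guard:cf style, the pre-CFG 0x70-byte layout, none at all, and a mismatch.
SAMPLE_CFG = build_sample_pe(load_config64(0x100, IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT),
                             IMAGE_DLLCHARACTERISTICS_GUARD_CF)
SAMPLE_PRE_CFG = build_sample_pe(load_config64(0x70))
SAMPLE_NONE = build_sample_pe()
SAMPLE_INCONSISTENT = build_sample_pe(load_config64(0x70), IMAGE_DLLCHARACTERISTICS_GUARD_CF)

if __name__ == "__main__":
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "cfg": SAMPLE_CFG, "pre_cfg": SAMPLE_PRE_CFG, "none": SAMPLE_NONE, "inconsistent": SAMPLE_INCONSISTENT}
    for name, blob in targets.items():
        print(name, inspect_load_config(blob))
```

The "pre_cfg" sample is the shape described above: a directory entry that points at a structure whose only meaningful content is its Size, which is perfectly legal for a binary built without /guard:cf. The only condition the script calls a problem is an actual inconsistency, such as the GUARD_CF bit being set while the structure is too small to hold GuardFlags, which is the kind of thing a scanner's "invalid load config" heuristic is likely to key on.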
Simon Anciaux
1184 posts
Edited by Simon Anciaux on Reason: Fixed link

Version 0.2 changelog:

• Fixed an issue with the html parser memory allocator.