Anti-Virus Detection on a legitimate program


Problem description

Basically, my program runs along side another jar file. Here is the code for the download function:

import java.io.BufferedInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;

// Streams the resource at urlString into a local file named filename.
public void saveUrl(final String filename, final String urlString) throws MalformedURLException, IOException {
    BufferedInputStream in = null;
    FileOutputStream fout = null;
    try {
        in = new BufferedInputStream(new URL(urlString).openStream());
        fout = new FileOutputStream(filename);

        final byte data[] = new byte[1024];
        int count;
        while ((count = in.read(data, 0, 1024)) != -1) {
            fout.write(data, 0, count);
        }

    } catch (Exception e) {
        // Any failure (bad URL, network error, write error) is swallowed and the
        // method returns silently, possibly leaving a truncated file behind.
        return;
    } finally {
        if (in != null) {
            in.close();
        }
        if (fout != null) {
            fout.close();
        }
    }
}

Starting a new process:

// fileLocation is assumed to be a field of the enclosing class holding the path
// of the downloaded file (it is referenced but not declared in the post).
private String fileLocation;

// Launches the downloaded file as a new process.
public void runUpdate() throws IOException {
    String folder = fileLocation;
    ProcessBuilder p = new ProcessBuilder();
    p.command(folder);
    p.start();
}

However, even with user prompts and having to approve the download, when I tested it outside of the eclipse environment, my anti-virus picked it up right away.

It was detected as a "trojan.downloader". I'm thinking it has something to do with the download function? I'm not really trying to beat an anti-virus program. I'm not attempting to do anything illegitimate.

Perhaps some obfuscation would do the trick?

Recommended answer

The bytecode generated by your compiler matches some specific code pattern/signature the AV is looking for, meaning some malware they had found/reversed in the past had code similar to this that they could reliably find.

The best option would be to identify and rewrite whichever method is triggering the detection until it no longer matches whatever the AV is looking for. Obfuscation would not be a good idea for fixing this problem (though it can be done, if the obfuscator does control-flow obfuscation), as there's no guarantee it would produce bytecode different enough from the original (some obfuscators, like ProGuard, do not even do control-flow obfuscation).
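One point the answer does not cover, added here as an example that is not part of the question or the answer: the download-then-execute sequence in the question is exactly the behaviour a downloader trojan has, so a legitimate updater should at least restrict itself to HTTPS and verify the downloaded file's SHA-256 digest against a value shipped with the application before the file is ever handed to ProcessBuilder. The class name, the pinned digest and a Java 17 runtime are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Hypothetical updater: HTTPS download into a temp file, SHA-256 check, then move into place.
public final class VerifiedUpdater {
    private final byte[] expectedSha256;

    // expectedSha256Hex is shipped with the application, never fetched alongside the update.
    public VerifiedUpdater(String expectedSha256Hex) {
        this.expectedSha256 = HexFormat.of().parseHex(expectedSha256Hex);
    }

    public Path download(URI url, Path target) throws IOException, InterruptedException, NoSuchAlgorithmException {
        if (!"https".equalsIgnoreCase(url.getScheme())) {
            throw new IOException("refusing non-HTTPS update URL: " + url);
        }
        Path tmp = Files.createTempFile(target.toAbsolutePath().getParent(), "update-", ".part");
        try {
            HttpResponse<InputStream> resp = HttpClient.newHttpClient().send(
                    HttpRequest.newBuilder(url).GET().build(), HttpResponse.BodyHandlers.ofInputStream());
            if (resp.statusCode() != 200) {
                throw new IOException("unexpected HTTP status " + resp.statusCode());
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // DigestInputStream hashes every byte as Files.copy reads it.
            try (InputStream in = new DigestInputStream(resp.body(), sha256)) {
                Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            }
            // Constant-time comparison; a mismatch means a corrupted or tampered download.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                throw new IOException("SHA-256 mismatch for " + url + "; update discarded");
            }
            return Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }
}
```

Only the Path returned by download() should ever be passed to ProcessBuilder; a thrown exception means nothing verified was written to target.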
