Description
A very basic attempt produced a serious virus error about password stealing. Windows Defender.
See bottom of log, occurred through packer. proj is very simple (and not in any way an end product):
Without packer this does not happen. Makes me quite unhappy.
Threat detected: PWS:MSIL/CryptInjector!MTB
Alert level: Severe
Category: Password Stealer
Details: This program is dangerous and captures user passwords.
<project outputDir="Desktop\output" baseDir="Repos\SST2\x64\Release" xmlns="http://confuser.codeplex.com">
  <packer id="compressor" />
  <module path="SST_Gis.exe">
    <rule pattern="true" inherit="false" />
  </module>
</project>
[INFO] ConfuserEx v1.0.0-38-g7889971 Copyright (C) Ki 2014
[INFO] Running on Microsoft Windows NT 6.2.9200.0, .NET Framework v4.0.30319.42000, 64 bits
[DEBUG] Discovering plugins...
[INFO] Discovered 11 protections, 1 packers.
[DEBUG] Resolving component dependency...
[INFO] Loading input modules...
[INFO] Loading 'SST_Gis.exe'...
[INFO] Initializing...
[DEBUG] Building pipeline...
[DEBUG] Executing 'Type scanner' phase...
[INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Watermarking...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] 1] Import
[DEBUG] 0] Create
[DEBUG] 1] Create
[DEBUG] 2] Create
[DEBUG] 3] Create
[DEBUG] 4] Create
[DEBUG] 5] Create
[DEBUG] 6] Create
[DEBUG] 7] Create
[DEBUG] 8] Create
[DEBUG] 9] Create
[DEBUG] 10] Create
[DEBUG] 11] Create
[DEBUG] 12] Create
[DEBUG] 13] Create
[DEBUG] 14] Create
[DEBUG] 15] Create
[DEBUG] 16] Create
[DEBUG] 17] Create
[DEBUG] 18] Create
[DEBUG] 19] Create
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[DEBUG] WinForms found, enabling compatibility.
[INFO] Processing module 'SST_Gis.exe'...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Packer info extraction' phase...
[INFO] Writing module 'koi'...
[INFO] Finalizing...
[INFO] Packing...
[DEBUG] Encrypting modules...
[INFO] Protecting packer stub...
[DEBUG] Discovering plugins...
[INFO] Discovered 12 protections, 1 packers.
[DEBUG] Resolving component dependency...
[INFO] Loading input modules...
[INFO] Loading 'SST_Gis.exe'...
[INFO] Initializing...
[DEBUG] Building pipeline...
[DEBUG] Executing 'Type scanner' phase...
[DEBUG] Executing 'Module injection' phase...
[INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Watermarking...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] 1] Import
[DEBUG] 0] Create
[DEBUG] 1] Create
[DEBUG] 2] Create
[DEBUG] 3] Create
[DEBUG] 4] Create
[DEBUG] 5] Create
[DEBUG] 6] Create
[DEBUG] 7] Create
[DEBUG] 8] Create
[DEBUG] 9] Create
[DEBUG] 10] Create
[DEBUG] 11] Create
[DEBUG] 12] Create
[DEBUG] 13] Create
[DEBUG] 14] Create
[DEBUG] 15] Create
[DEBUG] 16] Create
[DEBUG] 17] Create
[DEBUG] 18] Create
[DEBUG] 19] Create
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[INFO] Processing module 'SST_Gis.exe'...
[DEBUG] Executing 'Packer info encoding' phase...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Packer info extraction' phase...
[INFO] Writing module 'SST_Gis.exe'...
[INFO] Finalizing...
[DEBUG] Saving to 'F:\TEMP\yqhrl5pa.suw\s0qfxbzj.lsy\SST_Gis.exe'...
[DEBUG] Executing 'Export symbol map' phase...
[INFO] Finish protecting packer stub.
[ERROR] An IO error occurred, check if all input/output locations are readable/writable.
Exception: System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
at Confuser.Core.Packer.ProtectStub(ConfuserContext context, String fileName, Byte[] module, StrongNameKey snKey, Protection prot) in C:\projects\neo-confuserex\Confuser.Core\Packer.cs:line 86
at Confuser.Protections.Compressor.Pack(ConfuserContext context, ProtectionParameters parameters) in C:\projects\neo-confuserex\Confuser.Protections\Compress\Compressor.cs:line 91
at Confuser.Core.ConfuserEngine.Pack(ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 427
at Confuser.Core.ProtectionPipeline.ExecuteStage(PipelineStage stage, Action1 func, Func1 targets, ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ProtectionPipeline.cs:line 135
at Confuser.Core.ConfuserEngine.RunPipeline(ProtectionPipeline pipeline, ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 256
at Confuser.Core.ConfuserEngine.RunInternal(ConfuserParameters parameters, CancellationToken token) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 175
Failed at 20:55, 0:03 elapsed.