I'm currently working with FASM to compile Windows executables. However, I have noticed that there is a high rate of AV false positives, which I'm trying to understand and resolve.

My approach is to create a minimal executable and try to "fix" the format until AVs do not flag it. The goal is to understand what triggers the AVs' suspicion.
```asm
format PE GUI 4.0              ; 32-bit PE, GUI subsystem
entry start
include 'win32ax.inc'          ; FASM Win32 macros: invoke, library, import

section '.text' code readable executable
start:
        invoke  MessageBoxA, 0, Message, Title, 0
        invoke  ExitProcess, 0

section '.data' data readable writeable
        maybe_there_should_be_a_rw_section_too dd ?    ; uninitialised dword, keeps a RW section in the image

section '.rdata' data readable
        Title   db 'Test', 0
        Message db 'Hello, World!', 0

section '.idata' import data readable writeable
        library \
                ntdll,    'ntdll.dll', \               ; listed, but nothing is imported from it below
                kernel32, 'kernel32.dll', \
                user32,   'user32.dll'

        import  kernel32, \
                ExitProcess, 'ExitProcess'

        import  user32, \
                MessageBoxA, 'MessageBoxA'
```
This code is the minimal executable. I've tried the following approaches to make it seem more "normal" to AV:

- Add a .rsrc section with VersionInfo and a manifest
- Add some additional imports (maybe too few imports seem suspicious?)

So far, this has not lowered the false positive rate.
This is what triggered even more false positives on VirusTotal:

- Adding 1 KB of repeating `mov eax, 0` opcodes to the code section
- Adding RT_RCDATA with 1 KB of data
- Adding 1 KB of data to the .data or .rdata sections
Question: Are there any recommendations or good practices to avoid false positives without using digital signatures? Especially when adding more code or data to the assembly, many AVs flag the executable, which would definitely lead to complaints.
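One way to see what a static scanner sees in a binary like the one above is to look at the per-section features it scores, such as Shannon entropy and the section characteristic flags. The script below is an added example, not code from the question; it parses the PE section table with the standard library only and reports which sections consist of near-constant filler (the 1 KB of repeated `mov eax, 0` encodes as `B8 00 00 00 00` repeated, and zeroed `.data` is all `00` bytes) or are both writable and executable. Because it has to run offline, it also builds a constructed, non-loadable PE-shaped blob (`build_sample_pe`, with headers just complete enough for the parser) rather than reading a real executable; the section contents and the entropy thresholds are constructed for illustration, not the rules of any particular AV engine.

```python
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform filler, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the section table of a PE image and return one dict per section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        chars, = struct.unpack_from("<I", pe, hdr + 36)               # Characteristics
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
            "code": bool(chars & IMAGE_SCN_CNT_CODE),
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage_notes(sections):
    """Plain-language observations a static scanner could make; thresholds are illustrative."""
    notes = []
    for s in sections:
        if s["raw_size"] and s["entropy"] < 1.0:
            notes.append(f'{s["name"]}: near-constant filler (entropy {s["entropy"]})')
        if s["exec"] and s["write"]:
            notes.append(f'{s["name"]}: writable and executable')
        if s["code"] and s["entropy"] > 7.5:
            notes.append(f'{s["name"]}: code section looks packed or encrypted')
    return notes


def build_sample_pe(sections):
    """Constructed PE-shaped blob for exercising the parser; it is not a loadable program."""
    opt_size, file_align = 224, 0x200
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    headers_end = (headers_end + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    table, body, raw_ptr = b"", b"", headers_end
    for name, data, chars in sections:
        raw = data + b"\0" * (-len(data) % file_align)       # pad to FileAlignment
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (headers_end - len(image))
    return bytes(image + body)


# Constructed inputs mirroring the question: a stand-in for ordinary code (64 distinct
# byte values, entropy 6.0), 1 KB of repeated `mov eax, 0` (B8 00 00 00 00), and 1 KB of zeroed .data.
SAMPLE_PE = build_sample_pe([
    (".text", bytes(i % 64 for i in range(1024)),
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".pad", (b"\xb8\0\0\0\0" * 205)[:1024],
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", bytes(1024), IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for line in triage_notes(parse_sections(SAMPLE_PE)):
        print(line)
```

Running it against `SAMPLE_PE` reports only the two filler sections; on a real file, replace `SAMPLE_PE` with `open(path, "rb").read()`. The point of the exercise is diagnostic: comparing the section report of the build that gets flagged with the one that does not shows which measurable property changed, which is more useful than guessing.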