Jump to content

C++ code "generates" VHO:Trojan.Win32.Convagent.gen


Go to solution Solved by Gene15644,

Recommended Posts

Posted

Good Day:

VS 2022  ver 17.4.3

Win 10 - 10.0.19044 Build 19044

 

If I compile this, no problem.....
 

#include <iostream>
#include <complex.h>

using std::cout;
using std::cin;
using std::endl;

 double add(double x, double y) {

    return (x + y);

}

int main()

{

    int total = add(3, 4);

    cout << "3 + 4 is " << total << endl;


    double another = add(1.2, 3.4);

    cout << endl;
    cout << "1.2 and 3.4 is " << another << endl;

   cout << "Hello World!\n";
}



If I compile this, having added four lines   I get a complaint of VHO:Trojan.Win32.Convagent.gen

//

#include <iostream>
#include <complex.h>

using std::cout;
using std::cin;
using std::endl;

 double add(double x, double y) {

    return (x + y);

}

 double add( double x, double y, double z) {

        return add(add(x,y),z);

  }


int main()

{

    int total = add(3, 4);

    cout << "3 + 4 is " << total << endl;


    double another = add(1.2, 3.4);

    cout << endl;
    cout << "1.2 and 3.4 is " << another << endl;

   cout << "Hello World!\n";
}

 

}

 double add( double x, double y, double z) {

        return add(add(x,y),z);

  }


int main()

{

    int total = add(3, 4);

    cout << "3 + 4 is " << total << endl;


    double another = add(1.2, 3.4);

    cout << endl;
    cout << "1.2 and 3.4 is " << another << endl;

   cout << "Hello World!\n";
}

 

I don't see this code snippet changing the code to resemble a trojan.  

double add( double x, double y, double z) {

        return add(add(x,y),z);

  }

This is an obvious false positive, at least that is my take on it.


There was a previous post regarding Convagent.gen but if after a year and a half of this reappearing....  what do I conclude?  Kaspersky is still having problems with this code.

Any thoughts?  Any way to change the settings on either the development environment or Kaspersky?


Of course there are solutions, but they are cumbersome...

1. Install a Windows VM without Kaspersky
2. Remove Kaspersky from this machine.
3. Configure Kaspersky to create a sandbox.
4. Kaspersky can fix their ware.
5. Make changes to the VS 2022 so that it does not generate "Trojans".

Option 3 seems best, followed by Option 5.


 

Posted

Hi, Berny,

I agree with your evaluation.    I would have followed this course except that there is at least one other post on this forum regarding VHO:Trojan.Win32.Convagent.gen.    This happened almost a year and a half ago.

Almost precisely the same origin - someone was writing C code.  In my case,  C++, given how most compilers roll it's "potato/potatoe".

So this kind of error is "known" to Kaspersky.   A known flaw that is over a year and a half old.

They have not been able to discriminate between the product of a C++ compiler and a genuine Trojan?


Do I need to take this approach each time that my compiler generates a false positive?    What is the time required for resolution, so that Kaspersky doesn't "see" this particular flaw?   So for this particular addition of code...
 

double add( double x, double y, double z) {

        return add(add(x,y),z);

  }

Do  I need to undergo this process while I relearn C++?   I don't have the bandwidth to babysit my Malware checker and learn a language. 

You are probably aware of the process that happens when a "trojan" is found.

1. EVERYTHING stops while Kaspersky looks for collateral damage.   That's about twenty minutes.
2.The device restarts.
3. Microsoft gets into the act to clean up damage.  Reboot.

We're talking twenty minutes of lost time because I called a function by reference?

Can't I create a sandbox?

I have alternatives.   I can remove Kaspersky from this system.   I'd rather not do that.   Another is to get a beefier machine, install the compiler into a VM.   That's tedious too.

Isn't there a way to adjust Kaspersky to allow for these exceptions?

Posted

One other thing - Trojan writers can now take advantage of this known flaw to spoof Kaspersky users.

Anyone who develops C or C++ on a system will blow off Trojan "warnings" because "Hey, that's my Kaspersky".

This is known as  a false positive vulnerability.    People do not take the product seriously and ignore problems.

Worse, they drop Kaspersky.  The outfit loses marketshare.

Posted

@Gene15644

Please see Kaspersky Threats → Trojan.Win32.Convagent

Only Kaspersky Virus Lab can confirm or deny a FP.
Your best option is to submit a request to Kaspersky Technical Support, the link is available at the top of this Webpage.

  • Solution
Posted
4 hours ago, Berny said:

@Gene15644

Please see Kaspersky Threats → Trojan.Win32.Convagent

Only Kaspersky Virus Lab can confirm or deny a FP.
Your best option is to submit a request to Kaspersky Technical Support, the link is available at the top of this Webpage.


Here's my concern....

I do not want to have to request a waiver/exception/"this is OK" for every unique version of code that I compile.

Imagine if each time that I change four lines of code and Kaspersky "sees" a nuisance problem, that it binds up a system, then forces a reboot.

If Kaspersky has their process, then I will need to adopt my process - a machine without Kaspersky, a VM or some other work around.

I will continue to use Kaspersky for 'routine' malware checks.   I've had very few "pass throughs" over the years.   Works well...  in this case, too well.
 

  • Like 1
Posted

Subsequent actions....

I will retain Kaspersky on other systems that I have here.   

I would counsel Kaspersky to consider a "sandbox" option or "chain of custody" of compilation feature for popular development tools.

1. The virus checker enforces a discipline onto installed software but exclude programs that are freshly compiled.  The ware should ask the user if this is required....
2. That the virus check examines code that tries to alter other exe files,  tries to invoke system calls and other more sophisticated functions.

Alternately an "extension" similar to those for Web Browsers, that applies to popular development tools.  

This extension would monitor compiling and linking to generation of an *.exe file.  Thus verifying a good process, the Heuristic could be applied and seamlessly report deviations back to Kaspersky.

This service would seamlessly help Kaspersky refine their Heuristics while improving the quality of compiled code.  This might be a premium feature that Kaspersky could offer only to interested customers?   I would gladly pay for such a feature.

I do not know what would be required to implement any of requests.    I do see opportunities for Kaspersky to gain market share into the developer community by offering these services.

  • Like 2
Posted (edited)

@Gene15644  I have VB6 on my pc and when i compile a vb project in exe Kaspersky blocks vb, i need insert vb in trusted application, so vb can compile without problem.

Default, Kaspersky places VB6 in low restricted.

Every vb just compiled in exe, Kaspersky place them in low restricted because Kaspersky says that they have a very few people, i place them in trusted with not problems. 

I like so because i feel more protected.

 

Edited by Gionatan

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...