Question about Virus False Positive - Feedback Shared

[packetdog]

Hello,

It seems like SentinelOne started to detect this as a false positive, and I just wanted to provide the feedback to the team. It seems that it doesn't like certain things about the binary and/or how it's structured. I also saw on VirusTotal that it doesn't seem to like a lack of signature (here: https://www.virustotal.com/gui/file/dc79e3abebd128d7f44fa8f03a4e660b5f60b011f7bcf374b35c18a741f5818a/details) and/or some behaviors (here: https://www.virustotal.com/gui/file/dc79e3abebd128d7f44fa8f03a4e660b5f60b011f7bcf374b35c18a741f5818a/behavior).

I wanted to share the output, just to see if there were any changes that could be made to take it down a few notches in future releases and hopefully avoid the false positive ding. I don't expect you to be able to solve AV false positives, it's a losing battle with open source software.

Thanks,
-pd

[ge0rdi]

Hello and thank you for sharing the info.

Few comments regarding SentinelOne analysis of our installer:

This binary contains abnormal section names which could be an indication that it was created with non-standard development tools

The binary is compiled using standard Visual Studio 2022. See the project.

The only abnormal section name I can see is .fptable which seems to contain some table of API resolved by MS runtime. I don't remember seeing this before, most likely it was added in some recent VS2022 version. In any case this is what compiler generates and we can hardly affect it.

SentinelOne should update its heuristics about what is abnormal section name and what is not.

The majority of sections in this PE have high entropy, a sign of obfuscation or packing
This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)

Indeed, the installer binary contains MSI installation packages that contain compressed data. I'd say this is pretty common things among installers. The point of installer is simply to extract and install some files (and other stuff).

There is one rather non-standard thing. We have one installer binary for all platforms (x86, x64 (and ARM64 soon)) and x64 MSI package contains also a lot of files that are present in x86 package. Thus we are storing just part of x64 MSI package (like a half of it) to significantly reduce installer size. Then before actual installation we recreate the package using x86 one and this diff.

In any case there is nothing malicious about that.
And I doubt we'd like to change this (and make installer much bigger).

This binary imports functions used to raise kernel exceptions

Will be great to know what functions they mean exactly.
Perhaps they mean RaiseException function. That one is used by MS runtime (as most of other imports) and we can't do anything about that (and there is also nothing malicious/suspicious about that).

This binary imports debugger functions

Again, it is not clear what functions they mean.
Maybe IsDebuggerPresent / OutputDebugStringW that are again used by MS runtime (and not by our code directly).

To me it looks like their threat indicators use some overzealous heuristics (AI as many like to call it) that simply flags half of perfectly normal benign executables.
There is hardly anything anyone could do to fight this ...