Question

I am appending my installer name with the version number, as in "progname_setup_1.1.5678.9101.exe". I like it because it makes it easy for me to track and for the user to identify it from prior downloads. This is an Inno Setup build of .NET. And it is signed (if that matters).

That means the file name will change with each update. Will this practice increase the chances of false positive flags by antivirus software? If I kept the same file name (e.g., progname_setup.exe), perhaps the file would get a chance to build a reputation, even though version numbers would change inside. Or maybe antivirus doesn't work like that at all.

So, what is the best approach for file naming regarding antivirus: progname_setup_1.1.5678.9101.exe, progname_setup.exe, or it doesn't matter?

Solution

I really can't speak for "all" antivirus engines, but the good ones really don't use the file name as an indicator of anything because it's just too unreliable. Think about it: if an AV definition file said, "FOO.EXE == Malicious Virus", all the malware writer would have to do is constantly change the file name.

AV engines, at least the good ones, work by looking for bit patterns inside the body of the file, usually specific bit patterns that can exist anywhere in the file. Now, you don't have to take my word for it: check out the ClamAV signature database docs and you will see that "file name" or any other file metadata (like size, perms, etc.) are not even something you can specify in a signature.

https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

You can also run your samples via scanii's web scanning tool, https://scanii.com/free-virus-scan/, if you would like to be certain that they should not trigger a false positive. Disclaimer: scanii is my pet project.
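The body-pattern matching described in the answer above, as an added example that is not part of the original answer and is not ClamAV's own code. The signature line is modelled on ClamAV's `Name:TargetType:Offset:HexSignature` layout, reduced to a subset (hex bytes, `??`, `*`, offset `*`); the signature name and both file bodies are constructed for the demonstration.

```python
import re

# Constructed signature: bytes "DEMO", any one byte, "MARK", any gap, "END".
SIGNATURES = ["Constructed.Demo.Marker:0:*:44454d4f??4d41524b*454e44"]

# Constructed file bodies (not real installers).
FLAGGED_BODY = b"MZ\x90\x00" + b"DEMO-MARK" + b"\x00" * 8 + b"END"
CLEAN_BODY = b"MZ\x90\x00" + b"ordinary installer payload"

def compile_hex_signature(hex_sig):
    """Turn a hex body signature into a bytes regex.
    Subset handled: hex byte pairs, '??' (any one byte), '*' (any run of bytes)."""
    parts = []
    for chunk in hex_sig.split("*"):
        if len(chunk) % 2:
            raise ValueError("odd number of hex digits in signature")
        tokens = [chunk[i:i + 2] for i in range(0, len(chunk), 2)]
        parts.append(b"".join(
            b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens))
    return re.compile(b".*?".join(parts), re.DOTALL)

def load_signatures(lines):
    """Parse signature lines; only Offset '*' (match anywhere) is supported here."""
    sigs = []
    for line in lines:
        name, _target, offset, hex_sig = line.strip().split(":")[:4]
        if offset != "*":
            raise ValueError("only offset '*' is supported in this sketch")
        sigs.append((name, compile_hex_signature(hex_sig)))
    return sigs

def scan(file_name, body, sigs):
    """Return matching signature names. file_name is accepted but never consulted:
    the signature format has no field that could refer to it."""
    return [name for name, pattern in sigs if pattern.search(body)]

def demo():
    """Same body under two names gives the same verdict; a clean body stays clean."""
    sigs = load_signatures(SIGNATURES)
    cases = [("progname_setup.exe", FLAGGED_BODY),
             ("progname_setup_1.1.5678.9101.exe", FLAGGED_BODY),
             ("FOO.EXE", CLEAN_BODY)]
    return {name: scan(name, body, sigs) for name, body in cases}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no match'}")
```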

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow