Antivirus software flagging encryption code as malware
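My WPF .NET 4 application has several strikes against it from a malware-identification standpoint:
- It must run directly from a thumb drive
- It must allow the user to set device security tied to the host computer
- Once device security is set, there must never be a decrypted file on the device
- It must decrypt files to the host computer's temp directory
As it turns out, there is now "ransomware" out there that encrypts a user's files and then demands payment for the decryption key.
Kaspersky, in particular, flags the file encryption process as malware and very effectively kills the application. While encrypting, Kaspersky identifies malware, identified as PDM:Win32.Generic, and proceeds to detect, terminate and delete. A scan of an already-encrypted device comes back 100% clean - no problem.
Here is the file encrypt/decrypt code. It was adapted from a CodeProject file encryption article. Could there be something in this code that triggers suspicion with the AV software? I am only using pure .NET, no 3rd-party libraries: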
```csharp
using System.IO;
using System.Security.Cryptography;

// Both methods are members of a class that also defines the static
// byte[] field FileSalt (not shown in the post).

/// <summary>
/// Encrypt a file with a user-supplied password.
/// WARNING: File will be lost if password is forgotten.
/// </summary>
/// <param name="inputFile">
/// The name of the unencrypted file to encrypt.
/// </param>
/// <param name="encryptedFile">
/// The name of the newly encrypted file to create.
/// </param>
/// <param name="clearTextPassword"></param>
/// <param name="salt">
/// You can bypass this and use the predefined salt in this class
/// BUT IT IS NOT RECOMMENDED. Your code should provide an 8-byte
/// array for the salt.
/// </param>
public static void EncryptFile( string inputFile, string encryptedFile,
                                string clearTextPassword, byte[] salt = null )
{
    salt = salt ?? FileSalt;
    // Derive a 128-bit key from the password with PBKDF2.
    byte[] key = new Rfc2898DeriveBytes( clearTextPassword, salt ).GetBytes( 16 );

    using( FileStream fsCrypt = new FileStream( encryptedFile, FileMode.Create ) )
    using( RijndaelManaged rmCrypto = new RijndaelManaged() )
    {
        rmCrypto.Padding = PaddingMode.PKCS7;

        // The derived key is passed as both the key and the IV.
        using( CryptoStream cs = new CryptoStream( fsCrypt,
                   rmCrypto.CreateEncryptor( key, key ),
                   CryptoStreamMode.Write ) )
        using( FileStream fsIn = new FileStream( inputFile, FileMode.Open ) )
        {
            // Copy the plaintext through the encryptor one byte at a time.
            int data;
            while( ( data = fsIn.ReadByte() ) != -1 )
                cs.WriteByte( (byte)data );
        }
    }
}

/// <summary>
/// Decrypt a file with a user-supplied password.
/// </summary>
/// <param name="inputFile">
/// The name of the encrypted file to decrypt.
/// </param>
/// <param name="unencryptedFile">
/// The name of the unencrypted file to create.
/// </param>
/// <param name="clearTextPassword"></param>
/// <param name="salt">
/// You can bypass this and use the predefined salt in this class
/// BUT IT IS NOT RECOMMENDED. Your code should provide an 8-byte
/// array for the salt.
/// </param>
public static void DecryptFile( string inputFile, string unencryptedFile,
                                string clearTextPassword, byte[] salt = null )
{
    salt = salt ?? FileSalt;
    // Must derive the same key (and therefore the same IV) used to encrypt.
    byte[] key = new Rfc2898DeriveBytes( clearTextPassword, salt ).GetBytes( 16 );

    using( FileStream fsCrypt = new FileStream( inputFile, FileMode.Open ) )
    using( RijndaelManaged rmCrypto = new RijndaelManaged() )
    {
        rmCrypto.Padding = PaddingMode.PKCS7;

        using( CryptoStream cs = new CryptoStream( fsCrypt,
                   rmCrypto.CreateDecryptor( key, key ),
                   CryptoStreamMode.Read ) )
        using( FileStream fsOut = new FileStream( unencryptedFile, FileMode.Create ) )
        {
            // Copy the decrypted bytes to the output file one byte at a time.
            int data;
            while( ( data = cs.ReadByte() ) != -1 )
                fsOut.WriteByte( (byte)data );
        }
    }
}
```
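Please note that I'm not very interested in comments about my use of String vs. SecureString for the clear-text password, etc., unless that information helps solve the AV problem.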
Kaspersky has determined that this is a false positive, and they are correcting their software to handle it.
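An added example, not code from the original post or the CodeProject article: the posted routines pass the derived key as the IV and fall back to a class-wide salt, so this variant generates a random salt and IV per file and stores them in a file header. The class name, header layout, sizes and iteration count are assumptions; it adds no integrity check and is unrelated to the detection discussed above.

```csharp
using System.IO;
using System.Security.Cryptography;

public static class SaltedFileCrypto   // hypothetical class name
{
    const int SaltSize = 16, IvSize = 16;   // bytes; IV length equals the 128-bit block size
    const int Iterations = 100000;          // assumed PBKDF2 iteration count
    public static void EncryptFile( string inputFile, string encryptedFile, string password )
    {
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        using( var rng = new RNGCryptoServiceProvider() ) { rng.GetBytes( salt ); rng.GetBytes( iv ); }
        using( var kdf = new Rfc2898DeriveBytes( password, salt, Iterations ) )
        using( var alg = new RijndaelManaged { Padding = PaddingMode.PKCS7 } )
        using( var fsOut = new FileStream( encryptedFile, FileMode.Create ) )
        {
            // Assumed layout: salt || IV || ciphertext. Neither header value is secret.
            fsOut.Write( salt, 0, salt.Length );
            fsOut.Write( iv, 0, iv.Length );
            using( var enc = alg.CreateEncryptor( kdf.GetBytes( 16 ), iv ) )
            using( var cs = new CryptoStream( fsOut, enc, CryptoStreamMode.Write ) )
            using( var fsIn = new FileStream( inputFile, FileMode.Open, FileAccess.Read ) )
                fsIn.CopyTo( cs );   // disposing cs writes the final padded block
        }
    }
    public static void DecryptFile( string inputFile, string unencryptedFile, string password )
    {
        using( var fsIn = new FileStream( inputFile, FileMode.Open, FileAccess.Read ) )
        {
            byte[] salt = ReadHeader( fsIn, SaltSize ), iv = ReadHeader( fsIn, IvSize );
            using( var kdf = new Rfc2898DeriveBytes( password, salt, Iterations ) )
            using( var alg = new RijndaelManaged { Padding = PaddingMode.PKCS7 } )
            using( var dec = alg.CreateDecryptor( kdf.GetBytes( 16 ), iv ) )
            using( var cs = new CryptoStream( fsIn, dec, CryptoStreamMode.Read ) )
            using( var fsOut = new FileStream( unencryptedFile, FileMode.Create ) )
                cs.CopyTo( fsOut );
        }
    }
    // Stream.Read may return fewer bytes than requested, so loop until the field is full.
    static byte[] ReadHeader( Stream s, int count )
    {
        var buf = new byte[count];
        for( int off = 0; off < count; )
        {
            int n = s.Read( buf, off, count - off );
            if( n == 0 ) throw new EndOfStreamException( "Truncated header" );
            off += n;
        }
        return buf;
    }
}
```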