How do I automate submission to "malware analysis"?

David M. Cotter 1 Reputation point
2020-08-19T03:48:01.343+00:00

I make release builds sometimes weekly.

I just got an EV code signing cert (USB key) and want to ensure that my freshly-minted key isn't flagged as signing bad files, so I want the files I sign with it to be able to pass muster with Defender. (All this came about because I use a particular e-commerce library, and it or one of its dependencies ALWAYS flags a false positive.) (Please don't be distracted attempting to analyze that; the question still stands regardless of whether THAT particular problem is solved.)

To ensure Defender won't balk, I just have to submit the exe to the malware analysis web site and wait for the all-clear, right? But ... that takes days to get back to me? Well, that's a question for another time, but meanwhile: how can I AUTOMATE the uploading of my zipped app bundle? My entire build is automated, except for this part. How is it done?

For extra credit: can I use webhooks or IFTTT or something to get a notification when said file passes inspection?

Windows 10 Security

4 answers

  1. David M. Cotter 1 Reputation point
    2020-08-19T03:49:42.027+00:00

    Alternatively, is it possible to somehow analyze ONE build of my app, and have that somehow whitelist every build of my app, assuming it uses the same components?


  2. Carl Fan 241 Reputation points
    2020-08-19T08:34:15.687+00:00

    Hi David,
    As far as I know, I'm afraid that it's hard to do at the system level (neither detecting a specific same component nor submitting the file automatically). Microsoft uses the reputation of digital certificates to help determine the reputation of files signed by them.
    Extended validation (EV) code signing requires a more comprehensive identity verification and authentication process for each developer, and also requires the use of hardware to sign applications. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP.
    As you said, submit your file to the malware analysis web site. The official way of submitting is described here. You could check the state after submitting.
    Submit files for analysis
    https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
    So I suggest that you contact Microsoft Windows Defender team support.
    You could try contacting Microsoft Support in your country:
    https://support.microsoft.com/en-us/worldwide
    Best Regards,
    Carl

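The answer above leans on two things happening before the portal submission: the artifact really carries the EV signature, and the local Defender engine (with current definitions and PUA detection on) does not already flag it. The script below is an added example, not code from the original thread or from Microsoft; it does not upload anything to the submission portal, because the thread documents no API for that step. It is the local gate a build pipeline can run right after signtool and before a human (or a later step) submits the file. Everything in it uses stock Windows 10 PowerShell and Defender cmdlets; the artifact path and the certificate thumbprint are placeholders, and it assumes an elevated session on a machine with built-in Defender.

```powershell
# Added example, not from the original thread. It does NOT upload anything to the
# Microsoft submission portal (the thread documents no API for that); it is the
# local gate to run before submitting. Assumptions: Windows 10 with built-in
# Defender, elevated PowerShell, and the two placeholder parameters below.
param(
    [string]$Artifact = 'C:\build\out\MyApp.exe',                              # placeholder: signed release file
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder: your EV cert thumbprint
)
$ErrorActionPreference = 'Stop'

# 1. Prove the file carries the EV signature you expect. Status must be Valid
#    (chain builds, hash matches) and the signer must be the EV cert, not a
#    leftover test certificate from the build box.
$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: status is '$($sig.Status)' ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
}
# A countersignature timestamp keeps the signature valid after the cert expires.
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature is not timestamped; re-sign with a timestamp server (signtool /tr ...)'
}

# 2. The flags discussed in the thread are PUA detections. Defender only raises
#    them when PUA protection is on, so warn if a clean scan would mean nothing.
$pref = Get-MpPreference
if ([int]$pref.PUAProtection -eq 0) {
    Write-Warning 'PUAProtection is disabled on this machine; a clean scan here says nothing about PUA flags.'
}

# 3. Pull current definitions, then scan only the artifact (CustomScan accepts a file path).
Update-MpSignature
$scanStart = Get-Date
Start-MpScan -ScanType CustomScan -ScanPath $Artifact

# 4. Any detection logged since the scan started that names this file fails the gate.
$leaf = Split-Path -Path $Artifact -Leaf
$hits = Get-MpThreatDetection | Where-Object {
    $_.InitialDetectionTime -ge $scanStart -and (($_.Resources -join ' ') -like "*$leaf*")
}
if ($hits) {
    foreach ($h in $hits) {
        $threat = Get-MpThreat | Where-Object { $_.ThreatID -eq $h.ThreatID }
        Write-Output ('FLAGGED: {0} (ThreatID {1})' -f ($threat.ThreatName -join ','), $h.ThreatID)
    }
    exit 1
}

# 5. Record the SHA-256 with the build so the exact bytes later submitted can be matched
#    against the build log, whichever way the submission itself is done.
$hash = (Get-FileHash -Algorithm SHA256 -Path $Artifact).Hash
Write-Output "CLEAN: $leaf sha256=$hash signer=$($sig.SignerCertificate.Subject)"
exit 0
```

Run it as the last step of the signing job; a non-zero exit stops the release before anything is submitted or shipped. Two caveats: a clean result only reflects the definitions on the build machine at scan time, so the gate is a filter, not a guarantee; and a detection here does not fix the OP's real problem, it just surfaces it before the EV certificate's reputation is attached to a flagged file.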

  3. David M. Cotter 1 Reputation point
    2020-08-19T15:42:35.76+00:00

    I'm not convinced you understood my question.

    I'm not asking how to detect a problem. I'm asking how to, via script, take my app, the one I wrote and already code-signed, and cause it to be automatically uploaded to MS's "Submit a file for malware analysis" web site, to ensure it is removed from being flagged as PUA, and cause the Defender definitions to be updated to reflect that fact, so that when an end user updates their definitions, my app won't be flagged.

    I know how EV certs work; as I said, I have one.

    Seems like you didn't know this: the official docs from MS say that even with an EV cert, if your app is flagged as PUA, your cert's reputation WILL be downgraded and possibly destroyed.

    In the end you say "submit my file to the malware analysis web site", which confirms that you didn't understand that that is EXACTLY what I want to do, but I want to do it via script, and not by hand.


  4. David M. Cotter 1 Reputation point
    2020-08-21T05:55:38.357+00:00

    Does anyone have any idea about this?