I once got my own program falsely detected as virus while developing it. It was such a bizarre experience: you press "Run" in the Visual Studio, it apparently builds successfully but then it can't run because the executable does not exist. Huh?

Anyhow, it turned out that apparently my hand-coded base64-decoder was sufficiently similar to a base64-decoder used in some trojan out there (which was apparently built with the same version of MSVC): removing/sufficiently rewriting my decode_base64 function made the detection go away reliably. So yeah, I believe now that those virus signatures are quite arbitrary in nature.

> just because it happened to see a pattern of bytes in the binary

It’s bizarre. I built an app and it was flagged by numerous AVs, and many of them had a “submit false positive” thing which eventually removed them. There’s no way that involved manual review so I assume bad actors can do the same.

Apparently these misclassifications are extremely common, and affect certain devs more than others. For instance, I had a Go binary which was flagged for a certain Trojan/worm and it was apparently common with other Go projects on GitHub.

Without any knowledge of what they're really doing: automated sandbox analysis is a common tool. They could also be doing reputation analysis of the submitter.

I hate it.

My little hobby projects that I write end up getting flagged by all these ML AV systems and I don't seem to have any recourse against it as a developer.

It causes issues and general confusion by my albeit small communiy of users.

Such systems are even more useless than hash/pattern matching scanners. I've had CrowdStrike on my machines before and it would've had no qualms with me exposing root-level access over an RPC interface.

Now do sketchy things on that interface and see how long it takes for your SOC to reach out to you.

It would have no qualms but it would send the information to your security team and they might.

That'd be great if hardware vendors didn't use dirty hacks to control their devices. One of my laptops fan control software still requires an open source kernel driver that someone else once used to setup a bootkit in EFI, so now I have to run with vulnerable driver blocklist off forever.

I'm yet to try a ML based security solution (antivirus, cloud security scanner, etc...) that isn't a false positive machine gun.

That's pure marketing fluff, just like the difference between antivirus and EDR.

Heuristic detection has been a thing for literally decades, and cloud-based antivirus which uses aggregate detection has been around for almost as long. It's notable that NIST does not seem to distinguish between these and just lumps them under endpoint protection.

Windows Defender classifies some of our in house tools as viruses, because we built it into a single file exe using Nuitka.