Misdetection of Virus in xPortal3000 Software

Problem (Issue) Statement:

Misdetection of Virus in xPortal3000 Software and How to Fix It.

Description:

This guide explains how to fix the misdetection (false-positive virus detection) of xPortal3000. The software cannot be executed when antivirus software is installed and running on the same machine.

Related Software:

xPortal3000 v3.0.0.28 or earlier

Related Hardware:

NIL

System Application:

Door Access System

Symptom and Finding:
  1. After installing the software, the user starts the xPortal3000 Server Configuration Manager service, but the service fails to run.
    Figure 1: Unable to Start xPortal3000 Service Error Message

  2. The following error message is shown.
    Figure 2: Unable to Open xPortal3000 Service Error Message

  3. When the xPortal3000 Server Configuration Manager service is executed, it is detected as a threat by the antivirus software and is instantly moved to Quarantine.
    Figure 3: xPortal3000 File Was Detected as A Threat

  4. The software is detected as a virus / malware.
    Figure 4: Antivirus Software Logged The xPortal3000 as Virus

  5. The user is then unable to log in to the xPortal3000 Client because the xPortal3000 Server Configuration Manager service failed to start.

Cause:

The software was detected as a Trojan because of the obfuscation implemented in the software.

Obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. It is a technique used to prevent tampering, deter reverse engineering, or even serve as a puzzle or recreational challenge for someone reading our source code. It is meant to discourage the reproduction of our software following detailed examination of its construction or composition, or of the encryption algorithms involved. This is a measure taken to safeguard the intellectual property of our code.

However, this is a common issue with every obfuscation tool. Some people misuse obfuscation tools to obfuscate their malware or Trojans. Because of slight similarities in signatures after obfuscation, legitimate obfuscated output is also detected as malware or a Trojan.

Solution:

Warning!

  • Users are advised not to run any xPortal software on the Windows XP operating system, as the system is unstable.

  • Users are also advised to stop the xPortal Services before shutting down the Server PC to prevent any missing transaction issues.

Summary:

Step-by-step Guide:

  • Re-install the latest xPortal3000 version:

This issue has been fixed in /wiki/spaces/SRN/pages/94307494 (11/10/2017). We have adjusted the obfuscation level of the software so that antivirus software does not identify it as a Trojan. However, we cannot guarantee that our application will not be flagged by antivirus software after its virus definitions are updated in the future. Please re-install the software using the fixed version or higher.

Info

We will include the virus scanning steps in an upcoming release.

  • Verify the code signing applied to the software to reduce false-positive detection by antivirus software:

Code signing is added so that Windows can recognize the xPortal software as a genuine product, and hence the antivirus will not detect our software as a threat.

This information can be obtained from the xPortal3000 installer: right-click xPortal3000 Server v3.0.0.33.exe > Properties > Digital Signatures. The same applies to the xPortal3000 Client.
Figure 5: Digital Signature

Code Signing Algorithm
sha1 – Windows XP SP2 or earlier.
sha256 – Windows 7 and higher.

The installer must be dual-signed (sha1 and sha256) if you are running the software on Windows 7 or above.


The user can see that the installer is copyrighted to MicroEngine Technology Sdn Bhd by right-clicking xPortal3000 Server v3.0.0.33.exe > Properties > Details. The same applies to the xPortal3000 Client.

Figure 6: Copyright Name
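
The same check can be scripted in PowerShell. This is an added example, not MicroEngine's own script: it reads the Authenticode status, signer and copyright string of the installer so that a flagged file is only treated as a false positive when its signature is valid. The installer path and the expectation that the signer subject contains the copyright holder's name are assumptions to adjust.

```powershell
# Added example. The installer path and the expected publisher string are
# assumptions: adjust them to the files you actually downloaded.
param(
    [string[]]$Path = @('.\xPortal3000 Server v3.0.0.33.exe'),
    [string]$ExpectedPublisher = 'MicroEngine Technology Sdn Bhd'
)

function Test-InstallerSignature {
    param([string]$File, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        return [pscustomobject]@{ File = $File; Status = 'FileNotFound'; Trusted = $false }
    }

    # Status is 'Valid' only if the file hash matches the signature and the
    # certificate chains to a trusted root. 'HashMismatch' means the file was
    # changed after signing; 'NotSigned' means there is no signature at all.
    $sig    = Get-AuthenticodeSignature -LiteralPath $File
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $info   = (Get-Item -LiteralPath $File).VersionInfo

    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status
        Signer      = $signer
        Timestamped = [bool]$sig.TimeStamperCertificate
        Copyright   = $info.LegalCopyright   # same value as Properties > Details
        # Trust only when the signature is valid AND the signer is the expected publisher.
        Trusted     = ($sig.Status -eq 'Valid') -and ($signer -like "*$Publisher*")
    }
}

$results = foreach ($p in $Path) {
    Test-InstallerSignature -File $p -Publisher $ExpectedPublisher
}
$results | Format-List

# Non-zero exit code if any file failed, so the check can gate an install script.
if ($results | Where-Object { -not $_.Trusted }) { exit 1 }
```

Get-AuthenticodeSignature returns one signature object per file, so the Digital Signatures tab remains the place to confirm that both the sha1 and sha256 entries are present.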

Date Documentation:

04/07/2018 (Rev 1.0)

© MicroEngine Technology Sdn Bhd (535550-U). All rights reserved.