Reputation: 71
I created/updated an installation application with C#, which installs files into the AppData/Roaming folders of the user. This installer loads and reads an XML file from a server, then copies files from this server to the local computer via the HTTP protocol.
Since the latest modification, which was just minimal (only the address of the server where the XML and the files to copy are located has been changed / it's just a string constant), several virus scanners report different trojans when a user tries to download the executable installer. The URL inside the installer points to a recently registered .de domain which is surely not listed on any blacklist or something like this.
And of course, the development environment is clean and the executable installer is NOT infected at all. These warnings from scanners, such as "Windows Defender", "Kaspersky" etc., only occur during the download process; some other scanners report nothing but a clean file anyway. After the executable is stored in quarantine by these scanners and re-scanned, none of them finds any trojan or virus in this file either.
How can I avoid this false message? Does anyone have an idea?
Upvotes: 1
Views: 2967
Reputation: 71
In the meantime, I figured out that the type of the trojan which is found by virustotal.com depends on the content of AssemblyInfo.cs, especially on [assembly: Guid("...")]. As soon as I vary this string, different trojans with different names are found.
I also tried to remove some functions, especially those which use any file accesses, directory searches etc., but this has no effect at all.
The code also contains a hard-wired domain name, which is "http://". When I change this to "https://", fewer scanners detect malware code.
And of course, I scanned my system with several antivirus apps, none of them reported anything.
Upvotes: 2