
Ruby project packed with Ocra is generating false positives on virus scanners. #175

Open
atomicpickle opened this issue Jul 15, 2021 · 4 comments

Comments

@atomicpickle

I have tried using both compressed with lzma and uncompressed exes for my ruby game. Either way, it is generating false positives in some virus scanners, including Windows Defender. See this virus total result for my game here: https://www.virustotal.com/gui/file/a8a896ed6a01277abde4f57cc89196c99b2ffd1588f6b3cb30fa2f6e4f83c7eb/detection

No idea why this is happening. Can't seem to fix this issue. Do I need to abandon Ocra and use another packer? What's going on here?

@EwaRvr

EwaRvr commented Jul 16, 2021

Check the history of closed issues. Specifically #115. This is a recurring issue.
We deal with it from time to time. Sometimes adding a newline or some extra comments in your code, and then packing it again helps. Or breaking up the code in different files. But it is trial and error.
If that doesn't work for you, yes, try another packer.

@atomicpickle

Check the history of closed issues. Specifically #115. This is a recurring issue.
We deal with it from time to time. Sometimes adding a newline or some extra comments in your code, and then packing it again helps. Or breaking up the code in different files. But it is trial and error.
If that doesn't work for you, yes, try another packer.

There is another issue: it appears exes are coming out unsigned as well now, and Windows doesn't really like that. This didn't start happening until recently.

@jpschafer

jpschafer commented Feb 10, 2022

I just experienced this on Windows 10 with Windows Defender on security intelligence version 1.357.375.0. It is being marked as Trojan:Win32/Wacatac.B!ml, which is considered a SEVERE threat by Windows.

I have submitted my executable to Microsoft (it's just for a school project) to hopefully see if an analyst there will review it and fix it on their end. I'm not totally sure what is causing it to be flagged. I will report back here with the results. So far the automatic scanner on the cloud reported it as a Trojan:Win32/Sabsik.FL.B!ml, but strangely enough the client version isn't reporting any false positives on their server, which is using the same version of the definition (security intelligence) file.

I submitted it here, if anyone is curious and wants to submit theirs for analysis; you can set an expiry date so the executable doesn't sit on their servers forever:

https://www.microsoft.com/en-us/wdsi/filesubmission

@jpschafer

jpschafer commented Feb 17, 2022

So it appears I received a response back from Microsoft and they removed the false positive. After updating Windows Defender, this problem seems to have finally stopped cropping up, even with modifications to my application.

For anyone who is still experiencing this problem with other virus scanners, I recommend submitting an example application built with OCRA to that virus scanner's false-positive submission program, if they have one.

This may not permanently resolve the problem. I am not entirely sure what heuristics are used that seem to consistently cause the false positives to occur, but it is a step in the right direction.
