Microsoft offers to download this release in their official site, then let’s go there and download iso images. Installing of new [...]]]> Microsoft has released developers edition of the Windows 8 that is planned to release someday in 2012, and we, as software protection vendors, have to be sure our products are working correctly there too.

Microsoft offers to download this release in their official site, then let’s go there and download iso images. Installing of new version is not taking too much time, that’s is good enough. I will not focus on the interface of new Windows, we have to test program compatibility there only.

Initial screen is looking so:

Click on Desktop icon to switch to more regular interface. Ok, now it is looking “better” Download Enigma Protector at http://enigmaprotector.com/assets/files/enigma_en_demo.exe .

Run Enigma Protector setup and walk through the installation steps. First opinion – great, installer is working well! Trying to run Enigma Protector.

It is running and working well! Since Enigma Protector is protected by itself, we can say protection is working under Windows 8!
Make another testing – protect the test file with as much protection options enabled as possible. Trying to run – same result, protected file is working perfectly!

Really, our specialists already carefully checked Windows 8, Enigma Protector (surely, together with our freeware Enigma Virtual Box) and protection workability there. We can say Enigma Protector is fully compatible with the existing version of Windows 8, there was not found any problem or incompatibility.

We should also note that this version of Windows 8 is just preview for software developers, who knows what Microsoft will also change there until official release…? But to be on the top of software protection, to make our clients aware of compatibility of our products, we have tested even this minor Windows release.

Finally let me say: Enigma Protector – Windows 8 compatible!

How Software Licensing works?

Imagine you have written a software which runs on a Windows PC, but you want to lock it by license, so only licensed users will be able to use it. “Lock to License” means the application will require a license key to run it, without valid registration key it is impossible to run and use protected programs. By using Enigma Protector you can protect your software and apply licensing features. After protection you can share protected application with customers.
After the first run of protected program (which is protected with licensing) it will ask user to enter a Registration Name and Registration Key. Registration Name can contain any information, commonly it determines the user and last names and email address. The Registration Key user has to retrieve from owner of this protected program. So each customer will have to ask you for a license (i.e. the pair of Registration Name and Registration Key).
Once user enters Registration Name and Registration Key and successfully registers, the program will continue execution and will not ask for license information anymore.

How to Lock License to Particular PC?

You may generate licenses that are valid for a particular computer only, such licenses are named as Hardware Locked Licenses. There is the following licensing scheme for using of hardware locked registration keys:
- user gets the protected program, run it, the program shows a registration dialog which contains the Hardware ID field (unique computer identifier)
- user sends this hardware id to the owner of protected program
- owner, based on a hardware id generates a license (pair of Registration Name and Registration Key) and send it back to user
- user enters this name and key and successfully registers. If user will try to register same application on another computer with the same registration name and key the owner of program provided – it will just fail to registers (because the registration key is generated for only particular hardware id).

Other License Limitations

Enigma Protector allows very flexible licensing features. Except locking license to particular computer you may also set a wide range of other different limitations, like:
- limit license by number of executions of protected program. The license will expire (stop to work) after defined number of executions
- limit license by a days number, so it will working only allowed number of days since the first registration
- lock license to user’s country
- lock license by a run-time or global time. License will be valid some time since each execution (run-time limit) or protection will count the time since registration (global time limit)

There is a tutorial that shows how to implement licensing features with Enigma Protector, how to generate registration keys and what options in protection has to be enabled.

Video provided by Majid Pasha. Thanks you very much Majid for the nice and very useful movie!

We recommend to use Enigma Protector for Software Protection and Software Licensing!

Difficult to say only one main [...]]]> Each user of almost any serious Software Protection system sometimes may get false detection (false positive detection) from different antivirus software vendors. What is false detection? It is just wrong detection any kind of virus in protected files…

Why False Detection appear?

Difficult to say only one main reason of false positive detection, but usual of them are following:

• the one of the main purposes of protection systems – make it harder to analyze, reverse and crack the application. Malware (virus) makers are also very often use protection systems to protect viruses to make them difficult to analyze. So antivirus software vendors sometimes wrongly detect virus in any protected files, for example, if last days there were lot of protected viruses
• heuristic and generic analyzers of antivirus software may often fail, because these are robot, and automatic robot detections can’t give us 100% result
• just an error of antivirus software engineers, which may wrongly analyze and detect virus in protected file

Is any way to stop false detection?

Yes, sure, there is a way to avoid false detection. If false detection appears you need to send file sample to the antivirus research team and ask them to solve problem. Usually, specialists reply quickly and glad to help to solve the problem. As per our experience, if you send file sample today, tomorrow’s database of the antivirus software will be clean.

Another very promised thing we had got a year ago from IEEE.com members. They decided to unite antivirus software vendors to make a complex solution for software protection vendors that will avoid most part of false detections caused by protected files. Enigma Protector developers are also joined to the process, so we hope that soon we will be completely free of the most false positives!

Something about new anti-false detection system you may read there: http://www.pcmag.com/article2/0,2817,2390388,00.asp

How to Solve False Detection?

Below I’ve written a list of antivirus software vendors and ways how to solve false positive detection of their software. Also, note, customers of the Enigma Protector may always contact to support team at support@enigmaprotector.com and ask for a help regarding any their false detection.

#######################################
Here are some places that can online scan the program and let you know what AV companies are giving False Positives on the files:
NOTE: we do not recommend to use below services to check your files on a false positives, because submitted files are being redirected to Antivirus Software vendors directly. As per our experience, antivirus software vendors are moving these files to black list, so instead of the successful false detection removing you will get a few new false detections. This note is made per our experience only, you may or not may trust it.
http://virustotal.com/
http://virusscan.jotti.org/

I’ll go ahead and list some email addresses and website forms for some of the particular AV companies to make it easy for you.

A-Squared: send false detection sample at fp@emsisoft.com

AntiVir: http://analysis.avira.com/samples/index.php
False positives:
If you think our scanner has detected a clean file by mistake please select “False positive suspicion” from the drop down menu above. Note that suspicious files and false positives need to be uploaded separately. Please make sure you verified that the latest version will still detect the file and it is not a solved false alarm at this point in time.

ArcaVir: send false detection sample at support@arcabit.com

Avast: virus@avast.com
Pack the “infected” file into ZIP archive and lock it with password “virus” (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it’s on the internet.
Add your own note on why do you think that it’s a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com
You’ll probably get a reply mail about file info (if it was really a false positve) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you’ll know if the false positive was fixed.
Until then, you can add the “false positive” file into exclusions:
Left click on “a” ball next to the clock and select Standard Shield.
Click Customize… and select Advanced tab.
Now just enter full path (path plus filename with extension) into the line and press [Enter] on keyboard.
This will exclude the file from scan, so you can use it untill false positive is resolved. Do this with caution or if you’re 100% sure that the alert was false positive for that file.
Alwil staff deals with false positives very fast, so they are usually fixed on next VPS update, or even immediately if the false positive is found in any widely used program.
Try to address false positives directly to Alwil virus submission mail and not here on forums. This way the false positive is solved faster.

AVG Antivirus:
Check the file using this form:
http://samplesubmit.avg.com/ww-en/sample-scanning
If the file is false detected, add it to zip archive with password. Then email zip file to virus@avg.com. Do not forget to note it is “File is incorrectly marked as a virus (false positive)” and archive password for zip file.

BitDefender:
Post false detection in their forum:
http://forum.bitdefender.com/index.php?showforum=138

ClamAV: http://www.clamav.net/sendvirus
Complete the form at http://www.clamav.net/sendvirus. Be sure to select The file attached is… a false positive.

Comodo Antivirus: malwaresubmit@avlab.comodo.com or desktopsupport@comodo.com
Make sure you state “False Positive” in the subject and try to explain what the program is.
Or upload file sample using this online form:
http://internetsecurity.comodo.com/submit.php

Commtouch
do not forget to note that this is False Detection
- Subject line should be in the format of: virus samples
- Attached the sample as encrypted zip file with the password of “infected”
- In the body of the message include that the file is protected with Enigma Protector and it’s version
- Submit the sample to: AVsample@blockvirus.biz

Dr.Web: http://vms.drweb.com/sendvirus/
Make sure you select “False Detect”.

Emsisoft
- send the suspect(s) to fp@emsisoft.com
- Before submitting, create a password protected archive (ZIP or RAR) containing the file(s). Please password protect the archive with word: “fp” (no quotes)

eSafe: http://www.aladdin.com/forms/send-email/form.aspx
Fill out the contact form and let them know it is a False Positive.

F-Prot Antivirus: http://www.f-prot.com/virusinfo/submission_form.html
Be sure to explain it is a False Positive!

F-Secure Antivirus: http://www.f-secure.com/samples/index.html
If you encounter a false positive, please submit a sample of it for testing and verification, specifying that you are submitting a false positive. Any additional information such as the origin of the file, scanning report file, and false positive detection name will help to resolve the issue more quickly.

Fortinet: http://www.fortiguardcenter.com/antivirus/virus_scanner.html
Submit the file and fill out the form stating it is a false positive

Ikarus: send false detection sample at false-positive@ikarus.at

K7AntiVirus:
Password protect the sample and send it to: reportfp@k7computing.com
Include password in the email.

Kaspersky:
Zip the file with password “virus” and use this form to send sample:
http://support.kaspersky.com/virlab/helpdesk.html

or email:

newvirus@kaspersky.com
1) Put the suspected virus in a password-protected zip or rar file.
2) Compose an email message (only short description) and attach the zip file.
3) Include the password in the body/subject of the email. If you suspect a false positive, then include “Possible false positive” in the subjectline.
4) Send the zip/rar file to newvirus@kaspersky.com

McAfee: virus_research@avertlabs.com
Send an email to McAfee and let them know it is a false positive.
Make sure you zip up the file(s) and password protect it with the word infected. Even though it is not a virus this password must be contained on the zip file or they will ignore your email.

NOD32:
1. Compress the file(s) into a .zip or .rar archive, and password protect it with the password “infected”.
2. Make a note of this password in the email (bounded by speech marks), attach the zipped file, and email it to samples@eset.com.
3. Use a subject line which clearly states if the attached file contains a suspected infection or a false positive (ie. use the subject Suspected infection or the subject False positive if you report a false positive). Also, please include the Customer Care case number if applicable.
4. In the body of the email it is very important to include:
Any background information as to where the sample was found, especially the url you downloaded the sample from
Why you think it is malware or a false positive report.
If you know that another antivirus company already detects it.
If you are reporting a potential false positive, please provide as much information as possible about the source of the software, including the name of the developer, the name and version application and the address of the site from which the file was downloaded.

Send email to: samples@eset.com

For more info:
http://kb.eset.com/esetkb/index?page=content&id=SOLN141

Norman Virus Control: http://www.norman.com/Support/fp/

Panda Antivirus: falsepositives@pandasecurity.com
If you want to report us False Positives, send the samples inside a passworded RAR or ZIP file to falsepositives@pandasecurity.com

PCTools
Please send an email to support@pctools.com with the subject “false positive” with details of the detection.

Prevx: http://info.prevx.com/service.asp
Contact support by filling out the form and stateing the information about the false positive.

Sophos Antivirus: https://secure.sophos.com/support/samples/
Make sure you let them know it is a “False Positive”.

Sunbelt
Fill out false positive submission form, attach false detected file
http://www.sunbeltsecurity.com/falsepositive/

Symantec:
process a false detection submission form at:
https://submit.symantec.com/false_positive/

or

To submit false positive email to Security Response
Create a new email in RFC-822 MIME format, and attach the false positive email.
In the To box, type:
North America: gfeedback@feedback-1.brightmail.com
EMEA: eurofeedback@feedback-23.brightmail.com
APAC: apacfeedback@feedback-22.brightmail.com
Japan: jpnfeedback@feedback-47.brightmail.com
Only send false positive email to the this address.
Send the message to the Security Response Center.

Trend Micro
Do not forget to note that it is a false detection
Email: trendlabs@av-emea.com
Or: http://subwiz.trendmicro.com/SubWiz/Default.asp

VirusBuster: send false detection sample at support@virusbuster.hu
Make sure you notify them that it is a “False Positive”.

ViRobot
Go to http://www.hauri.net/support/false_report.html there is a false positive submission form. Enter your name, email address, enter False Positive in the subject, some words in the text field and select a file. Note, false detected file should be zip compressed!

VIPRE
Use this form to submit false detection
http://www.sunbeltsecurity.com/falsepositive/

VBA32: send false detection sample at newvirus@anti-virus.by
Put “False Positive” in the subject!

The Enigma Protector 3.0 x86 BETA:
http://enigmaprotector.com/assets/files/enigma_3.00_20110811_en_demo.exe

The Enigma Protector 3.0 x64 BETA:
http://enigmaprotector.com/assets/files/enigma64_3.00_20110811_en_demo.exe

Many developers think that if they simply click “protect” button then protection program will [...]]]> We’ve been asked many times what are the best way to protect software against cracking and reverse engineering with Enigma Protector? Here I will explain what are the best tricks to protect usual application.

Many developers think that if they simply click “protect” button then protection program will do everything automatically, and there is no need to embed additional protection features. This is completely wrong. Protection System as a very complex service also requires configuration.

Best way to protect application against cracking, unpacking or patching is integration protection into your application. So protection should be a part of application and it should perform some functionality that is necessary for stable and correct work of your product. Just imagine, if you do not use additional protection features, the protection works like an envelope inside which the real application is located. While execution of the program, the envelope opens, and application is being mapped to the process memory for execution. If no additional options of protection is used, cracker may dump the application from the memory, extract necessary information, and reverse it (of course, this is not so easy as I’m writing, newbie cracker will never pass even such protection, but very advanced crackers may do this). From the other side, if your application is integrated with protection (envelope), if application talks and works with envelope, then it is very difficult to divide protection and application and so very difficult to unpack and crack the protection.

Below are common ways how to integrate protection into application.

Virtual Machine

The modern way of protection – virtualization application code. The main purpose of Virtual Machine – translate executable code to own PCODE and then execute it on own virtual processor. Virtualized code is very difficult to reverse, it is good choice to place some unsafe code parts (like verifying registration keys, trial counter etc) inside Virtual Machine. In the Enigma Protector there are 2 ways to virtualize the code:
- using VM Markers, you just around necessary code parts with the VM Markers, and this code will be virtualized while protection

{$I ..\..\..\EnigmaSDK\Delphi\vm_begin.inc}
ShowMessage('This message is shown under virtualized code');
{$I ..\..\..\EnigmaSDK\Delphi\vm_end.inc}

- using Virtual Machine – Functions Selecting feature. Using this feature may require to generate a MAP file, take a look there how to generate map file for different compilers.

Virtual Box

This feature allows to embed the files that your application uses into single protected executable. Embeded files are not extracting to the disk, protection emulates them only in memory, so the files becomes safe. What is advantage of this feature, and how it can help to protect application? Very simple, if cracker want to unpack protection, he will need also extract all embeded files, that could be very difficult!

Markers

Except described above VM Markers it is good to use any other kind of markers. For example, Reg_Crypt markers allows to lock code parts to the registration key, i.e. until the application is not registered, the code inside Reg_Crypt markers become encrypted and can’t be decrypted and executed.
Run_Once marker – deletes the code inside it from the memory after first execution, so if cracker will dump process memory, the code inside these markers will be missed

Enigma API

Try to use special functions of protection that allows control many protection parameters, read more there Enigma API
Crackers often use different strings that exist in your application to find a way to crack it. For example, if you perform check of registration key and then show a message like “Invalid Key”, cracker may find a code where this message is shown, then find a code that check registration key and bypass it. To hide such string constants you may use Protected Strings feature and integrate protection with application by using EP_ProtectedStringByID or EP_ProtectedStringByKey Enigma API.

- Improved compatibility of boxing files packed with other run-time packers
- Improved handing of ZwQueryKey
- Bug fixed handling of ZwDuplicateObject

- Added logging for Keys Generator
- Added few callback functions for plugins
- Added option Miscellaneous – Other – Supress graphical module
- Added option Miscellaneous – Other – Do not check if file is compressed
- Added option Miscellaneous – Other – Do [...]]]> 29 Jun 2011 2.70 Build 20110629

- Added logging for Keys Generator
- Added few callback functions for plugins
- Added option Miscellaneous – Other – Supress graphical module
- Added option Miscellaneous – Other – Do not check if file is compressed
- Added option Miscellaneous – Other – Do not search markers
- Improved Virtual Machine – File Entry Point protection of particular Delphi programs
- Bug fixed showing unicode AppName and AppVer variables for message and dialog designers
- Bug fixed overloading project settings on re-opening project file
- Bug fixed handing unmanaged exceptions for .net applications
- Minor bugs fixed loading new project
- Minor GUI improvements