I'm a software developer who works as a freelancer, and my question has two parts.
First part:
I was working on a project then out of nowhere while testing on windows 10 VM windows security start blocking my app, I have a legit Bitdeferter and Malwarebytes on my main machine, and when I scanned my app (the EXE file from C# project) everything is clean, yet when I uploaded the file to virustotal.com it shows 5 detections
I start doubting my code and NuGet packages (I use Microsoft.AspNet.WebApi.Client and Newtonsoft.Json) so I removed them and to my surprise, I only got 2 detections out of 5.
I even create an empty Console app and still get those 2 detections, and my main machine still shows nothing as a virus.
So does that mean that my app is good but needs to be signed?
Second part:
If my issue is just a signing certificate, do I need as a developer to obtain that or my client, and then I only sign his/her app under his/her certificate?
Thank you.
Many engines treat VirusTotal samples very harshly, and any new executable has very low reputation (never having been seen before).
Therefore you will get lots of false-positives from VirusTotal when looking at your own new binary.
Signing is likely to help somewhat - at least there's a chance that you can build reputation in your certificate rather than each binary separately.
As far as I know, you get the signing certificate for you as a developer, although that might be different if you are providing source code and the client is building the end executable.