Antivirus False-positive in my executable file

I just ran into an annoying problem. Suddenly, Avira AntiVir began marking one executable file from my software as a virus.

Since the default action of almost any user is to click OK, and Avira suggests quarantining the virus, most of my users delete this executable file.

Well, let's not be arrogant and check whether I'm really not infected. I sent the file to http://www.virustotal.com, and of all the antivirus engines, only Avira flags it as infected. In addition, I scanned my computer with two different antiviruses and it is clean.

I have already sent mail to my users explaining what is happening, but this is an overhead for my support, which I really do not want.

OK, the question is: is there a way to avoid this behavior? I can't think of anything other than signing the files (I don't know whether that will do it), but let's see if you have a creative idea.

+39
delphi executable delphi-7 antivirus false-positive
Jul 26 '10 at 9:28 a.m.
6 answers

It is surprisingly common for Delphi applications to be reported as potentially dangerous by AV applications. This happened to me a while ago using Delphi 2009, see http://en.wikipedia.org/wiki/Wikipedia:Reference_desk/Archives/Computing/2010_March_20#Delphi.2FAVG_Issue .

On SO we also have

  • Virus in Delphi 7
  • Accidentally created virus?

and many others.

This may be the actual Induc Virus. But, most likely, this is a false positive.

+27
Jul 26 '10 at 9:32 a.m.

Andreas answered perfectly; this just happens with Delphi applications.

Code signing does not matter - my NOD32 gave false positives for signed Delphi code.

If there were any methods to avoid false positives, virus authors would use them to avoid detection.

I found that the best course of action, unfortunately, is more reactive than proactive. All AV vendors have the ability to report false positives, and I found that they respond to reports.

+22
Jul 27 '10 at 0:53

As a solution, you can:

1 - Make sure your Delphi compiler is not infected
2 - Check that your sources and libraries have not been tampered with (this was the Induc Virus's MO)
3 - Check a (guaranteed) clean EXE with the AVs. If they report a false positive, contact them so they can fix their tests.

4 - If you need to distribute before the AVs can be fixed, sign the exe so that your users can verify that it is clean.

+3
Jul 27 '10 at 0:45

There are several reasons why an antivirus can trigger on a Delphi exe; some common ones:

  • There are a lot of viruses written in Delphi, so your exe may contain pieces of code that look just like existing viruses.
  • The import table of your program is used to determine what your exe can do; for example, a reference to Credentials Management or Disk Management functions triggers some AVs.

As suggested, scan your release version beforehand using online services such as VirusTotal or Jotti, and always report your false positives to the vendors instead of trying to prevent false positives. My experience is that AV vendors respond quite quickly to submissions.

+3
Jul 27 '10 at 7:21
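As an added example (not code from any answer here), a pure-Python walk of the PE import directory, the structure the answer above says AV heuristics inspect to judge what an exe can do. The input is a constructed bare PE32 with nothing but an import table (not a Delphi build); the DLL and function names are illustrative picks, one from the Credentials Management family the answer mentions, and only PE32 (not PE32+) is handled.

```python
import struct

def build_sample_pe(imports):  # constructed PE32 whose only section is an import table
    n, rva = len(imports), 0x1000                      # section mapped at RVA 0x1000
    desc, ilt, tail = bytearray(20 * (n + 1)), bytearray(), bytearray()
    tail_base = len(desc) + sum(4 * (len(f) + 1) for _, f in imports)
    for i, (dll, funcs) in enumerate(imports):
        ilt_off, name_off = len(desc) + len(ilt), tail_base + len(tail)
        tail += dll.encode() + b"\0"
        for f in funcs:                                # IMAGE_IMPORT_BY_NAME: hint + name
            tail += b"\0" * (len(tail) % 2)            # keep entries 2-byte aligned
            ilt += struct.pack("<I", rva + tail_base + len(tail))
            tail += struct.pack("<H", 0) + f.encode() + b"\0"
        ilt += b"\0\0\0\0"                             # lookup table terminator
        struct.pack_into("<5I", desc, 20 * i, rva + ilt_off, 0, 0, rva + name_off, rva + ilt_off)
    section = bytes(desc + ilt + tail)
    opt = bytearray(224)                               # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<II", opt, 104, rva, len(desc))  # data directory 1 = import table
    return (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
            + struct.pack("<8sIIIIIIHHI", b".idata", len(section), rva, len(section), 0x200, 0, 0, 0, 0, 0x40000040)
            ).ljust(0x200, b"\0") + section

def list_imports(data):  # walk the import directory -> [(dll, [function, ...]), ...]
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsec, opt_size, opt = *struct.unpack_from("<H12xH", data, pe + 6), pe + 24
    imp_rva, = struct.unpack_from("<I", data, opt + 104)   # data directory entry 1 (imports)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(r):                                        # RVA -> file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= r < va + max(vsize, rsize):
                return raw + r - va
        raise ValueError(f"RVA {r:#x} maps to no section")
    cstr = lambda o: data[o:data.index(b"\0", o)].decode()
    result, d = [], off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, d)
        if name_rva == 0:                              # null descriptor ends the table
            return result
        funcs, t = [], off(oft or ft)
        while (entry := struct.unpack_from("<I", data, t)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry >> 31 else cstr(off(entry) + 2))
            t += 4
        result.append((cstr(off(name_rva)), funcs))
        d += 20

SAMPLE = build_sample_pe([("KERNEL32.dll", ["CreateFileA", "WriteFile"]), ("ADVAPI32.dll", ["CredEnumerateA"])])
```

Running list_imports over your own release build (open it with "rb") gives the same DLL/function view an AV heuristic sees, so a surprising import shows up before VirusTotal does.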

On the Free Pascal / Lazarus lists and bug tracker, such reports come up almost every issue and/or month.

We generally recommend that users ignore all "generic" or "heuristic" types of scans and stick to signature scans (as most corporate scanners do).

This is because it is almost always a heuristic alarm, not specific malware. This is easily seen in the fact that the detected "virus / trojan" almost always refers to a "generic" type. Usually the virus scanners are also typical "home" virus scanners or home editions of generic virus scanners (Norton was especially bad; currently it is mostly "cheap" smaller home scanners).

However, we communicate mainly with developers and already have trouble getting this message across. I can imagine that when distributing to unfamiliar end users this is a really difficult message to communicate.

However, there is no other way.

+3
Jul 27 '10 at 10:08

Many honest developers have problems due to careless antivirus software. See also: How to prevent a false positive virus on my software?

Imagine that for every false positive they show, you lose a potential buyer. Programmers must take action against such anti-virus products and make them more careful about false-positive alarms, if only to get some of the profit back from the sales we lose because of them.

Update:
I recently noticed that:

  • The number of false positives on VirusTotal.com is MUCH more when the program is compiled into "Release Mode" (with compiler optimization) than when it is compiled into "Debug Mode".
  • Detections skyrocket when using EurekaLog.

Therefore, send a request to VirusTotal before publishing your program!

Update 2019:
Unfortunately, InnoSetup was not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 scanners reported a false positive! Update upon update: the number of false positives has now risen to 9!

+3
Nov 21 '10 at 12:11