My Application's Auto-update utility is triggering Anti-Virus

views:

488

answers:

+5 Q:

My Application's Auto-update utility is triggering Anti-Virus

I've created an auto-updating application which is distributed to 100s of users.

The auto-update utility is being flagged by 55% of antiviruses on virustotal ( link ).

My application was created in Delphi 7. Most of the flags are saying that this is Generic trojan/malware, obviously the software isn't actually malware (I'm the only one with source code access and access to the server which hosts it) but it's causing a lot of users to be

Does anyone have any idea how I can stop this being wrongly flagged?

What's your executable named? What APIs does it call? Is it digitally signed?

EricLaw -MSFT- 2010-02-02 15:32:23

It's name LibraUpdate.exe - not digitally signed it uses idHTTPHandler to download the update and shellApi to restart the application once it's been updated (there's a list on the virustotal link)

Mikey 2010-02-02 15:35:39

I have a hunch that suddenly the virus makers decided that we all have to digitally sign our software. Maybe they bought stocks of those signing companies ?

Edelcom 2010-02-03 08:22:47

It's possible that enough viruses are now using idHTTP components that their presence is considered potentially malicious in unsigned code. You'll have to ask those companies.

EricLaw -MSFT- 2010-02-03 19:36:22

It depends - if the 100s of users are on a corporate network, using the same enterprise antivirus software administered by group policy, one solution could be to specify your software as an exception in your antivirus package.

GenericMeatUnit 2010-02-02 15:35:13

this is being distributed over the internet so unfortunately not an option

Mikey 2010-02-02 16:07:42

I would try to refactor the program, changing names, changing the order of the procedures and methods, some program structures, removing, replacing, and adding code.

Submit each change to VirusTotal.

You might eventually detect what is causing the problem.

PA 2010-02-02 15:53:04

uploading an empty forms application gives this http://www.virustotal.com/analisis/d592ddc8aff56a928e6dcebf4d8a0f63df3da9523da19f0118c84e9a968584ab-1265126224 am I infected or are the anti-viruses rubbish xD

Mikey 2010-02-02 16:00:18

maybe it's time to submit the sample to the companies that give you the false positives

PA 2010-02-02 17:58:26

Anti-virus apps **ARE** rubbish!! We've had one randomly 'quarantining' data files!! Unfortunately anti-virus apps are something we have to live with. We instructed our client to configure their AV product to ignore our data folder.

Craig Young 2010-02-03 13:23:23

If your program "modifies" an executable, it will be picked up by a lot of AV programs. I've even seen Borland's patch program that was distributed with Delphi 7 flagged as a generic virus when installed fresh off the CD.

I'm not sure there is much you can do about it, unless you can turn that "feature" off in the AV program or have the rights to add an exception for it. Personally, I think it's just a lazy "catch-all" created by the AV software writers.

Catharz 2010-02-02 21:54:44

+1 A:

If, as you stated, empty form applications get rated as virus, you might very well be infected by the Delphi virus. More info about this... thing:

In addition, you use Delphi 7, which is a target for this virus (as far as I know not all Delphi versions are).

Mef 2010-02-02 22:18:32

AV software also check the Import Table for common API used in viruses, though I don't see any API that will trigger the AV software in the scan report.

pani 2010-02-02 22:38:01

+1 A:

Delphi 2007: New VCL Application

Compile without changing anything and some antivirus packages will report the resulting EXE as a potential virus/trojan. Change the name of the main form or add a second form to the project etc and antivirus warnings disappear. Undo the changes and they come back (so it's not a D2007 port of the "Delphi Upgrade Incentive Virus").

My guess is that someone, somewhere once upon a time wrote a virus/trojan/malware with Delphi and the signature/heuristics associated with that now sometimes unfortunately collides with other Delphi apps.

Deltics 2010-02-03 02:15:07

I suspect the answer is not "someone somewhere" but "Lots of people in lots of places." The CLSIDs Microsoft uses in their docs on MSDN for IE extensions have the same problem-- they're often flagged as malicious because malware authors are lazy and used them.

EricLaw -MSFT- 2010-02-03 19:37:08

I would say authors are ignorant and used them, rather than lazy. :)

Toby Allen 2010-02-05 20:37:04

See my post at anyone having problems with delphi 2010 and norton internet security. Lately I have been getting SONAR errors too with Delphi 7 compiled programs (and by programs compiled with other compilers).

I reported this to Norton, look also at hot issues at Norton board.

Of course this is only Norton, you don't specify which virus checkers you encountered.

Edelcom 2010-02-03 08:20:09

+1 A:

I think you have two choices:

a) Submit your auto-update program as a false positive to all those companies, (and do so for any new versions that are detected). Make it easier for them by ensuring your meta-data is correct and signing perhaps.

b) Split up the functionality so you don't have a single Delphi program that downloads files from the internet, overwrites files and patches files.

Douglas Leeder 2010-02-03 09:55:38

We got the same problem here... Ant-virus detect some behaviors of our software too. The ant-virus company doesn't say exactly what they watch (sure, security issue). Here for example I got this problem when I started using pipelines.

What we did ? We call the security companies, they analysed our .exe, and now we have "white flag" on them.

...No, it isn't so fast process.

SaCi 2010-02-03 13:19:03

ansaurus

tags:

views:

answers:

My Application's Auto-update utility is triggering Anti-Virus

related questions