views: 281
answers: 6

Hi,

I just ran into an annoying problem. Suddenly Avira AntiVir started to flag one executable from my software as being a virus. As the default action of almost any user is to click OK, and Avira suggests putting the "virus" in quarantine, most of my users are deleting this executable. Well, let's not be arrogant and check whether I'm not infected indeed. I posted the file to http://www.virustotal.com and of all the antivirus engines only Avira flags it as infected. Furthermore, I scanned my computer with two different antivirus products and it is clean. I already sent a mail to my users explaining what is happening, but this is an overhead to my support that I really don't want. OK, the question is: Is there a way to avoid this kind of behaviour? I can't think of any other way than signing the files (don't really know if it would solve it), but let's see if you have any creative ideas.

Thanks.

+17  A: 

It is surprisingly common that Delphi applications are reported as (potentially) harmful by AV applications. It happened to me a while ago, using Delphi 2009, see http://en.wikipedia.org/wiki/Wikipedia:Reference_desk/Archives/Computing/2010_March_20#Delphi.2FAVG_Issue.

At SO, we also have

and many more.

It might be the actual Induc Virus. But most likely, it is a false positive.

Andreas Rejbrand
+2  A: 

As a solution, you may want to:

1 - Verify your Delphi compiler is not infected
2 - Verify your sources and libraries are not tampered with (that was the M.O. for the Induc Virus)
3 - Check your (guaranteed) clean exe with the AVs. If they report a false positive, contact them so they can fix their tests.
4 - If you need to distribute before there is a chance to correct the AVs, sign your exe, so that your users can verify it's clean.

François
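One way to carry out steps 1 and 2 above in practice, as an added example rather than part of François's answer: a small Python script that records a SHA-256 manifest of a directory tree (for instance the compiler's bin and lib directories and your own source tree) while it is known to be clean, and later reports every file that was modified, removed or added. The file names used in the demonstration are constructed, not taken from a real installation.

```python
import hashlib
import json
from pathlib import Path

# Added example. The manifest format (relative POSIX path -> SHA-256 hex digest)
# and the sample file names below are assumptions made for illustration.


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large .dcu/.exe files never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the tree under root with a manifest taken while the tree was known-good.

    Returns sorted lists under 'modified' (hash differs), 'missing' (in the
    manifest, gone from disk) and 'added' (on disk, not in the manifest).
    A changed or added file inside the compiler's lib directory is exactly the
    footprint a source-infecting virus like Induc leaves behind.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def save_manifest(manifest, path):
    """Persist the baseline; keep this file somewhere the build machine cannot rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed demonstration in a temporary directory: take a baseline, tamper
    with one unit, and show that verification names exactly that file."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "lib")
        lib.mkdir()
        (lib / "SysConst.pas").write_text("unit SysConst; interface implementation end.\n")
        (lib / "SysConst.dcu").write_bytes(b"\x00constructed-dcu\x00")
        baseline = build_manifest(tmp)
        (lib / "SysConst.pas").write_text("unit SysConst; {tampered} interface implementation end.\n")
        return verify_manifest(tmp, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['lib/SysConst.pas'], 'missing': [], 'added': []}
```

Take the baseline right after a fresh install (before any third-party components are added), store it off the build machine, and run the verification as the first step of every release build; a clean result for the compiler tree plus a clean VirusTotal report for the produced exe is what you can then point the AV vendor at.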
+13  A: 

Andreas's answer is excellent; it just happens a lot to Delphi applications.

Signing code doesn't make any difference -- I've had NOD32 throw false positives on signed Delphi code.

If there were any techniques that would avoid false positives, virus authors would use them to avoid detection.

I've found the best course of action is, unfortunately, reactive rather than proactive. All AV vendors have a facility to report false positives, and I've found them to be responsive to reports.

glob
+1: submitting to the AV vendor is the best option
Remko
Indeed. Avira took less than 12 hours to confirm the false positive.
Ricardo Acras
+2  A: 

There are several reasons why an anti-virus product might trigger on a Delphi-produced exe; a few common reasons are:

  • Lots of viruses are written in Delphi and therefore your exe might have some code parts that look the same as existing viruses.
  • The import table of your program is used to determine what your exe might do; for instance linking to Credentials Management or Disk Management functions triggers some AVs.

As suggested before, try scanning your release version with online services such as Virustotal or Jotti, and always report your false positives to vendors instead of trying to prevent being a false positive. My experience is that AV vendors react quite fast to submissions.

Remko
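To see what an import-table heuristic like the one Remko describes actually looks at, here is an added example (not code from the answers above): a dependency-free Python reader for the PE import directory that lists every DLL and function an executable links to, plus a tiny constructed PE32 file so it runs offline. The watch-list of API names is an illustrative assumption, not any vendor's rule; the PE layout constants follow the Microsoft PE/COFF specification. Unlike the answer, the reader also handles PE32+ (64-bit) images.

```python
import struct

def _cstr(data, off):
    """NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [function or '#ordinal', ...]} for a PE32 or PE32+ image.
    This is the view an import heuristic works from: which DLLs and exported
    functions the program links to, independent of what the code does with them."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories at +96, 4-byte thunks
        dd, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: data directories at +112, 8-byte thunks
        dd, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    imp_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]  # data directory 1 = imports
    sections = []  # (VirtualAddress, size, PointerToRawData) for RVA -> file offset
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def rva_to_off(rva):
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rva - va + rptr
        raise ValueError("RVA %#x is outside every section" % rva)

    imports = {}
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:  # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        funcs, thunk = [], rva_to_off(oft or ft)  # prefer the unbound lookup table
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else _cstr(data, rva_to_off(entry) + 2))  # +2 skips the hint word
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return imports

# Illustrative watch-list (an assumption, not a vendor's rule): credential and
# low-level disk APIs. A hit explains a heuristic alarm; it is not evidence of anything wrong.
WATCHLIST = {"CredEnumerateW", "CredReadW", "DeviceIoControl"}

def watched_imports(imports):
    """Sorted 'dll!Function' strings for imports that appear on WATCHLIST."""
    return sorted("%s!%s" % (dll, f) for dll, funcs in imports.items()
                  for f in funcs if f in WATCHLIST)

def build_sample_pe(imports):
    """Constructed PE32 file with one section holding only an import directory.
    Not loadable (the IAT reuses the lookup table) but well-formed enough for parse_imports."""
    sec_va, raw_ptr = 0x1000, 0x200
    body = bytearray(20 * (len(imports) + 1))  # descriptor array, filled in below
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:
            name_rvas.append(sec_va + len(body))
            body += struct.pack("<H", 0) + f.encode("ascii") + b"\0"
            body += b"\0" * (len(body) % 2)  # hint/name entries are word aligned
        ilt_rva = sec_va + len(body)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        descs.append((ilt_rva, sec_va + len(body)))
        body += dll.encode("ascii") + b"\0"
    for i, (ilt_rva, dll_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, ilt_rva, 0, 0, dll_rva, ilt_rva)
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_va, len(body))          # import data directory
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_va, raw_size, raw_ptr,
                      0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(raw_ptr, b"\0") + bytes(body).ljust(raw_size, b"\0")

if __name__ == "__main__":
    pe = build_sample_pe({"kernel32.dll": ["CreateFileW", "DeviceIoControl"],
                          "advapi32.dll": ["CredEnumerateW"]})
    found = parse_imports(pe)
    print(found)                   # what the heuristic sees
    print(watched_imports(found))  # ['advapi32.dll!CredEnumerateW', 'kernel32.dll!DeviceIoControl']
```

Run `parse_imports(open("Project1.exe", "rb").read())` on your own release build to get the same list; it is useful evidence to attach to a false-positive report, because it shows the vendor exactly which linked function their rule tripped on.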
+1  A: 

In the Free Pascal/Lazarus groups and bug tracker, such messages appear nearly every release and/or month.

We generally advise users to ignore all "generic" or "heuristic" scanning types, and stick to signature-based scanning (as most corporate virus scanners do).

This is because it is nearly always a heuristic alarm, never specific malware. This can be readily seen in the fact that the detected "virus/trojan" is nearly always of the "generic" type. Usually the virus scanners are also typical "home" virus scanners, or home editions of general virus scanners (Norton used to be particularly bad; nowadays it is mostly the smaller-scale "cheap" home-use scanners).

However, we communicate mostly with developers, and already have trouble getting this message across. I can imagine that, when distributing to clueless end users, this is a really difficult message to communicate.

Still, there is no other way.

Marco van de Voort
A: 

False positive :) Check

http://www.ginktage.com/2010/01/delphi-7-mcafee-and-virus/

I have described the problem and a possible solution there too.

Senthil Kumar B