views:

607

answers:

10

Hi. I have a piece of code that is trying to write to disk many files in one second. However, it fails since I have installed Kaspersky Antivirus 2011.

Stream:= TFileStream.Create(sName, fmCreate); 

The code totally worked with Kaspersky 2010 and also works with Kaspersky 2011 if I disable its scanners (it cannot be totally unloaded from memory - unless it is uninstalled). The code also works if (Kaspersky 2011 is running and) I write to disk slooooowly. So it obviously is not fast enough to handle my disk requests.

The error I get is EFCreateError ('Cannot create xxx file blablabla'). Error is random. Most of the files are written to disk. About 10% fail.

I have tried to get support but it is impossible to find a real person at Kaspersky to speak with. Their so called 'support' is actually a FAQ data base. Of course it speaks about how to install the product and related stuff. There is nothing about programming-related issues. Any ideas?

PS: this has repercussions for the entire Delphi community! All our customers will fail to use Delphi software if they are using KIS 2011 as antivirus. For the moment I recommend to my users to disable their antivirus but I need a real solution.

It will be nice if a person with KIS 2011 can confirm the problem. Just create a tiny program that writes 200 small files to disk using TFileStream.

UPDATE:

  • The problem appears ONLY when the file does not exist and it is created (created as opposed to overwritten).
  • Similar report: https://forums.embarcadero.com/thread.jspa?threadID=32751&tstart=15
  • Similar report: http://forum.kaspersky.com/index.php?showtopic=120561
  • A possible solution that popped in my mind is to detect if KIS is running and if it is, to put a delay after each writing to disk. Or at least, let the user know there may be problems. Anybody knows how to detect if a service is running?
  • I added a delay of 650ms (after each file creation) and the bug is still there. So it is not about how fast you write to disk but about how many files you write.
  • Just uninstalled KIS 2011. The problem does not appear anymore.
  • Just reinstalled the good old KIS 2010. The bug is still there but it appears rarely (about every 300 files instead of about 30 as in KIS 2011).
  • The problem was confirmed on a second computer.
  • NEWS: The crash appears in TFileStream.Create however it may be caused by a function called earlier: TestWriteAccess. If I disable this function, the TFileStream.Create doesn't fail anymore. Well, this doesn't change things too much. No matter which line of code generates the error, the program still fails (randomly) to write files to disk while Kaspersky is running.
  • Still waiting a response from a real person from Kaspersky...
  • More automated responses received from Kaspersky support (I sent emails to support in several countries). All pointing to a FAQ database.
  • I changed my status from Kaspersky fan (and customer) to Kaspersky hater because I finally received an answer from a real person from Kaspersky support: I quote "Is het waar of just loads of bollocks? Met vriendelijke groeten, Kaspersky Lab B.V. Papendorpseweg 77-79". Kaspersky may be indeed a pirate company. They don't want to answer the emails because they know their s****y product is too buggy to be fixed.

Steps to reproduce the bug:

1) Test if the user has write permissions to a file/folder (create a file and immediately delete it). 
2) Test if success/fail. 
3) If success, create the file (again) and write content to it. 

The combination create/delete/create will trigger KIS bug if repeated many times per second (~30 times for KIS2011, 300 times for KIS 2010).


Delphi 7, Win 7 (32), KIS 2011

A: 

Don't use KIS! I have also too bad experience with this...mmm..'product'.

John Sinclair
Please read my post entirely, especially this section: "...this has repercussions for the entire Delphi community! All our customers will fail to use Delphi software if they are using KIS 2011 as antivirus. For the moment I recommend to my users to disable their antivirus but I need a real solution. "
Altar
+1  A: 

Not an answer to solve your problem, but you should inform Kaspersky, probably they don't know there is a virus signature associated with a Delphi library.

And if your program isn't too complex, you might want to try Lazarus/FPC. It's not as good as Delphi, but I've been using it for several years now, and have got good results in Windows/MacOS/Linux.

cronocr
It is impossible to find a real person from Kaspersky support. They only offer support via a forum board. Only regular users that don't understand the problem (offering pretty stupid/basic answers) are answering there. I just got one of my posts deleted from "Bug reports" area. Obviously they won't accept this as being a bug in their software. So, you may be right: there is nothing we can do about Kaspersky. But at least we inform Delphi community about this big problem.
Altar
+10  A: 

You need to instruct your users, i.e. Kaspersky's customers, that Kaspersky is interfering with the operation of your software, and that THEY should report it. Express your frustration that you, as a developer, don't have access to a real human being. This is the only way that the anti-malware companies will ever react - bad PR with their paying customers.

Chris Thornton
This is slightly not for real life. Anti PR for your program when antivirus says that it is suspicious is more than anti PR for antivirus when you say it is not working ok. It is you (developer) who should contact AV vendor, they have support for such cases. Of course they will not change their AV for you but they might give you useful instructions how to prevent alarm.
Andrey
@Andrey, I disagree. The AV vendors should share some of the pain that they cause with their carelessness.
Chris Thornton
@Chris, you can disagree all you like, however the client will think your software is bad if it is not doing what it should or gets reported as a virus. That's reality.
gbrandt
@Chris Thornton I was witness of such conversation between AV vendor and app vendor. AV vendor sounds very reasonable. Besides signature analysis (that has lowest false positive rate) they have behavioral and heuristic analyses. They are very important nowadays when viruses and their creators are too smart. The drawback of it is greater false positive rate. It is not carelessness, it is reasonable tradeoff. For some reasons applications created in Delphi have a higher rate than average. You should really contact AV vendor for help, not throw stones at each other.
Andrey
The thing is like this: Kaspersky makes money selling their product. I lose money by not selling my product. Customers are using Kaspersky (which is not working properly) and not using my product which is working properly. Everybody is losing - except Kaspersky.
Altar
@gbrandt: Given the number of false positives that virus scanners do the reality is that people are getting an education on this already.
Chris Lively
@Altar you oversimplify. "Everybody is losing - except Kaspersky." this is not correct. User is doing both: winning - he gets more security, losing for not using your nice product. Now the question is what is more important for *him*, not for you. Every user makes this choice, you can't do it for him. For example I am advanced user, I don't care about AV's warnings, I switch it off if it annoys me. But other user may believe AV and you can't say that he is not right.
Andrey
@Altar: then: "which is not working properly" is also incorrect. It is not electric bulb: either working or not. With newer analysis methods AV's sometimes can give incorrect results, there are two types of errors: false positive (your case) and false negative (when virus is not caught). Problem is that you can't minimize both, there is always a tradeoff. So every AV vendor makes decision what is more important for them. Usually they try to minimize "false negative", because it is what they are paid for. You can't say that fingerprint scanner is not working if your fingers are dirty.
Andrey
@Andrey: What security is he getting, exactly? In actuality, he is getting negative security -- he *thinks* he is protected, so he will let his guard down somewhat. (Also, I think I've heard Kaspersky is especially bad about this kind of thing.)
SamB
@Andrey - "false positive (your case)" - No it is not a false positive since KIS shows no warnings/messages. It just crashes the program IF my "faulty" code is not in a TRY EXCEPT clause. Because of this I start to wonder: how many other programs that showed me errors were actually buggy, and how many were ok but Kaspersky made them act badly. My computer is better without a corruptor (a program that makes other programs buggy). Other users may also benefit from switching to less buggy antivirus (there is no indication that security offered by KIS compensates for its buggyness).
Altar
@Altar - agreed. It's not flagging a virus, so it's not a false positive. It's just getting in the way of file writes, causing errors in other programs, which it should not be allowed to do.
Chris Thornton
+1  A: 

When you create file, any antivirus checks it. There is probably some kind of collision between your application and KAV. Have you tried to combine fmCreate with share modes? You can see in help for TFileStream.Create for available modes.

Ljubomir Đokić
I have tried "fmCreate OR fmShareDenyNone" and still got the error.
Altar
Actually, what happens is that AV makers sometimes put signatures in their databases that match the runtime library from a particular (release of a) development tool, just because some malware was made with that tool...
SamB
@SamB: very unlikely to be the case here, as (afaict) the OP's not getting a popup from the antivirus, only a failing file creation.
snemarch
+14  A: 

I have interesting suggestion! As you might know Kaspersky is made in Russia. And me too. Russian site of Kaspersky has all the contacts. There is even email to report false positive alarms! So I can write there in Russian, they might be more responsive then. (this happens with Russian companies that became international). If you like this idea leave me a comment, I will write my email.

I really hate false positive alarms of antiviruses.

Andrey
This. I come to SO to learn new things but the community is what keeps me coming back time and time again. If I only could upvote you more.
wheaties
Hi Andrey. It will be nice if you can make Kaspersky management aware of this issue. The support I got on the forum is useless. I got only an answer from a random user - not a moderator. All the moderator did for me was to delete my post from "bug report" because "it is not a bug".
Altar
@Altar Here is it: asyschikov |at| gmail |dot| com
Andrey
@Altar just send me email, it is hard to communicate here.
Andrey
+2  A: 

I had similar problems with Kaspersky 2011 when I was trying to add my prog to Windows startup using D2010's new TFile.Copy() as well as raw API function:

 CopyFile(PChar('C:\chellenger.exe'), PChar('C:\Documents and Settings\Omair\Start Menu\Programs\Startup\chellenger.exe'), False);

My solution was to put my Delphi app in a VB.NET app as a resource; the VB.NET app extracted it and put it to startup without false positives. Mixing two languages for your problem might solve your problem too (1 possible solution but a very ugly and nonprofessional solution I admit).

Omair Iqbal
This is really stupid. Looks like they (KIS) prevent **normal** way of adding app to startup. What you actually do is fooling KIS.
Andrey
Hi Omair. Why is your solution working? Looks like KIS cannot control .Net applications??
Altar
PS: recently I have discovered that KIS 2011 silently cuts my program from reading updates from internet. It worked fine with KIS 2010. I think I started to dislike Kaspersky (all versions).
Altar
@altar my solution probably works because unlike Delphi, VB.NET is not a common malware language. Delphi is very suitable for trojan programming; this might explain why Delphi apps often get false positives. Also I believe Delphi is being bullied (most people might disagree on this). If embarcedo (spellings?) technologies was a big company like Microsoft they would have filed a lawsuit against them (KIS). The KIS people hate us (Delphi community) passionately, we should hate them back!
Omair Iqbal
@Andrey: this is not just once, KIS has been a pain in my shoulder for quite some time. I don't get false positives from other vendors. For this prog above I also tried a few other things including adding my program to the Windows registry and even that didn't work, that's why I had to resort to this trick :)
Omair Iqbal
@Andrey: in what world copying an EXECUTABLE into a startup folder is a normal way of making it autostart? Normal way is to copy a SHORTCUT. Which is probably why Kaspersky thought this was suspicious.
himself
@himself I meant that it is normal, because he copies it to start menu, where user can see it. I agree that copying/creating shortcut is better, but it is not problem of antivirus. Virus can also add shortcut.
Andrey
+1  A: 

If the problem is just with Kaspersky, then just have your program detect if it is running. If so, scale back your file creation / writes to whatever passes their detection. Make sure you have some little status message somewhere that tells the user why things are slow. Incidentally, virus writers already know this which is why those heuristics simply don't work.

After doing that, contact Kaspersky and work with them directly to get this resolved.

This gets past your immediate issue and will give you and Kaspersky time to figure out a long term solution.

Alternatively, you could simply shut Kaspersky down.. Just make sure you grab all of their watch dogs in the process.. But that tends to be a little more combative.

Chris Lively
He says that he can't contact Kaspersky. And you really can't shut it down, they somehow prevent it. Yes, even with watchdogs. Plus it is not good to switch off user defense without telling him. Normal apps should not do this.
Andrey
I agree. Most antivirus programs are made not to be turned off. And the user may not like it. But, indeed I already added a message to inform the user about the problem when I cannot write to disk.
Altar
A: 

Creating a huge amount of files sounds like something that isn't necessarily A Good Thing, but you probably have your reasons :)

When you get the error code in Delphi, does KAV pop up any heuristic warnings, or is it completely silent? It wouldn't be weird to get a heuristic "omg, that app is doing something bad!" from creating a ton of new files, but if KAV is silent I'd say it's a bug.

Can you post a Delphi executable with the tiniest amount of code that reproduces the bug? And a version that does the same step but only creates one file, it might be interesting to trace with SysInternals' ProcMon.

snemarch
Amount is not that big: 10 to 100. I just used 1000 files in my tests to make the error appear often so I can observe it. No, KIS shows no messages at all. It is a bug since it blocks the application even I set my application as trusted!!!!!
Altar
Update - my output has to have a special format. I cannot just merge all files together (imagine merging several mp3 files together - makes no sense - right?)
Altar
+2  A: 

Kaspersky = pirate company? Maybe yes, maybe no. Maybe just yet another company with a bad product and nonexistent support. Their "support" consists in a FAQ database and an automatic email answering program. Phones are hooked to answering machines also. Their automated answers keep explaining to me how to add my program in KIS "exception" database. I keep replying to those stupid emails that I cannot personally go to all my customers at home and put my program in the "exception" database and that it will be better if they will fix the bug.

When I finally got a non-automatic answer (the only one), the support guy fella is as rude as possible.

Possible solutions for Delphi programmers:
* Don't check if the user has write permission to a file (in order not to trigger Kaspersky bug)
* Check if the user has write permission. If the bug appears inform the user that Kaspersky creates a problem and it should be temporarily disabled (while the program is running). Use a TRY EXCEPT block to do this.

Advice (based on my past experience):
Don't always blame your code if you ever received strange bug reports from your users when your program was trying to write to disk. Check also external factors (like existence of Kaspersky antivirus).

UPDATE:
I just applied for a refund. I will go for a chargeback if they won't refund the money (I strongly feel they won't).

Conclusion
When I posted this on StackOverflow I didn't realize the magnitude of the problem and I didn't realize it will deviate so much from initial course. Still I think it is well within the purpose of StackOverflow. We have all learned that sometimes the problems in our programs may not be caused by our faulty code and neither can we control the source of these problems (21 persons voted this question up - which means a lot of other people encountered issues with KIS). We can just hope that poorly designed programs that interact with user's system at a very low level (such as KIS antivirus program) will be soon fixed so our sales won't suffer (much).

It is just frustrating when your program is labeled "buggy" and you can't do much about it!

Altar
A: 

First, do you really need to test for write permissions by creating a file? Can't you just check the permission directly? I feel that creating a file for that purpose only is a lame way of doing it in any case.

Second, like noted above, it's likely that after you create and then delete a file, there is some intervention by Kaspersky's security mechanisms. Probably a driver tries to check the contents of the file you deleted, and keeps it alive for a while. Like this:

  1. You create the file and open it, incrementing the refcount.
  2. Kaspersky driver notices that and opens the file too. Even if you set share mode deny, as a driver it probably has the power to open it anyway (if Kaspersky could not circumvent sharing denials, any virus could have used the same trick to hide its data!).
  3. You close the file and delete it. When you delete the file, the system just marks it "FILE_FLAG_DELETE_ON_CLOSE", but the file is still there until all the handles to it are closed.
  4. Kaspersky continues to scan file, still haven't released the handle.
  5. Therefore the file is still there.
  6. You try to create a new file and the call fails because the old file is still not deleted.

The reason for all this mess is, of course, partly Kaspersky's checking mechanics, but they did nothing especially wrong here. Kaspersky needs to scan the file anyway, hardly anything can be done about that - it's antivirus, for crying out loud. On the other hand, checking permissions by creating and then deleting a file is (probably) very, very wrong. So I guess, you're the one at fault here.

himself
"Can't you just check the permission directly" - Can you give example of a function (let's say called CanWrite(Path: string) ) that returns TRUE if the file can be written and FALSE otherwise?
Altar
"Kaspersky continues to scan file, still haven't released the handle" - The file is damn empty. There is nothing to scan! Shouldn't KIS verify this first?
Altar
"Kaspersky continues to scan file, still haven't released the handle" - What if I want to read/write data at random location in file? Should I put a 5 seconds delay and hope KIS will release the handle?
Altar
Why should Kaspersky lock the damn file? Can't it scan it for viruses without locking it? If the file was deleted (without Recycle Bin), what's the point of keeping the lock on it? The file WAS DELETED! No virus can use it.
Altar
Even if my method is not elegant - it is also NOT wrong!! How can a programmer guess what kind of strange/buggy software may be installed in user's computer? Should we put a 5 seconds delay after every line of code? - - - Actually my code is elegant, unless somebody else has a better solution. :)
Altar
@Altar>Why should Kaspersky lock the damn file? --- Because ANY file that is opened for reading is locked for deleting. That's just how Windows does it. How would you expect Kaspersky to behave when the file it's reading is being deleted from under it?
himself
@Altar>Even if my method is not elegant - it is also NOT wrong!! --- Unless there are some special circumstances I'm not aware of (for example, some kind of bug makes it impossible to just query the permissions), your method is awfully wrong. Right, if you just want to create, delete, and then recreate a file, you do nothing wrong, but in this case you should be ready to handle the situation described. Because any file you create can be opened by anyone else, not only Kaspersky, any driver, and held locked, thus preventing the deletion for indefinite amount of time. That's normal behaviour.
himself
@altar>Can you give example of a function --- I suggest you check this http://www.codeproject.com/KB/asp/useraccesscheck.aspx, then msdn for the functions used. But the better way of doing it would be NOT checking the permissions then creating the file, but just trying to create the file, and if you have succeeded, passing the handle to the function which needs to write to the file. In other words, like this: hFile := TryToCreateAFile(filename); if (hFile<>INVALID_HANDLE_VALUE) then WriteDataAndClose(hFile);
himself
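
The approach suggested in the last comment, written out as an added example that is not part of the original thread: create the file once and write through that handle, with a short bounded retry for the case where another handle still holds the name. `CreateForWrite`, `WriteNewFile`, the retry count and delay, and the `out_N.tmp` file names are assumptions made for illustration.

```delphi
program SafeCreateDemo;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

// Hypothetical helper: open FileName for writing in one step. Retries only on
// the two errors a lingering foreign handle produces, then gives up.
function CreateForWrite(const FileName: string; MaxAttempts: Integer;
  DelayMs: Cardinal; out LastErr: DWORD): THandle;
var
  Attempt: Integer;
begin
  Result := INVALID_HANDLE_VALUE;
  LastErr := ERROR_SUCCESS;
  for Attempt := 1 to MaxAttempts do
  begin
    Result := CreateFile(PChar(FileName), GENERIC_WRITE, FILE_SHARE_READ, nil,
      CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if Result <> INVALID_HANDLE_VALUE then
    begin
      LastErr := ERROR_SUCCESS;
      Exit;
    end;
    LastErr := GetLastError;
    // ERROR_SHARING_VIOLATION: an open handle conflicts with this request.
    // ERROR_ACCESS_DENIED: also what Windows reports while a delete is pending.
    if (LastErr <> ERROR_SHARING_VIOLATION) and (LastErr <> ERROR_ACCESS_DENIED) then
      Exit; // bad path, disk full, ...: not transient, fail at once
    if Attempt < MaxAttempts then
      Sleep(DelayMs);
  end;
end;

// Create and write in one pass: no separate create/delete permission probe.
function WriteNewFile(const FileName: string; const Data; Count: DWORD): Boolean;
var
  H: THandle;
  Err, Written: DWORD;
begin
  H := CreateForWrite(FileName, 5, 100, Err);
  Result := H <> INVALID_HANDLE_VALUE;
  if not Result then
  begin
    Writeln(Format('%s: create failed, Win32 error %d (%s)',
      [FileName, Integer(Err), SysErrorMessage(Err)]));
    Exit;
  end;
  try
    Result := WriteFile(H, Data, Count, Written, nil) and (Written = Count);
  finally
    CloseHandle(H);
  end;
end;

var
  I, Failed: Integer;
  Payload: AnsiString;
begin
  Payload := 'constructed sample payload';
  Failed := 0;
  for I := 1 to 200 do
    if not WriteNewFile(Format('out_%d.tmp', [I]), Payload[1], Length(Payload)) then
      Inc(Failed);
  Writeln(Format('%d of 200 files failed', [Failed]));
end.
```

A real permission failure also surfaces as ERROR_ACCESS_DENIED, so it costs the full retry budget before being reported; the logged Win32 error code is what separates "cannot write here" from a transient conflict in a user's bug report.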