How can I test my applications against the popular virus scanners?
I need to find out whether my apps are being flagged as viruses by the most popular anti-virus packages (not best, but biggest by user base). I therefore would like to know how others go about this. Some background:

I have an application written in Delphi. Ever since the Delphi virus was found, I've had problems with false positives on my applications, particularly my demonstration versions for some reason (they all share the same code). AVG has been good, and I can now whitelist my files easily, but then I got the latest DevExpress installer and it was false-positived too. Given this is getting more widespread, it struck me that I need to find out if my apps are being flagged by the most popular anti-virus packages. I therefore would like to know how others go about this. I don't want people to be downloading our demonstration versions, getting an AV warning, and deciding not to try it.

The only options I have so far are buying a load of AV packages and putting them in a VM, or using a service like VirusTotal. The latter seemed an ideal option but for the fact that they limit the test to files under 20Mb, and my files are bigger than this. There is no paid-for option either to expand the capability. (I thought this an odd limit, but Kaspersky's free checker is limited to 1Mb!)

How do you check your applications?

Palmar answered 6/11, 2009 at 11:42 Comment(0)
My thoughts on this are as follows: I set up a computer (nothing special) with a lot of disk space. I'll call this the ScanPC. Every time I do a build, the script will copy the new files to the ScanPC into a build-specific directory. This will ensure that I have an archive of all builds that can be examined. Any one may have been released to customers.

Now, I then install VMware Server, and set up a number of virtual PCs. In each, I set up the anti-virus software to scan the network share, but in a read-only mode so that no scanner can accidentally modify or remove the false positive. Each VM can then be automatically updated from the vendor, and hopefully they will have an email option to tell me when they spot a virus, which I will then know is a false positive and can report to the vendor.

The benefit of this is that I have a complete build archive (something I need anyway), and it means that old versions out with customers that trigger the AV are identified as well as the most recent. It means I can add or remove AV products as appropriate. It means that I only need a single computer (performance is not important).

Palmar answered 6/11, 2009 at 14:0 Comment(0)
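An added example (written for this page, not code from the answer above or from any AV vendor) of the two automated pieces this ScanPC setup needs: a post-build step that copies a build into a build-specific directory and records a SHA-256 manifest beside it, and a triage step that maps scanner hits back to the build and file they came from and groups them by file hash, so one binary that shipped unchanged in several builds is reported to the vendor once with every affected build listed. The one-line hit-log format, the `/builds` share path as seen from the VMs, the ScannerA/ScannerB names and the `demo()` data are all constructed assumptions; real products each write their own report format, so `HIT_RE` would need adjusting per product.

```python
"""Build archive + false-positive triage for a ScanPC-style setup (example code)."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumed (constructed) one-hit-per-line report format written by the scanner VMs.
# Real AV products each have their own log/report format; adjust this regex per product.
HIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) scanner=(?P<scanner>\S+) verdict=(?P<verdict>\S+) file=(?P<file>.+)$"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_build(src_dir: Path, scan_root: Path, build_id: str) -> dict:
    """Copy one build into scan_root/<build_id>/ and write MANIFEST.sha256 beside it.

    Returns {relative_path: sha256}. Refuses to overwrite an existing build directory,
    so an archived build (possibly already shipped to customers) is never replaced.
    """
    dest = scan_root / build_id
    dest.mkdir(parents=True, exist_ok=False)
    manifest = {}
    for f in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = f.relative_to(src_dir)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel.as_posix()] = sha256_file(target)
    lines = [f"{digest}  {rel}" for rel, digest in sorted(manifest.items())]
    (dest / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def parse_hits(log_lines, scan_root: str):
    """Turn scanner log lines into (build_id, relative_path, scanner, verdict) tuples.

    scan_root is the share path as the scanner VMs see it. Lines that do not match the
    format or do not point under scan_root are ignored.
    """
    hits = []
    prefix = scan_root.rstrip("/") + "/"
    for line in log_lines:
        m = HIT_RE.match(line.strip())
        if not m or not m["file"].startswith(prefix):
            continue
        build_id, _, rel = m["file"][len(prefix):].partition("/")
        if rel:
            hits.append((build_id, rel, m["scanner"], m["verdict"]))
    return hits


def triage(hits, manifests):
    """Group hits by file hash: one vendor report per distinct binary, listing every build.

    manifests is {build_id: {relative_path: sha256}} as returned by archive_build.
    Hits on files that were not archived (e.g. the manifest itself) are dropped.
    """
    by_hash = {}
    for build_id, rel, scanner, verdict in hits:
        digest = manifests.get(build_id, {}).get(rel)
        if digest is None:
            continue
        entry = by_hash.setdefault(digest, {"builds": set(), "paths": set(), "detections": set()})
        entry["builds"].add(build_id)
        entry["paths"].add(rel)
        entry["detections"].add((scanner, verdict))
    return by_hash


def demo():
    """Run the whole flow on constructed data in a temp dir and return the triage table."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "out"
        (src / "demo").mkdir(parents=True)
        (src / "demo" / "MyApp.exe").write_bytes(b"hello")  # constructed stand-in for a binary
        (src / "README.txt").write_bytes(b"readme")
        scan_root = root / "builds"
        manifests = {
            "1.2.0.45": archive_build(src, scan_root, "1.2.0.45"),
            "1.2.0.46": archive_build(src, scan_root, "1.2.0.46"),  # same bits, new build number
        }
        # Constructed hit lines, with paths as the scanner VMs would see the share.
        log = [
            "2009-11-06 14:02:11 scanner=ScannerA verdict=Heuristic.Generic file=/builds/1.2.0.45/demo/MyApp.exe",
            "2009-11-06 14:05:40 scanner=ScannerB verdict=Suspicious.Packer file=/builds/1.2.0.46/demo/MyApp.exe",
            "2009-11-06 14:05:41 scanner=ScannerB verdict=Suspicious.Packer file=/builds/1.2.0.46/MANIFEST.sha256",
            "garbage line that should be ignored",
        ]
        return triage(parse_hits(log, "/builds"), manifests)


if __name__ == "__main__":
    for digest, entry in demo().items():
        print(digest, sorted(entry["builds"]), sorted(entry["paths"]), sorted(entry["detections"]))
```

Grouping by hash is the point: the same `MyApp.exe` flagged under two build numbers collapses to one entry, which is the unit a vendor's false-positive submission form wants, while the manifest gives you the hash to quote and the list of shipped builds the fix needs to cover.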
VirusScan.jotti.org and VirusTotal.com may help

Mcnully answered 6/11, 2009 at 11:52 Comment(1)
The first has a 15Mb limit, and the second a 20Mb limit. The second is what I meant in my text, but I got the name the wrong way round (now corrected). If I could pay to upload loads of files over time and have an email when any one triggers, that would be perfect! Doing one at a time is not too hot as the false trigger may happen after I check. (Palmar)
http://online.us.drweb.com/

I couldn't see any file size limit on it.

Stormystorting answered 6/11, 2009 at 12:52 Comment(1)
Thanks, but that appears to be a single vendor test? I need to check against all the main AV products. (Palmar)