How to prevent false positive virus alarm on my software? [duplicate]

Possible Duplicate:
Antivirus False positive in my executable

Until now, I have had over 15 false virus alarms for my programs. Most of them were from Kaspersky, which ALWAYS reports the same virus: Trojan-GameThief.Win32.Lmir.pcd. There are 3 questions:

  1. Why does it appear?
  2. How to prevent it?
  3. How to detect it?

For the first question, because it always detects the same virus, I guess it is because of one of the routines that I use in all my programs. But which one exactly, I don't know. For the second question I was thinking about modifying the program just a bit and recompiling it, just enough to change its code so the antivirus will not recognize it anymore, and releasing the new version. The third question is the most difficult one. How to check ALL my programs against ALL antivirus programs in the world?


Update:
Does anybody know how this issue can be handled legally? It seems that many Delphi developers have the same problem. The reckless antivirus companies make money on our backs by showing lots of false positive alarms, making their customers think they are safe when there was actually no danger. While we are losing customers, they are gaining customers. I informed the antivirus company about the problem, but they fix it only for that specific version. The next time I release an update, the false alarm appears again. They just don't care.

Many honest developers have problems because of careless antivirus software. See this also: How to prevent false positive virus alarm on my software?

Maybe we can unite against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them. We should sign a petition to let them know that we don't accept this anymore.

Update 2017
* Last week my program had a detection ratio of close to 50% on VirusTotal. I deleted a single line of code and magically the detection dropped to 2 out of 61 (antiviruses). It is amazing how random these antivirus products behave.
* Detection is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) than when it is compiled in 'Debug mode'.
* Detection skyrockets when EurekaLog is used.

Update 2019
It is almost 9 years later and not much improved.
Unfortunately, InnoSetup is not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 programs reported a false positive!

Conclusion:

  • At the end of the day upload your exe file to VirusTotal. If the detection ratio suddenly jumps, review the changes you have done in your code and remove the "harmful" ones.
  • Use WinRar 3 as installer. It raises less flags than WinRar 5 or InnoSetup.
Nothingness answered 21/11, 2010 at 11:11 Comment(3)
While it is indeed annoying, AV companies usually aren't explicitly designed to cause false positives for the specific purpose of making themselves look better than the competition; if anything, that would actually make them look worse, because it makes them the AV who cried wolf. The issue is merely that a lot of them are overly zealous when analysing programs they're not familiar with (and thus tend to pick up more false positives), which often includes programs you compile yourself.Homan
True, but if it gives messages like that too often, or for programs that other AV programs don't detect anything for (especially if the program's documentation or FAQ explicitly notes that this particular AV program gives a false positive), people will start to get suspicious of the AV program.Homan
What helped me was 1) turning off optimization, 2) packing the exe with upx.exe Blaineblainey

First, make sure that you do not have the Win32.Induc delphi virus, which changes SysConst.dcu so that applications you compile will be infected.

  1. Use #3 to narrow down what in your code is causing the false positive. API calls which change process memory will trigger heuristic scanners. Even including the names of some of the API functions (such as WriteProcessMemory) will trigger a scanner. Make changes to a test application and submit to #3 until you narrow the problem down. If you use a packer, then the AV software will probably unpack it anyway, but test with and without packing.

  2. Will depend on #1.

  3. Virustotal is used by virus developers to check their virus is not detected, so Virustotal will send any test file to the anti-virus people for analysis. There used to be an option to switch this off, but it was removed several years ago. This can make the problem worse for you if you submit an application multiple times, so I would recommend using http://virusscan.jotti.org/ for your initial testing.

Backhander answered 21/11, 2010 at 18:57 Comment(2)
Actually, jotti.org sends submitted files to the AV companies too. I don't think this is much of a problem, so perhaps use virustotal as it has the highest number of AV engines (43 vs 20 odd for jotti).Backhander
No. I don't have Win32.Induc. I am sick of these antivirus companies that blame innocent software developers just to make sure they get as many alarms as possible (no matter if they are good or false alarms). Nothingness
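One way to do the narrowing that point 1 above describes from the binary itself, as an added example that is not part of this answer or of the thread: the script scans a compiled file for a watchlist of Win32 API names, as plain ASCII (how they appear in an import table) and as UTF-16LE (how a string constant holding the name may be stored), and reports which names a new build introduces compared with the previous build. The watchlist is an assumption, a few process-memory and injection APIs that heuristic scanners are commonly thought to weight, not any vendor's actual rule set, and the two byte strings are constructed stand-ins for real executables.

```python
"""Find heuristic-trigger Win32 API names inside a compiled binary.

Added example, not from the original thread. WATCHLIST is an assumption:
process-memory and injection APIs commonly weighted by heuristic scanners,
not a vendor's real signature set (those are not public).
"""
import re
import sys
from typing import Dict, List, Set, Tuple

WATCHLIST = [
    "WriteProcessMemory", "ReadProcessMemory", "VirtualAllocEx",
    "VirtualProtectEx", "CreateRemoteThread", "SetWindowsHookExA",
    "SetWindowsHookExW", "NtUnmapViewOfSection",
]


def find_api_names(blob: bytes, names=WATCHLIST) -> Dict[str, List[Tuple[int, str]]]:
    """Return {api_name: [(offset, encoding), ...]} for every watchlisted name
    present in blob, searching both ASCII (import table entries, PE strings)
    and UTF-16LE (wide string constants). Names that are absent are omitted."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for name in names:
        for enc, pat in (("ascii", name.encode("ascii")),
                         ("utf-16le", name.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pat), blob):
                hits.setdefault(name, []).append((m.start(), enc))
    for name in hits:
        hits[name].sort()
    return hits


def new_names(previous: bytes, current: bytes) -> Set[str]:
    """Watchlisted names that the current build contains but the previous
    build did not: the first place to look when the detection ratio jumps."""
    return set(find_api_names(current)) - set(find_api_names(previous))


def scan_file(path: str) -> Dict[str, List[Tuple[int, str]]]:
    with open(path, "rb") as f:
        return find_api_names(f.read())


# Constructed stand-ins for two builds: a minimal fake import directory,
# then the same thing with an injection-style import set appended. These
# are not real PE files, only the byte patterns the scan looks at.
SAMPLE_CLEAN = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00"
    + b"USER32.dll\x00MessageBoxA\x00"
)
SAMPLE_INJECTING = (
    SAMPLE_CLEAN
    + b"VirtualAllocEx\x00"                          # 15 bytes
    + b"WriteProcessMemory\x00"                      # 19 bytes
    + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python scan.py old_build.exe new_build.exe
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            print("newly introduced:", sorted(new_names(a.read(), b.read())))
    else:
        for name, where in sorted(find_api_names(SAMPLE_INJECTING).items()):
            print(f"{name}: {where}")
        print("newly introduced:", sorted(new_names(SAMPLE_CLEAN, SAMPLE_INJECTING)))
```

Run it against the previous and the current build to get the list of watchlisted names that only the new build carries; a hit does not prove the detection comes from that name, but it tells you which routine to stub out first before resubmitting a test build to the scanners.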

3rd question: There is a website called VirusTotal which scans files with lots of antivirus engines. They have an API, so you can make this part of your build process.

also, some similar questions might help:

Antivirus False positive in my executable

Virus in Delphi 7

https://stackoverflow.com/questions/3534050/my-software-is-not-a-virus-what-should-i-do (Snapshot of deleted question)

Accidentally created a virus?

Distinguished answered 21/11, 2010 at 11:14 Comment(4)
Try to include version information in your software; this may give it some prestige of legitimacy! Trauner
The article "Fix anti-virus detection of my software" was useful, but a Stackoverflow moderator, in its infinite wisdom, deleted it. Nothingness
@Rigel I've added a screenshot. I don't agree with the deletion and I've flagged it but the sad truth is that this is how StackOverflow is these days. Being a moderator is a difficult and thankless task made harder by the general decay of the site: meta.#386824Distinguished
Yet another GOOD article about the decline of SO: hackernoon.com/the-decline-of-stack-overflow-7cb69faa575d and hackernoon.com/…Nothingness
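An added example of the build step this answer mentions, written against the public VirusTotal v3 REST API (GET /api/v3/files/{sha256} with the x-apikey header). It is not code from the thread or from VirusTotal, and the engine names, verdicts, threshold and both sample reports in it are constructed for illustration. It looks the build up by SHA-256 first, which, unlike uploading, does not hand your sample to the AV vendors (the caveat raised in the other answer), fails the build when more than max_flagged engines flag it, and lists which engines newly flag the build relative to the previous report so you know which change to bisect.

```python
"""Gate a release build on its VirusTotal v3 report.

Added example, not code from the thread or from VirusTotal. Endpoint and
header names are the public v3 ones; engine names, verdicts and the sample
reports below are constructed. Set VT_API_KEY in the environment to run it
against a real build.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
FLAGGED = ("malicious", "suspicious")
# last_analysis_stats buckets for engines that actually delivered a verdict;
# timeouts, failures and type-unsupported are not counted as scans.
COUNTED = ("malicious", "suspicious", "undetected", "harmless")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """GET /api/v3/files/{hash}. A hash lookup never transmits the binary,
    so nothing is shared with the engines. Returns None when VT has not seen
    the file (HTTP 404); uploading is then a deliberate, manual decision."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def detection_ratio(report: dict) -> Tuple[int, int]:
    """(engines flagging the file, engines that scanned it)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = sum(stats.get(k, 0) for k in FLAGGED)
    scanned = sum(stats.get(k, 0) for k in COUNTED)
    return flagged, scanned


def passes_gate(report: dict, max_flagged: int) -> bool:
    return detection_ratio(report)[0] <= max_flagged


def newly_flagged(previous: dict, current: dict) -> Dict[str, str]:
    """Engines that flag the current build but did not flag the previous one,
    with their verdict string (or the category when no name was given)."""
    def flagged_by(rep: dict) -> Dict[str, str]:
        results = rep["data"]["attributes"].get("last_analysis_results", {})
        return {eng: (v.get("result") or v["category"])
                for eng, v in results.items() if v["category"] in FLAGGED}
    before, after = flagged_by(previous), flagged_by(current)
    return {eng: verdict for eng, verdict in after.items() if eng not in before}


def _report(stats: dict, results: dict) -> dict:
    return {"data": {"attributes": {"last_analysis_stats": stats,
                                    "last_analysis_results": results}}}


# Constructed sample reports for two consecutive builds (fictional engines).
PREVIOUS_REPORT = _report(
    {"malicious": 1, "suspicious": 0, "undetected": 58, "harmless": 0,
     "type-unsupported": 4, "timeout": 0, "failure": 0, "confirmed-timeout": 0},
    {"EngineA": {"category": "malicious", "result": "Trojan.Generic"},
     "EngineB": {"category": "undetected", "result": None},
     "EngineC": {"category": "undetected", "result": None}})
CURRENT_REPORT = _report(
    {"malicious": 2, "suspicious": 1, "undetected": 55, "harmless": 0,
     "type-unsupported": 4, "timeout": 1, "failure": 0, "confirmed-timeout": 0},
    {"EngineA": {"category": "malicious", "result": "Trojan.Generic"},
     "EngineB": {"category": "malicious", "result": "Heuristic.Injector"},
     "EngineC": {"category": "suspicious", "result": None}})

if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_gate.py build/app.exe [max_flagged]
    path = sys.argv[1]
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    report = lookup_hash(sha256_of_file(path), os.environ["VT_API_KEY"])
    if report is None:
        print("unknown to VirusTotal; upload manually only if you accept sharing the sample")
        sys.exit(2)
    flagged, scanned = detection_ratio(report)
    print(f"{flagged}/{scanned} engines flag {path}")
    sys.exit(0 if passes_gate(report, limit) else 1)
```

Keep the previous build's report (the JSON from the lookup) beside the artifact; when the ratio jumps, newly_flagged tells you which engines changed their mind, and the build diff between the two artifacts is the set of changes to bisect.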
