Antivirus False positive in my executable

Question

I just ran into an annoying problem. Suddenly Avira AntiVir started to flag one executable from my software as being a virus.

As the default action from almost any user is to click OK and Avira suggests to put the virus in quarantine, most of my users are deleting this executable.

Well, let's not be arrogant and check if I'm not infected indeed. I posted the file to http://www.virustotal.com and from all anti virus only Avira flags it as infected. Furthermore I scanned my computer with two different anti viruses and it is clean.

I already posted a mail to my users explaining what is happening but this is an overhead to my support that I really don't want.

OK, the question is: Is there a way to avoid this kind of behavior? I can't think any way else than signing the files, (don't really know if it would solve) but let's see if you have any creative idea.

AVG is also a week anti-virus that reports lots of false positives. I have seen it with my (clean) programs. — Z80, Apr 18 '11 at 15:46
My app has 0 dectection rate on Virustotal, but it's being flagged as 'Trojan' by Windows Defender. Very frustrating ! — delphirules, May 05 '16 at 13:32
Maybe a class action lawsuit against those antivirus producers will help: https://docs.google.com/forms/d/1H3_O1z1iEqfh9ZT9u3B0R1tGEj-Hc9o7rAE0LKPr33Y — Z80, May 10 '17 at 08:05

score 27 · Accepted Answer · edited May 23 '17 at 11:54

It is surprisingly common that Delphi applications are reported as (potentially) harmful by AV applications. It happened to me a while ago, using Delphi 2009, see http://en.wikipedia.org/wiki/Wikipedia:Reference_desk/Archives/Computing/2010_March_20#Delphi.2FAVG_Issue.

At SO, we also have

and many more.

It might be the actual Induc Virus. But most likely, it is a false positive.

score 24 · Answer 2 · answered Jul 27 '10 at 00:53

24

Andreas's answer is excellent; it just happens a lot to Delphi applications.

Signing code doesn't make any difference -- I've had NOD32 throw false positives on signed Delphi code.

If there were any techniques that would avoid false-positives, virus authors will use them to avoid detection.

I've found the best course of action is, unfortunately, reactive rather than proactive. All AV vendors have a facility to report false positives, and I've found them to be responsive to reports.

answered Jul 27 '10 at 00:53

glob

2,929
15
21

2

Indeed. Avira took less than 12 hours to confirm the false positive. – Ricardo Acras Jul 27 '10 at 11:31
Don't forget to take the survey on that: https://docs.google.com/forms/d/1H3_O1z1iEqfh9ZT9u3B0R1tGEj-Hc9o7rAE0LKPr33Y/edit#responses – Z80 Jul 30 '19 at 08:17

Z80 · Answer 3 · 2020-07-26T22:07:22.217

Many honest developers have problems because of careless antivirus software. See this also: How to prevent false positive virus alarm on my software?

Imagine that for each false positive they show, you lose a possible customer. Programmers should take action against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them.

Update:
Recently I have observed that:

Number of false positives on VirusTotal.com is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) then when it is compiled in 'Debug mode'.
Detection sky rockets when EurekaLog is used.

So, submit to VirusTotal before you publish your program!

Update 2019:
Unfortunately, InnoSetup is not spared also. I created a dummy installer with InnoSetup and upload it on VirusTotal. 5 out of 52 programs reported a false positive! Update on update: Now the number of false positive extended to 9!

I clicked rescan, and now it's up to 18! – xioxox Mar 09 '20 at 16:31 — xioxox, Mar 09 '20 at 16:31

score 3 · Answer 4 · answered Jul 27 '10 at 00:45

3

As a solution, you may want to:

1 - Verify your Delphi compiler is not infected
2 - Verify your sources and libraries are not tempered with (that was the M.O. for the Induc Virus)
3 - Check your (guaranteed) clean exe with the AVs. If they report a false positive, contact them so they could fix their tests.

4 - If you need to distribute before there is a chance to correct the AVs, sign your exe, so that your users could verify it's clean.

answered Jul 27 '10 at 00:45

Francesca

21,156
3
46
87

1

Digital signing is a good option and prevent false positive detection too but Most of the developers like me can't afford 200 to 500 USD per year. Sometimes software were freeware or sometimes they doesn't generates much revenue to pay $200/year. – Muhammad Saqib Jul 12 '16 at 19:13
2

Signing applications makes no difference most of the time. All it does is tell *Windows* that your application comes from a trustworthy source. That is all. Antiviruses tend to ignore that, because there are plenty of viruses which may have also been signed. – Jerry Dodge Mar 21 '17 at 00:39

score 3 · Answer 5 · answered Jul 27 '10 at 07:21

There are several reasons why an Anti Virus product might trigger on a Delphi produced exe, a few common reasons are:

Lots of viruses are written in Delphi and therefore your exe might have some code parts that look the same as existing viruses.
The import table of your program is used to determine what your exe might do, for instance linking to Credentials Management or Disk Management functions triggers some AV's.

As suggested before try scanning your release version with online services such as Virustotal or Jotti and always report your false positives to vendors instead of trying to prevent being a false positive. My experience is that AV vendors react quite fast on submission.

"AV vendors react quite fast on submission" --- Most vendors report that the changes will appear 72 hours after they review your case. So, this is like over 100 hours after you SUBMITTED your case. But Sophos especially is a nightmare. Slow and useless. — Z80, Jun 02 '17 at 09:34

score 3 · Answer 6 · answered Jul 27 '10 at 10:08

3

In Free Pascal/Lazarus groups and bugtracker, such messages happen nearly every release and/or month.

We generally advise users to ignore all "generic" or "heuristic" scanning types, and stick to signature based scanning (as most corporate virusscanners do).

This because it is nearly always an heuristic alarms, never specific malware. This can be readily seen in the fact that the detected "virus/trojan" is nearly always of the "generic" type. Usually the virusscanners are also typical "home" virusscanners, or home editions of general virusscanners (Norton used to be particularly bad, nowadays it mostly the smaller scale "cheap" home use scanners)

However we communicate mostly with developers, and already have trouble getting this message across. I can imagine, when distributing to clueless end-users, this is a real difficult message to communicate.

Still, there is no other way.

answered Jul 27 '10 at 10:08

Marco van de Voort

24,435
5
52
86

I've received some comments on this post, acusing me of dissing "home" scanners. I didn't mean to do that since I assume the corporate and home scanners of McAfee and Norton are the same codebase anyway. The point is more that the default settings differ. Corporate versions typically turn off uncertain heuristics. – Marco van de Voort Nov 21 '10 at 13:29
Home users are MUST more lickly to get hit by new viruss, as they are less carefull then a IT department, therefore it is reasonble for the home setting to default to doing as many checks as possible. – Ian Ringrose Nov 24 '10 at 16:55
Home users can turn the avirus off on false positives which is a far bigger risk. But the reality is that home avirus is bought for "scare" value. Home users think that a virus that doesn't react daily is worthless. – Marco van de Voort Nov 25 '10 at 08:05

Antivirus False positive in my executable

6 Answers6

Linked

Related