Accidentally created a virus?

I've seen it happen reasonably often: I write an application in Delphi and when I compile it, the virus-scanner tells me that I've created a virus and then immediately deletes the executable again. It's annoying but reasonably easy to fix by doing a full rebuild, deleting the *.dcu files first and sometimes by simply waiting.

It happens with Delphi 6, 7, 2005 and 2007, as far as I know. And Symantec, Kaspersky, McAfee and NOD32 have all been guilty of reporting these false positives. I know it's because Delphi adds timestamps to its DCU files and these timestamps end up in the final executable and apparently appear to be part of some random virus signature.

I don't want to disable the virus-scanner, not even for a single folder or file. And I'm not really looking for a solution, but am wondering about the following:

  • Do these false positives also occur with other compilers?
  • Does it also happen with .NET executables?
  • Do others also notice similar problems with Delphi?
like image 641
Wim ten Brink asked Jun 14 '09 20:06



2 Answers

Do these false positives also occur with other compilers?

Yes, this has been a common problem in the past for AutoIt, as addressed in this forum post "Are my AutoIt EXEs really infected?". In most cases, including AutoIt, it stems from poor heuristic practices. Since AutoIt uses the free and open UPX compressor, it is often mistaken for malicious code that also uses UPX.

The best (and possibly only) thing you can do is report these mistakes, so they can refine their heuristics or at least white list your app.

Below is a list of contact information for some popular anti-virus companies. They all claim to appreciate submissions as it helps them make their product better.

  • AntiVir - Contact
  • A2 (A-Squared) - Contact (email address)
  • Avast! - Contact
  • AVG - Contact
  • BitDefender - Contact
  • BullGuard - Contact
  • CA Anti-Virus - Contact
  • ClamAV - Contact
  • ClamWin - Contact
  • Comodo - Contact
  • ESET's Nod32 - Contact
  • eSafe - Contact (login required)
  • Fortinet - Contact
  • F-PROT - Contact
  • F-Secure - Contact
  • G-Data - Contact
  • Kaspersky - Contact
  • McAfee - Contact (email address)
  • Norman - Contact (email address)
  • Panda Anti-Virus - Contact
  • Sophos - Contact
  • Symantec (Norton) - Contact
  • Vipre - Contact
  • Windows Live OneCare - Contact
  • ZoneLabs - Contact

Turns out there is a great list of AV software on Wikipedia, called 'List of antivirus software'. It is more complete than my list above.

A member of the AutoIt Forums made a great script to e-mail a false positive to a huge list of AV vendors to automate this process a bit.

like image 58
Copas answered Sep 28 '22 04:09
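
A false-positive report of the kind this answer recommends is easier for a vendor to act on when it names the exact file hash and says whether the build carries UPX's default section names. The following is an added example, not code from the original post or from AutoIt: the function names and the header-only sample images are constructed for illustration, and the UPX check assumes the packer's default `UPX0`/`UPX1` section names.

```python
import hashlib
import struct

def pe_summary(data: bytes) -> dict:
    """Facts worth quoting in a false-positive report for a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise ValueError("PE signature or COFF header missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, symbol table
    # pointer and count, SizeOfOptionalHeader, Characteristics.
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                          # first section header
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i: table + 40 * i + 8]      # 8-byte Name field
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp": stamp,
        "sections": names,
        # Heuristic only: default UPX section names; renamed sections are missed.
        "upx_names": any(n.startswith("UPX") for n in names),
    }

def sample_pe(section_names, stamp=0x4A355F00):
    """Constructed, header-only PE image (parseable, not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), stamp, 0, 0, 0, 0x102)
    sects = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sects

if __name__ == "__main__":
    for label, names in (("plain", ["CODE", "DATA", ".rsrc"]),
                         ("packed", ["UPX0", "UPX1", ".rsrc"])):
        info = pe_summary(sample_pe(names))
        print(label, info["sha256"][:16], info["sections"], info["upx_names"])
```

To use it on a real build, pass the bytes of the compiled executable to `pe_summary` and paste the resulting hash and section list into the vendor's submission form.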


Sounds more like a heuristic screw-up to me. Do you have heuristics turned on (some scanners may refer to it as "virus-like code")? The chances that time stamps would equate to "a portion of some virus signature" seem too small to be happening all the time.

When I used to run a virus scanner, I never saw this problem with D6 or D7.

like image 39
JimG answered Sep 28 '22 03:09