Antivirus False positive in my executable

I just ran into an annoying problem. Suddenly Avira AntiVir started to flag one executable from my software as being a virus.

As the default action of almost any user is to click OK, and Avira suggests putting the virus in quarantine, most of my users are deleting this executable.

Well, let's not be arrogant and check whether I'm actually infected. I posted the file to http://www.virustotal.com and, of all the antivirus engines, only Avira flags it as infected. Furthermore, I scanned my computer with two different antivirus programs and it is clean.

I already posted a mail to my users explaining what is happening but this is an overhead to my support that I really don't want.

OK, the question is: is there a way to avoid this kind of behavior? I can't think of any other way than signing the files (I don't really know if it would solve it), but let's see if you have any creative ideas.

Ricardo Acras, asked Jul 26 '10 21:07



2 Answers

It is surprisingly common that Delphi applications are reported as (potentially) harmful by AV applications. It happened to me a while ago, using Delphi 2009, see http://en.wikipedia.org/wiki/Wikipedia:Reference_desk/Archives/Computing/2010_March_20#Delphi.2FAVG_Issue.

At SO, we also have

  • Virus in Delphi 7
  • Accidentally created a virus?

and many more.

It might be the actual Induc Virus. But most likely, it is a false positive.

Andreas Rejbrand, answered Oct 08 '22 09:10


Andreas's answer is excellent; it just happens a lot to Delphi applications.

Signing code doesn't make any difference -- I've had NOD32 throw false positives on signed Delphi code.

If there were any techniques that would avoid false positives, virus authors would use them to avoid detection.

I've found the best course of action is, unfortunately, reactive rather than proactive. All AV vendors have a facility to report false positives, and I've found them to be responsive to reports.

glob, answered Oct 08 '22 10:10