Possible Duplicate:
Antivirus False positive in my executable
Until now, I had over 15 false virus alarms for my programs. Most of them were from Kaspersky, which reports ALWAYS the same virus: Trojan-GameThief.Win32.Lmir.pcd. There are 3 questions:
For the first question, because it detects always the same virus, I guess it is because one of my routines that I use in all my programs. But which one exactly, I don't know. For the second question I was thinking about modifying the program just a bit and recompiling it, just enough to change its code so the antivirus will not recognize it anymore and release the new version. The third question is the most difficult one. How to check ALL my programs against ALL antivirus programs in the world?
Update:
Has anybody knowledge about how this issue can be handled legally? There seems that many Delphi developers have the same problem. The reckless antivirus companies make money on our back by showing lots of false positive alarms, making their customers to think they are safe when there was actually no danger. While we are losing customers - they are making customers.
I informed the antivirus company about the problem but they fix it only for that specific version. Next time I release an update, the false alarm appears again. They just don't care.
Many honest developers have problems because of careless antivirus software. See this also: How to prevent false positive virus alarm on my software?
Maybe we can unite against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them. We should sign a petition to let them know that we don't accept this anymore.
Update 2017
* Last week my program had a detection ratio of close to 50% on VirusTotal. I deleted a single line of code and magically the detection dropped to 2 out of 61 (antiviruses). It is amazing how random these antivirus products behave.
* Detection is MUCH higher when the program is compiled is 'Release mode' (with compiler optimizations) then when it is compiled in 'Debug mode'.
* Detection sky rockets when EurekaLog is used.
Update 2019
It is almost 9 years later and not much improved.
Unfortunately, InnoSetup is not spared also. I created a dummy installer with InnoSetup and upload it on VirusTotal. 5 out of 52 programs reported a false positive!
Conclusion:
False positive is falsely and positively identifying a virus, i.e., an instance of wrongly labeling a benign program as malicious program. False positive is considered as a drawback of a virus detection method. Minor weaknesses of any virus detection method can lead to false positives.
There's no foolproof way to know for sure whether a file is actually a false positive. All we can do is gather evidence — what other antivirus programs say, whether the file is from a trustworthy source, and exactly what type of malware the file is flagged as — before making our best guess.
VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue.
First, make sure that you do not have the Win32.Induc delphi virus, which changes SysConst.dcu so that applications you compile will be infected.
Use #3 to narrow down what in your code is causing the false positive. API calls which change process memory will trigger heuristic scanners. Even including the names of some of the API functions (such as WriteProcessMemory) will trigger a scanner. Make changes to a test application and submit to #3 until you narrow the problem down. If you use a packer, then the AV software will probably unpack it anyway, but test with and without packing.
Will depend on #1.
Virustotal is used by virus developers to check their virus is not detected, so Virustotal will send any test file to the anti-virus people for analysis. There used to be an option to switch this off, but it was removed several years ago. This can make the problem worse for you if you submit an application multiple times, so I would recommend using http://virusscan.jotti.org/ for your initial testing.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With