-1

I'm writing a program that downloads a file (a DLL) from my server and uses this file. But when the download is complete, my antivirus (Kaspersky) detects my file as Constructor.Win32.Downldr.xr. How can I solve this?

However, I put my 2 files in www.virustotal.com and both have no virus.

Note: The two files (the program that makes the download and the file, that is a dll) are made in Delphi 7.

paulohr
  • 3
    It seems you made something that heuristic analysis detected as a malicious piece of code (looking at your previous questions, it might be something like loading a library from a resource or whatever else, hard to say). Still, the only answer here is to contact the vendor and send them your files for a deeper analysis, and optionally have your application added to their whitelist as a false positive. – TLama Apr 16 '12 at 02:56
  • I seriously doubt you can do much about it. Remember that the reason there are so many signatures that match small Delphi executables is because Delphi seems insanely popular with malware authors. Make your executable a few hundred KB larger and I bet the problem goes away. :-) – Warren P Apr 16 '12 at 03:00
  • 1
    Remember that some AVs detect "new files" on the system, so even if you were to use SSL to download the file, once on disk, some AVs will run a scan on it. –  Apr 16 '12 at 06:43
  • @Warren, I had a seriously large application that got false alarmed by AVG a lot. I contacted support, and they gave me an FTP account to send any files to for removing the trigger. But then they switched to recognising digital signatures, and our apps no longer trigger at all. – mj2008 Apr 16 '12 at 07:54
  • This should be linked http://stackoverflow.com/questions/3339136/antivirus-false-positive-in-my-executable – EMBarbosa Apr 18 '12 at 01:34

2 Answers

5

You can't expect to bypass the anti-virus software so that leaves two options:

  1. Persuade the AV vendors that your DLL is clean and get them to update their signatures.
  2. Change your DLL sufficiently so that it does not fall foul of the scanners. That's going to require trial and error I guess.

In a previous question you asked how to download a DLL file to memory and then load it from memory rather than a file. I expect most good anti-virus software would regard any software that does that as being malware.

If I were you I would download to a temporary file and use the officially supported LoadLibrary to load the code. The AV software may be more lenient to that. If you are not prepared to do that then your software probably is malware in my eyes, even if you don't mean harm. Even if you do that, downloading and executing DLLs from the internet without the user's explicit consent is verging on malware in anyone's eyes.

Let's put it another way. I would never let this program of yours run on my machine and I would be pleased when my AV software flagged it.

David Heffernan
0

You may also try to use HTTPS or any secure connection when downloading the file. Some antivirus products can't look into encrypted connections.

Gustavo Gondim
  • 2
    @paulohr, you don't need to try this. The files are mainly checked when they are downloaded after all. – TLama Apr 16 '12 at 03:26
  • @Gustavo, in English please ;-) That comment was to your answer, nothing rude. I was trying to comment that it makes no sense to use secured downloads, because IMHO every antiviral application has a system (laid deep down in the system, based on a driver) which detects changes on your hard drive, and downloading of a file is such a change. – TLama Apr 16 '12 at 05:08
  • That just depends on what level the AV looks at the HTTP connection, whether before or after it has been decrypted. Guess any good one will install in the network stack to look at them after, or any HTTPS site could be a risk, and anyway if they write to disk, the data are checked unencrypted. – Mad Hatter Apr 16 '12 at 12:27
  • 1
    @TLama, don't worry =) I said that because I had a problem with an Internet Security once in life... And I solved the problem using a secure connection. But, no problem! – Gustavo Gondim Apr 16 '12 at 14:46