
We have a Delphi 7 application running on numerous client machines. Recently, some of the client machines started using Microsoft Security Essentials. It started identifying our executable as malware and promptly shut it down. The message displayed by MS Security essentials is:

"Security Essentials detected items on your PC that it doesn't recognize......"

Odd thing is it does not always occur at the same option in the application. You can do the very same operation on subsequent logins and sometimes it works and other times security essentials closes it down. This makes it extremely hard to narrow down to a specific cause in our application.

I tried running the application with elevated account privileges and was still able to get it to fail. I was unable to duplicate the issue when running a Delphi XE2 compile of the same application.

Any ideas about what to look for? We are really trying to avoid adding our application to the Security Essentials exclusion list. Our application has never been identified as a problem by various security programs (Norton, McAfee, etc.).

Paolo Moretti
Jeff Cope
  • Easiest way to guarantee this won't happen is to sign your binaries with an Authenticode cert that has a MS accepted root (e.g., VeriSign rather than self-issued). – Aug 30 '12 at 15:51
  • Does your app load DLLs or BPLs dynamically? The reason that I ask is that your description doesn't fit the classic "blocked at startup" scenario where signatures within the .exe trigger the identification. Your case seems to crop up later during execution, seemingly dependent on options used. – Chris Thornton Aug 30 '12 at 17:21
  • @Will That won't guarantee anything. – David Heffernan Aug 30 '12 at 17:47
  • Contact MS and send them the exe. That's always the way to deal with this. – David Heffernan Aug 30 '12 at 17:48
  • @DavidHeffernan: :/ Assuming your binary isn't blocked (downloaded from an untrusted network). Other cases? – Aug 30 '12 at 18:28
  • @Will If I have a VeriSign cert and sign a virus, I sure as hell hope all AV software detects it, cert or no. The cert just proves that I modified the file last. – David Heffernan Aug 30 '12 at 18:31
  • @DavidHeffernan - Did you use the Security Essentials error message to submit the exe to MS, or another method? Also, we frequently change the executable, so I assume we would have to submit each time? – Jeff Cope Aug 30 '12 at 18:50
  • @JeffCope I'd guess that once you had submitted once, they could adapt their detection so that your app didn't trip it up again. – David Heffernan Aug 30 '12 at 18:51
  • @DavidHeffernan: I sign all my virii. Best practice. – Aug 30 '12 at 19:16
  • If it's signed by you @Will, then it's good enough for me ;-) – David Heffernan Aug 30 '12 at 19:17
  • It sounds like your program is setting off the behavior detection in the antivirus (not a signature issue). You can either modify the application's behavior (a real hit-and-miss option), or you can submit to MS for the exclusion list. You could also try updating to a newer IDE, which will have an updated runtime and may present the same functions slightly differently to the AV. – Daisetsu Aug 30 '12 at 23:03
  • You said "I was unable to duplicate the issue when running a Delphi XE2 compile of the same application." What's stopping you from distributing the XE2-compiled version? – Hendra Aug 31 '12 at 02:56
  • @Hendra We are beta testing the XE2 version at a few client sites. If that goes well then we will move to the XE2 version. However, we still have other D7 applications that have not been ported with the same issue. – Jeff Cope Aug 31 '12 at 15:14
  • @DavidHeffernan - Is this the link you used to submit your application? https://www.microsoft.com/security/portal/Vendor/VendorDispute.aspx – Jeff Cope Aug 31 '12 at 15:16
  • I've never had to do that. But that looks like the right place to start. – David Heffernan Aug 31 '12 at 15:20

1 Answer

I once had a similar issue with an executable built using Delphi 7, though it had nothing to do with Delphi 7 itself. It just so happens that some part of the executable matches some virus signature, or the AV heuristic scan suspects that something is wrong with the executable. One thing you can try is to change some of the compiler settings, such as the Debug options. Changing Debug Information or using debug DCUs might result in slightly different byte sequences in the final executable.

ssh
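The answer above relies on a compiler-setting change producing a different byte sequence in the executable. A quick way to see exactly which part of the binary changed between two builds (the same source built with and without debug information, or the D7 build next to the XE2 build) is to hash the PE sections of each and compare them, which also narrows the search when a heuristic detection comes and goes between builds. The following is an added example for this thread, not code from the question or the answer. It uses only Python's standard library and parses just the PE/COFF headers needed to reach the section table; `build_minimal_pe` produces a constructed, non-runnable PE image used as test input in place of a real Delphi executable, and the `CODE`/`DATA` section names are assumptions that happen to match Delphi's defaults.

```python
"""Section-level diff of two Windows PE builds (added example, not from the thread)."""
import hashlib
import struct
import sys

SECTION_HEADER_SIZE = 40  # size of one IMAGE_SECTION_HEADER


def parse_sections(data: bytes) -> dict:
    """Return {section_name: (raw_offset, raw_size, sha256_of_raw_bytes)}.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_offset + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, n_sections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections[name] = (raw_ptr, raw_size, hashlib.sha256(raw).hexdigest())
    return sections


def diff_builds(a: bytes, b: bytes) -> dict:
    """Compare two builds section by section; returns only the sections that differ."""
    sa, sb = parse_sections(a), parse_sections(b)
    result = {}
    for name in sorted(set(sa) | set(sb)):
        if name not in sa:
            result[name] = "only in second build"
        elif name not in sb:
            result[name] = "only in first build"
        elif sa[name][2] != sb[name][2]:
            result[name] = "contents differ (%d vs %d bytes)" % (sa[name][1], sb[name][1])
    return result


def build_minimal_pe(sections: list) -> bytes:
    """Constructed test input: a tiny PE image with the given [(name, payload)] sections.

    Only the headers the parser reads are meaningful (SizeOfOptionalHeader is 0,
    which the parser tolerates); the result is not a loadable executable.
    """
    n = len(sections)
    pe_offset = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_offset)  # 64-byte DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # i386, EXE
    raw_ptr = pe_offset + 4 + 20 + n * SECTION_HEADER_SIZE  # first byte after the table
    headers, payloads = b"", b""
    for name, payload in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                               len(payload), 0x1000, len(payload), raw_ptr,
                               0, 0, 0, 0, 0x60000020)  # code|execute|read
        payloads += payload
        raw_ptr += len(payload)
    return dos + b"PE\0\0" + coff + headers + payloads


if __name__ == "__main__":
    # Usage: python pediff.py build_a.exe build_b.exe
    with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
        for section, what in diff_builds(fa.read(), fb.read()).items():
            print("%-8s %s" % (section, what))
```

Section names and hashes are only a first cut: if every differing build shows a change in `CODE` alone, the trigger is in compiled code rather than resources or data, and the next step is still to submit the file to Microsoft through the vendor dispute link in the comments.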