
I've created an auto-updating application which is distributed to 100s of users.

The auto-update utility is being flagged by 55% of antiviruses on virustotal ( link ).

My application was created in Delphi 7. Most of the flags are saying that this is Generic trojan/malware, obviously the software isn't actually malware (I'm the only one with source code access and access to the server which hosts it) but it's causing a lot of users to be

Does anyone have any idea how I can stop this being wrongly flagged?

Mikey
    @Mikey check this link http://stackoverflow.com/questions/2006534/virus-in-delphi-7 – RRUZ Feb 02 '10 at 15:35

9 Answers

If, as you stated, empty form applications get rated as virus, you might very well be infected by the Delphi virus. More info about this... thing:

In addition, you use Delphi 7, which is a target for this virus (as far as I know not all Delphi versions are).

Leo

Delphi 2007: New VCL Application

Compile without changing anything and some antivirus packages will report the resulting EXE as a potential virus/trojan. Change the name of the main form or add a second form to the project etc and antivirus warnings disappear. Undo the changes and they come back (so it's not a D2007 port of the "Delphi Upgrade Incentive Virus").

My guess is that someone, somewhere once upon a time wrote a virus/trojan/malware with Delphi and the signature/heuristics associated with that now sometimes unfortunately collides with other Delphi apps.

Deltics
    I suspect the answer is not "someone somewhere" but "Lots of people in lots of places." The CLSIDs Microsoft uses in their docs on MSDN for IE extensions have the same problem-- they're often flagged as malicious because malware authors are lazy and used them. – EricLaw Feb 03 '10 at 19:37

I think you have two choices:

a) Submit your auto-update program as a false positive to all those companies, (and do so for any new versions that are detected). Make it easier for them by ensuring your meta-data is correct and signing perhaps.

b) Split up the functionality so you don't have a single Delphi program that downloads files from the internet, overwrites files and patches files.

Douglas Leeder

It depends - if the 100s of users are on a corporate network, using the same enterprise antivirus software administered by group policy, one solution could be to specify your software as an exception in your antivirus package.

GenericMeatUnit

I would try to refactor the program, changing names, changing the order of the procedures and methods, some program structures, removing, replacing, and adding code.

Submit each change to VirusTotal.

You might eventually detect what is causing the problem.

PA.
  • uploading an empty forms application gives this http://www.virustotal.com/analisis/d592ddc8aff56a928e6dcebf4d8a0f63df3da9523da19f0118c84e9a968584ab-1265126224 am I infected or are the anti-viruses rubbish xD – Mikey Feb 02 '10 at 16:00
  • maybe it's time to submit the sample to the companies that give you the false positives – PA. Feb 02 '10 at 17:58
  • Anti-virus apps **ARE** rubbish!! We've had one randomly 'quarantining' data files!! Unfortunately anti-virus apps are something we have to live with. We instructed our client to configure their AV product to ignore our data folder. – Disillusioned Feb 03 '10 at 13:23

If your program "modifies" an executable, it will be picked up by a lot of AV programs. I've even seen Borland's patch program that was distributed with Delphi 7 flagged as a generic virus when installed fresh off the CD.

I'm not sure there is much you can do about it, unless you can turn that "feature" off in the AV program or have the rights to add an exception for it. Personally, I think it's just a lazy "catch-all" created by the AV software writers.

Catharz

AV software also checks the Import Table for common APIs used in viruses, though I don't see any API that would trigger the AV software in the scan report.

pani
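An added example (not from the answer above, nor from any poster on this page): a stand-alone Python import-table reader, so a developer can see exactly which DLLs and API names an updater's PE header exposes to import-based heuristics before submitting it anywhere. The PE image it parses is a minimal sample constructed inline with made-up KERNEL32 imports; the names `build_sample_pe` and `pe_imports` are assumptions of this example.

```python
import struct

# Constructed sample (not a real binary): a minimal PE32 image whose import table names three KERNEL32 APIs.
def build_sample_pe(dll=b"KERNEL32.dll", funcs=(b"CreateFileA", b"WriteFile", b"WriteProcessMemory")):
    sec_rva, sec_off = 0x1000, 0x200
    desc = bytearray(40)                              # one import descriptor + null terminator
    ilt_rva = sec_rva + len(desc)
    names, name_offs = bytearray(dll + b"\0"), []
    for f in funcs:
        if len(names) % 2: names += b"\0"             # hint/name entries are 2-byte aligned
        name_offs.append(len(names)); names += struct.pack("<H", 0) + f + b"\0"
    thunks_len = 4 * (len(funcs) + 1)
    names_rva = ilt_rva + 2 * thunks_len              # layout: descriptors, ILT, IAT, names
    ilt = b"".join(struct.pack("<I", names_rva + o) for o in name_offs) + b"\0\0\0\0"
    struct.pack_into("<IIIII", desc, 0, ilt_rva, 0, 0, names_rva, ilt_rva + thunks_len)
    sec = bytes(desc) + ilt + ilt + bytes(names)
    opt = struct.pack("<H", 0x10B) + bytes(94)        # PE32 magic; other standard fields zeroed
    dirs = bytearray(128); struct.pack_into("<II", dirs, 8, sec_rva, 40)  # data dir[1] = imports
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96 + 128, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), sec_rva, len(sec), sec_off, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + bytes(dirs) + sect
    return hdr + bytes(sec_off - len(hdr)) + sec

def pe_imports(data):
    """Return {dll: [api, ...]} from a PE32/PE32+ import directory, using only struct."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B          # PE32+ has 8-byte thunks
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                     # RVA -> file offset via the section table
        for vsize, vaddr, rawsize, rawptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rawsize): return rva - vaddr + rawptr
        raise ValueError("RVA %#x maps to no section" % rva)
    def cstr(o): return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    result, d = {}, off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, d)
        if not name_rva: break                        # null descriptor ends the table
        thunk, apis, fmt, ordflag = off(ilt or iat), [], ("<Q" if plus else "<I"), 1 << (63 if plus else 31)
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if not entry: break
            apis.append("ordinal#%d" % (entry & 0xFFFF) if entry & ordflag else cstr(off(entry) + 2))
            thunk += 8 if plus else 4
        result[cstr(off(name_rva))] = apis; d += 20
    return result
```

To review a real updater, call `pe_imports(open(path, "rb").read())` on the built executable and compare the listed APIs against what the updater actually needs to do its job.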

See my post at anyone having problems with delphi 2010 and norton internet security. Lately I have been getting SONAR errors too with Delphi 7 compiled programs (and from programs compiled with other compilers).

I reported this to Norton; also look at the hot issues on the Norton board.

Of course this is only Norton; you don't specify which virus checkers you encountered.

Edelcom

We got the same problem here... Anti-virus detects some behaviours of our software too. The anti-virus company doesn't say exactly what they watch (sure, a security issue). Here for example I got this problem when I started using pipelines.

What did we do? We called the security companies, they analysed our .exe, and now we have a "white flag" on them.

...No, it isn't such a fast process.

Rodrigo Farias Rezino