
I have a program that my company has been using for more than 10 years. Recently an antivirus vendor began flagging the file as malware. The vendor says that it is injecting itself into a Dr. Watson process. I scanned it with VirusTotal. All 55 engines say there is no malware, but the "behavioral information" tab shows that the program opens Dr. Watson and injects itself into the process.

There is no code in the Delphi program to invoke Dr. Watson. Has anyone seen this before with Delphi? Any idea how to stop this behavior?

TLama
  • Is it injecting itself, or a DLL it manages, into *all* processes? Some programs do this for various reasons. – Mason Wheeler Dec 09 '14 at 21:31
  • I don't know. The program is an ActiveX exe that hosts an IE viewer control and loads xml to be viewed by the IE control. After verifying the xml, you can then upload the file to website using the xupload control. That's literally all it does. – user1956070 Dec 09 '14 at 21:33
  • I am the maintainer of the code. I have the source code and 2 build machines. I tried building on the second machine to see if it was just a problem with the previous machine, but the one built on the second machine also shows Dr. Watson injection on VirusTotal – user1956070 Dec 09 '14 at 21:36
  • What exactly is `it is injecting itself into a Dr. Watson process` supposed to mean? Are they suggesting you did something on purpose to make your app do this or else that you potentially have a virus on your system, which is intelligent enough to turn the apps that you build into viruses of their own? - that would be quite a feat. – 500 - Internal Server Error Dec 09 '14 at 22:03
  • Which version of Delphi are you using? – Tom Brunberg Dec 09 '14 at 22:05
  • When I asked why they were flagging it as malware, they wanted an explanation of why I was invoking Dr. Watson and injecting myself into it. I'm about at my wits' end trying to figure out why it is happening. – user1956070 Dec 09 '14 at 22:08
  • Unfortunately, it is Delphi 5. – user1956070 Dec 09 '14 at 22:09
  • You might want to try and create an exe of your own that hosts your ActiveX - I think you can do that, though I don't have personal experience with it that I can recall - and see if it also has the issue. If not, it could be an IE extension of some kind that's the culprit. – 500 - Internal Server Error Dec 09 '14 at 22:47
  • Are these people sure it is *injecting* itself? Dr Watson is a debugger. Can't it be that some change in the environment started tripping up your program and now it's crashing and activating Dr Watson? – Jan Doggen Dec 09 '14 at 23:10
  • You'll need to work out what part of your program causes the AV tool problems. – David Heffernan Dec 10 '14 at 07:57
  • Because Delphi is, apparently, pretty popular among some virus writers, the heuristics of some AV programs identify viruses by their use of a combination of Delphi runtime routines (simply the bit patterns they have). This can produce false positives for totally harmless programs. If it is only one vendor, I'd tell them to change their heuristics. If there are several, they may be right and the code is infected. – Rudy Velthuis Dec 10 '14 at 08:12

1 Answer

3

Unhandled exceptions that even get through the default handlers Delphi provides (and Delphi 5 provides less than more recent versions) get handled by Windows, and in some cases this may have Windows start DrWatson by default to create and write a kernel dump.

Start DrWatson yourself to see in which folder it keeps these files. Have a close look at them as they are designed to keep track of the position in the compiled logic where the process got into trouble.

If you find out more there about what was running at the moment DrWatson is called, or by adding some logging by yourself, try having more exception handling in that bit of code and catch the exceptions early to handle them appropriately, so Windows won't decide to halt your process.

Stijn Sanders
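The answer's advice, catching exceptions early and logging them yourself so that nothing escapes to the Windows postmortem debugger, as an added example that is not part of the answer or the asker's program. It is a hypothetical Delphi 5 style program: the program name, the log file location, the `TExceptionLogger` class and the `DoRiskyWork` routine (which stands in for the XML-validation and upload code and deliberately raises an access violation) are all assumptions. It goes slightly beyond the answer by also installing an OS-level last-chance filter via `SetUnhandledExceptionFilter`, which covers exceptions raised outside any Delphi `try` block (for example in COM callbacks), and by routing VCL exceptions through `Application.OnException` instead of the default dialog.

```delphi
program GuardedApp;

{ Added example (hypothetical): log exceptions ourselves instead of letting
  them reach the Windows postmortem debugger (DrWatson). }

uses
  Windows, SysUtils, Forms;

var
  LogFile: string;   { assumed: <exe name>.log next to the executable }

procedure AppendLog(const Msg: string);
var
  F: TextFile;
begin
  AssignFile(F, LogFile);
  if FileExists(LogFile) then Append(F) else Rewrite(F);
  try
    Writeln(F, FormatDateTime('yyyy-mm-dd hh:nn:ss', Now), ' ', Msg);
  finally
    CloseFile(F);
  end;
end;

{ Last-resort OS-level filter. Windows calls it only for exceptions that no
  Delphi try/except caught. Returning EXCEPTION_EXECUTE_HANDLER tells Windows
  to unwind and terminate the process quietly instead of launching the
  registered JIT debugger (DrWatson on the systems discussed above). }
function LastChanceFilter(ExceptionInfo: PExceptionPointers): Longint; stdcall;
begin
  with ExceptionInfo^.ExceptionRecord^ do
    AppendLog(Format('Unhandled OS exception code=%.8x at address=%p',
      [ExceptionCode, ExceptionAddress]));
  Result := EXCEPTION_EXECUTE_HANDLER;
end;

type
  { Hypothetical holder for the VCL-level exception handler. }
  TExceptionLogger = class
    procedure HandleVclException(Sender: TObject; E: Exception);
  end;

procedure TExceptionLogger.HandleVclException(Sender: TObject; E: Exception);
begin
  { Exceptions raised inside message handlers arrive here instead of the
    default "show a dialog" behaviour, so the process keeps running. }
  AppendLog(Format('%s: %s', [E.ClassName, E.Message]));
end;

{ Hypothetical stand-in for the XML-validation / upload code: a nil-pointer
  write, deliberately provoked so the example has something to catch. }
procedure DoRiskyWork;
var
  P: PInteger;
begin
  P := nil;
  P^ := 1;
end;

var
  Logger: TExceptionLogger;
begin
  LogFile := ChangeFileExt(ParamStr(0), '.log');
  SetUnhandledExceptionFilter(@LastChanceFilter);

  Logger := TExceptionLogger.Create;
  try
    Application.Initialize;
    Application.OnException := Logger.HandleVclException;

    { Catch early, where the failure happens, as the answer suggests. }
    try
      DoRiskyWork;
    except
      on E: Exception do
        AppendLog('DoRiskyWork failed: ' + E.ClassName + ': ' + E.Message);
    end;

    Application.Run;
  finally
    Logger.Free;
  end;
end.
```

Running this writes a line such as `EAccessViolation: Access violation at address ...` to the log rather than terminating the process through Windows' unhandled-exception path. The log lines are also the evidence to show an antivirus vendor: a timestamped record of what failed, instead of a DrWatson invocation that a behavioural sandbox reports as the program "opening" another process.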