I am using Delphi XE3 with its built-in Indy.

I find that whenever I build a project which uses the Indy IdHTTP component, Kaspersky treats the built .EXE file as infected with a virus called HEUR:Trojan.Win32.Agent.gen.

I think this is a false positive, so I reported this to Kaspersky, but several weeks have passed and no one has answered.

Has anyone else encountered such a problem?

Thanks

alancc
  • Kaspersky is notorious for false positives. Get a better AV. – Remy Lebeau Sep 28 '19 at 07:15
  • @RemyLebeau that will work for his computer. But what about others' (customers'?) computers? If I was told by a software vendor to ditch my virus scanner because it falsely detects his software as a virus, I might question his reputation rather than the virus scanner's. – dummzeuch Sep 28 '19 at 10:13
  • @dummzeuch there is no other solution – David Heffernan Sep 28 '19 at 13:30
  • Delphi is a development system. And as such, there have been some viruses written in Delphi. So it is likely that in the course of analyzing such viruses, AV vendors may mark identifying sections of code that are part of the common RTL that gets shared with other non-virus software, leading to false positives – Remy Lebeau Sep 28 '19 at 16:28

2 Answers

Specific answer to your question - yes, this sometimes happens.

The best workaround is to digitally sign your executables. Microsoft and AV companies typically look favorably at properly signed executables.

Otherwise, you can report this false-positive to Kaspersky and they may eventually correct it. But, it will occur randomly in the future from Kaspersky or any other anti-malware solution.

Some related links:

Note from the vault: You can also try changing the user-agent on your HTTP-post. This worked many years ago as a workaround.

Darian Miller
  • Change the user-agent? Do you mean I can use another component instead of TIdHttp to send the POST request? – alancc Sep 29 '19 at 01:58
  • @alancc no, change the TIdHttp.Request.UserAgent property to something other than the default, which is marked as a red flag for malware (not just for AV, but some servers are set to block it as probable intrusion attempts). – Garth Thornton Sep 29 '19 at 19:16
  • @GarthThornton, I tried changing the UserAgent to "FireFox" and "Chrome"; both still cause Kaspersky to remove the generated .exe file. – alancc Sep 30 '19 at 02:28

I've encountered this recently and aside from the tips given by others, it might help if you choose a different target. 32-bit Delphi apps are prone to encountering false positives but 64-bit Delphi apps are less so.

Omen
  • Thank you very much. I tried building for 64-bit and now the problem is solved. – alancc Sep 29 '19 at 03:39
  • You should digitally sign your exe with a valid digital certificate. Pretty much all AV programs consider unsigned executables that use HTTP, FTP, POP3, SMTP and other common network protocols as potentially harmful, especially if they are configured to check programs using heuristic analysis. And this isn't just limited to Delphi-made applications but pretty much all applications. – SilverWarior Sep 29 '19 at 05:11
  • @SilverWarior digitally signing the exe is not enough. Try uploading to VirusTotal a 32-bit digitally signed Hello World Delphi app using the latest Community Edition. No networking code at all, and it still gets flagged by some AV engines – Omen Oct 28 '19 at 05:42
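
The two properties the answers above turn on, whether the executable carries a valid Authenticode signature and whether it targets 32-bit or 64-bit, can be checked on every build before release. The script below is an added example, not code from any poster in this thread; the `$BuildDir` default and the `Get-PeTarget` helper name are assumptions for illustration.

```powershell
# Added example, not from the thread. $BuildDir is an assumed output folder.
param([string]$BuildDir = '.\Win32\Release')

function Get-PeTarget {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 0x40) { return 'not a PE file' }
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Position = 0x3C                      # e_lfanew: offset of the PE header
        $peOffset = $br.ReadInt32()
        if ($peOffset -lt 0 -or $peOffset + 6 -gt $fs.Length) { return 'not a PE file' }
        $fs.Position = $peOffset
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not a PE file' }   # "PE\0\0"
        switch ($br.ReadUInt16()) {              # IMAGE_FILE_HEADER.Machine
            0x014C  { '32-bit (x86)' }
            0x8664  { '64-bit (x64)' }
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

$failed = $false
foreach ($exe in Get-ChildItem -Path $BuildDir -Filter *.exe -File) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    # One report row per executable: target, signature status, signer, timestamp.
    [pscustomobject]@{
        File        = $exe.Name
        Target      = Get-PeTarget $exe.FullName
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
    if ($sig.Status -ne 'Valid') { $failed = $true }
}
if ($failed) {
    Write-Error 'At least one executable is unsigned or its signature is not valid.'
    exit 1
}
```

A non-zero exit code lets a build pipeline stop before an unsigned or wrongly targeted binary is shipped; the `Timestamped` column shows whether the signature will still verify after the signing certificate expires.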