1

In Visual Studio, I make a new empty project, give it a .c file and put only this in it, then compile for x86 with optimizations, and VirusTotal flags it as a trojan.

  1. What could be causing this?
  2. What can I do to fix it?
int main(void) {
    return 0;
}

I used MalwareBytes to scan my computer for nasty stuff and it did not find anything unexpected... and there was nothing shown as detected in computer memory.

Image Summary

Related: Virustotal flag 32 bit version of my program as malware

Sparky
  • 3
    I've never heard of those two Antivirus programs. I wouldn't care too much about this. Those two AV programs are probably overcautious. – Jabberwocky Feb 21 '20 at 14:09
  • 1
    Is it C or C++? I could reproduce this with C but it didn't trigger Jangmin but Cylance. – Jabberwocky Feb 21 '20 at 14:14
  • @Jabberwocky Plain C. It's an empty C++ project, but it's a .c file so would compile as C. Could this perhaps be a rogue DLL in the C language files or runtime? – Sparky Feb 21 '20 at 14:16
  • 1
    Often antivirus will trigger if an executable is not signed so that could be one reason as to why? – txk2048 Feb 21 '20 at 14:31
  • @Toothless204 that's true, see my answer below – Jabberwocky Feb 21 '20 at 14:52
  • 1
    @Sparky *It's an empty C++ project, but it's a .c file so would compile as C* But then it's likely linked as a C++ executable, so it will drag in the C++ run-time libraries. – Andrew Henle Feb 21 '20 at 15:04
  • 1
    @AndrewHenle actually with Visual Studio 2019 it's not even possible to create a C project, only C++ projects. – Jabberwocky Feb 21 '20 at 15:11
  • @AndrewHenle It has this @__security_check_cookie@4 symbol and other things I have not seen before. I presume those are related to the linked libraries, because when I use /NODEFAULTLIB, it throws errors saying that external symbol and the external symbol _mainCRTStartup are unrecognized. – Sparky Feb 21 '20 at 15:13
  • @Jabberwocky I am using Visual Studio 2017. I am guessing the matter is also with 2017 as you mentioned it is with 2019. I am only concerned with the Windows build of my software right now, but I will take what is learned from here and apply it to builds for other operating systems. – Sparky Feb 21 '20 at 15:33

2 Answers

1

Modern virus scanners are looking for unusual programs. Most programs do something. Yours doesn't do anything, that makes it unusual. Add some code.

MSalters
  • I have this same issue with a harmless program that actually does something. I tried a program that does nothing, and here we are. Other program: https://www.virustotal.com/gui/file/54c56db017cf20052209cf3c9c67b51f263d5cb60a0702ba650fb247f759210a/detection I looked at the .exe in IDA Freeware, but I'm at a loss; the main function does nothing but the rest of it, I don't know how to decipher. – Sparky Feb 21 '20 at 14:28
  • 1
    That's probably the cause. I just tried a few configurations, all of them are detected by at least two AV programs, the worst result was an empty c++ program with static linking (Multi-threaded (/MT)) and the "Visual Studio 2019 (v142)" platform where 16 AVs detected something.... – Jabberwocky Feb 21 '20 at 14:29
  • @Jabberwocky Do you see a similarity between the "other program" I linked in my comment here and your tests? – Sparky Feb 21 '20 at 14:32
  • 1
    @Sparky no, it's not the same AVs that triggered with my tests. – Jabberwocky Feb 21 '20 at 14:34
  • 1
    @Jabberwocky Changing between the /MD and /MT Runtime Library embedding options also changes the detection by different Anti-Virus software. – Sparky Feb 23 '20 at 20:06
1

Virus scanners look for all kinds of patterns, behaviour and other things in the code.

Another important thing is that signed software is less likely to be detected as a false positive.

I just submitted the exact same .exe to Virustotal, once signed, once unsigned.

The signed version triggered 2 hits, the unsigned version triggered 16 hits.

I'd not care too much about this. But if you write professional software, you definitely should sign all .exe and .dll files before shipping, but signing doesn't give any guarantee.

C++ source code:

int main()
{
}
  • Compiled with Visual Studio 2019 16.4.3 in Release Mode
  • Configuration Properties->C/C++->Runtime Library : Multi-threaded (/MT)
  • Configuration Properties->General->Platform Toolset : Visual Studio 2019 (v142)
  • Configuration Properties->General->Windows SDK Version : 10.0.17134.0
Jabberwocky
  • Can you clarify, how are there (32-bit) programs that do not flag as a virus, if there are programs that do nothing which flag as a virus? Should I simply ignore those particular virus scanners, or is there something I am supposed to do, besides sign my software, which would pass the test with 0 detections? Seeing as you had different scanners than mine flag yours also, I think overlooking this is problematic. I simply do not know what professional software publishers do in this situation. – Sparky Feb 21 '20 at 15:18
  • 1
    @Sparky as I've written in my answer, signing your binaries reduces the probability that some virus scanner finds a false positive, but there is no guarantee whatsoever. Don't ask me why some AV scanners find false positives in certain binaries and not in others, only the AV companies know. AV scanners can be a real PITA. – Jabberwocky Feb 21 '20 at 15:23
  • 1
    @Sparky you can't do much. The company I work for experiences this problem every 15 months or so. We then contact each of the AV companies (usually less than 4) and deal with them individually. It's a PITA. – Jabberwocky Feb 21 '20 at 15:25
  • Problem is then, I must take them with less of a grain of salt than I already do. I was going by, "3 or more detections means beware," but looking at our tests here... I guess publishing the SHA-256 hash is all I can really do otherwise. – Sparky Feb 21 '20 at 15:25
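
Added example (not part of the original posts, and not code from any of the posters): a Python sketch for the two things the second answer and its comments come back to, whether a build output carries an embedded Authenticode signature and what SHA-256 you would publish for it. It only checks that the PE Certificate Table directory entry is populated, not that the signature is valid; the names `inspect_pe` and `build_sample` are made up here, and the sample image is a constructed header-only PE32 with placeholder bytes instead of a real certificate.

```python
import hashlib
import struct
import sys

CERT_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table
MACHINES = {0x014C: "x86", 0x8664: "x64"}

def inspect_pe(data: bytes) -> dict:
    """Report SHA-256, target machine and whether a certificate table is embedded."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (machine,) = struct.unpack_from("<H", data, pe + 4)
        opt = pe + 24                                         # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        off = size = 0
        if count > CERT_DIR:
            # Unlike the other directories, this entry holds a file offset, not an RVA.
            off, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "has_signature": size > 0 and off + size <= len(data),
    }

def build_sample(signed: bool) -> bytes:
    """Constructed header-only PE32 image; the 'certificate' is placeholder bytes."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # 16 data directories
    blob = b"\0" * 16 if signed else b""
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * CERT_DIR, 0x40 + 4 + 20 + 224, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    print(inspect_pe(raw))
```

Signing appends data to the file, so the signed and unsigned builds of the same program have different SHA-256 values; publish the hash of the artifact you actually ship.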