
Possible Duplicate:
Antivirus False positive in my executable

One application is currently getting detected as a false positive for a virus by Avast and ClamAV (never heard of the latter).

I have contacted both and am waiting for a reply from them, but I guess that takes time (24 hours ++ now). So what I'm looking for is a resource to check if part of my code is being falsely detected; I personally assume me and the person who wrote a virus at one point simply have common sample code?

I don't have the technical abilities so I could disable the AV and find what signature is triggering (and I assume companies protect this information). So my question boils down to: is there any resource I can use to check whether part of my code is being detected?

Extra information:

  • Link to VirusTotals:
  • My application is digitally signed, and "my" signature has a positive rating at least with MS, and I have never heard anyone complain that it's blacklisted.
  • My application does have background update checking and error reporting (the update check is done via HTTP).
  • I have of course scanned the computer used for compiling for viruses (both MS and NOD32).
  • The application gets detected as a false positive even when it's just zipped and not in an installer.
  • Link to information about what my app is being falsely detected as (thanks to Flanfl)

The people voting to close, please actually read the topic https://stackoverflow.com/questions/3339136/antivirus-false-positive-in-my-executable; that one is about Delphi coding. Mine is generic and has 2 actual replies that are helpful to my case.

EKS
    Occam's razor: Maybe your application [has/is infected with] malicious code? – Anthony Pegram Nov 28 '11 at 18:29
  • That's true, but if you look at the VT link you will notice only the "bad" AV companies detect a virus, not all the good ones. – EKS Nov 28 '11 at 18:30
  • Does your code do any virus/spyware/malware-like activity? Upload data without user consent, etc? The anti-virus app should be telling what it thinks the infection is, and you should be able to find info about the "detected" virus to determine what, in your app, is triggering the false-positive. For example, Norton has detailed info on all known viruses, so you can compare your app against the behavior of the detected virus. http://us.norton.com/security_response/threatexplorer/ – David Nov 28 '11 at 18:32
  • I'd agree; it's the worse ones that are detecting something, so it's probably something silly like a DLL or namespace name, as they're likely not inspecting the internal code. Maybe look up those viruses and see if any of their typical DLL name/locations schemes match your own. – drharris Nov 28 '11 at 18:34
  • It has background update checking and the ability to report crash information. By its nature it's an "online" application; it has the ability to publish combat logs to a web service. I have no problem with posting a link to the application if that's helpful (but I'm trying to keep the question generic enough so it will help others). – EKS Nov 28 '11 at 18:35
  • You might want to have a look here: [link](http://www.threatexpert.com/report.aspx?md5=58ad8b44ac111ccc53cb8f6bea959148) Does your program do something similar as this Trojan? – Flanfl Nov 28 '11 at 18:36
  • Not really. I use appdata for settings and we both use TCP for transferring data. The rest is not valid for me. – EKS Nov 28 '11 at 18:44
  • On the upside, Avast is not calling you a virus; they are saying you are a [PUP](http://searchsecurity.techtarget.com/definition/PUP). – Scott Chamberlain Nov 28 '11 at 19:02

2 Answers

In the end, there's going to be no one technique that will solve your problem. Signing won't help, and changing names probably won't help; otherwise viruses would use those same ideas to circumvent security. Those AV products have found some chunk of code that matches the virus, and aren't smart enough to distinguish. I would suggest contacting the specific AV providers and getting them to whitelist you.

drharris
  • I guess you're right, but I'm hoping someone has a really clever idea :) . Other than that I think the "best" solution is to be famous on a blog/twitter and then spam them, because contacting them is taking forever... – EKS Nov 28 '11 at 19:13
  • You're probably right. I would have suggested to try a code auditing tool, but I'm not sure if any of them can spot such issue. – Flanfl Nov 28 '11 at 19:14

Possible solution for a workaround: I'm using hstart in the automatic update system; removing this should fix my problem.

EDIT: This "fixed" my problem; they were detecting hstart.exe...

The solution for others may be the following:

  • Take backups. Install the antivirus program doing the false detections (ClamAV and Avast in my case).
  • Scan your source code. If you're lucky it will show you which file contains the false detection (in my case it was a resource). REMEMBER, IF IT FINDS THE FAULT THIS WAY IT IS LIKELY TO DELETE THE "PROBLEM".
EKS
  • I had a similar problem about a year ago, Avira was thinking that the application that I was developing was a virus. I just uninstalled Avira and continued with my life, and when I reinstalled it months later it was not detecting my application as a virus anymore. So, I guess what was triggering the false positive was some pattern of code which I introduced at some point and later changed. P.S. What do you mean, 'take backups'? Don't you use a source code repository? – Mike Nakis Nov 29 '11 at 05:57
  • Yeah, I use a repository, but if someone follows the "mini guide" to scan their machine with a faulty AV they should really have backups :). False detections are annoying, especially when they happen around big new releases. I'm pretty sure people trust their AV more than other apps, so it's lost users for sure. – EKS Nov 29 '11 at 07:16
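As an added example (not code from the original post or its authors), here is a Python helper for the "scan your source code" step in the accepted workaround. It runs ClamAV's `clamscan` recursively in report-only mode (no `--remove`, so nothing gets deleted), parses the `FOUND` lines into a path-to-signature map, and hashes a flagged file so it can be looked up on VirusTotal without uploading it. The sample scanner output, its file paths and the signature name are constructed placeholders.

```python
import hashlib
import re
import shutil
import subprocess

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def parse_clamscan_output(text):
    """Return {path: signature} for every file clamscan flagged; OK lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def sha256_of_bytes(data):
    """SHA-256 hex digest, the hash VirusTotal accepts for a lookup by file hash."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_bytes(f.read())


def scan_source_tree(root):
    """Run clamscan over a source tree in report-only mode and return the flagged files.
    -r recurses, -i prints only infected files, --no-summary drops the trailer;
    --remove is deliberately NOT passed, so the scan never deletes anything."""
    if shutil.which("clamscan") is None:
        raise RuntimeError("clamscan is not installed")
    proc = subprocess.run(["clamscan", "-r", "-i", "--no-summary", str(root)],
                          capture_output=True, text=True, check=False)
    # Exit code 0 = clean, 1 = something was flagged, 2 and above = scanner error.
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip())
    return parse_clamscan_output(proc.stdout)


# Constructed sample of clamscan output (placeholder paths and signature name),
# shaped like a scan where an embedded helper binary in the resources trips a rule.
SAMPLE_OUTPUT = """\
/src/app/Main.cs: OK
/src/app/Resources/hstart.exe: Example.Signature.PLACEHOLDER FOUND
/src/app/Updater.cs: OK
"""

if __name__ == "__main__":
    for path, sig in parse_clamscan_output(SAMPLE_OUTPUT).items():
        print(f"{path} -> {sig}")
```

Running `scan_source_tree("path/to/src")` on a real checkout gives the same map for the live scanner; the flagged file's hash from `sha256_of_file` is what you paste into VirusTotal's search.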